From 5775721e55f6a2604a4a958a503925e91022d2e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 12:12:45 +0200 Subject: [PATCH 0001/1736] build: default target to apparmor 4.1 --- cmd/prebuild/main.go | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index fab6b8f350..62685202fb 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -17,7 +17,7 @@ func init() { prebuild.ABI = 4 // Define the default version - prebuild.Version = 4.0 + prebuild.Version = 4.1 // Define the tasks applied by default prepare.Register( @@ -36,7 +36,7 @@ func init() { "hotfix", // Temporary fix for #74, #80 & #235 ) - // Compatibility with AppArmor 3 + // Matrix of ABI/Apparmor version to integrate with switch prebuild.Distribution { case "arch": @@ -45,12 +45,9 @@ func init() { case "jammy": prebuild.ABI = 3 prebuild.Version = 3.0 - case "noble", "oracular": + case "noble": prebuild.ABI = 4 prebuild.Version = 4.0 - case "plucky": - prebuild.ABI = 4 - prebuild.Version = 4.1 } case "debian": @@ -58,16 +55,13 @@ func init() { case "bullseye", "bookworm": prebuild.ABI = 3 prebuild.Version = 3.0 - case "trixie", "sid": - prebuild.ABI = 4 - prebuild.Version = 4.1 } case "whonix": prebuild.ABI = 3 prebuild.Version = 3.0 - // Hide rewrittem Whonix profiles + // Hide rewritten Whonix profiles prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure /etc/apparmor.d/home.tor-browser.firefox /etc/apparmor.d/tunables/homsanitycheck From 6d2147582e4cc4eb7fe804b53b219df3432b4ffb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:44:56 +0200 Subject: [PATCH 0002/1736] build: add mappings to the list of directories without profile files. --- pkg/prebuild/builder/userspace.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 20498bb4f5..618b67c17c 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -33,7 +33,7 @@ func init() { } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - for _, dir := range []string{"abstractions", "tunables", "local"} { + for _, dir := range []string{"abstractions", "tunables", "local", "mappings"} { if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { return profile, nil } From c32884ddebe17ce8d052572a04a2cf0246ee41cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:47:33 +0200 Subject: [PATCH 0003/1736] feat(profile): add base mappings definition. Used by profiles before to confine pre login script bfore transitionning to user hat. It should only be enabled when mapping is enabled as otherwise the shell is not confined. --- apparmor.d/mappings/login/base | 30 ++++++++++++++++++++++++++++++ apparmor.d/mappings/sshd/base | 30 ++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 apparmor.d/mappings/login/base create mode 100644 apparmor.d/mappings/sshd/base diff --git a/apparmor.d/mappings/login/base b/apparmor.d/mappings/login/base new file mode 100644 index 0000000000..f74b90418c --- /dev/null +++ b/apparmor.d/mappings/login/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sshd/base b/apparmor.d/mappings/sshd/base new file mode 100644 index 0000000000..dd9218d9c5 --- /dev/null +++ b/apparmor.d/mappings/sshd/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor From 35d42038fd76f64a73b6f35fe58b6aff56ab3c7a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:48:01 +0200 Subject: [PATCH 0004/1736] feat(abs): add abstraction for ansible. --- apparmor.d/abstractions/ansible | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 apparmor.d/abstractions/ansible diff --git a/apparmor.d/abstractions/ansible b/apparmor.d/abstractions/ansible new file mode 100644 index 0000000000..5797830964 --- /dev/null +++ b/apparmor.d/abstractions/ansible @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw, + + include if exists + +# vim:syntax=apparmor From 0860667d2876d5edb736760d9d0944e2bef07614 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:49:00 +0200 Subject: [PATCH 0005/1736] fix(profile): spotify needs to read usb. --- apparmor.d/profiles-s-z/spotify | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ef516a7d64..a6d349b9cb 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,6 +17,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -51,10 +52,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { /dev/tty rw, - deny @{sys}/bus/ r, - deny @{sys}/bus/*/devices/ r, - deny @{sys}/class/*/ r, - deny @{sys}/devices/@{pci}/usb@{int}/** r, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists From 5760ba4e48d25114a8eeebd0e55fff6692b6fd47 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:50:49 +0200 Subject: [PATCH 0006/1736] feat(abs): fusermount: add mount, umount to fusermount. --- apparmor.d/abstractions/app/fusermount | 7 +++++++ apparmor.d/groups/freedesktop/xdg-document-portal | 6 ------ apparmor.d/groups/gvfs/gvfsd-fuse | 3 --- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount index 659eee99d4..a394e25288 100644 --- a/apparmor.d/abstractions/app/fusermount +++ b/apparmor.d/abstractions/app/fusermount @@ -17,8 +17,15 @@ @{bin}/fusermount{,3} mr, + @{bin}/mount rix, + @{bin}/umount rix, + @{etc_ro}/fuse{,3}.conf r, + @{run}/mount/utab r, + @{run}/mount/utab.* rwk, + + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /dev/fuse rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index de362990a8..c56729248a 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -77,14 +77,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal), - @{bin}/mount rix, - @{bin}/umount rix, - owner @{run}/user/@{uid}/doc/ rw, - @{run}/mount/utab r, - @{run}/mount/utab.* rwk, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index bb19d54549..2695a1bf70 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -49,9 +49,6 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), - @{bin}/mount rix, - @{bin}/umount rix, - include if exists } From e61529bd049eb964857c9afdc35b99910d8e5870 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:54:34 +0200 Subject: [PATCH 0007/1736] feat(profile): add integration with role profiles. --- apparmor.d/groups/apt/apt-methods-gpgv | 1 + apparmor.d/groups/apt/apt-methods-http | 1 + apparmor.d/groups/apt/apt-methods-store | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index f4e77fa4d2..db5d50f435 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -24,6 +24,7 @@ profile apt-methods-gpgv @{exec_path} { signal (receive) peer=apt, signal (receive) peer=aptitude, signal (receive) peer=packagekitd, + signal (receive) peer=role_*, signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0638120bad..b6976e9af7 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -27,6 +27,7 @@ profile apt-methods-http @{exec_path} { signal (receive) peer=apt, signal (receive) peer=aptitude, signal (receive) peer=packagekitd, + signal (receive) peer=role_*, signal (receive) peer=synaptic, signal (receive) peer=ubuntu-advantage, signal (receive) peer=unattended-upgrade, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index 4c414f07c1..5492fdd5e6 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -24,6 +24,7 @@ profile apt-methods-store @{exec_path} { signal (receive) peer=apt, signal (receive) peer=aptitude, signal (receive) peer=packagekitd, + signal (receive) peer=role_*, signal (receive) peer=synaptic, @{exec_path} mr, From cd890bb81b9139e221a42bd18036b6f9654b886a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 23:00:52 +0200 Subject: [PATCH 0008/1736] feat(profile): minor improvement & update. --- apparmor.d/abstractions/X-strict | 1 - apparmor.d/abstractions/nvidia-strict | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 ++ apparmor.d/groups/apt/unattended-upgrade | 2 ++ apparmor.d/groups/cups/cups-pk-helper-mechanism | 2 +- apparmor.d/groups/freedesktop/upowerd | 1 + apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + .../groups/systemd/systemd-tty-ask-password-agent | 14 +++++++------- apparmor.d/profiles-a-f/ffplay | 2 +- apparmor.d/profiles-a-f/freetube | 1 + apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/rsyslogd | 2 ++ apparmor.d/profiles-s-z/swtpm | 6 +++--- 14 files changed, 24 insertions(+), 16 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 4c506da69c..d3e2cef4f3 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -4,7 +4,6 @@ abi , - # The unix socket to use to connect to the display unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a3948e144b..ebaced47ff 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -26,7 +26,7 @@ @{PROC}/modules r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/mmap_min_addr r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 5b41f7b7c2..31622c1bdc 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -102,6 +102,8 @@ profile aa-notify @{exec_path} { /etc/apparmor.d/** rw, /etc/apparmor/* r, + @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8a7c9755f3..bee1c0fe81 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -50,6 +50,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/apt-listchanges rPx, @{bin}/dpkg rPx, + @{bin}/dpkg-divert rPx, @{bin}/dpkg-preconfigure rPx, @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, @@ -64,6 +65,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, + /etc/apport/report-ignore/ r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, diff --git a/apparmor.d/groups/cups/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism index 89d55c2f1d..89d517631f 100644 --- a/apparmor.d/groups/cups/cups-pk-helper-mechanism +++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism @@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} { /etc/cups/ppd/*.ppd r, - owner @{tmp}/[a-z0-9]* rw, + owner @{tmp}/@{int} rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index f832d285e9..a8244bce97 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -56,6 +56,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, /dev/input/event* r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d54ed16fcd..4440b80e3f 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal send set=hup peer=xorg, signal send set=hup peer=xwayland, - unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system, + unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon #aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index c0f131dd11..ee9c147b6b 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,6 +21,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index a9575dd892..bbd4b7438c 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -17,13 +17,13 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, - signal receive set=(term cont) peer=*//systemctl, - signal receive set=(term cont) peer=deb-systemd-invoke, - signal receive set=(term cont) peer=default, - signal receive set=(term cont) peer=logrotate, - signal receive set=(term cont) peer=makepkg//sudo, - signal receive set=(term cont) peer=role_*, - signal receive set=(term cont) peer=rpm, + signal receive set=(term cont winch) peer=*//systemctl, + signal receive set=(term cont winch) peer=deb-systemd-invoke, + signal receive set=(term cont winch) peer=default, + signal receive set=(term cont winch) peer=logrotate, + signal receive set=(term cont winch) peer=makepkg//sudo, + signal receive set=(term cont winch) peer=role_*, + signal receive set=(term cont winch) peer=rpm, @{exec_path} mrix, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 6d3e1972d4..a4dec5d349 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -30,7 +30,7 @@ profile ffplay @{exec_path} { owner @{user_videos_dirs}/** rw, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 63bb82f112..8250cf8aa1 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -40,6 +40,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-settings rPx -> freetube//&xdg-settings, deny @{sys}/devices/@{pci}/usb@{int}/** r, + deny /dev/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index b1b4ccb707..191ac5782d 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -100,7 +100,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex32} rw, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index b4ae4b211f..1dc744ff35 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -24,6 +24,8 @@ profile rsyslogd @{exec_path} { capability sys_nice, capability syslog, + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 783e582379..369046b6bc 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -14,11 +14,11 @@ profile swtpm @{exec_path} { @{exec_path} mr, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw, - /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw, + /tmp/.swtpm_setup.pidfile.* rw, /tmp/@{int}/.lock rwk, /tmp/@{int}/TMP* rw, From 5e38394986e6e2d0d14638261a214cf4cf91faa6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 23:38:11 +0200 Subject: [PATCH 0009/1736] fix(profile): snap: simplify cgroup access. --- apparmor.d/groups/snap/snapd | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index f1cd465374..4efe83957d 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -157,12 +157,11 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, - @{sys}/fs/cgroup/cgroup.controllers r, - @{sys}/fs/cgroup/system.slice/{,**/} r, - @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, @{sys}/fs/cgroup/*.slice/ r, @{sys}/fs/cgroup/*.slice/*.service/{,**/} r, - @{sys}/fs/cgroup/*.slice/*-@{uid}.slice/*@@{uid}.service/app.slice/snap*.service/cgroup.procs r, + @{sys}/fs/cgroup/*.slice/*.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, From 69aa16625b5ba2045f3d74877d433e68cefbd574 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:14:51 +0200 Subject: [PATCH 0010/1736] feat(profile): add support for gimp 3.0 fix #656 --- apparmor.d/profiles-g-l/gimp | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 1588853757..7f8eb716a4 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -26,16 +26,19 @@ profile gimp @{exec_path} { @{exec_path} mr, - @{bin}/env rix, - @{bin}/gjs-console rix, - @{bin}/lua rix, - @{lib}/gimp/@{version}/extensions/*/* rix, - @{lib}/gimp/*/plug-ins/** rix, - @{python_path} rix, + @{python_path} rix, + @{bin}/env rix, + @{bin}/gimp-script-fu-interpreter-* rix, + @{bin}/gjs-console rix, + @{bin}/lua rix, + @{lib}/gimp/@{version}/extensions/*/* rix, + @{lib}/gimp/*/plug-ins/** rix, @{bin}/xsane-gimp rPx, @{open_path} rPx -> child-open-help, + @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, + /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -62,7 +65,16 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists } From 63e2b9372bd7b7f75331fc68311daecab9c63d83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:33:20 +0200 Subject: [PATCH 0011/1736] fix: snap access to cgroup. --- apparmor.d/groups/snap/snapd | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 4efe83957d..cbaa8bce95 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -158,8 +158,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/{,*/} r, @{sys}/fs/cgroup/*.slice/ r, - @{sys}/fs/cgroup/*.slice/*.service/{,**/} r, - @{sys}/fs/cgroup/*.slice/*.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/{,**/} r, @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/kexec_loaded r, From 379a093b10f93e69a03e5524b89278cb17334aff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:34:59 +0200 Subject: [PATCH 0012/1736] feat(fsp): small improvment to systemd profiles. --- apparmor.d/groups/_full/systemd | 8 +++----- apparmor.d/groups/_full/systemd-user | 1 + 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d055135bde..d3a193244b 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -79,8 +79,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, - mount fstype=vfat -> /boot/efi/, + mount /dev/** -> /boot/{,efi/}, mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, @@ -108,7 +108,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { remount @{run}/systemd/unit-root/{,**}, remount /, remount /snap/{,**}, - remount options=(ro bind) /boot/efi/, + remount options=(ro bind) /boot/{,efi/}, remount options=(ro noexec noatime bind) /var/snap/{,**}, remount options=(ro nosuid bind) /dev/, remount options=(ro nosuid nodev bind) /dev/hugepages/, @@ -221,12 +221,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{att}/@{run}/systemd/journal/dev-log r, @{run}/ rw, - @{run}/*.socket w, + @{run}/* rw, @{run}/*/ rw, @{run}/*/* rw, - @{run}/auditd.pid r, @{run}/credentials/{,**} rw, - @{run}/initctl rw, @{run}/systemd/{,**} rw, @{run}/udev/data/+bluetooth:* r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index e3ae3acb40..b0b3272a1a 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -146,6 +146,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { deny capability net_admin, deny capability perfmon, deny capability sys_admin, + deny capability sys_boot, deny capability sys_resource, profile systemctl { From c008cbda671320879d18f26afb2f44bf6ae72c4a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:43:57 +0200 Subject: [PATCH 0013/1736] feat(profile): add profile for most of udev internat scripts Required by FSP. --- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/profiles-s-z/udev-ata_id | 23 +++++++++++++++ .../profiles-s-z/udev-bcache-export-cached | 23 +++++++++++++++ apparmor.d/profiles-s-z/udev-cdrom_id | 24 ++++++++++++++++ apparmor.d/profiles-s-z/udev-fido_id | 24 ++++++++++++++++ apparmor.d/profiles-s-z/udev-hdparm | 28 +++++++++++++++++++ apparmor.d/profiles-s-z/udev-probe-bcache | 21 ++++++++++++++ dists/flags/main.flags | 6 ++++ 8 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/udev-ata_id create mode 100644 apparmor.d/profiles-s-z/udev-bcache-export-cached create mode 100644 apparmor.d/profiles-s-z/udev-cdrom_id create mode 100644 apparmor.d/profiles-s-z/udev-fido_id create mode 100644 apparmor.d/profiles-s-z/udev-hdparm create mode 100644 apparmor.d/profiles-s-z/udev-probe-bcache diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 29b40cb484..9e81cec831 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd -profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { +profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id new file mode 100644 index 0000000000..f12ed105fc --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-ata_id @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/ata_id +profile udev-ata_id @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached new file mode 100644 index 0000000000..51746625ea --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bcache-export-cached +profile udev-bcache-export-cached @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/bcache-super-show rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id new file mode 100644 index 0000000000..5521598676 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-cdrom_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/cdrom_id +profile udev-cdrom_id @{exec_path} { + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + /dev/sr@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id new file mode 100644 index 0000000000..76ec27b68e --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/fido_id +profile udev-fido_id @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/virtual/**/report_descriptor r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-hdparm b/apparmor.d/profiles-s-z/udev-hdparm new file mode 100644 index 0000000000..bca98163b6 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-hdparm @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/hdparm +profile udev-hdparm @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/udevadm rPx, + + /etc/hdparm.conf r, + + @{PROC}/cmdline r, + @{PROC}/mdstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-probe-bcache b/apparmor.d/profiles-s-z/udev-probe-bcache new file mode 100644 index 0000000000..e02e070a84 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-probe-bcache @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/probe-bcache +profile udev-probe-bcache @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 06c3e3e27e..5f99d75527 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -352,7 +352,13 @@ telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain ucf complain +udev-ata_id complain +udev-bcache-export-cached complain +udev-cdrom_id complain udev-dmi-memory-id complain +udev-fido_id complain +udev-hdparm complain +udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain From 80f5c50f139431b67cd81f25ebf42f177393d623 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 19:04:44 +0200 Subject: [PATCH 0014/1736] feat(profile): ensure flatpak can handle chromium based software. fix #715 --- apparmor.d/groups/flatpak/flatpak-app | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e332f50cad..397475a432 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -41,12 +41,12 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), + ptrace read, ptrace trace peer=flatpak-app, signal receive peer=flatpak, signal receive set=(int term) peer=flatpak-portal, - signal receive set=(int) peer=flatpak-session-helper, + signal receive set=(int term) peer=flatpak-session-helper, @{bin}/** rmix, @{lib}/** rmix, @@ -57,6 +57,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/*/**/@{bin}/** rmix, /var/lib/flatpak/app/*/**/@{lib}/** rmix, + @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm, @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, From e75d1729c1a9e3209fd67081740a82850714abde Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 19:06:53 +0200 Subject: [PATCH 0015/1736] fix(tunable): remove vimtutor to the list of editors. #678 --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 3611178a22..d6b8e424fe 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -33,7 +33,7 @@ @{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop # Editors -@{editor_names} = sensible-editor vim{,.*} vimtutor vim-nox11 nvim nano +@{editor_names} = sensible-editor vim{,.*} vim-nox11 nvim nano @{editor_ui_names} = gnome-text-editor gedit mousepad # Pager From 8c591c90ab32bc598878f3005567ad65d00f75cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 19:28:59 +0200 Subject: [PATCH 0016/1736] feat(profile): journalctl minor improvments. --- apparmor.d/groups/systemd/journalctl | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 36fbd9e756..bc061cfe5e 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -20,8 +20,10 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (receive) set=(term) peer=cockpit-bridge, - signal (send) peer=child-pager, + network netlink raw, + + signal receive set=term peer=cockpit-bridge, + signal send peer=child-pager, @{exec_path} mr, @@ -49,6 +51,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, + @{run}/systemd/notify rw, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, From 1ca12d173f58f1583a964758af031e87f8049be2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 20:31:18 +0200 Subject: [PATCH 0017/1736] ci: only run integration tests on dev branch. --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 166840b447..15807cfe2e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -81,6 +81,7 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build + if: github.ref == 'refs/heads/dev' steps: - name: Check out repository code uses: actions/checkout@v4 From e774ad65788b7888e64368cb73d776a882563e4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 20:33:36 +0200 Subject: [PATCH 0018/1736] fix(ci): minor fixes. --- apparmor.d/groups/systemd/journalctl | 1 + tests/integration/common.bash | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index bc061cfe5e..ef62e37cde 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -22,6 +22,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal receive set=kill peer=snapd, signal receive set=term peer=cockpit-bridge, signal send peer=child-pager, diff --git a/tests/integration/common.bash b/tests/integration/common.bash index ed167d4f93..7a012191bf 100644 --- a/tests/integration/common.bash +++ b/tests/integration/common.bash @@ -9,7 +9,7 @@ load "$BATS_LIB_PATH/bats-support/load" export SYSTEMD_PAGER= # Ignore the profile not managed by apparmor.d -IGNORE=(php-fpm snapd/snap-confine) +IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd) # User password for sudo commands export PASSWORD=${PASSWORD:-user} From e5b1c0ca7de318b50998fa823137846c235b0ffa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 20:38:14 +0200 Subject: [PATCH 0019/1736] feat(profile): minor update. --- .../gnome/gnome-calculator-search-provider | 2 ++ apparmor.d/groups/pacman/pacman | 5 ----- apparmor.d/profiles-g-l/ghc-pkg | 4 +++- apparmor.d/profiles-g-l/gimp | 3 +++ apparmor.d/profiles-g-l/gpartedbin | 2 +- apparmor.d/profiles-m-r/nvtop | 19 ++++++++++--------- 6 files changed, 19 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index da03ed6653..8400f03c1a 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -23,6 +23,8 @@ profile gnome-calculator-search-provider @{exec_path} { @{bin}/* rPUx, + owner @{user_cache_dirs}/gnome-calculator/* r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 0043cd0615..271540f528 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -149,11 +149,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, owner /dev/pts/@{int} rw, - # Silencer, - deny @{HOME}/ r, - deny @{HOME}/**/ r, - deny /tmp/ r, - profile gpg { include include diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index df66130420..3ccfdec4aa 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ghc-pkg{,-*} +@{exec_path} = @{bin}/ghc-pkg{,-*} @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} profile ghc-pkg @{exec_path} { include include @@ -26,6 +26,8 @@ profile ghc-pkg @{exec_path} { @{sys}/devices/system/node/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 7f8eb716a4..b335650d88 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -46,6 +46,9 @@ profile gimp @{exec_path} { /etc/fstab r, /etc/gimp/{,**} r, + owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, + owner @{user_documents_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_work_dirs}/{,**} rw, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index a82bf8b473..0b2fea4c30 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin -profile gpartedbin @{exec_path} { +profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index e4846d58e0..d0553d1864 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -43,15 +43,16 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/pcie_bw r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/ r, - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/fdinfo/@{int} r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/dri/ r, /dev/nvidia-caps/ rw, From f90208bb7fb80897590ab7a3796b7da2be214f5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 20:40:19 +0200 Subject: [PATCH 0020/1736] feat(profile): add deb-systemd-* profiles. --- apparmor.d/groups/apt/deb-systemd-helper | 39 ++++++++++++++++++++++++ apparmor.d/groups/apt/deb-systemd-invoke | 29 ++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 70 insertions(+) create mode 100644 apparmor.d/groups/apt/deb-systemd-helper create mode 100644 apparmor.d/groups/apt/deb-systemd-invoke diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper new file mode 100644 index 0000000000..28de2a8a0c --- /dev/null +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/deb-systemd-helper +profile deb-systemd-helper @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/systemctl rCx -> systemctl, + + /var/lib/systemd/deb-systemd-helper-enabled/** rw, + /var/lib/systemd/deb-systemd-helper-masked/ rw, + + profile systemctl { + include + include + + /etc/ r, + /etc/systemd/ r, + /etc/systemd/system/ r, + /etc/systemd/system/* rw, + /etc/systemd/system/*.wants/ r, + /etc/systemd/system/*.wants/* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke new file mode 100644 index 0000000000..63dfdaf528 --- /dev/null +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/deb-systemd-invoke +profile deb-systemd-invoke @{exec_path} { + include + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/systemctl rix, + @{bin}/systemd-tty-ask-password-agent rPx, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5f99d75527..8b1f3030c8 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -75,6 +75,8 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain +deb-systemd-helper complain +deb-systemd-invoke complain dino attach_disconnected,complain discord complain discord-chrome-sandbox complain From b765d8174b85850150007bc888d208e1272fab8a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 21:08:04 +0200 Subject: [PATCH 0021/1736] feat(profile): add initial dpkg-script-* profiles. --- apparmor.d/groups/apt/dpkg-script-apparmor | 60 ++++++++++++++++++++++ apparmor.d/groups/apt/dpkg-script-man | 27 ++++++++++ apparmor.d/groups/apt/dpkg-script-udev | 21 ++++++++ dists/flags/main.flags | 3 ++ 4 files changed, 111 insertions(+) create mode 100644 apparmor.d/groups/apt/dpkg-script-apparmor create mode 100644 apparmor.d/groups/apt/dpkg-script-man create mode 100644 apparmor.d/groups/apt/dpkg-script-udev diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor new file mode 100644 index 0000000000..088fff84ac --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -0,0 +1,60 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/apparmor* +profile dpkg-script-apparmor @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/grep rix, + + @{bin}/deb-systemd-helper rPx, + @{bin}/deb-systemd-invoke rPx, + @{bin}/dpkg-divert rix, + @{bin}/systemctl rCx -> systemctl, + + /usr/share/apparmor.d/** rw, + + /etc/apparmor.d/** rw, + + /var/lib/dpkg/diversions rw, + /var/lib/dpkg/diversions-new rw, + /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + + /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/status r, + /var/lib/dpkg/triggers/File r, + /var/lib/dpkg/triggers/Unincorp r, + /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/@{int} r, + + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent rix, + + owner @{run}/systemd/ask-password/ rw, + owner @{run}/systemd/ask-password-block/{,*} rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-man b/apparmor.d/groups/apt/dpkg-script-man new file mode 100644 index 0000000000..63f5c5c78f --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-man @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/man-db.* +profile dpkg-script-man @{exec_path} { + include + include + include + + capability setgid, + capability setuid, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/setpriv rix, + @{bin}/mandb rPx, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-udev b/apparmor.d/groups/apt/dpkg-script-udev new file mode 100644 index 0000000000..58840ef390 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-udev @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/udev* +profile dpkg-script-udev @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/systemd-hwdb rPx, + @{bin}/deb-systemd-invoke rPx, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 8b1f3030c8..894945f2e9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -86,6 +86,9 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-script-apparmor complain +dpkg-script-man complain +dpkg-script-udev complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain From 1aa8b429823d50e235a5503ae2c08e48ffd2d939 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 21:09:10 +0200 Subject: [PATCH 0022/1736] feat(profile): add initial version of dpkg-maintscript-helper --- apparmor.d/groups/apt/dpkg-maintscript-helper | 41 +++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 42 insertions(+) create mode 100644 apparmor.d/groups/apt/dpkg-maintscript-helper diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper new file mode 100644 index 0000000000..b7d8675e84 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-maintscript-helper +profile dpkg-maintscript-helper @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dpkg rCx -> dpkg, + + /usr/share/dpkg/sh/* r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 894945f2e9..453d5f73a8 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -86,6 +86,7 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-maintscript-helper complain dpkg-script-apparmor complain dpkg-script-man complain dpkg-script-udev complain From 9f0947a0fc0408da9350b95eb95a6860f8018471 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Apr 2025 00:11:15 +0200 Subject: [PATCH 0023/1736] doc: add link to the play machine. --- README.md | 8 +++++++- docs/index.md | 4 ++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a2ae8d6fb8..ddb1e79b35 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # apparmor.d -[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] +[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link] **Full set of AppArmor profiles** @@ -37,6 +37,10 @@ * XFCE (Lightdm) *(work in progress)* - [Fully tested](https://apparmor.pujol.io/development/tests/) +**Demo** + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ + > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. ## Concepts @@ -92,6 +96,8 @@ and thus has the same license (GPL2). [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org +[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square +[play-link]: https://play.pujol.io [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ diff --git a/docs/index.md b/docs/index.md index 6f09983cba..39679d01a5 100644 --- a/docs/index.md +++ b/docs/index.md @@ -36,6 +36,10 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* - [Fully tested](development/tests.md) +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ + ### Presentations Building the largest set of AppArmor profiles: From 7394b9ff9cfb75241591ccd557bcc92f8ab87f3b Mon Sep 17 00:00:00 2001 From: zinootje <16385833+zinootje@users.noreply.github.com> Date: Thu, 24 Apr 2025 17:19:20 +0200 Subject: [PATCH 0024/1736] Update PKGBUILD arch to any (#717) * Update PKGBUILD arch to any updated PKGBUILD arch to any to support all archs * Update PKGBUILD set archs as arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') --- PKGBUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PKGBUILD b/PKGBUILD index ca1aaa8402..58a693d343 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -7,7 +7,7 @@ pkgname=apparmor.d pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" -arch=("x86_64") +arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') url="https://github.com/roddhjav/$pkgname" license=('GPL-2.0-only') depends=('apparmor') From 7c46ed2dd1f2b41ceadbb5a08a1d4030af0051b3 Mon Sep 17 00:00:00 2001 From: moisesmsf Date: Thu, 24 Apr 2025 15:20:00 +0000 Subject: [PATCH 0025/1736] Fix the links to issues (#723) --- docs/development/roadmap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index e8a047a037..52d7201ead 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -21,7 +21,7 @@ This is the current list of features that must be implemented to get to a stable - [ ] General documentation improvements - [ ] **General improvements** - - [ ] Provide a proper fix for #74, #80 & #235 + - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - [ ] The apt/dpkg profiles needs to be reworked ## Next features From ce8e54c15fb11d3b9da1296e3890321daa01f6cc Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 25 Apr 2025 09:09:37 -0600 Subject: [PATCH 0026/1736] Allow vim to read spell files https://vimhelp.org/spell.txt.html --- apparmor.d/abstractions/app/editor | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 3992fb7b03..d21930d813 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -25,6 +25,7 @@ owner @{HOME}/.selected_editor r, owner @{HOME}/.viminf@{c}{,.tmp} rw, + owner @{HOME}/.vim/{after/,}spell/{,**} rw, owner @{HOME}/.vimrc r, owner @{HOME}/ r, From 3295a1334a7bbbe66b1f857a43d414ed96534455 Mon Sep 17 00:00:00 2001 From: beroal Date: Fri, 25 Apr 2025 20:14:49 +0300 Subject: [PATCH 0027/1736] webcam (#729) * webcam * webcam comment --- apparmor.d/groups/kde/baloo | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 75532a7730..5ceb04725f 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -53,6 +53,7 @@ profile baloo @{exec_path} { @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA From b3da8d4be7ebca1021d418013a84b52a60492dbb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Apr 2025 17:23:30 +0200 Subject: [PATCH 0028/1736] feat(profile): update steam profiles. --- apparmor.d/groups/steam/steam | 9 ++++++++- apparmor.d/groups/steam/steam-fossilize | 6 ++++-- apparmor.d/groups/steam/steam-game-native | 2 +- apparmor.d/groups/steam/steam-game-proton | 20 +++++++++++++++++-- apparmor.d/groups/steam/steam-gameoverlayui | 4 +++- apparmor.d/groups/steam/steam-launch | 7 ++++++- apparmor.d/groups/steam/steam-launcher | 2 +- apparmor.d/groups/steam/steam-runtime | 9 ++++++--- .../groups/steam/steam-runtime-steam-remote | 2 +- apparmor.d/groups/steam/steamerrorreporter | 2 +- 10 files changed, 49 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 9cb5ac86bc..a29a396874 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -21,7 +21,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -174,6 +174,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/steam/** rwk, owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + owner @{tmp}/steam@{rand6} rwk, owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, @@ -292,6 +293,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/host/@{lib}/** rix, @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/config/htmlcache/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/linux{32,64}/steamclient.so mr, @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, @@ -302,12 +305,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, /usr/local/lib/ r, /var/tmp/ r, + /home/ r, owner /bindfile@{rand6} rw, owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, + owner @{HOME}/ r, + owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, @@ -348,6 +354,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, + @{PROC}/version r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, diff --git a/apparmor.d/groups/steam/steam-fossilize b/apparmor.d/groups/steam/steam-fossilize index e3e7f87e28..a5dd65b7ce 100644 --- a/apparmor.d/groups/steam/steam-fossilize +++ b/apparmor.d/groups/steam/steam-fossilize @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -39,11 +39,13 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/@{pids}/statm r, + @{PROC}/@{pid}/statm r, @{PROC}/pressure/io r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny network inet stream, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/groups/steam/steam-game-native b/apparmor.d/groups/steam/steam-game-native index ca80801d76..ba06d56a41 100644 --- a/apparmor.d/groups/steam/steam-game-native +++ b/apparmor.d/groups/steam/steam-game-native @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index 3c4695e4fb..de0b0a2955 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -6,7 +6,8 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -35,18 +36,24 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, @{bin}/bwrap mrix, + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/env rix, @{bin}/chmod rix, @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/ldconfig rix, + @{bin}/ln rix, @{bin}/localedef rix, - @{python_path} rix, + @{bin}/mkdir rix, @{bin}/readlink rix, + @{bin}/rm rix, @{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, + @{python_path} rix, @{open_path} rix, @{lib_dirs}/** mr, @@ -54,6 +61,14 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + # TODO stack with steam ? rpx -> steam-game-proton&//steam, + @{runtime_dirs}/run.sh rix, + @{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix, + @{runtime_dirs}/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/run.sh rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-identify-library-abi rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/** mrix, @{run}/host/@{bin}/ldconfig rix, @@ -72,6 +87,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, + owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw, owner @{app_dirs}/Proton*/** rwkl, owner @{share_dirs}/*.dll r, diff --git a/apparmor.d/groups/steam/steam-gameoverlayui b/apparmor.d/groups/steam/steam-gameoverlayui index 0cd8371356..278b47e981 100644 --- a/apparmor.d/groups/steam/steam-gameoverlayui +++ b/apparmor.d/groups/steam/steam-gameoverlayui @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -49,6 +49,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { owner @{share_dirs}/resource/{,**} rk, owner @{share_dirs}/userdata/@{int}/{,**} rk, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, + owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, diff --git a/apparmor.d/groups/steam/steam-launch b/apparmor.d/groups/steam/steam-launch index 4929c1d569..321c9c9c5d 100644 --- a/apparmor.d/groups/steam/steam-launch +++ b/apparmor.d/groups/steam/steam-launch @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -36,6 +36,8 @@ profile steam-launch @{exec_path} { @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, + @{lib_dirs}/** mr, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @@ -44,7 +46,10 @@ profile steam-launch @{exec_path} { /usr/local/ r, owner @{share_dirs}/bootstrap.tar.xz rw, + owner @{share_dirs}/logs/ r, + owner @{share_dirs}/logs/* rwk, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/ rw, owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/groups/steam/steam-launcher b/apparmor.d/groups/steam/steam-launcher index 0bd8c67d3d..e73b30d1a0 100644 --- a/apparmor.d/groups/steam/steam-launcher +++ b/apparmor.d/groups/steam/steam-launcher @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/groups/steam/steam-runtime b/apparmor.d/groups/steam/steam-runtime index 2a3e839ffd..543324c0fe 100644 --- a/apparmor.d/groups/steam/steam-runtime +++ b/apparmor.d/groups/steam/steam-runtime @@ -6,7 +6,8 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -50,16 +51,17 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{lib}/ r, @{lib_dirs}/ r, + owner @{HOME}/ r, owner @{HOME}/.steam/steam.pipe r, owner @{app_dirs}/*/ r, owner @{app_dirs}/config/config.vdf{,.*} rw, owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, - owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, + owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk, owner @{app_dirs}/@{runtime}/var/** rwk, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, - owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**, owner @{share_dirs}/config/config.vdf{,.*} rw, owner @{share_dirs}/steamapps/appmanifest_* rw, @@ -78,6 +80,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/steam/steam-runtime-steam-remote b/apparmor.d/groups/steam/steam-runtime-steam-remote index 93a93e8925..b7d5f2b152 100644 --- a/apparmor.d/groups/steam/steam-runtime-steam-remote +++ b/apparmor.d/groups/steam/steam-runtime-steam-remote @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/groups/steam/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter index 27fe69be90..b4d5f3e686 100644 --- a/apparmor.d/groups/steam/steamerrorreporter +++ b/apparmor.d/groups/steam/steamerrorreporter @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} From e15dfdc33eb6597f321d1f21561b68fc581493aa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Apr 2025 17:27:27 +0200 Subject: [PATCH 0029/1736] feat(profiles): smallupdate to gnome profiles. --- apparmor.d/groups/gnome/gnome-control-center | 2 -- apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/gnome/localsearch | 2 ++ apparmor.d/groups/gnome/loupe | 3 ++- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 195a72d39d..07f6a05998 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -35,8 +35,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=unconfined, signal send set=kill peer=passwd, - unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 15d8f7268a..05156bac1c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -65,7 +65,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), # Owned by gnome-shell diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 448e517a5a..74a4e0f366 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -33,6 +33,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { @{lib}/localsearch-extractor-3 ix, # nnp /usr/share/localsearch3/{,**} r, + /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, # Allow to search user files @@ -47,6 +48,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner /var/tmp/etilqs_@{hex15} rw, owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex12}@{h} rw, owner @{tmp}/etilqs_@{hex12}@{hex2} rw, owner @{tmp}/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{hex16} rw, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 75835395ab..4ee0d9268d 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -42,6 +42,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -50,7 +51,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=loupe, + signal receive set=kill peer=loupe, @{bin}/bwrap mr, @{lib}/glycin-loaders/*/glycin-* rix, From dca81f4a1e3dcfb67ab716cbb964ab5c6464dae1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Apr 2025 17:28:10 +0200 Subject: [PATCH 0030/1736] chore(abs): comment the use of keyfile in dconf. --- apparmor.d/abstractions/dconf-write | 2 +- apparmor.d/abstractions/dconf.d/complete | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 3f25c66af6..72a9435270 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -10,7 +10,7 @@ include include - owner @{user_config_dirs}/glib-2.0/settings/keyfile w, + owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ w, owner @{run}/user/@{uid}/dconf/user w, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index b207e45391..1796c7ca0a 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -4,7 +4,7 @@ /usr/share/dconf/profile/gdm r, - owner @{user_config_dirs}/glib-2.0/settings/keyfile r, + owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ r, From 5bfebf6ea525945042a14d98d5358dd005d5ef76 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Apr 2025 17:34:30 +0200 Subject: [PATCH 0031/1736] feat(profile): small general improvments. --- apparmor.d/groups/flatpak/flatpak | 6 +++++- apparmor.d/groups/freedesktop/xdg-desktop-portal-kde | 8 ++++++++ apparmor.d/profiles-a-f/finalrd | 3 +-- apparmor.d/profiles-s-z/spotify | 2 ++ apparmor.d/profiles-s-z/syncthing | 4 ++++ 5 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 42d9fd9c37..c958bd2cd8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -98,7 +98,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, owner /dev/shm/flatpak*/{,**} rw, - @{run}/.userns r, + @{run}/.userns r, + @{att}/@{run}/.userns r, + @{run}/user/@{uid}/.dbus-proxy/ w, @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/.dbus-proxy/* rw, @@ -146,6 +148,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include + capability setuid, + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 3b02d2b169..8c1c1686f8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -10,10 +10,12 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include + include include include include include + include network inet dgram, network inet6 dgram, @@ -27,8 +29,14 @@ profile xdg-desktop-portal-kde @{exec_path} { #aa:exec kioworker + /usr/share/plasma/look-and-feel/** r, + + owner @{HOME}/ r, + owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, + owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index 7578b505dc..bb68e873e1 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -65,9 +65,8 @@ profile finalrd @{exec_path} { include include - @{bin}/ldd mr, + @{bin}/* mr, @{lib}/@{multiarch}/ld-linux-*so* mrix, - @{lib}/ld-linux.so* mr, include if exists } diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a6d349b9cb..1a0bd0ea92 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -36,6 +36,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, + owner @{HOME}/.tmp rw, + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index d03ece9e4b..6ff0fe7e94 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -36,10 +36,14 @@ profile syncthing @{exec_path} { @{user_sync_dirs}/{,**} rw, @{PROC}/@{pids}/net/route r, + @{PROC}/bus/pci/devices r, + @{PROC}/modules r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, include if exists } From 2bc87f68a80fe12e6d725b18ef20c17dbe122ea6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:20:22 +0200 Subject: [PATCH 0032/1736] tests(packer): define more common cloud init resources. --- Justfile | 2 +- .../cloud-init/archlinux-cosmic.user-data.yml | 28 ++----- .../cloud-init/archlinux-gnome.user-data.yml | 31 ++------ tests/cloud-init/archlinux-kde.user-data.yml | 31 ++------ .../cloud-init/archlinux-server.user-data.yml | 53 ++----------- tests/cloud-init/archlinux-xfce.user-data.yml | 31 ++------ tests/cloud-init/archlinux.yml | 47 ++++++++++++ tests/cloud-init/common.yml | 22 ++++++ tests/cloud-init/debian.yml | 64 ++++++++++++++++ tests/cloud-init/debian12-gnome.user-data.yml | 45 ++--------- .../cloud-init/debian12-server.user-data.yml | 43 ++--------- .../cloud-init/debian13-server.user-data.yml | 37 ++------- tests/cloud-init/opensuse-gnome.user-data.yml | 19 +---- tests/cloud-init/opensuse-kde.user-data.yml | 19 +---- .../cloud-init/opensuse-server.user-data.yml | 35 +-------- tests/cloud-init/opensuse.yml | 16 ++++ tests/cloud-init/ubuntu.yml | 76 +++++++++++++++++++ .../cloud-init/ubuntu24-desktop.user-data.yml | 45 +---------- .../cloud-init/ubuntu24-kubuntu.user-data.yml | 8 ++ .../cloud-init/ubuntu24-server.user-data.yml | 34 +-------- .../cloud-init/ubuntu25-desktop.user-data.yml | 45 +---------- .../cloud-init/ubuntu25-server.user-data.yml | 7 ++ tests/packer/builds.pkr.hcl | 7 +- 23 files changed, 311 insertions(+), 434 deletions(-) create mode 100644 tests/cloud-init/archlinux.yml create mode 100644 tests/cloud-init/debian.yml create mode 100644 tests/cloud-init/opensuse.yml create mode 100644 tests/cloud-init/ubuntu.yml create mode 100644 tests/cloud-init/ubuntu24-kubuntu.user-data.yml create mode 100644 tests/cloud-init/ubuntu25-server.user-data.yml diff --git a/Justfile b/Justfile index 740b29cc11..1558ebef89 100644 --- a/Justfile +++ b/Justfile @@ -201,7 +201,7 @@ create dist flavor: --vcpus {{vcpus}} \ --ram {{ram}} \ --machine q35 \ - --boot uefi \ + {{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \ --memorybacking source.type=memfd,access.mode=shared \ --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index 70d446076a..be623e625e 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -3,9 +3,7 @@ packages: # Install core packages - apparmor - - audit - base-devel - - firewalld - qemu-guest-agent - rng-tools - spice-vdagent @@ -26,14 +24,14 @@ packages: - cups-pdf - system-config-printer - # Install Graphical Interface - - cosmic - # Install Applications - firefox - chromium - terminator + # Install Graphical Interface + - cosmic + runcmd: # Regenerate grub.cfg - grub-mkconfig -o /boot/grub/grub.cfg @@ -53,20 +51,6 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index 1fa1c9c1d8..c292993c1e 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -4,7 +4,6 @@ packages: # Install core packages - apparmor - base-devel - - firewalld - qemu-guest-agent - rng-tools - spice-vdagent @@ -25,17 +24,17 @@ packages: - cups-pdf - system-config-printer + # Install Applications + - firefox + - chromium + - terminator + # Install Graphical Interface - gnome - gnome-extra - seahorse - alacarte - # Install Applications - - firefox - - chromium - - terminator - runcmd: # Regenerate grub.cfg - grub-mkconfig -o /boot/grub/grub.cfg @@ -55,20 +54,6 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index 5953eab2e2..c89b3a25c8 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -4,7 +4,6 @@ packages: # Install core packages - apparmor - base-devel - - firewalld - qemu-guest-agent - rng-tools - spice-vdagent @@ -25,6 +24,11 @@ packages: - cups-pdf - system-config-printer + # Install Applications + - firefox + - chromium + - terminator + # Install Graphical Interface - plasma-meta - sddm @@ -33,11 +37,6 @@ packages: - konsole - okular - # Install Applications - - firefox - - chromium - - terminator - runcmd: # Regenerate grub.cfg - grub-mkconfig -o /boot/grub/grub.cfg @@ -57,20 +56,6 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml index e0edaca167..2b35671713 100644 --- a/tests/cloud-init/archlinux-server.user-data.yml +++ b/tests/cloud-init/archlinux-server.user-data.yml @@ -1,22 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget +packages: *core-packages runcmd: # Regenerate grub.cfg @@ -34,34 +18,7 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index e9f4a78a64..54329bfb8d 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -4,7 +4,6 @@ packages: # Install core packages - apparmor - base-devel - - firewalld - qemu-guest-agent - rng-tools - spice-vdagent @@ -25,17 +24,17 @@ packages: - cups-pdf - system-config-printer + # Install Applications + - firefox + - chromium + - terminator + # Install Graphical Interface - xfce4 - xfce4-goodies - lightdm - lightdm-gtk-greeter - # Install Applications - - firefox - - chromium - - terminator - runcmd: # Regenerate grub.cfg - grub-mkconfig -o /boot/grub/grub.cfg @@ -55,20 +54,6 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml new file mode 100644 index 0000000000..d860f1a1e9 --- /dev/null +++ b/tests/cloud-init/archlinux.yml @@ -0,0 +1,47 @@ +#cloud-config + +# Core packages for Archlinux +core-packages: &core-packages + # Install core packages + - apparmor + - base-devel + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + +# Core desktop packages for Archlinux +desktop-packages: &desktop-packages + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Applications + - firefox + - chromium + - terminator + +# Enable AppArmor in kernel parameters +grub-enable-apparmor: &grub-enable-apparmor + path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" + +# Set some bash aliases +setup-bash-aliases: &setup-bash-aliases + path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml index ac619c879a..2048e53682 100644 --- a/tests/cloud-init/common.yml +++ b/tests/cloud-init/common.yml @@ -15,3 +15,25 @@ users: package_update: true package_upgrade: true package_reboot_if_required: false + +# Mount shared directory +shared-directory: &shared-directory + path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + +# Network configuration for server +systemd-netword: &systemd-netword + path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml new file mode 100644 index 0000000000..cead162a4e --- /dev/null +++ b/tests/cloud-init/debian.yml @@ -0,0 +1,64 @@ +#cloud-config + +# Core packages for Debian +core-packages: &core-packages + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + +gnome-packages: &desktop-packages + # Core packages for Debian + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + + # Gnome packages for Debian + - spice-vdagent + - task-gnome-desktop + - terminator + +kde-packages: &kubuntu-packages + # Core packages for Debian + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + + # KDE packages for Debian + - spice-vdagent + - task-kde-desktop + - terminator + +debian12-runcmd: &debian12-runcmd + - apt-get update -y + - apt-get install -y -t bookworm-backports golang-go + +debian13-runcmd: &debian13-runcmd + - apt-get update -y + - apt-get install -y golang-go + +# Add backports repository +debian12-backports: &debian12-backports + path: /etc/apt/sources.list + append: true + content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free diff --git a/tests/cloud-init/debian12-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml index 5ce6cedf50..fbb3d12322 100644 --- a/tests/cloud-init/debian12-gnome.user-data.yml +++ b/tests/cloud-init/debian12-gnome.user-data.yml @@ -1,45 +1,10 @@ #cloud-config -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - rsync - - spice-vdagent - - task-gnome-desktop - - vim +packages: *gnome-packages -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go +runcmd: *debian12-runcmd write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *debian12-backports # Add backports repository + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian12-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml index aef29f5794..cec721285e 100644 --- a/tests/cloud-init/debian12-server.user-data.yml +++ b/tests/cloud-init/debian12-server.user-data.yml @@ -1,43 +1,10 @@ #cloud-config -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - rsync - - vim +packages: *core-packages -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go +runcmd: *debian12-runcmd write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *debian12-backports # Add backports repository + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml index 1400584baa..6925487707 100644 --- a/tests/cloud-init/debian13-server.user-data.yml +++ b/tests/cloud-init/debian13-server.user-data.yml @@ -1,36 +1,9 @@ #cloud-config -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - htop - - qemu-guest-agent - - rsync - - vim +packages: *core-packages -write_files: - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* +runcmd: *debian13-runcmd - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 406b4445da..3ab5a6c08c 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,21 +1,6 @@ #cloud-config -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - go - - golang-packaging - - htop - - make - - rpmbuild - - rsync - - vim +packages: *core-packages write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 406b4445da..3ab5a6c08c 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,21 +1,6 @@ #cloud-config -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - go - - golang-packaging - - htop - - make - - rpmbuild - - rsync - - vim +packages: *core-packages write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml index 7699fb0747..98b78ec80b 100644 --- a/tests/cloud-init/opensuse-server.user-data.yml +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -1,36 +1,7 @@ #cloud-config -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - go - - golang-packaging - - htop - - make - - rpmbuild - - rsync - - vim +packages: *core-packages write_files: - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml new file mode 100644 index 0000000000..1adf2b6eb1 --- /dev/null +++ b/tests/cloud-init/opensuse.yml @@ -0,0 +1,16 @@ +#cloud-config + +# Core packages for OpenSUSE +core-packages: &core-packages + - apparmor-profiles + - bash-completion + - distribution-release + - git + - go + - golang-packaging + - htop + - make + - rpmbuild + - rsync + - vim + diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml new file mode 100644 index 0000000000..ba640e3afb --- /dev/null +++ b/tests/cloud-init/ubuntu.yml @@ -0,0 +1,76 @@ +#cloud-config + +# Core packages for Ubuntu +core-packages: &core-packages + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + +desktop-packages: &desktop-packages + # Core packages for Ubuntu + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + + # Desktop packages for Ubuntu + - spice-vdagent + - terminator + - ubuntu-desktop + +kubuntu-packages: &kubuntu-packages + # Core packages for Ubuntu + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + + # Desktop packages for Ubuntu + - spice-vdagent + - terminator + - kubuntu-desktop + +desktop-runcmd: &desktop-runcmd + # Add missing snap packages + - snap install snap-store + - snap install snapd-desktop-integration + - snap install --edge desktop-security-center + + # Remove default filesystem and related tools not used with the suggested + # storage layout. These may yet be required if different partitioning schemes + # are used. + - apt-get -y purge btrfs-progs xfsprogs + + # Remove other packages present by default in Ubuntu Server but not + # normally present in Ubuntu Desktop. + - >- + apt-get -y purge + byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader + mdadm motd-news-config ncurses-term open-iscsi open-vm-tools + screen sg3-utils sosreport ssh-import-id sssd tmux + + # Finally, remove things only installed as dependencies of other things + # we have already removed. + - apt-get -y autoremove diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index d1b1f169cc..7f4183d494 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -1,47 +1,8 @@ #cloud-config -# Based on https://github.com/canonical/autoinstall-desktop +packages: *desktop-packages -packages: - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - linux-generic-hwe-24.04 - - qemu-guest-agent - - rsync - - spice-vdagent - - terminator - - ubuntu-desktop - - vim - -runcmd: - # Add missing snap packages - - snap install snap-store - - snap install snapd-desktop-integration - - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader - mdadm motd-news-config ncurses-term open-iscsi open-vm-tools - screen sg3-utils sosreport ssh-import-id sssd tmux - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove +runcmd: *desktop-runcmd write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml new file mode 100644 index 0000000000..d4139c2f7c --- /dev/null +++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml @@ -0,0 +1,8 @@ +#cloud-config + +packages: *kubuntu-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml index 8e9c7bd389..98b78ec80b 100644 --- a/tests/cloud-init/ubuntu24-server.user-data.yml +++ b/tests/cloud-init/ubuntu24-server.user-data.yml @@ -1,35 +1,7 @@ #cloud-config -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - htop - - qemu-guest-agent - - rsync - - vim +packages: *core-packages write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu25-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml index 881e9b4e97..7f4183d494 100644 --- a/tests/cloud-init/ubuntu25-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu25-desktop.user-data.yml @@ -1,47 +1,8 @@ #cloud-config -# Based on https://github.com/canonical/autoinstall-desktop +packages: *desktop-packages -packages: - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - linux-generic-hwe-24.04 - - qemu-guest-agent - - rsync - - spice-vdagent - - terminator - - ubuntu-desktop - - vim - -runcmd: - - snap install snap-store - - snap install snapd-desktop-integration - - snap install --edge desktop-security-center - - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader - mdadm motd-news-config ncurses-term open-iscsi open-vm-tools - screen sg3-utils sosreport ssh-import-id sssd tmux - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove +runcmd: *desktop-runcmd write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/ubuntu25-server.user-data.yml b/tests/cloud-init/ubuntu25-server.user-data.yml new file mode 100644 index 0000000000..98b78ec80b --- /dev/null +++ b/tests/cloud-init/ubuntu25-server.user-data.yml @@ -0,0 +1,7 @@ +#cloud-config + +packages: *core-packages + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 674a295b10..48a5fafb63 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -32,7 +32,7 @@ source "qemu" "default" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = format("%s\n%s", + "user-data" = format("%s\n%s\n%s", templatefile("${path.cwd}/tests/cloud-init/common.yml", { username = "${var.username}" @@ -41,6 +41,7 @@ source "qemu" "default" { hostname = "${local.name}" } ), + file("${path.cwd}/tests/cloud-init/${regex_replace(var.dist, "[0-9]*$", "")}.yml"), file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") ) } @@ -70,10 +71,10 @@ build { "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", # Ensure cloud-init is successful - "cloud-init status", + # "cloud-init status", # Remove logs and artifacts so cloud-init can re-run - "cloud-init clean", + # "cloud-init clean", # Install local files and config "bash /tmp/init.sh", From 475d8dc082cdc6bc6048ce3d0838249071d1f8d3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:28:18 +0200 Subject: [PATCH 0033/1736] doc: small update & improvements. --- docs/configuration.md | 4 ++-- docs/development/dbus.md | 2 ++ docs/development/roadmap.md | 9 ++++++++- docs/development/vm.md | 40 ++++++++++++++++++++++++++----------- docs/full-system-policy.md | 2 ++ 5 files changed, 42 insertions(+), 15 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index dda450a85f..fd8a5d38c0 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -32,7 +32,7 @@ The profiles heavily use the **largely extended** [XDG directory variables](#xdg ``` 3. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl restart apparmor.service + sudo systemctl reload apparmor.service ``` ### Profile Additions @@ -55,7 +55,7 @@ By default, `nautilus` (and any file browser) only allows access to user files. ``` 2. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl restart apparmor.service + sudo systemctl reload apparmor.service ``` ### XDG variables diff --git a/docs/development/dbus.md b/docs/development/dbus.md index e4133e5d14..165626f24f 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md @@ -20,6 +20,8 @@ Default **system**, **session**, and **accessibility** bus access are provided w - `abstractions/bus-session` - `abstractions/bus-accessibility` +Do not use the dbus abstractions from apparmor in this project, they won't work as expected as the dbus daemon is confined. Furthermore, in `apparmor.d` there is no such thing as a strict dbus abstraction (`abstractions/dbus-strict`) as they are strict by default: bus access needs to be explicitly allowed using an interface abstraction or a directive. + ### Interfaces Access to common dbus interfaces is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed. diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 52d7201ead..75cbcdd106 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -6,7 +6,7 @@ title: Roadmap This is the current list of features that must be implemented to get to a stable release -- [ ] **Play machine** +- [x] **Play machine** - [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - [x] Move most profiles into groups such that @@ -24,6 +24,13 @@ This is the current list of features that must be implemented to get to a stable - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - [ ] The apt/dpkg profiles needs to be reworked +- [ ] Build system + - [ ] Continuous release on the main branch, ~2 releases per week + - [ ] Provide packages repo for ubuntu/debian + - [ ] Provide complain/enforced packages version + - [ ] Add a `just` target to install the profiles in the right place + - [ ] Fully drop the Makefile in favor of `just` + ## Next features - [ ] **Conditions** diff --git a/docs/development/vm.md b/docs/development/vm.md index ead82ed0fa..66630022ef 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -5,32 +5,48 @@ title: Development VM To ensure compatibility across distribution, this project ships a wide range of development and tests VM images. The test VMs can be built locally using [cloud-init](https://cloud-init.io/), [packer](https://www.packer.io/) on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. -The VMs are fully managed using a [justfile](https://github.com/casey/just) that provide an integration environment helper for `apparmor.d`. +The VMs are fully managed using a [justfile](https://github.com/casey/just) that provides an integration environment helper for `apparmor.d`. ```sh $ just ``` ``` -Integration environment helper for apparmor.d - Available recipes: - default # Show this help message - package dist # Build the apparmor.d package - img dist flavor # Build the image - vm dist flavor # Create the machine + help # Show this help message + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + complain # Prebuild the profiles in complain mode + fsp # Prebuild the profiles in FSP mode + install # Install the profiles + pkg # Build & install apparmor.d on Arch based systems + dpkg # Build & install apparmor.d on Debian based systems + rpm # Build & install apparmor.d on OpenSUSE based systems + tests # Run the unit tests + lint # Run the linters + check # Run style checks on the profiles + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation + clean # Remove all build artifacts + package dist # Build the package in a clean OCI container + img dist flavor # Build the VM image + create dist flavor # Create the machine up dist flavor # Start a machine halt dist flavor # Stops the machine + reboot dist flavor # Reboot the machine destroy dist flavor # Destroy the machine ssh dist flavor # Connect to the machine list # List the machines - images # List the machine images - available # List the machine that can be created + images # List the VM images + available # List the VM images that can be created + init dist flavor # Install dependencies for the bats integration tests integration dist flavor # Run the integration tests on the machine - lint # Run the linters - clean # Remove the machine images get_ip dist flavor get_osinfo dist + +See https://apparmor.pujol.io/development/ for more information. + ``` ## Requirements @@ -88,7 +104,7 @@ archlinux gnome 3.3G Mar 1 14:49 The VM can then be created with: ```sh -$ just vm archlinux gnome +$ just create archlinux gnome ``` And connected to with: diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 80da55c2a6..c747cb7397 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -29,6 +29,8 @@ Particularly: - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. - FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. +- PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. + ## Installation From 4d706f35987492e0f95256df47fc3af2f8cdf070 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:30:10 +0200 Subject: [PATCH 0034/1736] build: be more verbose when file sync fail. --- pkg/paths/paths.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index 9126118506..357b9c2f7b 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -391,7 +391,11 @@ func CopyTo(src *Path, dst *Path) error { // CopyFS copies the file system fsys into the directory dir, // creating dir if necessary. It is the exivalent of os.CopyFS with Path. func (p *Path) CopyFS(dst *Path) error { - return os.CopyFS(dst.String(), os.DirFS(p.String())) + err := os.CopyFS(dst.String(), os.DirFS(p.String())) + if err != nil { + return fmt.Errorf("copying %s to %s: %s", p, dst, err) + } + return nil } // CopyDirTo recursively copies the directory denoted by the current path to From 532676b4214e833450748c4c134869f9bcaf6b3b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:33:44 +0200 Subject: [PATCH 0035/1736] build: improve documentation about overwriten profiles. Make it clear why a given profile is overwriten from upstream. --- dists/overwrite | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 1464f03ff2..5bc00f9fe8 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -1,8 +1,8 @@ -# Apparmor 4.0 ships several profiles that allow userns and are otherwise -# unconfined. This file keeps track of them and allow apparmor.d to replace -# them by our own. +# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d +# This file keeps track of them and allow apparmor.d to replace them by our own. # File format: one profile name by line. +# Overwrite unconfined upstream profiles that only allow userns brave chrome chromium @@ -12,22 +12,30 @@ firefox flatpak foliate loupe -lsblk -lsusb msedge mullvad nautilus -openvpn opera os-prober plasmashell -remmina signal-desktop slirp4netns steam systemd-coredump thunderbird -transmission -unix-chkpwd virtiofsd + +# Overwrite upstreamed profiles, our local version may be more up to date +unix-chkpwd + +# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while +# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: +# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better +fusermount3 +lsblk +lsusb +openvpn +remmina +transmission wg-quick From 4bb57bed22b1eda8430e5901948338cf5c658fee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:35:46 +0200 Subject: [PATCH 0036/1736] doc: update aa-log man page. --- share/man/man8/aa-log.8 | 42 ++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 index 42c9a3560f..62f40966e9 100644 --- a/share/man/man8/aa-log.8 +++ b/share/man/man8/aa-log.8 @@ -1,10 +1,10 @@ -.\" Automatically generated by Pandoc 3.1.9 +.\" Automatically generated by Pandoc 3.1.12.1 .\" -.TH "aa-log" "8" "September 2024" "" "" +.TH "aa\-log" "8" "September 2024" "" "" .SH NAME -aa-log \[em] Review AppArmor generated messages in a colorful way. +aa\-log \[em] Review AppArmor generated messages in a colorful way. .SH SYNOPSIS -\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .SH DESCRIPTION Review AppArmor generated messages in a colourful way. Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R] @@ -13,48 +13,48 @@ as well as \f[I]dbus session\f[R] events. It can be given an optional profile name to filter the output with. .PP It can be used to generate AppArmor rules from the logs and it therefore -an alternative to \f[CR]aa-logprof(8)\f[R]. +an alternative to \f[CR]aa\-logprof(8)\f[R]. The generated rules should be manually reviewed and inserted into the profile. .PP Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: -\f[B]aa-log -f 1\f[R] parses \f[CR]audit.log.1\f[R] +\f[B]aa\-log \-f 1\f[R] parses \f[CR]audit.log.1\f[R] .SH OPTIONS -\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .TP [\f[I]profile\f[R]] Optional profile name to filter the output with. .TP -\f[CR]--file\f[R], \f[CR]-f\f[R] +\f[CR]\-\-file\f[R], \f[CR]\-f\f[R] Set a logfile or a suffix to the default log file. .TP -\f[CR]--systemd\f[R], \f[CR]-s\f[R] +\f[CR]\-\-systemd\f[R], \f[CR]\-s\f[R] Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. .TP -\f[CR]--rules\f[R], \f[CR]-r\f[R] +\f[CR]\-\-rules\f[R], \f[CR]\-r\f[R] Convert the log into AppArmor rules. .TP -\f[CR]--raw\f[R], \f[CR]-R\f[R] +\f[CR]\-\-raw\f[R], \f[CR]\-R\f[R] Print the raw log without any formatting. Useful for reporting logs. .TP -\f[CR]--help\f[R], \f[CR]-h\f[R] +\f[CR]\-\-help\f[R], \f[CR]\-h\f[R] Print the program usage. .SH USAGE To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]: .IP .EX -aa-log +aa\-log .EE .PP To optionally filter a given profile name: -\f[CR]aa-log \f[R] (your shell will autocomplete the +\f[CR]aa\-log \f[R] (your shell will autocomplete the profile name): .IP .EX -$ aa-log dnsmasq +$ aa\-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r @@ -63,7 +63,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r To generate AppArmor rule: .IP .EX -$ aa-log -r dnsmasq +$ aa\-log \-r dnsmasq profile dnsmasq { \[at]{PROC}/\[at]{pid}/environ r, \[at]{PROC}/cmdline r, @@ -71,9 +71,9 @@ profile dnsmasq { } .EE .SH SEE ALSO -\f[CR]aa-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], -\f[CR]apparmor.d(5)\f[R], \f[CR]aa-genprof(1)\f[R], -\f[CR]aa-enforce(1)\f[R], \f[CR]aa-complain(1)\f[R], -\f[CR]aa-disable(1)\f[R], and https://apparmor.pujol.io. +\f[CR]aa\-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], +\f[CR]apparmor.d(5)\f[R], \f[CR]aa\-genprof(1)\f[R], +\f[CR]aa\-enforce(1)\f[R], \f[CR]aa\-complain(1)\f[R], +\f[CR]aa\-disable(1)\f[R], and https://apparmor.pujol.io. .SH AUTHORS -aa-log was written by Alexandre Pujol (alexandre\[at]pujol.io). +aa\-log was written by Alexandre Pujol (alexandre\[at]pujol.io). From b8f2f38c7225a1eeab982ee242236be339e6c4b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:38:31 +0200 Subject: [PATCH 0037/1736] doc: improve justfile doc. --- Justfile | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/Justfile b/Justfile index 1558ebef89..1e626dc1c0 100644 --- a/Justfile +++ b/Justfile @@ -2,8 +2,6 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Integration environment for apparmor.d -# # Usage: # just # just img ubuntu24 server @@ -63,9 +61,8 @@ prefix := "aa-" [doc('Show this help message')] help: - @echo -e "Integration environment helper for apparmor.d\n" @just --list --unsorted - @echo -e "\nSee https://apparmor.pujol.io/development/vm/ for more information." + @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." [doc('Build the go programs')] build: @@ -160,7 +157,7 @@ clean: debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ .pkg/{{pkgname}}* {{build}} coverage.out -[doc('Build the apparmor.d package')] +[doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash set -eu -o pipefail @@ -175,7 +172,7 @@ package dist: fi bash dists/docker.sh $dist $version -[doc('Build the image')] +[doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} packer build -force \ @@ -238,7 +235,7 @@ list: @echo -e '\033[1m Id Distribution Flavor State\033[0m' @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' -[doc('List the images')] +[doc('List the VM images')] images: #!/usr/bin/env bash set -eu -o pipefail @@ -254,7 +251,7 @@ images: } ' -[doc('List the machine that can be created')] +[doc('List the VM images that can be created')] available: #!/usr/bin/env bash set -eu -o pipefail From fd17a77b179bde3eea91b4ad43b3032d0a8e4f88 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 21:27:57 +0200 Subject: [PATCH 0038/1736] feat(profile): use @{sbin} for all program inside /usr/sbin. --- apparmor.d/abstractions/app/kmod | 14 +++--- .../abstractions/authentication.d/complete | 2 +- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/_full/systemd-service | 6 +-- apparmor.d/groups/apparmor/aa-enforce | 4 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-status | 2 +- apparmor.d/groups/apparmor/aa-teardown | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- apparmor.d/groups/apparmor/apparmor.systemd | 6 +-- apparmor.d/groups/apparmor/apparmor_parser | 2 +- apparmor.d/groups/apt/apt | 4 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/apt/querybts | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 4 +- apparmor.d/groups/bluetooth/blueman-mechanism | 6 +-- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-anacron | 2 +- apparmor.d/groups/cron/cron-apt | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 2 +- apparmor.d/groups/cron/cron-cracklib | 2 +- apparmor.d/groups/cron/cron-exim4-base | 4 +- .../groups/cron/cron-ipset-autoban-save | 2 +- apparmor.d/groups/cron/cron-logrotate | 2 +- apparmor.d/groups/cron/cron-man-db | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- .../groups/cron/cron-popularity-contest | 6 +-- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/cups/cupsd | 4 +- apparmor.d/groups/filesystem/fsck.btrfs | 2 +- apparmor.d/groups/filesystem/fsck.fat | 2 +- apparmor.d/groups/filesystem/lvm | 2 +- apparmor.d/groups/filesystem/lvmconfig | 2 +- apparmor.d/groups/filesystem/lvmdump | 2 +- apparmor.d/groups/filesystem/lvmpolld | 2 +- apparmor.d/groups/filesystem/mke2fs | 4 +- apparmor.d/groups/filesystem/mkfs-btrfs | 2 +- apparmor.d/groups/filesystem/mkswap | 2 +- apparmor.d/groups/filesystem/mount-cifs | 2 +- apparmor.d/groups/filesystem/ntfsclone | 2 +- apparmor.d/groups/filesystem/ntfscp | 2 +- apparmor.d/groups/filesystem/ntfslabel | 2 +- apparmor.d/groups/filesystem/ntfsresize | 2 +- apparmor.d/groups/filesystem/ntfsundelete | 2 +- apparmor.d/groups/filesystem/udisksd | 16 +++---- apparmor.d/groups/filesystem/umount.udisks2 | 2 +- apparmor.d/groups/firewall/firewalld | 14 +++--- apparmor.d/groups/firewall/nft | 2 +- apparmor.d/groups/firewall/ufw | 6 +-- apparmor.d/groups/firewall/ufw-init | 6 +-- apparmor.d/groups/flatpak/flatpak-app | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 8 ++-- apparmor.d/groups/freedesktop/plymouthd | 2 +- .../groups/freedesktop/update-mime-database | 2 +- apparmor.d/groups/gnome/gnome-control-center | 4 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-macbless | 2 +- apparmor.d/groups/grub/grub-mkconfig | 6 +-- apparmor.d/groups/grub/grub-mkdevicemap | 2 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/grub/grub-probe | 4 +- apparmor.d/groups/grub/grub-reboot | 2 +- apparmor.d/groups/grub/grub-set-default | 2 +- apparmor.d/groups/grub/update-grub | 4 +- apparmor.d/groups/kde/kauth-kded-smart-helper | 2 +- .../kde/kauth-kinfocenter-dmidecode-helper | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 8 ++-- apparmor.d/groups/network/dhcpcd | 4 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/iwd | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/nm-dispatcher | 4 +- apparmor.d/groups/network/nm-openvpn-service | 2 +- apparmor.d/groups/network/openvpn | 12 ++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 4 +- apparmor.d/groups/network/wg-quick | 12 ++--- apparmor.d/groups/pacman/mkinitcpio | 6 +-- apparmor.d/groups/pacman/pacman | 18 ++++---- apparmor.d/groups/pacman/pacman-hook-depmod | 2 +- apparmor.d/groups/pacman/pacman-hook-dkms | 2 +- apparmor.d/groups/procps/sysctl | 2 +- apparmor.d/groups/shadow/chpasswd | 2 +- apparmor.d/groups/shadow/groupadd | 2 +- apparmor.d/groups/shadow/groupdel | 2 +- apparmor.d/groups/shadow/groupmod | 2 +- apparmor.d/groups/shadow/grpck | 2 +- apparmor.d/groups/shadow/pwck | 2 +- apparmor.d/groups/shadow/useradd | 4 +- apparmor.d/groups/shadow/userdel | 2 +- apparmor.d/groups/shadow/usermod | 2 +- apparmor.d/groups/snap/snapd | 12 ++--- apparmor.d/groups/snap/snapd-apparmor | 2 +- apparmor.d/groups/ssh/sshd | 4 +- apparmor.d/groups/steam/steam | 4 +- apparmor.d/groups/steam/steam-game-proton | 4 +- apparmor.d/groups/systemd/systemd-dissect | 2 +- apparmor.d/groups/systemd/systemd-fsck | 6 +-- .../systemd/systemd-generator-ds-identify | 2 +- apparmor.d/groups/systemd/systemd-homed | 6 +-- apparmor.d/groups/systemd/systemd-makefs | 4 +- .../groups/systemd/systemd-sulogin-shell | 2 +- apparmor.d/groups/systemd/systemd-udevd | 8 ++-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- .../groups/ubuntu/subiquity-console-conf | 4 +- .../groups/ubuntu/update-motd-fsck-at-reboot | 2 +- apparmor.d/groups/utils/agetty | 2 +- apparmor.d/groups/utils/blkid | 2 +- apparmor.d/groups/utils/blockdev | 2 +- apparmor.d/groups/utils/fsck | 6 +-- apparmor.d/groups/utils/fstrim | 2 +- apparmor.d/groups/utils/locale-gen | 2 +- apparmor.d/groups/utils/losetup | 2 +- apparmor.d/groups/utils/nologin | 2 +- apparmor.d/groups/utils/su | 2 +- apparmor.d/groups/utils/sulogin | 2 +- apparmor.d/groups/utils/swaplabel | 2 +- apparmor.d/groups/utils/swapon | 2 +- apparmor.d/groups/utils/uuidd | 2 +- apparmor.d/groups/utils/zramctl | 2 +- apparmor.d/groups/virt/cni-portmap | 2 +- apparmor.d/groups/virt/cockpit-bridge | 4 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/containerd | 2 +- apparmor.d/groups/virt/dockerd | 4 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/virt/libvirt-dbus | 4 +- apparmor.d/groups/virt/libvirtd | 20 ++++---- apparmor.d/groups/virt/virt-aa-helper | 2 +- apparmor.d/groups/virt/virtlockd | 2 +- apparmor.d/groups/virt/virtlogd | 2 +- apparmor.d/groups/virt/virtnetworkd | 2 +- apparmor.d/groups/virt/xtables | 2 +- apparmor.d/groups/whonix/pam-info | 2 +- apparmor.d/groups/whonix/whonix-firewalld | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 4 +- apparmor.d/profiles-a-f/acpid | 2 +- apparmor.d/profiles-a-f/adduser | 10 ++-- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/alsactl | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 4 +- apparmor.d/profiles-a-f/auditctl | 2 +- apparmor.d/profiles-a-f/auditd | 2 +- apparmor.d/profiles-a-f/augenrules | 4 +- apparmor.d/profiles-a-f/badblocks | 2 +- apparmor.d/profiles-a-f/biosdecode | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 6 +-- apparmor.d/profiles-a-f/borg | 2 +- apparmor.d/profiles-a-f/briar-desktop | 2 +- apparmor.d/profiles-a-f/calibre | 2 +- apparmor.d/profiles-a-f/cfdisk | 2 +- apparmor.d/profiles-a-f/cgdisk | 2 +- apparmor.d/profiles-a-f/check-bios-nx | 4 +- .../profiles-a-f/check-support-status-hook | 6 +-- apparmor.d/profiles-a-f/cracklib-packer | 2 +- apparmor.d/profiles-a-f/deluser | 6 +-- apparmor.d/profiles-a-f/dhclient-script | 6 +-- apparmor.d/profiles-a-f/dkms | 4 +- apparmor.d/profiles-a-f/dkms-autoinstaller | 2 +- apparmor.d/profiles-a-f/dmeventd | 2 +- apparmor.d/profiles-a-f/dmidecode | 2 +- apparmor.d/profiles-a-f/dmsetup | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/dumpe2fs | 2 +- apparmor.d/profiles-a-f/e2fsck | 4 +- apparmor.d/profiles-a-f/e2image | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 2 +- apparmor.d/profiles-a-f/f3fix | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 4 +- apparmor.d/profiles-a-f/fatlabel | 2 +- apparmor.d/profiles-a-f/fatresize | 2 +- apparmor.d/profiles-a-f/fdisk | 2 +- apparmor.d/profiles-a-f/finalrd | 2 +- apparmor.d/profiles-a-f/firecfg | 2 +- apparmor.d/profiles-a-f/frontend | 6 +-- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/gdisk | 2 +- apparmor.d/profiles-g-l/gparted | 8 ++-- apparmor.d/profiles-g-l/gpartedbin | 46 +++++++++---------- apparmor.d/profiles-g-l/gsmartcontrol | 4 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hdparm | 2 +- apparmor.d/profiles-g-l/hw-probe | 30 ++++++------ apparmor.d/profiles-g-l/hwinfo | 2 +- apparmor.d/profiles-g-l/hypnotix | 2 +- apparmor.d/profiles-g-l/ifconfig | 2 +- apparmor.d/profiles-g-l/ifup | 8 ++-- apparmor.d/profiles-g-l/initd-kexec | 2 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 +- apparmor.d/profiles-g-l/inxi | 10 ++-- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/iw | 2 +- apparmor.d/profiles-g-l/iwconfig | 2 +- apparmor.d/profiles-g-l/iwlist | 2 +- apparmor.d/profiles-g-l/kexec | 2 +- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/kodi | 2 +- apparmor.d/profiles-g-l/kvm-ok | 4 +- apparmor.d/profiles-g-l/logrotate | 4 +- apparmor.d/profiles-m-r/mkinitramfs | 8 ++-- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-m-r/monitorix | 4 +- apparmor.d/profiles-m-r/mpsyt | 2 +- apparmor.d/profiles-m-r/needrestart | 4 +- .../profiles-m-r/needrestart-apt-pinvoke | 2 +- .../needrestart-iucode-scan-versions | 2 +- apparmor.d/profiles-m-r/on-ac-power | 2 +- apparmor.d/profiles-m-r/os-prober | 6 +-- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 4 +- apparmor.d/profiles-m-r/parted | 4 +- apparmor.d/profiles-m-r/partprobe | 4 +- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/pcscd | 2 +- apparmor.d/profiles-m-r/rdmsr | 2 +- apparmor.d/profiles-m-r/resize2fs | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- apparmor.d/profiles-m-r/rfkill | 2 +- apparmor.d/profiles-m-r/rsyslogd | 2 +- apparmor.d/profiles-m-r/rtkitctl | 2 +- apparmor.d/profiles-m-r/run-parts | 8 ++-- apparmor.d/profiles-m-r/runuser | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/setvtrgb | 2 +- apparmor.d/profiles-s-z/sfdisk | 2 +- apparmor.d/profiles-s-z/sgdisk | 2 +- apparmor.d/profiles-s-z/smartctl | 2 +- apparmor.d/profiles-s-z/smartd | 2 +- .../profiles-s-z/spectre-meltdown-checker | 4 +- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- apparmor.d/profiles-s-z/tlp | 6 +-- apparmor.d/profiles-s-z/tomb | 14 +++--- apparmor.d/profiles-s-z/torsocks | 2 +- .../profiles-s-z/udev-bcache-export-cached | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 +- .../profiles-s-z/update-ca-certificates | 2 +- apparmor.d/profiles-s-z/update-cracklib | 6 +-- apparmor.d/profiles-s-z/update-initramfs | 4 +- apparmor.d/profiles-s-z/update-pciids | 2 +- .../profiles-s-z/update-secureboot-policy | 2 +- apparmor.d/profiles-s-z/update-smart-drivedb | 4 +- apparmor.d/profiles-s-z/updatedb-mlocate | 2 +- apparmor.d/profiles-s-z/veracrypt | 8 ++-- apparmor.d/profiles-s-z/vidcutter | 2 +- apparmor.d/profiles-s-z/virt-manager | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/whdd | 2 +- apparmor.d/profiles-s-z/wpa-action | 6 +-- apparmor.d/profiles-s-z/wpa-cli | 4 +- apparmor.d/profiles-s-z/wpa-supplicant | 2 +- apparmor.d/profiles-s-z/wrmsr | 2 +- apparmor.d/profiles-s-z/youtube-dl | 2 +- apparmor.d/profiles-s-z/ytdl | 2 +- apparmor.d/profiles-s-z/zsysd | 2 +- 270 files changed, 475 insertions(+), 475 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 25a0c0c38b..86bb7d78a8 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,13 +7,13 @@ include - @{bin}/depmod mr, - @{bin}/insmod mr, - @{bin}/kmod mr, - @{bin}/lsmod mr, - @{bin}/modinfo mr, - @{bin}/modprobe mr, - @{bin}/rmmod mr, + @{sbin}/depmod mr, + @{sbin}/insmod mr, + @{bin}/kmod mr, + @{sbin}/lsmod mr, + @{sbin}/modinfo mr, + @{sbin}/modprobe mr, + @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 450fa84d47..a4ed65e8ca 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -6,7 +6,7 @@ @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, #aa:only abi3 - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, #aa:only whonix @{lib}/security-misc/pam-abort-on-locked-password rPx, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d3a193244b..827e9fcf7a 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -173,7 +173,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { # Shell based systemd unit services # TODO: create unit profile for all of them - @{bin}/ldconfig Px -> systemd-service, + @{sbin}/ldconfig Px -> systemd-service, @{bin}/mandb Px -> systemd-service, @{bin}/savelog Px -> systemd-service, @{coreutils_path} Px -> systemd-service, diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service index dfe3000bcd..a53193cc52 100644 --- a/apparmor.d/groups/_full/systemd-service +++ b/apparmor.d/groups/_full/systemd-service @@ -21,7 +21,7 @@ profile systemd-service flags=(attach_disconnected) { capability chown, capability fsetid, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/savelog rix, @{bin}/systemctl rix, @{bin}/gzip rix, @@ -32,8 +32,8 @@ profile systemd-service flags=(attach_disconnected) { @{bin}/ifup rPx, # shadow.service - @{bin}/pwck rPx, - @{bin}/grpck rPx, + @{sbin}/pwck rPx, + @{sbin}/grpck rPx, @{bin}/grub-editenv rPx, @{bin}/ibus-daemon rPx, diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index da4d634606..fcf7dc7248 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable +@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable profile aa-enforce @{exec_path} { include include @@ -17,7 +17,7 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, @{bin}/ r, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 31622c1bdc..c6fc2dff2d 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -89,7 +89,7 @@ profile aa-notify @{exec_path} { ptrace read peer=aa-notify, - @{bin}/apparmor_parser Px, + @{sbin}/apparmor_parser Px, @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix, /usr/share/apparmor/** r, diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index a48dc693c3..17de744396 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status +@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status profile aa-status @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-teardown b/apparmor.d/groups/apparmor/aa-teardown index b625ad8c6f..059766181e 100644 --- a/apparmor.d/groups/apparmor/aa-teardown +++ b/apparmor.d/groups/apparmor/aa-teardown @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-teardown +@{exec_path} = @{sbin}/aa-teardown profile aa-teardown @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 08c401270f..7c53f7c8d6 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-unconfined +@{exec_path} = @{sbin}/aa-unconfined profile aa-unconfined @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index 79b3f1a861..cb862ff488 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/aa-status rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/aa-status rPx, + @{sbin}/apparmor_parser rPx, @{bin}/getconf rix, @{bin}/ls rix, @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rix, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index dc15d48b9e..0a9f9fcaf2 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -8,7 +8,7 @@ include @{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} -@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser +@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index fc5d1b3ccb..5c33a18667 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd +@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include include @@ -80,7 +80,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, @{bin}/localepurge rPx, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 29a1309c79..eb8a8cd8df 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, @{bin}/localepurge rPx, @{bin}/appstreamcli rPx, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index c71d9749c2..ef78528639 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dpkg-preconfigure +@{exec_path} = @{sbin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 85bd2e6c39..2a2063d8ef 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -31,7 +31,7 @@ profile querybts @{exec_path} { @{bin}/ r, @{sh_path} rix, @{bin}/stty rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{open_path} rPx -> child-open-browsers, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ae2e64e5d1..dbd02ff6c1 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -30,7 +30,7 @@ profile reportbug @{exec_path} { @{bin}/ r, @{python_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/selinuxenabled rix, @{sh_path} rix, @{bin}/aa-enabled rix, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 58224dd45d..651fac1bae 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -45,7 +45,7 @@ profile synaptic @{exec_path} { @{bin}/deborphan rPx, @{bin}/debtags rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index bee1c0fe81..2778b2b39b 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -51,10 +51,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/apt-listchanges rPx, @{bin}/dpkg rPx, @{bin}/dpkg-divert rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/sendmail rPUx, @{lib}/apt/methods/http{,s} rPx, @{lib}/needrestart/apt-pinvoke rPx, diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism index bb6c6cdf7f..ffdda336ef 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -36,9 +36,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #@{bin}/ip rix, - #@{bin}/xtables-nft-multi rix, - #@{bin}/dnsmasq rPx, + #@{sbin}/ip rix, + #@{sbin}/xtables-nft-multi rix, + #@{sbin}/dnsmasq rPx, #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index a561954a31..7d1be84425 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/speech-dispatcher rPx, - @{bin}/update-mime-database rPx, + @{sbin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 57c2ed4b8f..1322108d4a 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/anacron +@{exec_path} = @{sbin}/anacron profile anacron @{exec_path} { include include diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 25549a39c8..c924415689 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cron +@{exec_path} = @{sbin}/cron profile cron @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index 15d1b97378..91c531618b 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - @{bin}/anacron rPx, + @{sbin}/anacron rPx, @{sh_path} rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 29294fa537..81e5761d79 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cron-apt +@{exec_path} = @{sbin}/cron-apt profile cron-apt @{exec_path} { include include diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 2aaa6b142b..fcf5e44309 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/apt-config rPx, @{lib}/apt/apt.systemd.daily rPx, diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 2c3f90a9aa..f264de78cc 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -22,7 +22,7 @@ profile cron-apt-xapian-index @{exec_path} { @{bin}/ r, @{bin}/update-apt-xapian-index rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index ede030682e..9399b6ed46 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -15,7 +15,7 @@ profile cron-cracklib @{exec_path} { @{sh_path} rix, @{bin}/logger rix, - @{bin}/update-cracklib rPx, + @{sbin}/update-cracklib rPx, /etc/cracklib/cracklib.conf r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 42f2f0823a..2970f8d42a 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -39,8 +39,8 @@ profile cron-exim4-base @{exec_path} { @{bin}/exim4 rPx, @{bin}/exim_tidydb rix, - @{bin}/start-stop-daemon rix, - @{bin}/runuser rix, + @{sbin}/start-stop-daemon rix, + @{sbin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 6013684462..8b5891eed1 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save @@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index abe3542f6c..36044b2f34 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/logrotate rPx, + @{sbin}/logrotate rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 8629f7be23..709f843e80 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/start-stop-daemon rix, + @{sbin}/start-stop-daemon rix, @{bin}/xargs rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index 852e85141b..f0757187a7 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.mlocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 7080658c3f..742531b41e 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.plocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 21455fb7d3..c4b9de0b32 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} { # To send reports via TOR @{bin}/torify rix, @{bin}/torsocks rix, - @{bin}/getcap rix, + @{sbin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, @@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} { include include - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, @{bin}/popularity-contest rPx, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index d240454f5b..156d5e820c 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/crontab +@{exec_path} = @{sbin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 41d22ed9bd..f671ce6e9c 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cups-browsed +@{exec_path} = @{sbin}/cups-browsed profile cups-browsed @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 697a307f9e..91dd32f512 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cupsd +@{exec_path} = @{sbin}/cupsd profile cupsd @{exec_path} flags=(attach_disconnected) { include include @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{bin}/ippfind rix, + @{sbin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs index f8ac9419d6..512265788b 100644 --- a/apparmor.d/groups/filesystem/fsck.btrfs +++ b/apparmor.d/groups/filesystem/fsck.btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.btrfs +@{exec_path} = @{sbin}/fsck.btrfs profile fsck.btrfs @{exec_path} { include diff --git a/apparmor.d/groups/filesystem/fsck.fat b/apparmor.d/groups/filesystem/fsck.fat index fd944532fc..0e7df947d7 100644 --- a/apparmor.d/groups/filesystem/fsck.fat +++ b/apparmor.d/groups/filesystem/fsck.fat @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck +@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck profile fsck.fat @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm index 4fb66d92c6..ad4645bff0 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/groups/filesystem/lvm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvm +@{exec_path} = @{sbin}/lvm profile lvm @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/filesystem/lvmconfig b/apparmor.d/groups/filesystem/lvmconfig index 5e5a0d1dda..39224c22f0 100644 --- a/apparmor.d/groups/filesystem/lvmconfig +++ b/apparmor.d/groups/filesystem/lvmconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmconfig +@{exec_path} = @{sbin}/lvmconfig profile lvmconfig @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmdump b/apparmor.d/groups/filesystem/lvmdump index 6a443fc570..5e90ffeee3 100644 --- a/apparmor.d/groups/filesystem/lvmdump +++ b/apparmor.d/groups/filesystem/lvmdump @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmdump +@{exec_path} = @{sbin}/lvmdump profile lvmdump @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld index fdc3bad3f1..4168ad4fec 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmpolld +@{exec_path} = @{sbin}/lvmpolld profile lvmpolld @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index 56a223bddf..a3edbeb50b 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4 +@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include include @@ -19,7 +19,7 @@ profile mke2fs @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/groups/filesystem/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs index 1e6c958385..54c83e5598 100644 --- a/apparmor.d/groups/filesystem/mkfs-btrfs +++ b/apparmor.d/groups/filesystem/mkfs-btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkfs.btrfs +@{exec_path} = @{sbin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/groups/filesystem/mkswap index 4a818cd58c..fa30030f3f 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/groups/filesystem/mkswap @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkswap +@{exec_path} = @{sbin}/mkswap profile mkswap @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mount-cifs b/apparmor.d/groups/filesystem/mount-cifs index cf1ceefb35..a6c8d01e30 100644 --- a/apparmor.d/groups/filesystem/mount-cifs +++ b/apparmor.d/groups/filesystem/mount-cifs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mount.cifs +@{exec_path} = @{sbin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/filesystem/ntfsclone b/apparmor.d/groups/filesystem/ntfsclone index c239e81af8..c6443bf7a3 100644 --- a/apparmor.d/groups/filesystem/ntfsclone +++ b/apparmor.d/groups/filesystem/ntfsclone @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsclone +@{exec_path} = @{sbin}/ntfsclone profile ntfsclone @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfscp b/apparmor.d/groups/filesystem/ntfscp index 2e36046ba7..f3bc38b6a8 100644 --- a/apparmor.d/groups/filesystem/ntfscp +++ b/apparmor.d/groups/filesystem/ntfscp @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfscp +@{exec_path} = @{sbin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfslabel b/apparmor.d/groups/filesystem/ntfslabel index 471aefaa16..5d4089a44d 100644 --- a/apparmor.d/groups/filesystem/ntfslabel +++ b/apparmor.d/groups/filesystem/ntfslabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfslabel +@{exec_path} = @{sbin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsresize b/apparmor.d/groups/filesystem/ntfsresize index 5c7d5c8350..3eac37d70f 100644 --- a/apparmor.d/groups/filesystem/ntfsresize +++ b/apparmor.d/groups/filesystem/ntfsresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsresize +@{exec_path} = @{sbin}/ntfsresize profile ntfsresize @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsundelete b/apparmor.d/groups/filesystem/ntfsundelete index 4d96d1dbdd..9f68cba7a5 100644 --- a/apparmor.d/groups/filesystem/ntfsundelete +++ b/apparmor.d/groups/filesystem/ntfsundelete @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsundelete +@{exec_path} = @{sbin}/ntfsundelete profile ntfsundelete @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index f661ccd121..7d4febb1f8 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -73,18 +73,18 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/umount rix, - @{bin}/dmidecode rPx, - @{bin}/dumpe2fs rPx, + @{sbin}/dmidecode rPx, + @{sbin}/dumpe2fs rPx, @{bin}/eject rPx, - @{bin}/fsck.fat rPx, - @{bin}/lvm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPx, + @{sbin}/fsck.fat rPx, + @{sbin}/lvm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPx, @{bin}/mount.exfat-fuse rPUx, @{bin}/ntfs-3g rPx, @{bin}/ntfsfix rPx, - @{bin}/sfdisk rPx, - @{bin}/sgdisk rPx, + @{sbin}/sfdisk rPx, + @{sbin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, @{bin}/xfs_* rPUx, diff --git a/apparmor.d/groups/filesystem/umount.udisks2 b/apparmor.d/groups/filesystem/umount.udisks2 index 4e842c7fb9..752a1d5d38 100644 --- a/apparmor.d/groups/filesystem/umount.udisks2 +++ b/apparmor.d/groups/filesystem/umount.udisks2 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/umount.udisks2 +@{exec_path} = @{sbin}/umount.udisks2 profile umount.udisks2 @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 003089ca4b..7a6b7a9cfa 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/firewalld +@{exec_path} = @{sbin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include include @@ -34,14 +34,14 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/alts rix, - @{bin}/ebtables-legacy rix, - @{bin}/ebtables-legacy-restore rix, + @{sbin}/ebtables-legacy rix, + @{sbin}/ebtables-legacy-restore rix, @{bin}/false rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, @{bin}/kmod rix, - @{bin}/modprobe rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rmix, + @{sbin}/modprobe rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rmix, /usr/local/lib/@{python_name}/dist-packages/ r, diff --git a/apparmor.d/groups/firewall/nft b/apparmor.d/groups/firewall/nft index 292b220430..2392829c87 100644 --- a/apparmor.d/groups/firewall/nft +++ b/apparmor.d/groups/firewall/nft @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/nft +@{exec_path} = @{sbin}/nft profile nft @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index d16675235f..09f4f06f2c 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -33,9 +33,9 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/cat rix, @{bin}/env r, - @{bin}/sysctl rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/sysctl rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/ufw/ufw-init rix, /etc/default/ufw rw, diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 78483a399a..5c0521790c 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -22,9 +22,9 @@ profile ufw-init @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/sysctl rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/sysctl rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/default/ufw r, /etc/ufw/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 397475a432..8d35bc8e0f 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, + @{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, @{lib}/kf5/kioslave5 rPx, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index d3aaa753fa..85e2771985 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -27,13 +27,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/cat rix, @{bin}/chage rPx, @{bin}/passwd rPx, - @{bin}/chpasswd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/chpasswd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, @{bin}/locale rPUx, /usr/share/language-tools/language-validate rPx, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 1b004021f9..0a23906610 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/plymouthd +@{exec_path} = @{sbin}/plymouthd profile plymouthd @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 9efd9cccc4..6f6b397008 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-mime-database +@{exec_path} = @{sbin}/update-mime-database profile update-mime-database @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 07f6a05998..994c8e4451 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -60,11 +60,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index e52e96b8a3..06fdf1601f 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-install +@{exec_path} = @{sbin}/grub-install profile grub-install @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index c2571ea73a..17e71a25c6 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-macbless +@{exec_path} = @{sbin}/grub-macbless profile grub-macbless @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 1ff23f1fe0..0ca05d5494 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include @@ -27,14 +27,14 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{bin}/dmsetup rPUx, + @{sbin}/dmsetup rPUx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/grub-script-check rPx, @{bin}/head rix, @{bin}/id rPx, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 533f9780b9..2a7082c64b 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-mkdevicemap +@{exec_path} = @{sbin}/grub-mkdevicemap profile grub-mkdevicemap @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index 94c4c7e2be..d147b94fb6 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} { @{exec_path} mr, - @{bin}/grub-install rPx, + @{sbin}/grub-install rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 3c22c2d27c..6d0ec6a72f 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-probe +@{exec_path} = @{sbin}/grub-probe profile grub-probe @{exec_path} { include include @@ -20,7 +20,7 @@ profile grub-probe @{exec_path} { /{usr/,}{local/,}{s,}bin/zpool rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/udevadm rPx, /usr/share/grub/* r, diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot index 7d94a22afa..310b416bf1 100644 --- a/apparmor.d/groups/grub/grub-reboot +++ b/apparmor.d/groups/grub/grub-reboot @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-reboot +@{exec_path} = @{sbin}/grub-reboot profile grub-reboot @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index 11c78024b2..9e3c964642 100644 --- a/apparmor.d/groups/grub/grub-set-default +++ b/apparmor.d/groups/grub/grub-set-default @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-set-default +@{exec_path} = @{sbin}/grub-set-default profile grub-set-default @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 03df052953..1996b346ba 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub{2,} profile update-grub @{exec_path} { include include @@ -15,7 +15,7 @@ profile update-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grub-mkconfig rPx, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 6483fe39f8..cf0caffeba 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -22,7 +22,7 @@ profile kauth-kded-smart-helper @{exec_path} { @{exec_path} mr, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index 5ae1f5f12c..afecd8d53d 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} { @{exec_path} mr, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, include if exists } diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 2c129b426c..dd3a6b42b9 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -39,7 +39,7 @@ profile kscreenlocker_greet @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, /usr/share/plasma/** r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee955..0ae174b09c 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{bin}/tcsh rix, + @{sbin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index b92ad8e68a..1d89877090 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ModemManager +@{exec_path} = @{sbin}/ModemManager profile ModemManager @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index d41f38b1be..008b6bd317 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/NetworkManager +@{exec_path} = @{sbin}/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include @@ -75,12 +75,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/nft rix, + @{sbin}/nft rix, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, @{bin}/netconfig rPUx, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index c1b5d04c5d..7f47b9975e 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dhcpcd +@{exec_path} = @{sbin}/dhcpcd profile dhcpcd @{exec_path} flags=(attach_disconnected) { include include @@ -35,7 +35,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index 0b5bd090ec..eddcaedf7f 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/iwctl +@{exec_path} = @{sbin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index d3c114a43a..13edaaf161 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -24,7 +24,7 @@ profile iwd @{exec_path} { network packet dgram, @{exec_path} mr, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 6c4c41e6c9..ecd23ce535 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ip rix, + @{sbin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index e6150c5098..726798180a 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -39,7 +39,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/gawk rix, @{bin}/grep rix, @{bin}/id rix, - @{bin}/invoke-rc.d rCx -> invoke-rc, + @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @@ -101,7 +101,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include - @{bin}/invoke-rc.d rm, + @{sbin}/invoke-rc.d rm, @{sh_path} rix, @{bin}/basename rix, @{bin}/ls rix, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 675c14679d..943386f61d 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} { @{sh_path} rix, @{bin}/kmod rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 608b989940..5623901fbc 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -22,7 +22,7 @@ abi , include -@{exec_path} = @{bin}/openvpn +@{exec_path} = @{sbin}/openvpn profile openvpn @{exec_path} flags=(attach_disconnected) { include include @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,9 +83,9 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/which{,.debianutils} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, @@ -110,8 +110,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/ip rix, + @{sbin}/nft rix, @{bin}/sed rix, /etc/iproute2/rt_realms r, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 4e5bba684d..096fe276cf 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{bin}/ip rPx, + @{sbin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index ac29b0b283..fa6cd8ddda 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,9 +35,9 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/resolvectl rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index b5e8d88e83..e8ece5c884 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,19 +21,19 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/ip rPx, + @{sbin}/ip rPx, @{bin}/mv rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/resolvectl rPx, @{bin}/rm rix, @{bin}/sort rix, @{bin}/stat rix, @{bin}/sync rix, - @{bin}/sysctl rCx -> sysctl, + @{sbin}/sysctl rCx -> sysctl, @{bin}/wg rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /usr/share/terminfo/** r, @@ -49,7 +49,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { profile sysctl flags=(attach_disconnected) { include - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index f1d4818efe..fdd9618fc8 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -28,11 +28,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{bin}/fsck rix, + @{sbin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, @{bin}/objcopy rix, @@ -45,7 +45,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/{depmod,insmod} rPx, @{bin}/{kmod,lsmod} rPx, @{bin}/{modinfo,rmmod} rPx, - @{bin}/modprobe rPx, + @{sbin}/modprobe rPx, @{bin}/plymouth rPx, @{bin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 271540f528..ada70feec7 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -69,35 +69,35 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/ghc-pkg-@{version} rix, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, - @{bin}/groupadd rPx, + @{sbin}/groupadd rPx, @{bin}/gtk-query-immodules-{2,3}.0 rPx, @{bin}/gtk{,4}-update-icon-cache rPx, - @{bin}/iconvconfig rix, + @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, @{bin}/install-info rPx, @{bin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, - @{bin}/ldconfig rix, - @{bin}/locale-gen rPx, + @{sbin}/ldconfig rix, + @{sbin}/locale-gen rPx, @{bin}/mkinitcpio rPx, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/pacdiff rPx, @{bin}/pacman-key rPx, @{bin}/pkgfile rPUx, @{bin}/pkill rix, @{bin}/rsync rix, @{bin}/sbctl rPx, - @{bin}/setcap rix, + @{sbin}/setcap rix, @{bin}/setfacl rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-* rPx, @{bin}/tput rix, @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, - @{bin}/update-grub rPx, - @{bin}/update-mime-database rPx, + @{sbin}/update-grub rPx, + @{sbin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 45336a100c..fe1bc5781b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,7 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{bin}/depmod rPx, + @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index a039db4149..a8a54c151c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -19,7 +19,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/kmod rPx, @{bin}/nproc rix, diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/groups/procps/sysctl index a25414390c..3131befeb3 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/groups/procps/sysctl @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/sysctl +@{exec_path} = @{sbin}/sysctl profile sysctl @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/groups/shadow/chpasswd index 0dc65b1fbd..5e84f31b47 100644 --- a/apparmor.d/groups/shadow/chpasswd +++ b/apparmor.d/groups/shadow/chpasswd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/chpasswd +@{exec_path} = @{sbin}/chpasswd profile chpasswd @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupadd b/apparmor.d/groups/shadow/groupadd index 65e7356050..2d135007a0 100644 --- a/apparmor.d/groups/shadow/groupadd +++ b/apparmor.d/groups/shadow/groupadd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupadd +@{exec_path} = @{sbin}/groupadd profile groupadd @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupdel b/apparmor.d/groups/shadow/groupdel index 734b224630..8f8b282395 100644 --- a/apparmor.d/groups/shadow/groupdel +++ b/apparmor.d/groups/shadow/groupdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupdel +@{exec_path} = @{sbin}/groupdel profile groupdel @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupmod b/apparmor.d/groups/shadow/groupmod index 01841483e6..34bf046cda 100644 --- a/apparmor.d/groups/shadow/groupmod +++ b/apparmor.d/groups/shadow/groupmod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupmod +@{exec_path} = @{sbin}/groupmod profile groupmod @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/grpck b/apparmor.d/groups/shadow/grpck index 3b820febb9..1e47307e4c 100644 --- a/apparmor.d/groups/shadow/grpck +++ b/apparmor.d/groups/shadow/grpck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grpck +@{exec_path} = @{sbin}/grpck profile grpck @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/pwck b/apparmor.d/groups/shadow/pwck index 6aef4d028e..456a15af49 100644 --- a/apparmor.d/groups/shadow/pwck +++ b/apparmor.d/groups/shadow/pwck @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pwck +@{exec_path} = @{sbin}/pwck profile pwck @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/groups/shadow/useradd index 021ede7830..b10487cf23 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/useradd +@{exec_path} = @{sbin}/useradd profile useradd @{exec_path} { include include @@ -25,7 +25,7 @@ profile useradd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{bin}/pam_tally2 rCx -> pam_tally2, diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/groups/shadow/userdel index afaa52a036..589c726d09 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/userdel +@{exec_path} = @{sbin}/userdel profile userdel @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/usermod b/apparmor.d/groups/shadow/usermod index 1e5c6e4eb6..b59260a259 100644 --- a/apparmor.d/groups/shadow/usermod +++ b/apparmor.d/groups/shadow/usermod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/usermod +@{exec_path} = @{sbin}/usermod profile usermod @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index cbaa8bce95..b3ee8a5dae 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -65,17 +65,17 @@ profile snapd @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/adduser rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/adduser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/cp rix, @{bin}/getent rix, - @{bin}/groupadd rPx, + @{sbin}/groupadd rPx, @{bin}/gzip rix, @{bin}/hostnamectl rPx, @{bin}/journalctl rPx, @{bin}/kmod rPx, @{bin}/mount rix, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/ssh-keygen rPx, @{bin}/sync rix, @{bin}/systemctl rCx -> systemctl, @@ -85,7 +85,7 @@ profile snapd @{exec_path} { @{bin}/umount rix, @{bin}/unsquashfs rix, @{bin}/update-desktop-database rPx, - @{bin}/useradd rPx, + @{sbin}/useradd rPx, @{bin_dirs}/fc-cache-* mr, @{bin_dirs}/snap rPUx, @@ -201,7 +201,7 @@ profile snapd @{exec_path} { profile runuser { include - @{bin}/runuser mr, + @{sbin}/runuser mr, include if exists } diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 6d873982b6..63251a976c 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -15,7 +15,7 @@ profile snapd-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a7d9a6699d..3ae1326d87 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -15,7 +15,7 @@ abi , include -@{exec_path} = @{bin}/sshd +@{exec_path} = @{sbin}/sshd profile sshd @{exec_path} flags=(attach_disconnected) { include include @@ -62,7 +62,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{bin}/false rix, - @{bin}/nologin rPx, + @{sbin}/nologin rPx, @{bin}/passwd rPx, @{lib}/{openssh,ssh}/sftp-server rPx, @{lib}/{openssh,ssh}/sshd-session rix, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index a29a396874..73c78f2ed1 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -67,7 +67,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{open_path} rPx -> child-open, @{bin}/getopt rix, @{bin}/journalctl rPx -> systemctl, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @@ -276,7 +276,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/localedef rix, @{bin}/readlink rix, @{bin}/true rix, diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index de0b0a2955..1b094c2a3e 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -43,7 +43,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ln rix, @{bin}/localedef rix, @{bin}/mkdir rix, @@ -71,7 +71,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{app_dirs}/** mrix, - @{run}/host/@{bin}/ldconfig rix, + @{run}/host/@{sbin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @{run}/host/@{lib}/** mr, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 7dc10fd46b..0381b93b11 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -31,7 +31,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{pager_path} rPx -> child-pager, # Location of file system OS images diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 0680e0be8e..4836c9747e 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck rPx, + @{sbin}/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index d9a6639c10..346e7d94eb 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -17,7 +17,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/blkid rPx, + @{sbin}/blkid rPx, @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index a248581253..a89cd90f89 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -42,9 +42,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework, - @{bin}/mkfs.btrfs rPx, - @{bin}/mkfs.fat rPx, - @{bin}/mke2fs rPx, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, /etc/machine-id r, /etc/systemd/homed.conf r, diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 8556e51d77..74a824411a 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, - @{bin}/mkfs.* rPx, - @{bin}/mkswap rPx, + @{sbin}/mkfs.* rPx, + @{sbin}/mkswap rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index d28531e563..5ccf332198 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -18,7 +18,7 @@ profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/sulogin rPx, + @{sbin}/sulogin rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 9e81cec831..03bfd60006 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -41,15 +41,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{pager_path} rPx -> child-pager, @{bin}/*-print-pci-ids rix, - @{bin}/alsactl rPUx, + @{sbin}/alsactl rPUx, @{bin}/ddcutil rPx, - @{bin}/dmsetup rPx, - @{bin}/ethtool rix, + @{sbin}/dmsetup rPx, + @{sbin}/ethtool rix, @{bin}/issue-generator rPx, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mknod rix, @{bin}/multipath rPx, @{bin}/nfsrahead rix, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0121dd46db..15c7f27ad8 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -43,7 +43,7 @@ profile apport-gtk @{exec_path} { @{bin}/gsettings rPx, @{bin}/ischroot rix, @{bin}/journalctl rPx, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index c5c31edd34..eb299345c2 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -19,7 +19,7 @@ profile cron-ubuntu-fan @{exec_path} { @{bin}/flock rix, @{bin}/grep rix, @{bin}/id rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, @{bin}/touch rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 58323b8ff4..575481de2c 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, @@ -35,7 +35,7 @@ profile subiquity-console-conf @{exec_path} { @{bin}/journalctl rCx -> journalctl, @{bin}/ssh-keygen rPx, - @{bin}/sshd rPx, + @{sbin}/sshd rPx, @{bin}/snap rPUx, /usr/lib/snapd/snap-recovery-chooser rPUx, /usr/share/netplan/netplan.script rPUx, # TODO: rPx, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 77b24fa279..0573f38bfc 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -12,7 +12,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{bin}/dumpe2fs rPx, + @{sbin}/dumpe2fs rPx, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/groups/utils/agetty index 3eca54abcb..9ae450196b 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/groups/utils/agetty @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/agetty +@{exec_path} = @{sbin}/agetty profile agetty @{exec_path} { include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 27207bdb72..3eee035fe0 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blkid +@{exec_path} = @{sbin}/blkid profile blkid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/blockdev b/apparmor.d/groups/utils/blockdev index 96e3ad23f8..0c5e7b17cf 100644 --- a/apparmor.d/groups/utils/blockdev +++ b/apparmor.d/groups/utils/blockdev @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blockdev +@{exec_path} = @{sbin}/blockdev profile blockdev @{exec_path} { include include diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/groups/utils/fsck index 5d05880266..40694aff99 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/groups/utils/fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck +@{exec_path} = @{sbin}/fsck profile fsck @{exec_path} flags=(attach_disconnected) { include include @@ -18,8 +18,8 @@ profile fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck.* rPx, /etc/fstab r, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index 211913f419..a6ada04d54 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/fstrim +@{exec_path} = @{sbin}/fstrim profile fstrim @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index b9254171a7..3620018a7c 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/locale-gen +@{exec_path} = @{sbin}/locale-gen profile locale-gen @{exec_path} { include include diff --git a/apparmor.d/groups/utils/losetup b/apparmor.d/groups/utils/losetup index bb0ac6c74e..9b32074ba8 100644 --- a/apparmor.d/groups/utils/losetup +++ b/apparmor.d/groups/utils/losetup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/losetup +@{exec_path} = @{sbin}/losetup profile losetup @{exec_path} { include include diff --git a/apparmor.d/groups/utils/nologin b/apparmor.d/groups/utils/nologin index 3ee32cf346..795a1aa35a 100644 --- a/apparmor.d/groups/utils/nologin +++ b/apparmor.d/groups/utils/nologin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nologin +@{exec_path} = @{sbin}/nologin profile nologin @{exec_path} { include include diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 4bd4735845..81e299d236 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -22,7 +22,7 @@ profile su @{exec_path} { @{exec_path} mr, @{bin}/@{shells} rUx, - @{bin}/nologin rPx, + @{sbin}/nologin rPx, @{etc_ro}/default/su r, /etc/default/locale r, diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/groups/utils/sulogin index ccf7216e0c..2af869dab0 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/sulogin +@{exec_path} = @{sbin}/sulogin profile sulogin @{exec_path} { include include diff --git a/apparmor.d/groups/utils/swaplabel b/apparmor.d/groups/utils/swaplabel index 05dc5783ab..16abf153dc 100644 --- a/apparmor.d/groups/utils/swaplabel +++ b/apparmor.d/groups/utils/swaplabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swaplabel +@{exec_path} = @{sbin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/groups/utils/swapon b/apparmor.d/groups/utils/swapon index 83d2c6a3be..dd4aec8e26 100644 --- a/apparmor.d/groups/utils/swapon +++ b/apparmor.d/groups/utils/swapon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swapon @{bin}/swapoff +@{exec_path} = @{sbin}/swapon @{sbin}/swapoff profile swapon @{exec_path} { include include diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 4d75a70ed5..0f03325c82 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/uuidd +@{exec_path} = @{sbin}/uuidd profile uuidd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index 9dbf23243f..91697be736 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/zramctl +@{exec_path} = @{sbin}/zramctl profile zramctl @{exec_path} { include include diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 73ad13cb1a..0f2692ecf9 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -15,7 +15,7 @@ profile cni-portmap @{exec_path} { network netlink raw, @{exec_path} mr, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index a6eb80e9f7..87ffb3f4ad 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,13 +38,13 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{bin}/ip ix, + @{sbin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, @{bin}/chage Px, - @{bin}/dmidecode Px, + @{sbin}/dmidecode Px, @{bin}/findmnt Px, @{bin}/journalctl Px, @{bin}/last Px, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index 1de016aeaf..d71eb9ec1d 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{bin}/ip rPx, + @{sbin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 4f73ff9858..598ec7ca9d 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -46,7 +46,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 3f18bbdccb..6b1e3537a4 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -64,7 +64,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd rPx, @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @@ -74,7 +74,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/ps rPx, @{bin}/runc rUx, @{bin}/unpigz rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 0949e72eeb..2142e28b98 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -62,7 +62,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-run rix, @{bin}/{nano,emacs,ed} rPUx, @{bin}/vim{,.basic} rPUx, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/@{hex}/bin/* rix, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 44d24f1ae4..303e906c22 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/libvirt-dbus +@{exec_path} = @{sbin}/libvirt-dbus profile libvirt-dbus @{exec_path} { include include @@ -18,7 +18,7 @@ profile libvirt-dbus @{exec_path} { @{exec_path} mr, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/virtqemud rPx, /usr/share/dbus-1/interfaces/org.libvirt.*.xml r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 061866717a..53dcb0703c 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -14,7 +14,7 @@ abi , include -@{exec_path} = @{bin}/libvirtd +@{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include include @@ -103,26 +103,26 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, - @{bin}/dmidecode rPx, - @{bin}/dnsmasq rPx, + @{sbin}/dmidecode rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, - @{bin}/lvm rPUx, + @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @{bin}/udevadm rPx, @{bin}/virtiofsd rux, # TODO: WIP - @{bin}/virtlogd rPx, + @{sbin}/virtlogd rPx, @{sh_path} rix, - @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/ip rix, + @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper - @{bin}/tc rix, + @{sbin}/tc rix, @{bin}/xmllint rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/libvirt/virt-aa-helper rPx, /etc/libvirt/hooks/** rPUx, @@ -265,7 +265,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/vhost-net rw, # Force the use of virt-aa-helper - audit deny @{bin}/apparmor_parser rwxl, + audit deny @{sbin}/apparmor_parser rwxl, audit deny @{etc_rw}/apparmor.d/libvirt/** wxl, audit deny @{sys}/kernel/security/apparmor/features rwxl, audit deny @{sys}/kernel/security/apparmor/matching rwxl, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index c10f449224..81ec217b90 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -19,7 +19,7 @@ profile virt-aa-helper @{exec_path} { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, /etc/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index ea9336cef2..ef28e59e99 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlockd +@{exec_path} = @{sbin}/virtlockd profile virtlockd @{exec_path} { include diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 44bf06ba07..d362ad1088 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlogd +@{exec_path} = @{sbin}/virtlogd profile virtlogd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 42e13ef646..2d7df07b64 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -18,7 +18,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, /etc/libvirt/*.conf r, diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables index 71f75b6428..a10b75ddef 100644 --- a/apparmor.d/groups/virt/xtables +++ b/apparmor.d/groups/virt/xtables @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi +@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi profile xtables { include include diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 51053ccee4..1cc3e7668f 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -14,7 +14,7 @@ profile pam-info @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/faillock rix, + @{sbin}/faillock rix, @{bin}/grep rix, @{bin}/str_replace rix, @{bin}/wc rix, diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 01e1cb4181..08322714f3 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -29,7 +29,7 @@ profile whonix-firewalld @{exec_path} { @{bin}/rm rix, @{bin}/touch rix, @{bin}/whonix-*-firewall rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/qubesdb-read rPUx, @{bin}/qubesdb-cmd rPUx, diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 7961941468..bf7daf85e9 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -13,11 +13,11 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,}grep rix, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{bin}/shutdown rix, + @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 5bf6c433a9..4985bca3a3 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/acpid +@{exec_path} = @{sbin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index e1d8133247..135f65067c 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -33,12 +33,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, @{bin}/gpasswd rPx, - @{bin}/groupadd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupadd rPx, + @{sbin}/groupdel rPx, @{bin}/passwd rPx, - @{bin}/useradd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/useradd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 28576423dd..6999f5baf9 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -18,7 +18,7 @@ profile adequate @{exec_path} flags=(complain) { @{exec_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. @{bin}/ldd rCx -> ldd, diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index b2b97a62ab..adf0d5cd3a 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/alsactl +@{exec_path} = @{sbin}/alsactl profile alsactl @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index b3baaaa8f8..a10df83949 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/aspell-autobuildhash +@{exec_path} = @{sbin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include @@ -47,7 +47,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{sh_path} rix, @{bin}/stty rix, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index d6881f3e77..762273a9f1 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditctl +@{exec_path} = @{sbin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index bb2c64ceec..41fb158c09 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditd +@{exec_path} = @{sbin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 7a515c1ba2..5ae84876ba 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/augenrules +@{exec_path} = @{sbin}/augenrules profile augenrules @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e,f}grep rix, @{bin}/{,g,m}awk rix, - @{bin}/auditctl rPx, + @{sbin}/auditctl rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index e0f686b90a..ff3a710c38 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/badblocks +@{exec_path} = @{sbin}/badblocks profile badblocks @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index 8010b380a1..87457a1294 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/biosdecode +@{exec_path} = @{sbin}/biosdecode profile biosdecode @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 2cabb639fa..f864a605b5 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blkdeactivate +@{exec_path} = @{sbin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @@ -15,11 +15,11 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, @{sh_path} rix, - @{bin}/dmsetup rPUx, + @{sbin}/dmsetup rPUx, @{bin}/grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index ff3f8b43a6..6d2683ade0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -31,7 +31,7 @@ profile borg @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, @{bin}/ccache rCx -> ccache, diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop index 9ea7a824c6..1cfda03d92 100644 --- a/apparmor.d/profiles-a-f/briar-desktop +++ b/apparmor.d/profiles-a-f/briar-desktop @@ -80,7 +80,7 @@ profile briar-desktop @{exec_path} { profile jspawnhelper flags=(attach_disconnected) { include - @{bin}/ldconfig ix, + @{sbin}/ldconfig ix, owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, @{system_share_dirs}/java/briar-desktop.jar r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 6d71ed28df..e3643ab6dc 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -48,7 +48,7 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, @{bin}/file rix, - @{bin}/ldconfig{,.real} rix, + @{sbin}/ldconfig{,.real} rix, @{bin}/uname rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 9cacb9324c..ee8d277f2b 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cfdisk +@{exec_path} = @{sbin}/cfdisk profile cfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 0f91c1e851..8f3f11af08 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cgdisk +@{exec_path} = @{sbin}/cgdisk profile cgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 775e3f640d..965e0dc3ac 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/check-bios-nx +@{exec_path} = @{sbin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 4c805b9b11..39f30c5fe2 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -24,10 +24,10 @@ profile check-support-status-hook @{exec_path} { @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/check-support-status rPx, @{bin}/debconf-escape rCx -> debconf-escape, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -111,7 +111,7 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index cc183f5273..4db396fa0e 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cracklib-packer +@{exec_path} = @{sbin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1c51858337..5262e9065f 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -20,11 +20,11 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/crontab rPx, + @{sbin}/crontab rPx, @{bin}/gpasswd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, - @{bin}/userdel rPx, + @{sbin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index b650498cfb..d5505ff861 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, @@ -36,11 +36,11 @@ profile dhclient-script @{exec_path} { @{bin}/ping rPx, @{bin}/printenv rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rix, @{bin}/tr rix, @{bin}/xxd rix, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 75487fbec2..0a01e5db50 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/dkms +@{exec_path} = @{sbin}/dkms profile dkms @{exec_path} flags=(attach_disconnected) { include include @@ -43,7 +43,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/update-secureboot-policy rPUx, + @{sbin}/update-secureboot-policy rPUx, @{bin}/zstd rix, @{lib}/gcc/@{multiarch}/@{version}/* rix, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index ffce309217..2d799987ff 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -15,7 +15,7 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 0484cf99d8..9845455081 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dmeventd +@{exec_path} = @{sbin}/dmeventd profile dmeventd @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index aba4555351..680d259922 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dmidecode +@{exec_path} = @{sbin}/dmidecode profile dmidecode @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index b5a1f3ab77..eb9d1dc193 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dmsetup +@{exec_path} = @{sbin}/dmsetup profile dmsetup @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 065fe92c59..eecdb2e6d5 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -32,7 +32,7 @@ profile dropbox @{exec_path} { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/uname rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/python3.@{int} rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index eb3d4d61ab..a4184a3588 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus +@{exec_path} = @{sbin}/dumpe2fs @{sbin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index be5d26b9fa..c120a3590a 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 +@{exec_path} = @{sbin}/e2fsck @{sbin}/fsck.ext2 @{sbin}/fsck.ext3 @{sbin}/fsck.ext4 profile e2fsck @{exec_path} { include include @@ -21,7 +21,7 @@ profile e2fsck @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index b099f1ccfe..c7238f262a 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2image +@{exec_path} = @{sbin}/e2image profile e2image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 25fab12c71..af10dddcd6 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/e2scrub_all +@{exec_path} = @{sbin}/e2scrub_all profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index 4d743fbb76..a2cfe43c55 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -21,7 +21,7 @@ profile f3fix @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 2506b1db9d..21d2a1cf82 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -20,8 +20,8 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/xtables-nft-multi rix, - @{bin}/iptables rix, + @{sbin}/xtables-nft-multi rix, + @{sbin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index c7ac0d3992..c8bdedaa36 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatlabel +@{exec_path} = @{sbin}/fatlabel profile fatlabel @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index e299a109bc..8db6bde6f5 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -21,7 +21,7 @@ profile fatresize @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index e6a7aeebf8..bab1525748 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fdisk +@{exec_path} = @{sbin}/fdisk profile fdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index bb68e873e1..74c6ad3b17 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -25,7 +25,7 @@ profile finalrd @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/grep rix, - @{bin}/ldconfig{,.real} rix, + @{sbin}/ldconfig{,.real} rix, @{bin}/ln rix, @{bin}/mkdir rix, @{bin}/mount rix, diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index a54d1c9ac7..d8086715a4 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -19,7 +19,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{etc_ro}/login.defs r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 3d7ee07f88..6d95022204 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -28,14 +28,14 @@ profile frontend @{exec_path} flags=(complain) { @{bin}/locale rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/stty rix, - @{bin}/update-secureboot-policy rPx, + @{sbin}/update-secureboot-policy rPx, # debconf apps @{bin}/adequate rPx, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{bin}/debconf-apt-progress rPx, @{bin}/linux-check-removal rPx, - @{bin}/pam-auth-update rPx, + @{sbin}/pam-auth-update rPx, @{bin}/ucf rPx, @{bin}/whiptail rPx, @{lib}/tasksel/tasksel-debconf rPx -> tasksel, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index e06c49b9db..1dcdf8042b 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -33,7 +33,7 @@ profile gajim @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, # To play sounds diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 1357b03b6f..b49e20570f 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gdisk +@{exec_path} = @{sbin}/gdisk profile gdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index d4511c62ca..d749457774 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gparted +@{exec_path} = @{sbin}/gparted profile gparted @{exec_path} flags=(attach_disconnected) { include include @@ -20,7 +20,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{sh_path} rix, - @{bin}/killall5 rCx -> killall, + @{sbin}/killall5 rCx -> killall, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -29,7 +29,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{bin}/ps rPx, @{bin}/xhost rPx, - @{bin}/gpartedbin rPx, + @{sbin}/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx, @{lib}/gpartedbin rPx, @@ -71,7 +71,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { ptrace (read), - @{bin}/killall5 mr, + @{sbin}/killall5 mr, @{PROC}/ r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 0b2fea4c30..29bac6a2f6 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin +@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include @@ -30,9 +30,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, - @{bin}/blkid rPx, - @{bin}/dmidecode rPx, - @{bin}/hdparm rPx, + @{sbin}/blkid rPx, + @{sbin}/dmidecode rPx, + @{sbin}/hdparm rPx, @{bin}/kmod rPx, @{bin}/mount rCx -> mount, @@ -42,28 +42,28 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{bin}/btrfs rPx, @{bin}/btrfstune rPx, @{bin}/dmraid rPUx, - @{bin}/dmsetup rPUx, - @{bin}/dumpe2fs rPx, - @{bin}/e2fsck rPx, - @{bin}/e2image rPx, - @{bin}/fsck.* rPUx, - @{bin}/lvm rPUx, - @{bin}/mdadm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPUx, - @{bin}/mkntfs rPx, - @{bin}/mkswap rPx, + @{sbin}/dmsetup rPUx, + @{sbin}/dumpe2fs rPx, + @{sbin}/e2fsck rPx, + @{sbin}/e2image rPx, + @{sbin}/fsck.* rPUx, + @{sbin}/lvm rPUx, + @{sbin}/mdadm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPUx, + @{sbin}/mkntfs rPx, + @{sbin}/mkswap rPx, @{bin}/mtools rPx, @{bin}/ntfsinfo rPx, - @{bin}/ntfslabel rPx, - @{bin}/ntfsresize rPx, - @{bin}/resize2fs rPx, - @{bin}/swaplabel rPx, - @{bin}/swapoff rPx, - @{bin}/swapon rPx, + @{sbin}/ntfslabel rPx, + @{sbin}/ntfsresize rPx, + @{sbin}/resize2fs rPx, + @{sbin}/swaplabel rPx, + @{sbin}/swapoff rPx, + @{sbin}/swapon rPx, @{bin}/tune.* rPUx, - @{bin}/tune2fs rPx, - @{bin}/xfs_io rPUx, + @{sbin}/tune2fs rPx, + @{sbin}/xfs_io rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 5d04e33fbc..988c547f0b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -20,7 +20,7 @@ profile gsmartcontrol @{exec_path} { @{bin}/dbus-launch Cx -> bus, @{bin}/dbus-send Cx -> bus, - @{bin}/smartctl Px, + @{sbin}/smartctl Px, @{bin}/xterm Cx -> terminal, /etc/fstab r, @@ -67,7 +67,7 @@ profile gsmartcontrol @{exec_path} { capability setuid, @{bin}/xterm mr, - @{bin}/update-smart-drivedb rPx, + @{sbin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index aaa28bd55a..97fad1f139 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -39,7 +39,7 @@ profile hardinfo @{exec_path} { @{bin}/make rix, @{bin}/perl rix, @{python_path} rix, - @{bin}/route rix, + @{sbin}/route rix, @{bin}/ruby@{int}.@{int} rix, @{bin}/strace rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index a4fa349731..53e520509a 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hdparm +@{exec_path} = @{sbin}/hdparm profile hdparm @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 590d4427ed..2a1244ef7f 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -37,28 +37,28 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{bin}/biosdecode rPx, + @{sbin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{bin}/ethtool rCx -> netconfig, - @{bin}/fdisk rPx, + @{sbin}/ethtool rCx -> netconfig, + @{sbin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, + @{sbin}/hdparm rPx, @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{bin}/ifconfig rCx -> netconfig, + @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{bin}/iw rCx -> netconfig, - @{bin}/iwconfig rCx -> netconfig, + @{sbin}/iw rCx -> netconfig, + @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rix, @@ -70,10 +70,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{bin}/rfkill rPx, + @{sbin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -205,10 +205,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { network appletalk dgram, network netlink raw, - @{bin}/iw mr, - @{bin}/ifconfig mr, - @{bin}/iwconfig mr, - @{bin}/ethtool mr, + @{sbin}/iw mr, + @{sbin}/ifconfig mr, + @{sbin}/iwconfig mr, + @{sbin}/ethtool mr, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index e7bf2937c1..21165acec9 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -27,7 +27,7 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, - @{bin}/acpidump rPUx, + @{sbin}/acpidump rPUx, @{bin}/dmraid rPUx, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index cda55bc595..ce1ad519b9 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -34,7 +34,7 @@ profile hypnotix @{exec_path} { @{python_path} r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mkdir rix, @{bin}/xdg-screensaver rPx, diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 5bebad6910..48181e1302 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ifconfig +@{exec_path} = @{sbin}/ifconfig profile ifconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index aac25b8115..42169dd6d3 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,8 +19,8 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/ip rix, - @{bin}/route rix, + @{sbin}/ip rix, + @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, @{bin}/wc rix, @@ -32,7 +32,7 @@ profile ifup @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{bin}/kmod rCx -> kmod, - @{bin}/sysctl rCx -> sysctl, + @{sbin}/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -110,7 +110,7 @@ profile ifup @{exec_path} { capability net_admin, capability sys_admin, - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 074b4e7353..199483f4fb 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -19,7 +19,7 @@ profile initd-kexec @{exec_path} { @{bin}/tput rix, @{bin}/echo rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index 1b27d1a4ea..b5bf58ff22 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -25,7 +25,7 @@ profile initd-kexec-load @{exec_path} { @{bin}/readlink rix, @{bin}/tput rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 09753107b4..38b2a17a28 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/ip rCx -> ip, + @{sbin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -43,11 +43,11 @@ profile inxi @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - @{bin}/blockdev rPx, + @{sbin}/blockdev rPx, @{bin}/compton rPx, @{bin}/df rPx, @{bin}/dig rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, @@ -56,7 +56,7 @@ profile inxi @{exec_path} { @{bin}/openbox rPx, @{bin}/ps rPx, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/sudo rPx, @{bin}/uptime rPx, @{bin}/who rPx, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{bin}/ip mr, + @{sbin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index bcb521c014..3495bcc80c 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ip +@{exec_path} = @{sbin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index c6dfa762a0..628728846c 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ipcalc +@{exec_path} = @{sbin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index c760c50f66..631b0b9d1e 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iw +@{exec_path} = @{sbin}/iw profile iw @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index 962b4ab235..ec6b9a46b4 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwconfig +@{exec_path} = @{sbin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index 298c946885..b89af77b97 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwlist +@{exec_path} = @{sbin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 102b75d831..d1e142a137 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kexec +@{exec_path} = @{sbin}/kexec profile kexec @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 08fc10c226..0338e39751 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rPx, @{bin}/true rix, @{lib}/modprobe.d/{,*.conf} r, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index fc6a6ede57..016dceae05 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -30,7 +30,7 @@ profile kodi @{exec_path} { @{bin}/df rix, @{bin}/dirname rix, @{bin}/find rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mv rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index eb3d1cc80e..f62e9ddf98 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kvm-ok +@{exec_path} = @{sbin}/kvm-ok profile kvm-ok @{exec_path} { include @@ -20,7 +20,7 @@ profile kvm-ok @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index fdd3b6209f..f74f309fee 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/logrotate +@{exec_path} = @{sbin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -32,7 +32,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/grep rix, @{bin}/gzip rix, - @{bin}/invoke-rc.d rix, + @{sbin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, @{bin}/setfacl rix, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index fdc258da1e..ad626192c5 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/mkinitramfs +@{exec_path} = @{sbin}/mkinitramfs profile mkinitramfs @{exec_path} { include include @@ -58,7 +58,7 @@ profile mkinitramfs @{exec_path} { @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, - @{bin}/ldconfig rCx -> ldconfig, + @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @@ -130,10 +130,10 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - @{bin}/ldconfig mr, + @{sbin}/ldconfig mr, @{sh_path} rix, - @{bin}/ldconfig.real rix, + @{sbin}/ldconfig.real rix, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index cd2ddc0e68..8b8968464c 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/modprobed-db +@{exec_path} = @{sbin}/modprobed-db profile modprobed-db @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index e847db8729..cf77b7ab8a 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -43,8 +43,8 @@ profile monitorix @{exec_path} { @{bin}/free rix, @{bin}/ss rix, @{bin}/who rix, - @{bin}/lvm rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/lvm rix, + @{sbin}/xtables-nft-multi rix, @{bin}/sensors rix, @{bin}/getconf rix, @{bin}/ps rix, diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 502f941be3..a66fc287fb 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -27,7 +27,7 @@ profile mpsyt @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/tset rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 397646c5ef..2470c527fc 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/needrestart +@{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include include @@ -37,7 +37,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 480caf77e4..b70a49be86 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -19,7 +19,7 @@ profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dbus-send rix, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/rm rix, @{run}/needrestart/{,**} rw, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 75b150042c..cf51936da6 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -12,7 +12,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{bin}/iucode_tool rix, + @{sbin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index c92d4d8498..ffe3d4119b 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/on_ac_power +@{exec_path} = @{sbin}/on_ac_power profile on-ac-power @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index bfee591872..263fab8bb4 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -26,20 +26,20 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,f,}grep rix, - @{bin}/blkid rPx, + @{sbin}/blkid rPx, @{bin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, @{bin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/head rix, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index bcd9ba6b72..c3df0072d3 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -52,7 +52,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/gdbus rix, @{bin}/gzip rix, @{bin}/ischroot rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 3991299b91..655ed9d40e 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/pam-auth-update +@{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include include @@ -35,7 +35,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, - @{bin}/pam-auth-update rPx, + @{sbin}/pam-auth-update rPx, @{sh_path} rix, @{bin}/stty rix, diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 4a98dbae81..1ae7f5478f 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/parted +@{exec_path} = @{sbin}/parted profile parted @{exec_path} { include include @@ -22,7 +22,7 @@ profile parted @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 6a0a6c9cf2..79e4b0ffba 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/partprobe +@{exec_path} = @{sbin}/partprobe profile partprobe @{exec_path} { include include @@ -23,7 +23,7 @@ profile partprobe @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{PROC}/devices r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index c8fb38e441..8d55dd156c 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -24,7 +24,7 @@ profile pass-import @{exec_path} { @{bin}/ r, @{bin}/gcc rix, # TODO: Test deny @{bin}/ld rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/pass rPx, @{python_path} rix, @{lib}/gcc/**/collect2 rix, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 984b566cf5..67e0ee74ea 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pcscd +@{exec_path} = @{sbin}/pcscd profile pcscd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 47dd9beabe..81f43b3e61 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rdmsr +@{exec_path} = @{sbin}/rdmsr profile rdmsr @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 7b28a1d229..38d4823268 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/resize2fs +@{exec_path} = @{sbin}/resize2fs profile resize2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index c050ce970f..a83c867fa4 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/resolvconf +@{exec_path} = @{sbin}/resolvconf profile resolvconf @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index c80211b092..c65298b27b 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rfkill +@{exec_path} = @{sbin}/rfkill profile rfkill @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 1dc744ff35..599fac88f3 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,7 +12,7 @@ include # following: # watch -n 1 'dmesg | tail -5' -@{exec_path} = @{bin}/rsyslogd +@{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index 9417c93b10..733573d6b7 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rtkitctl +@{exec_path} = @{sbin}/rtkitctl profile rtkitctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index fc46c29677..f6d40b0c51 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -25,7 +25,7 @@ profile run-parts @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/anacron rix, + @{sbin}/anacron rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/nice rix, @@ -229,12 +229,12 @@ profile run-parts @{exec_path} { @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, @{bin}/update-alternatives rPx, - @{bin}/update-grub rPUx, - @{bin}/update-initramfs rPx, + @{sbin}/update-grub rPUx, + @{sbin}/update-initramfs rPx, @{lib}/dkms/dkms_autoinstaller rPx, @{lib}/modules/*/updates/ w, diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 9931c07fbe..4bd5699551 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/runuser +@{exec_path} = @{sbin}/runuser profile runuser @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index e3eca4e22e..96dc170428 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sensors-detect +@{exec_path} = @{sbin}/sensors-detect profile sensors-detect @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 6c9a3fe62b..7fdfddcbb0 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/setvtrgb +@{exec_path} = @{sbin}/setvtrgb profile setvtrgb @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 0009d52cbb..05ab2273f9 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sfdisk +@{exec_path} = @{sbin}/sfdisk profile sfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index ecc6abcdbc..4e68816d76 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sgdisk +@{exec_path} = @{sbin}/sgdisk profile sgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 4af40c8aba..d025d160b9 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/smartctl +@{exec_path} = @{sbin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index d0f9c28fd7..60a77a782d 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/smartd +@{exec_path} = @{sbin}/smartd profile smartd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index e70a5c4995..5277dcc1e0 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -46,7 +46,7 @@ profile spectre-meltdown-checker @{exec_path} { @{bin}/gzip rix, @{bin}/head rix, @{bin}/id rix, - @{bin}/iucode_tool rix, + @{sbin}/iucode_tool rix, @{bin}/kmod rCx -> kmod, @{bin}/lzop rix, @{bin}/mktemp rix, @@ -55,7 +55,7 @@ profile spectre-meltdown-checker @{exec_path} { @{bin}/od rix, @{bin}/perl rix, @{bin}/pgrep rCx -> pgrep, - @{bin}/rdmsr rix, + @{sbin}/rdmsr rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index bebfbe4198..95013d8e0a 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/spice-vdagentd +@{exec_path} = @{sbin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 6ff0fe7e94..8b66b652f2 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{bin}/ip rix, + @{sbin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index fe30e6da82..101310df17 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/thermald +@{exec_path} = @{sbin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index ff447e81e0..52fe2af61e 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -30,13 +30,13 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/ethtool rix, + @{sbin}/ethtool rix, @{bin}/flock rix, @{bin}/grep rix, - @{bin}/hdparm rPx, + @{sbin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, - @{bin}/iw rPx, + @{sbin}/iw rPx, @{bin}/logger rix, @{bin}/mktemp rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 0b35cff02d..a9db94276e 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -48,7 +48,7 @@ profile tomb @{exec_path} { @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{bin}/losetup rix, + @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -67,22 +67,22 @@ profile tomb @{exec_path} { @{bin}/zsh rix, @{bin}/btrfs rPx, - @{bin}/cryptsetup rPUx, + @{sbin}/cryptsetup rPUx, @{bin}/e2fsc rPUx, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, - @{bin}/mkfs.* rPUx, + @{sbin}/mkfs.* rPUx, @{bin}/mount rPx, @{bin}/pinentry rPx, @{bin}/pinentry-* rPx, @{bin}/qrencode rPx, - @{bin}/resize2fs rPx, + @{sbin}/resize2fs rPx, @{bin}/tomb-kdb-pbkdf2 rPUx, - @{bin}/tune2fs rPx, + @{sbin}/tune2fs rPx, @{bin}/umount rCx -> umount, @{bin}/updatedb.mlocate rPx, - @{bin}/zramctl rPx, + @{sbin}/zramctl rPx, /usr/share/file/** r, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index c7c914387f..ad258189cc 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -19,7 +19,7 @@ profile torsocks @{exec_path} { @{sh_path} rix, @{bin}/* rPUx, @{lib}/uwt/uwtexec rPUx, - @{bin}/getcap rix, + @{sbin}/getcap rix, /etc/tor/torsocks.conf r, diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached index 51746625ea..e42b10c26e 100644 --- a/apparmor.d/profiles-s-z/udev-bcache-export-cached +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached @@ -15,7 +15,7 @@ profile udev-bcache-export-cached @{exec_path} { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bcache-super-show rix, + @{sbin}/bcache-super-show rix, include if exists } diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 85b99b8abd..4b7d35c328 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/unix_chkpwd +@{exec_path} = @{sbin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index b496777e94..4bc88faaee 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-ca-certificates +@{exec_path} = @{sbin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 9bef23a77f..b7f00b263c 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-cracklib +@{exec_path} = @{sbin}/update-cracklib profile update-cracklib @{exec_path} { include include @@ -16,8 +16,8 @@ profile update-cracklib @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cracklib-format rix, - @{bin}/cracklib-packer rPx, + @{sbin}/cracklib-format rix, + @{sbin}/cracklib-packer rPx, @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 6948f28127..51961efb34 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-initramfs +@{exec_path} = @{sbin}/update-initramfs profile update-initramfs @{exec_path} { include include @@ -32,7 +32,7 @@ profile update-initramfs @{exec_path} { @{bin}/dpkg-trigger rPx, @{bin}/linux-version rPx, - @{bin}/mkinitramfs rPx, + @{sbin}/mkinitramfs rPx, /var/lib/initramfs-tools/* w, diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index d2e36ead0c..a40afd9942 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-pciids +@{exec_path} = @{sbin}/update-pciids profile update-pciids @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index e5ffca44f4..232c92d0cd 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-secureboot-policy +@{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 2ce61cebfe..70b9bc6e24 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-smart-drivedb +@{exec_path} = @{sbin}/update-smart-drivedb profile update-smart-drivedb @{exec_path} { include include @@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} { @{bin}/cmp rix, @{bin}/ r, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/wget rCx -> browse, diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 7a951b7e74..a9c77b5c28 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -19,7 +19,7 @@ profile updatedb-mlocate @{exec_path} { @{exec_path} mr, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 6612846cde..1e5417b15c 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -29,11 +29,11 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, - @{bin}/dmsetup rPx, + @{sbin}/dmsetup rPx, @{bin}/grep rix, @{bin}/kmod rix, - @{bin}/ldconfig rix, - @{bin}/losetup rCx -> losetup, + @{sbin}/ldconfig rix, + @{sbin}/losetup rCx -> losetup, @{bin}/mount rPx, @{bin}/sudo rix, @{bin}/umount rCx -> umount, @@ -85,7 +85,7 @@ profile veracrypt @{exec_path} { capability sys_rawio, - @{bin}/losetup mr, + @{sbin}/losetup mr, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 1460fb1a7a..7cf741dc28 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -28,7 +28,7 @@ profile vidcutter @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 614084c715..7c0443daee 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -39,7 +39,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{bin}/getfacl rix, @{bin}/setfacl rix, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/ssh rPx, @{lib}/spice-client-glib-usb-acl-helper rPx, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index e23d4db43e..d0fc54b7c7 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 88c44287d5..67b3cf5039 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index cc4ae2959f..41541ea84c 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -25,7 +25,7 @@ profile whdd @{exec_path} { @{bin}/tr rix, # To read SMART attributes - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 136caa781b..b2cfe0091f 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_action +@{exec_path} = @{sbin}/wpa_action profile wpa-action @{exec_path} { include @@ -17,14 +17,14 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - @{bin}/wpa_cli rPx, + @{sbin}/wpa_cli rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index 11da651797..eb4efeee91 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -7,13 +7,13 @@ abi , include -@{exec_path} = @{bin}/wpa_cli +@{exec_path} = @{sbin}/wpa_cli profile wpa-cli @{exec_path} { include @{exec_path} mr, - @{bin}/wpa_action rPx, + @{sbin}/wpa_action rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 23f77f8408..24f87b5a72 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_supplicant +@{exec_path} = @{sbin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 7de522fc8c..6ef05cc0fd 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wrmsr +@{exec_path} = @{sbin}/wrmsr profile wrmsr @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index d618a0db19..381e878fad 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -38,7 +38,7 @@ profile youtube-dl @{exec_path} { @{bin}/ r, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/git rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/rtmpdump rix, @{bin}/uname rix, @{lib}/git{,-core}/git rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 12fd657c30..a76bf0d89a 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -27,7 +27,7 @@ profile ytdl @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 8ac23a07c1..42181500b0 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -20,7 +20,7 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - @{bin}/update-grub rPx, + @{sbin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r, From 8ae1118de61b750ae39ceebb40dc420931c07f9d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 21:48:53 +0200 Subject: [PATCH 0039/1736] tests(check): ensure bin is not used instead of sbin. --- tests/check.sh | 11 + tests/sbin.list | 738 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 749 insertions(+) create mode 100644 tests/sbin.list diff --git a/tests/check.sh b/tests/check.sh index 3ddda98278..e35fd8b39b 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -106,6 +106,16 @@ _ensure_vim() { fi } +check_sbin() { + echo -e "\033[1m ⋅ \033[0mEnsuring '@{sbin}' is used in all profiles:" + while IFS= read -r name; do + mapfile -t files < <(grep -l -R "@{bin}/$name" apparmor.d) + for file in "${files[@]}"; do + _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" + done + done Date: Mon, 28 Apr 2025 21:57:26 +0200 Subject: [PATCH 0040/1736] feat(tunable): configure sbin across distributions. --- apparmor.d/tunables/multiarch.d/system | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 11fc6c2a87..6f7995c055 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -14,8 +14,9 @@ @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/ # Common places for binaries and libraries across distributions -@{bin}=/{,usr/}{,s}bin -@{sbin}=/{,usr/}sbin +@{bin}=/{,usr/}bin +@{sbin}=/{,usr/}sbin #aa:only apt zypper +@{sbin}=/{,usr/}{,s}bin #aa:only pacman @{lib}=/{,usr/}lib{,exec,32,64} # Common places for temporary files From af070877f2e096dcb267b8b83ccf9551e9d1bea7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 22:09:28 +0200 Subject: [PATCH 0041/1736] tests: update unit tests to last changes. --- pkg/aa/apparmor_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 9d68596d39..71be0ba0a2 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -211,7 +211,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, - Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"}, + Values: []string{"@{sbin}/aa-status", "@{sbin}/apparmor_status"}, }, }, Profiles: []*Profile{{ From aeb3614a076f0a666c0d85673110c07f813a41bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 22:34:17 +0200 Subject: [PATCH 0042/1736] tests: add some program to the list of tracked files in sbin. --- tests/sbin.list | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/tests/sbin.list b/tests/sbin.list index 3bc1941d1a..91057a4030 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -40,6 +40,7 @@ arptables-nft-save arptables-restore arptables-save aspell-autobuildhash +atd audisp-af_unix audisp-filter audisp-syslog @@ -48,6 +49,7 @@ auditd augenrules aureport ausearch +autrace avahi-daemon badblocks bashreadline-bpfcc @@ -76,6 +78,7 @@ bluetoothd bpflist-bpfcc bpftool bridge +brltty brltty-setup btrfsdist-bpfcc btrfsslower-bpfcc @@ -239,10 +242,12 @@ gnome-menus-blacklist gparted groupadd groupdel +groupmems groupmod grpck grpconv grpunconv +grub-bios-setup grub-install grub-macbless grub-mkconfig @@ -252,6 +257,7 @@ grub-reboot grub-set-default halt hardirqs-bpfcc +hc-ifscan hdparm hwclock iconvconfig @@ -298,11 +304,22 @@ iptables-translate iptunnel isadump isaset +iscsi_discovery +iscsi-iname +iscsiadm +iscsid +iscsistart isosize ispell-autobuildhash iucode_tool iucode-tool iw +iwconfig +iwevent +iwgetid +iwlist +iwpriv +iwspy javacalls-bpfcc javaflow-bpfcc javagc-bpfcc @@ -311,6 +328,7 @@ javastat-bpfcc javathreads-bpfcc kbdrate kdump-config +kerneloops kexec kexec-load-kernel key.dns_resolver @@ -359,6 +377,8 @@ lvrename lvresize lvs lvscan +lxc +lxd make-bcache make-ssl-cert mdadm @@ -403,6 +423,10 @@ mount.ntfs mount.ntfs-3g mount.smb3 mountsnoop-bpfcc +mpathpersist +multipath +multipathc +multipathd mysqld_qslower-bpfcc nameif naptime.bt @@ -431,6 +455,7 @@ oomkill.bt opensnoop-bpfcc opensnoop.bt openvpn +overlayroot-chroot ownership pam_extrausers_chkpwd pam_extrausers_update @@ -482,6 +507,7 @@ pythoncalls-bpfcc pythonflow-bpfcc pythongc-bpfcc pythonstat-bpfcc +qemu-ga rarp rdmaucma-bpfcc rdmsr @@ -548,6 +574,7 @@ sshd ssllatency.bt sslsniff-bpfcc sslsnoop.bt +sssd stackcount-bpfcc start-stop-daemon statsnoop-bpfcc @@ -607,6 +634,7 @@ thin_trim threadsnoop-bpfcc threadsnoop.bt tipc +tlp tplist-bpfcc trace-bpfcc traceroute @@ -617,6 +645,7 @@ tunefs.reiserfs u-d-c-print-pci-ids ucalls uflow +ufw ugc umount.udisks2 undump.bt @@ -635,6 +664,7 @@ update-fonts-alias update-fonts-dir update-fonts-scale update-grub +update-grub-gfxpayload update-grub2 update-gsfontmap update-icon-caches @@ -652,6 +682,7 @@ update-secureboot-policy update-shells update-smart-drivedb update-xmlcatalog +upgrade-from-grub-legacy usb_modeswitch usb_modeswitch_dispatcher usbmuxd From 7b55b351effc7e9aca311c0fab06457278a0599b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 22:41:40 +0200 Subject: [PATCH 0043/1736] feat(profile): replace @{bin} by @{sbin} on additional profiles. --- apparmor.d/groups/firewall/ufw | 2 +- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/systemd/systemd-sleep-tlp | 2 +- apparmor.d/groups/systemd/systemd-udevd | 3 ++- apparmor.d/profiles-a-f/atd | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-g-l/kerneloops | 2 +- apparmor.d/profiles-m-r/multipath | 2 +- apparmor.d/profiles-m-r/multipathd | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- 13 files changed, 14 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index 09f4f06f2c..b7f1336413 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ufw +@{exec_path} = @{sbin}/ufw profile ufw @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index b0d606701a..9ccd02275c 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-bios-setup +@{exec_path} = @{sbin}/grub-bios-setup profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ada70feec7..2d80b673ad 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -75,7 +75,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, @{bin}/install-info rPx, - @{bin}/iscsi-iname rix, + @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, @{sbin}/ldconfig rix, diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index 60a28d4af2..fc9a510674 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp @@ -13,7 +13,7 @@ profile systemd-sleep-tlp @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/tlp rPUx, + @{sbin}/tlp rPUx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 03bfd60006..1a9d51b359 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -46,12 +46,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{sbin}/dmsetup rPx, @{sbin}/ethtool rix, @{bin}/issue-generator rPx, + @{sbin}/kdump-config rPUx, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{sbin}/lvm rPx, @{bin}/mknod rix, - @{bin}/multipath rPx, + @{sbin}/multipath rPx, @{bin}/nfsrahead rix, @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, @{bin}/setfacl rix, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 3a0669c76e..8d94da3db1 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index f864a605b5..d567822676 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -20,7 +20,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{bin}/touch rix, @{bin}/lsblk rPx, @{sbin}/lvm rPx, - @{bin}/multipathd rPx, + @{sbin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 815fa4e382..70c8b94607 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kerneloops +@{exec_path} = @{sbin}/kerneloops profile kerneloops @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 409834fbc8..588f4b6b1f 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/multipath +@{exec_path} = @{sbin}/multipath profile multipath @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index 14bb16cafb..a07691a5ca 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/multipathd +@{exec_path} = @{sbin}/multipathd profile multipathd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 263fab8bb4..fc071d80f6 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -43,7 +43,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, - @{bin}/multipath rPx, + @{sbin}/multipath rPx, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 461d27c61a..c6e6ca54ea 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga profile qemu-ga @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 52fe2af61e..c01edd9ec7 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/tlp +@{exec_path} = @{sbin}/tlp profile tlp @{exec_path} flags=(attach_disconnected) { include include From 1c499183f2f2b19dda44f69d08dd2b3bd56384c8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 22:43:33 +0200 Subject: [PATCH 0044/1736] feat(aa-log): add support for the sbin variable. --- pkg/logs/logs.go | 3 ++- pkg/logs/logs_test.go | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 194e6dc030..2443eaace1 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -67,7 +67,8 @@ var ( `/att/[^/@]+`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, - `/usr/(bin|sbin)`, `@{bin}`, + `/usr/sbin`, `@{sbin}`, + `/usr/bin`, `@{bin}`, `(x86_64|amd64|i386|i686)`, `@{arch}`, `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 6ddd5ac9ec..376b23f420 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -81,7 +81,7 @@ func TestAppArmorEvents(t *testing.T) { want: AppArmorLogs{ { "apparmor": "ALLOWED", - "profile": "@{bin}/httpd2-prefork//vhost_foo", + "profile": "@{sbin}/httpd2-prefork//vhost_foo", "operation": "rename_dest", "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg", "comm": "httpd2-prefork", From 4f4a8fa8e7ff457c27496885dc086549484cebc9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 23:04:17 +0200 Subject: [PATCH 0045/1736] test(check): ensurre we only match the sbin name. --- tests/check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/check.sh b/tests/check.sh index e35fd8b39b..02ae718125 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -109,7 +109,7 @@ _ensure_vim() { check_sbin() { echo -e "\033[1m ⋅ \033[0mEnsuring '@{sbin}' is used in all profiles:" while IFS= read -r name; do - mapfile -t files < <(grep -l -R "@{bin}/$name" apparmor.d) + mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) for file in "${files[@]}"; do _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" done From 018ca1b0b596b1469418a9d3e0916ddff52de149 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 29 Apr 2025 00:14:01 +0200 Subject: [PATCH 0046/1736] feat(abs): ensure app root launcher can start program in sbin. --- apparmor.d/abstractions/app-launcher-root | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 5d2f743638..0bc7dbeff6 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -6,6 +6,7 @@ abi , @{bin}/** PUx, + @{sbin}/** PUx, /usr/local/{s,}bin/** PUx, @{bin}/ r, From b9eaa840bd3aed84c94399d14556e6e6aa955fd2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 29 Apr 2025 00:31:08 +0200 Subject: [PATCH 0047/1736] fix: integration tests. --- .github/local/needrestart | 1 + apparmor.d/groups/apt/deb-systemd-helper | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/local/needrestart b/.github/local/needrestart index 33b23e0148..3825baf617 100644 --- a/.github/local/needrestart +++ b/.github/local/needrestart @@ -1,2 +1,3 @@ + @{bin}/waagent r, /var/lib/waagent/** r, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index 28de2a8a0c..a81ef6d7c3 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -18,6 +18,7 @@ profile deb-systemd-helper @{exec_path} { /var/lib/systemd/deb-systemd-helper-enabled/** rw, /var/lib/systemd/deb-systemd-helper-masked/ rw, + /var/lib/systemd/deb-systemd-user-helper-enabled/** rw, profile systemctl { include @@ -27,8 +28,11 @@ profile deb-systemd-helper @{exec_path} { /etc/systemd/ r, /etc/systemd/system/ r, /etc/systemd/system/* rw, - /etc/systemd/system/*.wants/ r, + /etc/systemd/system/*.wants/ rw, /etc/systemd/system/*.wants/* rw, + /etc/systemd/user/ r, + /etc/systemd/user/*.wants/ rw, + /etc/systemd/user/*.wants/* rw, include if exists } From d162032af9d5f57dc381dc42681a7ff675d885c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 30 Apr 2025 22:16:45 +0200 Subject: [PATCH 0048/1736] feat(profile): allow needrestart to scan more directories. --- apparmor.d/profiles-m-r/needrestart | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 2470c527fc..567c744b8d 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -26,7 +26,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/* r, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, @@ -43,11 +42,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, - @{att}/@{lib}/@{python_name}/** r, - - /usr/share/needrestart/{,**} r, - /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, - /etc/debconf.conf r, /etc/init.d/* r, /etc/needrestart/{,**} r, @@ -56,11 +50,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { / r, /boot/ r, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, - - owner /var/lib/juju/agents/{,**} r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /boot/* r, + /opt/*/** r, + @{bin}/* r, + @{lib}/** r, + @{sbin}/** r, + @{att}/@{lib}/** r, + /usr/share/** r, + /var/lib/*/** r, /tmp/@{word10}/ rw, From 48a37bbf3431c4c79e4651229fbfad223d3f1003 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 14:36:57 +0200 Subject: [PATCH 0049/1736] build: configure sbin value according to the target distribution. --- pkg/aa/apparmor.go | 3 +-- pkg/prebuild/builder/userspace.go | 10 ++++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index f0deaffc91..6119a0c91e 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, + &Variable{Name: "bin", Values: []string{"/{,usr/}bin"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, &Variable{Name: "dpkg_script_ext", Values: []string{"config", "templates", "preinst", "postinst", "prerm", "postrm"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, @@ -45,7 +45,6 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true}, &Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters &Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true}, - &Variable{Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true}, &Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true}, &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 618b67c17c..37bb3a978b 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -40,6 +40,16 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) { } f := aa.DefaultTunables() + if prebuild.Distribution == "arch" { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}{,s}bin"}, Define: true, + }) + } else { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true, + }) + } + if _, err := f.Parse(profile); err != nil { return "", err } From 7431867fa4fa885305a0c029a07fe149d88bf760 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 14:37:31 +0200 Subject: [PATCH 0050/1736] ci(github): remove useless github specific rules. --- .github/local/needrestart | 3 --- .github/workflows/main.yml | 1 - 2 files changed, 4 deletions(-) delete mode 100644 .github/local/needrestart diff --git a/.github/local/needrestart b/.github/local/needrestart deleted file mode 100644 index 3825baf617..0000000000 --- a/.github/local/needrestart +++ /dev/null @@ -1,3 +0,0 @@ - - @{bin}/waagent r, - /var/lib/waagent/** r, diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 15807cfe2e..f04ac13814 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -101,7 +101,6 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support - sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart - name: Install apparmor.d run: | From dc816178f5768dd1b26deb68061ea8197c781f71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 14:38:52 +0200 Subject: [PATCH 0051/1736] fix(profile): ensure adduser use sbin. --- apparmor.d/profiles-a-f/adduser | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 135f65067c..d971d22f39 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/add{user,group} +@{exec_path} = @{sbin}/adduser @{sbin}/group profile adduser @{exec_path} { include include From 3a568ba3074cc95ccdc0763a9bcd4c439a7d8677 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 15:17:03 +0200 Subject: [PATCH 0052/1736] feat(profile): add more programs to the list of sbin program. --- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- .../groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/filesystem/btrfs-convert | 2 +- apparmor.d/groups/filesystem/btrfs-image | 2 +- apparmor.d/groups/filesystem/btrfstune | 2 +- apparmor.d/groups/filesystem/mount-nfs | 4 +- apparmor.d/groups/filesystem/nfsdcld | 2 +- .../freedesktop/plymouth-set-default-theme | 2 +- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/systemsettings | 2 +- apparmor.d/groups/pacman/mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/steam/steam | 4 +- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/groups/utils/lspci | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 2 +- apparmor.d/profiles-a-f/chronyd | 2 +- apparmor.d/profiles-a-f/crda | 2 +- apparmor.d/profiles-a-f/fatresize | 2 +- apparmor.d/profiles-g-l/gpartedbin | 6 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hw-probe | 6 +- apparmor.d/profiles-g-l/hwinfo | 4 +- apparmor.d/profiles-g-l/install-info | 2 +- apparmor.d/profiles-g-l/inxi | 2 +- apparmor.d/profiles-g-l/irqbalance | 2 +- apparmor.d/profiles-g-l/issue-generator | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-m-r/os-prober | 4 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/rngd | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/ss | 2 +- apparmor.d/profiles-s-z/tomb | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- tests/sbin.list | 287 ++++++++++++++++++ 44 files changed, 338 insertions(+), 51 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index c6fc2dff2d..b64317a574 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-notify +@{exec_path} = @{sbin}/aa-notify profile aa-notify @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 7c53f7c8d6..68729b7fee 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -21,7 +21,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/netstat Px, - @{bin}/ss Px, + @{sbin}/ss Px, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 2778b2b39b..3e60798e92 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -55,7 +55,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, @{sbin}/on_ac_power rPx, - @{bin}/sendmail rPUx, + @{sbin}/sendmail rPUx, @{lib}/apt/methods/http{,s} rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/update-notifier/update-motd-updates-available rPx, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index cfdaeed3f7..052180a99c 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -20,7 +20,7 @@ profile xdm-xsession @{exec_path} { @{bin}/basename rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/dirname rix, @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, diff --git a/apparmor.d/groups/filesystem/btrfs-convert b/apparmor.d/groups/filesystem/btrfs-convert index 2dccbf1fd2..22715c8576 100644 --- a/apparmor.d/groups/filesystem/btrfs-convert +++ b/apparmor.d/groups/filesystem/btrfs-convert @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-convert +@{exec_path} = @{sbin}/btrfs-convert profile btrfs-convert @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfs-image b/apparmor.d/groups/filesystem/btrfs-image index 6f18ac0959..48be7c3815 100644 --- a/apparmor.d/groups/filesystem/btrfs-image +++ b/apparmor.d/groups/filesystem/btrfs-image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-image +@{exec_path} = @{sbin}/btrfs-image profile btrfs-image @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfstune b/apparmor.d/groups/filesystem/btrfstune index f8fa4a0476..24a8ef46e2 100644 --- a/apparmor.d/groups/filesystem/btrfstune +++ b/apparmor.d/groups/filesystem/btrfstune @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfstune +@{exec_path} = @{sbin}/btrfstune profile btrfstune @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mount-nfs b/apparmor.d/groups/filesystem/mount-nfs index 26f3e2d570..f670b62d78 100644 --- a/apparmor.d/groups/filesystem/mount-nfs +++ b/apparmor.d/groups/filesystem/mount-nfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mount.nfs +@{exec_path} = @{sbin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include @@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/flock rix, - @{bin}/start-statd rix, + @{sbin}/start-statd rix, @{bin}/systemctl rCx -> systemctl, /etc/fstab r, diff --git a/apparmor.d/groups/filesystem/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld index be122a3cb3..23ecc576ef 100644 --- a/apparmor.d/groups/filesystem/nfsdcld +++ b/apparmor.d/groups/filesystem/nfsdcld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nfsdcld +@{exec_path} = @{sbin}/nfsdcld profile nfsdcld @{exec_path} { include diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index bd5a34dcd9..b9b2cfd458 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/plymouth-set-default-theme +@{exec_path} = @{sbin}/plymouth-set-default-theme profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 3f5cf61090..e8a0315bd6 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -37,7 +37,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 06fdf1601f..3274a5e6d3 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -19,7 +19,7 @@ profile grub-install @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/kmod rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 0ca05d5494..8034d7e54d 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -21,7 +21,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/{e,f,}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cut rix, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 6c29d96803..25eccc93d1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -19,7 +19,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/wsdd rPx, + @{sbin}/wsdd rPx, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 4d883303fa..b4111d6d03 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -76,7 +76,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{shells_path} rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/disable-paste rix, @{bin}/locale rix, @{bin}/manpath rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6a..0d71565029 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -29,7 +29,7 @@ profile systemsettings @{exec_path} { @{bin}/cat rix, @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/openssl rix, @{bin}/pactl rPx, @{bin}/plasma-discover rPx, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index fdd9618fc8..785f4f448d 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -47,7 +47,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/{modinfo,rmmod} rPx, @{sbin}/modprobe rPx, @{bin}/plymouth rPx, - @{bin}/plymouth-set-default-theme rPx, + @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, @{bin}/sync rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 2d80b673ad..8d7345fda4 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -74,7 +74,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, - @{bin}/install-info rPx, + @{sbin}/install-info rPx, @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 73c78f2ed1..11e863972f 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, - @{bin}/lspci rCx -> lspci, + @{sbin}/lspci rCx -> lspci, @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix receive type=stream, - @{bin}/lspci mr, + @{sbin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 1a9d51b359..3861056b82 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -45,7 +45,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{bin}/ddcutil rPx, @{sbin}/dmsetup rPx, @{sbin}/ethtool rix, - @{bin}/issue-generator rPx, + @{sbin}/issue-generator rPx, @{sbin}/kdump-config rPUx, @{bin}/kmod rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index b390346bb2..7fc88e41a8 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/lspci +@{exec_path} = @{sbin}/lspci profile lspci @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf9..c4741b09a4 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 8d94da3db1..aa0a365fd3 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -27,7 +27,7 @@ profile atd @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/sendmail rPUx, + @{sbin}/sendmail rPUx, @{bin}/exim4 rPx, @{etc_ro}/environment r, diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 155d82f075..e4a986c8af 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/chronyd +@{exec_path} = @{sbin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 50d34bad49..d3b6cba6fa 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/crda +@{exec_path} = @{sbin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 8db6bde6f5..6f4c86647f 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatresize +@{exec_path} = @{sbin}/fatresize profile fatresize @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 29bac6a2f6..235d0cadca 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -39,9 +39,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rCx -> udevadm, @{bin}/umount rCx -> umount, - @{bin}/btrfs rPx, - @{bin}/btrfstune rPx, - @{bin}/dmraid rPUx, + @{sbin}/btrfs rPx, + @{sbin}/btrfstune rPx, + @{sbin}/dmraid rPUx, @{sbin}/dmsetup rPUx, @{sbin}/dumpe2fs rPx, @{sbin}/e2fsck rPx, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 97fad1f139..459efa23e0 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -53,7 +53,7 @@ profile hardinfo @{exec_path} { @{bin}/glxinfo rPx, @{bin}/xdpyinfo rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/netstat rPx, @{bin}/qtchooser rPx, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 2a1244ef7f..fc6b8775b6 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -24,7 +24,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/find rix, @{bin}/md5sum rix, @@ -53,7 +53,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, @{sbin}/hdparm rPx, - @{bin}/hwinfo rPx, + @{sbin}/hwinfo rPx, @{bin}/i2cdetect rPx, @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, @@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 21165acec9..4919d2fb21 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hwinfo +@{exec_path} = @{sbin}/hwinfo profile hwinfo @{exec_path} { include include @@ -29,7 +29,7 @@ profile hwinfo @{exec_path} { @{bin}/udevadm rCx -> udevadm, @{sbin}/acpidump rPUx, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, /usr/share/hwinfo/{,**} r, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index f155339b18..e7fdfd95a9 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/install-info +@{exec_path} = @{sbin}/install-info profile install-info @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a28..01d358fbfa 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -51,7 +51,7 @@ profile inxi @{exec_path} { @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/openbox rPx, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index fec2d7c932..022dc92d52 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/irqbalance +@{exec_path} = @{sbin}/irqbalance profile irqbalance @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 8f2d53f76b..7783c8005f 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/issue-generator +@{exec_path} = @{sbin}/issue-generator profile issue-generator @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index cf77b7ab8a..b640d90fd3 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -41,7 +41,7 @@ profile monitorix @{exec_path} { @{bin}/tail rix, @{bin}/{m,g,}awk rix, @{bin}/free rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{bin}/who rix, @{sbin}/lvm rix, @{sbin}/xtables-nft-multi rix, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index fc071d80f6..162c0b7432 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -27,10 +27,10 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,f,}grep rix, @{sbin}/blkid rPx, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, @{sbin}/grub-probe rPx, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index c3df0072d3..ca93ade6bd 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -63,7 +63,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, - @{bin}/install-info rPx, + @{sbin}/install-info rPx, @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 8ae73c5d07..ebbf0a5abc 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rngd +@{exec_path} = @{sbin}/rngd profile rngd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 019e89e23d..b45dd3986b 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/setpci +@{exec_path} = @{sbin}/setpci profile setpci @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index a942cac4f5..2ce6b6b4d5 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ss +@{exec_path} = @{sbin}/ss profile ss @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index a9db94276e..508ac6effd 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -66,7 +66,7 @@ profile tomb @{exec_path} { @{bin}/tr rix, @{bin}/zsh rix, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, @{bin}/e2fsc rPUx, @{sbin}/fsck rPx, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa0..68ddb97a58 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 20575b2a89..7aa812f79f 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/wsdd +@{exec_path} = @{sbin}/wsdd profile wsdd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 91057a4030..8697295437 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -9,22 +9,29 @@ aa-genprof aa-load aa-logprof aa-mergeprof +aa-notify aa-remove-unknown aa-status aa-teardown aa-unconfined aa-update-browser accessdb +acpi_genl acpid +acpidump add-shell addgnupghome addgroup +addpart adduser agetty alsa alsa-info +alsa-info.sh +alsa-init alsabat-test alsactl +alternatives anacron apparmor_parser apparmor_status @@ -44,13 +51,17 @@ atd audisp-af_unix audisp-filter audisp-syslog +audit auditctl auditd augenrules aureport ausearch +autodep +automount autrace avahi-daemon +avahi-dnsconfd badblocks bashreadline-bpfcc bashreadline.bt @@ -71,17 +82,26 @@ bitesize.bt blkdeactivate blkdiscard blkid +blkmapd blkpr blkzone blockdev +blogctl +blogd +blogger bluetoothd bpflist-bpfcc bpftool bridge brltty brltty-setup +btrfs +btrfs-convert +btrfs-image +btrfsck btrfsdist-bpfcc btrfsslower-bpfcc +btrfstune cache_check cache_dump cache_metadata_size @@ -97,16 +117,22 @@ cfdisk cgdisk chat chcpu +check_mail_queue check-bios-nx +checkproc chgpasswd +chkstat-polkit chmem chpasswd +chronyd chroot cifs.idmap cifs.upcall cobjnew-bpfcc coldreboot compactsnoop-bpfcc +complain +config.postfix cpgr cppw cpudist-bpfcc @@ -116,6 +142,8 @@ cracklib-check cracklib-format cracklib-packer cracklib-unpacker +cracklib-update +crda create-cracklib-dict criticalstat-bpfcc cron @@ -123,7 +151,10 @@ cryptdisks_start cryptdisks_stop cryptsetup ctrlaltdel +ctstat cups-browsed +cups-genppd.5.3 +cups-genppdupdate cupsaccept cupsctl cupsd @@ -137,20 +168,27 @@ dcb dcsnoop-bpfcc dcsnoop.bt dcstat-bpfcc +ddns-confgen deadlock-bpfcc debugfs debugfs.reiserfs debugreiserfs +decode defrag.f2fs delgroup +delpart deluser depmod devlink dhcpcd dirtop-bpfcc +disable dkms +dmevent_tool dmeventd +dmfilemapd dmidecode +dmraid dmsetup dmstats dnsmasq @@ -172,6 +210,7 @@ e2scrub_all e2undo e4crypt e4defrag +eapol_test ebtables ebtables-nft ebtables-nft-restore @@ -179,11 +218,17 @@ ebtables-nft-save ebtables-restore ebtables-save ebtables-translate +ec_access +efibootdump +efibootmgr +enforce era_check era_dump era_invalidate era_restore ethtool +eventlogadm +exec execsnoop-bpfcc execsnoop.bt exfat2img @@ -196,7 +241,11 @@ f2fscrypt f2fslabel f2fsslower-bpfcc faillock +fancontrol fatlabel +fatresize +fbtest +fdformat fdisk fibmap.f2fs filefrag @@ -207,6 +256,8 @@ filetop-bpfcc findfs firewalld fixparts +flushb +fonts-config fsadm fsck fsck.btrfs @@ -229,17 +280,23 @@ funccount-bpfcc funcinterval-bpfcc funclatency-bpfcc funcslower-bpfcc +g13-syshelp gdisk +gdm gdm3 genl +genprof getcap gethostlatency-bpfcc gethostlatency.bt getpcaps +getsysinfo getty getweb gnome-menus-blacklist +gpart gparted +gpm groupadd groupdel groupmems @@ -255,16 +312,36 @@ grub-mkdevicemap grub-probe grub-reboot grub-set-default +grub2-bios-setup +grub2-check-default +grub2-install +grub2-macbless +grub2-mkconfig +grub2-ofpathname +grub2-once +grub2-probe +grub2-reboot +grub2-set-default +grub2-sparc64-setup +grub2-switch-to-blscfg halt hardirqs-bpfcc hc-ifscan hdparm hwclock +hwinfo iconvconfig ifconfig +ifrename +ifstat +import-openSUSE-build-key init inject-bpfcc +inputattach insmod +install_acx100_firmware +install_intersil_firmware +install-info install-sgmlcatalog installkernel integritysetup @@ -273,6 +350,7 @@ ip ip6tables ip6tables-apply ip6tables-legacy +ip6tables-legacy-batch ip6tables-legacy-restore ip6tables-legacy-save ip6tables-nft @@ -292,6 +370,7 @@ ipset-translate iptables iptables-apply iptables-legacy +iptables-legacy-batch iptables-legacy-restore iptables-legacy-save iptables-nft @@ -302,6 +381,8 @@ iptables-restore-translate iptables-save iptables-translate iptunnel +irqbalance +irqbalance-ui isadump isaset iscsi_discovery @@ -311,6 +392,8 @@ iscsid iscsistart isosize ispell-autobuildhash +isserial +issue-generator iucode_tool iucode-tool iw @@ -327,15 +410,19 @@ javaobjnew-bpfcc javastat-bpfcc javathreads-bpfcc kbdrate +kbdsettings kdump-config kerneloops kexec +kexec-bootloader kexec-load-kernel key.dns_resolver killall5 +killproc killsnoop-bpfcc killsnoop.bt klockstat-bpfcc +klogd kpartx kvm-ok kvmexit-bpfcc @@ -347,9 +434,12 @@ libgvc6-config-update libvirt-dbus libvirtd llcstat-bpfcc +lnstat loads.bt locale-gen +logprof logrotate +logrotate-all logsave losetup lpadmin @@ -357,6 +447,7 @@ lpc lpinfo lpmove lsmod +lspci lspcmcia luksformat lvchange @@ -365,7 +456,9 @@ lvcreate lvdisplay lvextend lvm +lvm_import_vdo lvmconfig +lvmdevices lvmdiskscan lvmdump lvmpolld @@ -377,16 +470,21 @@ lvrename lvresize lvs lvscan +lwepgen lxc lxd make-bcache make-ssl-cert +mariadbd +mcelog mdadm mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc mii-tool +mk_isdnhwdb +mkdict mkdosfs mke2fs mkfs @@ -406,10 +504,13 @@ mkfs.reiserfs mkfs.vfat mkfs.xfs mkhomedir_helper +mkill mkinitramfs mklost+found mkntfs +mkpostfixcert mkreiserfs +mksubvolume mkswap ModemManager modinfo @@ -419,14 +520,18 @@ mount.ddi mount.fuse mount.fuse3 mount.lowntfs-3g +mount.nfs +mount.nfs4 mount.ntfs mount.ntfs-3g mount.smb3 mountsnoop-bpfcc +mountstats mpathpersist multipath multipathc multipathd +mysqld mysqld_qslower-bpfcc nameif naptime.bt @@ -436,12 +541,21 @@ netqtop-bpfcc NetworkManager newusers nfnl_osf +nfsconf +nfsdcld nfsdist-bpfcc +nfsidmap +nfsiostat nfsslower-bpfcc +nfsstat nft +nmbd nodegc-bpfcc nodestat-bpfcc nologin +notify +nss-mdns-config +nstat ntfsclone ntfscp ntfslabel @@ -452,22 +566,28 @@ offwaketime-bpfcc on_ac_power oomkill-bpfcc oomkill.bt +openconnect opensnoop-bpfcc opensnoop.bt openvpn overlayroot-chroot ownership +packer pam_extrausers_chkpwd pam_extrausers_update pam_getenv pam_namespace_helper pam_timestamp_check pam-auth-update +pam-config paperconfig parse.f2fs parted partprobe +partx +pbl pccardctl +pcilmr pcscd pdata_tools perlcalls-bpfcc @@ -476,11 +596,26 @@ perlstat-bpfcc phpcalls-bpfcc phpflow-bpfcc phpstat-bpfcc +pidofproc pidpersec-bpfcc pidpersec.bt pivot_root plipconfig +pluginviewer +plymouth-set-default-theme plymouthd +postalias +postcat +postconf +postdrop +postfix +postkick +postlock +postlog +postmap +postmulti +postqueue +postsuper poweroff ppchcalls-bpfcc pppd @@ -502,18 +637,96 @@ pvscan pwck pwconv pwhistory_helper +pwmconfig pwunconv pythoncalls-bpfcc pythonflow-bpfcc pythongc-bpfcc pythonstat-bpfcc qemu-ga +qmqp-source rarp +rcapparmor +rcauditd +rcautofs +rcavahi-daemon +rcavahi-dnsconfd +rcblk-availability +rcbolt +rcbtrfsmaintenance-refresh +rcca-certificates +rcchrony-wait +rcchronyd +rccolord +rccron +rccups +rccups-browsed +rccups-lpd +rcdbus +rcdisplay-manager +rcdm-event +rcdnsmasq +rcfancontrol +rcfirewalld +rcflatpak-system-helper +rcfstrim +rcfwupd +rcfwupd-offline-update +rcfwupd-refresh +rcgpm +rcirqbalance +rcissue-add-ssh-keys +rcissue-generator +rckexec-load +rclm_sensors +rclogrotate +rclvm2-lvmpolld +rclvm2-monitor +rcmariadb +rcmcelog +rcmdmonitor +rcModemManager +rcmultipathd +rcmysql +rcnetwork +rcnfs-client +rcnmb +rcopenvpn +rcostree-prepare-root +rcostree-remount +rcpackagekit +rcpackagekit-offline-update +rcpcscd +rcpkcs11_eventmgr +rcpostfix +rcrng-tools +rcrpcbind +rcrsyncd +rcrtkit-daemon +rcsddm +rcsmartd +rcsmb +rcsnmpd +rcsnmptrapd +rcspeech-dispatcherd +rcspice-vdagentd +rcsshd +rctuned +rcudisks2 +rcupower +rcusbmuxd +rcwpa_supplicant +rcwsdd +rcxdm +rcxvnc +rdma rdmaucma-bpfcc rdmsr readahead-bpfcc readprofile reboot +refresh_initrd +regdbdump reiserfsck reiserfstune remove-default-ispell @@ -524,17 +737,33 @@ reset-trace-bpfcc resize_reiserfs resize.f2fs resize2fs +resizepart resolvconf rfkill rmmod rmt rmt-tar +rndc +rndc-confgen +rngd route +routel +rpc.gssd +rpc.idmapd +rpc.statd +rpc.svcgssd +rpcbind +rpcctl +rpcdebug +rpcinfo +rpmconfigcheck +rsyncd rsyslogd rtacct rtcwake rtkitctl rtmon +rtstat rubycalls-bpfcc rubyflow-bpfcc rubygc-bpfcc @@ -547,38 +776,67 @@ runqlen-bpfcc runqlen.bt runqslower-bpfcc runuser +rvmtab saned +sasldblistusers2 +saslpasswd2 +save_y2logs +schema2ldif select-default-ispell select-default-wordlist +sendmail sensors-detect service +set_polkit_default_privs setcap +setconsole +setpci setuids.bt +setup-nsssysinit.sh setvesablank setvtrgb sfdisk sgdisk shadowconfig +shim-install shmsnoop-bpfcc +showconsole +showmount shutdown +skdump +sktest slabratetop-bpfcc slattach sload.f2fs +sm-notify +smart_agetty smartctl smartd +smbd +smtp-sink +smtp-source +snapperd +snmpd +snmptrapd sofdsnoop-bpfcc softirqs-bpfcc solisten-bpfcc spice-vdagentd +ss sshd +sshd-gen-keys-start ssllatency.bt sslsniff-bpfcc sslsnoop.bt sssd stackcount-bpfcc +start_daemon +start-statd start-stop-daemon +startproc statsnoop-bpfcc statsnoop.bt +status sudo_logsrvd sudo_sendlog sulogin @@ -590,9 +848,11 @@ switch_root sync-available syncsnoop-bpfcc syncsnoop.bt +sysconf_addword syscount-bpfcc syscount.bt sysctl +sysusers2shadow tarcat tc tclcalls-bpfcc @@ -638,20 +898,30 @@ tlp tplist-bpfcc trace-bpfcc traceroute +tsig-keygen ttysnoop-bpfcc tune.exfat tune2fs +tuned +tuned-adm tunefs.reiserfs +tunelp u-d-c-print-pci-ids ucalls uflow ufw ugc +umount.nfs +umount.nfs4 umount.udisks2 +unconfined undump.bt unix_chkpwd unix_update +unix2_chkpwd uobjnew +update-alternatives +update-bootloader update-ca-certificates update-catalog update-cracklib @@ -693,6 +963,7 @@ ustat uthreads uuidd validlocale +vconfig vcstime vdpa veritysetup @@ -711,6 +982,7 @@ vgexport vgextend vgimport vgimportclone +vgimportdevices vgmerge vgmknodes vgreduce @@ -719,22 +991,30 @@ vgrename vgs vgscan vgsplit +vhangup vigr vipw +virt-what virtiostat-bpfcc virtlockd virtlogd visudo vmcore-dmesg +vncsession vpddecode +vpnc +vpnc-disconnect wakeuptime-bpfcc wipefs +wiper.sh wpa_action wpa_cli +wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt wrmsr +wsdd xfs_admin xfs_bmap xfs_copy @@ -750,6 +1030,7 @@ xfs_mdrestore xfs_metadump xfs_mkfile xfs_ncheck +xfs_property xfs_quota xfs_repair xfs_rtcp @@ -759,11 +1040,17 @@ xfs_spaceman xfsdist-bpfcc xfsdist.bt xfsslower-bpfcc +xkbctrl xtables-legacy-multi xtables-monitor xtables-nft-multi +yast +yast2 +zdump zerofree zfsdist-bpfcc zfsslower-bpfcc zic zramctl +zypp-refresh +zypper-log From 45d7cf48c4aa5909b34daa168195248aa37c72cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 18:48:31 +0200 Subject: [PATCH 0053/1736] fix(profile): small improvment raised by the tests. --- apparmor.d/groups/_full/systemd | 1 + apparmor.d/groups/apt/deb-systemd-helper | 11 ++++++++--- apparmor.d/groups/bus/dbus-system | 1 + apparmor.d/groups/network/rpcbind | 2 +- apparmor.d/profiles-m-r/needrestart | 2 ++ apparmor.d/profiles-m-r/run-parts | 2 +- apparmor.d/profiles-s-z/unhide-tcp | 2 +- apparmor.d/profiles-s-z/which | 2 ++ 8 files changed, 17 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 827e9fcf7a..e1a9918e1a 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -152,6 +152,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=system name=org.freedesktop.timesync1 @{bin}/** Px, + @{sbin}/** Px, @{lib}/** Px, /etc/cron.*/* Px, /etc/init.d/* Px, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index a81ef6d7c3..77fe1f4557 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -16,14 +16,19 @@ profile deb-systemd-helper @{exec_path} { @{bin}/systemctl rCx -> systemctl, - /var/lib/systemd/deb-systemd-helper-enabled/** rw, - /var/lib/systemd/deb-systemd-helper-masked/ rw, - /var/lib/systemd/deb-systemd-user-helper-enabled/** rw, + /etc/systemd/system/* w, + /etc/systemd/user/* w, + + /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, + /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, + /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw, profile systemctl { include include + capability net_admin, + /etc/ r, /etc/systemd/ r, /etc/systemd/system/ r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index ee64c6497a..4dec1d4073 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -47,6 +47,7 @@ profile dbus-system flags=(attach_disconnected) { @{exec_path} mrix, @{bin}/** PUx, + @{sbin}/** PUx, @{lib}/** PUx, /usr/share/*/** PUx, diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index f9dcac8d19..1d81292fd1 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/rpcbind +@{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 567c744b8d..c2bc8b2b6f 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,6 +59,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /usr/share/** r, /var/lib/*/** r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /tmp/@{word10}/ rw, owner @{run}/sshd.pid r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index f6d40b0c51..8adb0f748d 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -232,7 +232,7 @@ profile run-parts @{exec_path} { @{sbin}/dkms rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPUx, @{sbin}/update-initramfs rPx, @{lib}/dkms/dkms_autoinstaller rPx, diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index c4b30b8849..8827bca14b 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} { @{bin}/fuser rix, @{bin}/netstat rix, @{bin}/sed rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 855db3f4bc..cc95a17f93 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -17,7 +17,9 @@ profile which @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ r, + @{sbin}/ r, @{bin}/**/ r, + @{sbin}/**/ r, @{lib}/ r, @{lib}/**/ r, /opt/**/bin/ r, From 8f250f451c8a0ce2e9aabcb54edf28af7f1d42db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 19:23:42 +0200 Subject: [PATCH 0054/1736] doc: add sbin. --- docs/variables.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/variables.md b/docs/variables.md index 7dc8e5ff6e..1bcee8f938 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -168,7 +168,8 @@ title: Variables References | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | | Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | | Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | -| Bin | `@{bin}` | `/{usr/,}{s,}bin` | +| Bin | `@{bin}` | `/{usr/,}bin` | +| Sbin | `@{sbin}` | `/{usr/,}sbin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | | Proc | `@{PROC}` | `/proc/` | From ad4bfab4f22d8decb271fe7958890601ccc4e3e9 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Sat, 26 Apr 2025 22:04:27 +0300 Subject: [PATCH 0055/1736] loginctl-linger --- apparmor.d/groups/systemd/loginctl | 1 + apparmor.d/groups/systemd/systemd-logind | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index ca43277aa5..a6406ab70e 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -12,6 +12,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { include include include + include capability net_admin, capability sys_resource, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a879d02ec3..a56e162981 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -56,7 +56,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /swap/swapfile r, /swapfile r, - /var/lib/systemd/linger/ r, + /var/lib/systemd/linger/{,@{user}} rw, @{run}/.#nologin* rw, @{run}/credentials/getty@tty@{int}.service/ r, From 83806c1b357bf36be96473f150a34bc87a272e9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 19:38:57 +0200 Subject: [PATCH 0056/1736] fix(profile): ensure cmus can read the home directory fix #728 --- apparmor.d/profiles-a-f/cmus | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus index c3916890f8..750fe93453 100644 --- a/apparmor.d/profiles-a-f/cmus +++ b/apparmor.d/profiles-a-f/cmus @@ -18,6 +18,9 @@ profile cmus @{exec_path} { /etc/machine-id r, + / r, + owner @{HOME}/ r, # For pwd + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/ r, From c969faf6e813eb9f311be907fc1a5b3bf8e336e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 19:46:32 +0200 Subject: [PATCH 0057/1736] feat(profile): add initial version of sshd-auth. Fix #725 --- apparmor.d/groups/ssh/sshd | 1 + dists/flags/main.flags | 1 + 2 files changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 3ae1326d87..fe5a6f1cd9 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -65,6 +65,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{sbin}/nologin rPx, @{bin}/passwd rPx, @{lib}/{openssh,ssh}/sftp-server rPx, + @{lib}/{openssh,ssh}/sshd-auth rPx, @{lib}/{openssh,ssh}/sshd-session rix, @{etc_ro}/environment r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 453d5f73a8..e57be4377a 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -292,6 +292,7 @@ snapd complain snapd-apparmor complain snapshot complain speech-dispatcher complain +sshd-auth complain ssservice complain startplasma complain startx attach_disconnected,complain From 5edde91d44d99a2526de52fd43afa757cd2880f3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 19:56:34 +0200 Subject: [PATCH 0058/1736] fix(test): update test to the new value of bin. --- pkg/aa/resolve_test.go | 2 +- pkg/prebuild/builder/core_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/resolve_test.go b/pkg/aa/resolve_test.go index 5c9c9026fc..1e4a54fe5a 100644 --- a/pkg/aa/resolve_test.go +++ b/pkg/aa/resolve_test.go @@ -85,7 +85,7 @@ func TestAppArmorProfileFile_resolveValues(t *testing.T) { { name: "simple", input: "@{bin}/foo", - want: []string{"/{,usr/}{,s}bin/foo"}, + want: []string{"/{,usr/}bin/foo"}, }, { name: "double", diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 5a1a39da0a..06ceb1d284 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -209,7 +209,7 @@ func TestBuilder_Apply(t *testing.T) { want: ` @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file - profile baloo /{{,usr/}{,s}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { + profile baloo /{{,usr/}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { include @{exec_path} mr, From 87e82b15056f66956d583eab389713eeb76a63c4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:15:24 +0200 Subject: [PATCH 0059/1736] fix(profile): modernise fuse-overlayfs. fix #726 --- apparmor.d/profiles-a-f/fuse-overlayfs | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index da61184a30..91b279d200 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -10,14 +10,21 @@ include profile fuse-overlayfs @{exec_path} { include - capability sys_admin, + capability chown, capability dac_override, capability dac_read_search, - capability chown, + capability fowner, + capability setfcap, + capability setuid, + capability sys_admin, + + mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, + mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/, @{exec_path} mr, - mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, + @{bin}/mount rix, + @{bin}/umount rix, owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, From 3cc39debfb5544872af9a6c468720e5eca97f5a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:27:03 +0200 Subject: [PATCH 0060/1736] feat(profile): improve kde integration. --- apparmor.d/groups/kde/DiscoverNotifier | 2 +- apparmor.d/groups/kde/baloo | 17 +---------- apparmor.d/groups/kde/baloorunner | 29 ++---------------- apparmor.d/groups/kde/dolphin | 42 ++++++-------------------- apparmor.d/groups/kde/kalendarac | 1 + apparmor.d/groups/kde/kcminit | 2 ++ apparmor.d/groups/kde/kconf_update | 5 +-- apparmor.d/groups/kde/kded | 9 +++++- apparmor.d/groups/kde/kiod | 1 + apparmor.d/groups/kde/kioworker | 4 ++- apparmor.d/groups/kde/ksplashqml | 3 ++ apparmor.d/groups/kde/startplasma | 1 + 12 files changed, 35 insertions(+), 81 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 197f90f889..3ec36976d9 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -41,7 +41,7 @@ profile DiscoverNotifier @{exec_path} { /var/cache/swcatalog/cache/ w, /var/cache/swcatalog/xml/{,**} r, - owner @{user_cache_dirs}/appstream/ r, + owner @{user_cache_dirs}/appstream/ rw, owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 5ceb04725f..e53bf4039e 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -45,22 +45,7 @@ profile baloo @{exec_path} { @{run}/mount/utab r, @{run}/udev/data/+*:* r, - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index e3fca1f8f7..8410408b38 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -28,33 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 93780d8892..802ba0a96c 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -29,6 +29,9 @@ profile dolphin @{exec_path} { @{exec_path} mr, + @{lib}/libheif/ r, + @{lib}/libheif/*.so* mr, + @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @@ -81,8 +84,10 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, + owner @{user_config_dirs}/knfsshare.lock rwk, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/#@{int} rw, @@ -93,44 +98,15 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, - owner @{tmp}/dolphin.@{rand6} rwl, + owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, @{run}/issue r, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 661090bc11..a45652c7b7 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -25,6 +25,7 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, + owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 93378bf761..e11de6a480 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -26,6 +26,8 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc.lock rwk, owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadxlibinputrc r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 49da5e3cac..ee42fef98a 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -32,14 +32,15 @@ profile kconf_update @{exec_path} { @{bin}/qtchooser rPx, @{lib}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix, + @{lib}/qt6/bin/qtpaths rix, /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /etc/xdg/konsolerc r, - /etc/xdg/ui/ui_standards.rc r, + /etc/xdg/*rc r, + /etc/xdg/ui/*rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 9efaec4fcb..c9fa538df0 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -55,6 +55,7 @@ profile kded @{exec_path} { @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, @{python_path} rix, + @{bin}/flatpak rPx, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -87,6 +88,12 @@ profile kded @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, + owner @{HOME}/.var/ w, + owner @{HOME}/.var/app/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, + owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, + @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, @@ -120,7 +127,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index f6a7ba95a0..cf9646051b 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} profile kiod @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 592e5811e1..1d091fd093 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -42,7 +42,7 @@ profile kioworker @{exec_path} { #aa:exec kio_http_cache_cleaner - /usr/share/kio_desktop/directory.desktop r, + /usr/share/kio_desktop/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, @@ -56,6 +56,8 @@ profile kioworker @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* r, + @{sbin}/ r, + @{sbin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index be59fe8425..13f1216a54 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -14,11 +14,14 @@ profile ksplashqml @{exec_path} { include include + ptrace read peer=startplasma, + @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + /usr/share/color-schemes/* r, /usr/share/plasma/** r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 773122f570..b69d7fdb95 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -40,6 +40,7 @@ profile startplasma @{exec_path} { /etc/machine-id r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, + /etc/xdg/plasmarc r, /var/lib/flatpak/exports/share/mime/ r, From df6378cec091741c2b53ba49e1dd35106d9629eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:34:35 +0200 Subject: [PATCH 0061/1736] feat(profile): improve common freedesktop profiles. --- apparmor.d/groups/freedesktop/pipewire | 1 - .../freedesktop/pkla-check-authorization | 18 ++++++++++++++++++ apparmor.d/groups/freedesktop/upowerd | 1 + .../groups/freedesktop/xdg-desktop-portal | 6 +++++- .../groups/freedesktop/xdg-desktop-portal-gtk | 5 ++--- .../groups/freedesktop/xdg-document-portal | 3 ++- .../freedesktop/xdg-user-dirs-gtk-update | 3 +++ apparmor.d/groups/polkit/polkit-agent-helper | 10 ++++++---- apparmor.d/groups/polkit/polkitd | 6 ++---- dists/flags/main.flags | 3 ++- 10 files changed, 41 insertions(+), 15 deletions(-) create mode 100644 apparmor.d/groups/freedesktop/pkla-check-authorization diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index f4c9367cd2..ad4eb57c57 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -41,7 +41,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { / r, @{att}/ r, - owner @{att}// r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, diff --git a/apparmor.d/groups/freedesktop/pkla-check-authorization b/apparmor.d/groups/freedesktop/pkla-check-authorization new file mode 100644 index 0000000000..ff5b72f719 --- /dev/null +++ b/apparmor.d/groups/freedesktop/pkla-check-authorization @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkla-check-authorization +profile pkla-check-authorization @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index a8244bce97..4061af4c8b 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -13,6 +13,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ae20e37514..59a24a3b33 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -10,7 +10,6 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include - include include include include @@ -18,6 +17,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -73,6 +74,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, + # The portal can receive any user file as it is a file chooser for UI app. + owner @{HOME}/** r, + @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index cff06d8671..ff4a6730af 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -32,8 +32,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, - unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), - #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk dbus receive bus=session path=/org/freedesktop/portal/desktop @@ -58,7 +56,8 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, - / r, + / r, + owner @{att}/ r, owner /var/lib/xkb/server-@{int}.xkm rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index c56729248a..91a203d3a9 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include capability sys_admin, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 8892bd1ce2..224bc2337a 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include + include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 7f5ecd1074..e663c299ee 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -25,10 +25,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term, kill) peer=gnome-shell, - signal (receive) set=(term, kill) peer=pkexec, - signal (receive) set=(term, kill) peer=pkttyagent, - signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, + signal receive set=(term kill) peer=gnome-shell, + signal receive set=(term kill) peer=pkexec, + signal receive set=(term kill) peer=pkttyagent, + signal receive set=(term kill) peer=polkit-*-authentication-agent, + + unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system, dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 38f05275bc..46d7adc601 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -11,6 +11,7 @@ include profile polkitd @{exec_path} flags=(attach_disconnected) { include include + include include capability setgid, @@ -25,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/pkla-check-authorization rPUx, + @{bin}/pkla-check-authorization rPx, @{bin}/pkla-admin-identities rPx, /etc/machine-id r, @@ -68,9 +69,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, - # Silencer - deny /.cache/ rw, - include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e57be4377a..2d1f96c1f3 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -258,8 +258,9 @@ os-prober attach_disconnected,complain pam_kwallet_init complain pam-tmpdir-helper complain passimd attach_disconnected,complain -pkttyagent complain pkla-admin-identities complain +pkla-check-authorization complain +pkttyagent complain plank complain plasma_waitforname complain plasma-browser-integration-host complain From a98b8bbc0dd0447918497addd4008c476732703b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:39:10 +0200 Subject: [PATCH 0062/1736] feat(profile): improve dbus rule in the gnome profiles. --- apparmor.d/groups/gnome/deja-dup-monitor | 8 ++++++++ .../groups/gnome/evolution-calendar-factory | 5 ----- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-calendar | 2 ++ apparmor.d/groups/gnome/gnome-characters | 4 +++- apparmor.d/groups/gnome/gnome-clocks | 1 + .../gnome/gnome-control-center-search-provider | 3 ++- apparmor.d/groups/gnome/gnome-initial-setup | 5 +++++ apparmor.d/groups/gnome/gnome-session | 1 + apparmor.d/groups/gnome/gnome-shell | 9 +++++++-- apparmor.d/groups/gnome/gsd-housekeeping | 3 ++- apparmor.d/groups/gnome/gsd-power | 3 ++- apparmor.d/groups/gnome/localsearch | 2 ++ apparmor.d/groups/gnome/nautilus | 3 ++- apparmor.d/groups/gnome/seahorse | 3 ++- apparmor.d/groups/gvfs/gvfsd-network | 10 +++++----- apparmor.d/groups/gvfs/gvfsd-recent | 6 +++--- apparmor.d/groups/gvfs/gvfsd-smb-browse | 4 ++-- apparmor.d/groups/gvfs/gvfsd-trash | 10 +++++----- apparmor.d/groups/gvfs/gvfsd-wsdd | 17 ++++++++++++++++- 20 files changed, 71 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 90a5b0f649..af7fa51b0b 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -23,6 +23,11 @@ profile deja-dup-monitor @{exec_path} { #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup + dbus send bus=session path=/org/gnome/DejaDup + interface=org.gtk.Actions + member=Activate + peer=(name=org.gnome.DejaDup), + dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll @@ -30,6 +35,9 @@ profile deja-dup-monitor @{exec_path} { @{exec_path} mr, + @{bin}/chrt rix, + @{bin}/ionice rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index f856a06d2d..25f8ecc7f2 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -57,11 +57,6 @@ profile evolution-calendar-factory @{exec_path} { member=Complete peer=(name=org.freedesktop.DBus, label=gnome-calendar), - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=Move - peer=(name=:*, label=gvfsd-metadata), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 4440b80e3f..1a05892b66 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -50,7 +50,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 97309c1a73..c81e591cf9 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,6 +14,7 @@ profile gnome-calendar @{exec_path} { include include include + include include include include @@ -22,6 +23,7 @@ profile gnome-calendar @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.Calendar + #aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9511e781fa..890a546919 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -11,11 +11,13 @@ profile gnome-characters @{exec_path} { include include include + include include include include - #aa:dbus own bus=session name=org.gnome.Characters interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Characters + #aa-dbus own bus=session name=org.gnome.Characters.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 13f161dfd8..bdffedb721 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -20,6 +20,7 @@ profile gnome-clocks @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.clocks.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 3dfd1bf031..201abe4b43 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,11 +10,12 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include include - #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider + #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index e8a0315bd6..cf7dc25065 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -31,6 +31,11 @@ profile gnome-initial-setup @{exec_path} { #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions + dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=com.canonical.UbuntuAdvantage), + @{exec_path} mr, @{bin}/df rPx, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index ce6abe6d9e..e0ff334db7 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -28,6 +28,7 @@ profile gnome-session @{exec_path} { @{bin}/manpath rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/run-parts rix, @{bin}/sed rix, @{bin}/tput rix, @{bin}/tr rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 05156bac1c..615cb1b057 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -75,6 +75,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem + #aa:dbus own bus=session name=org.freedesktop.a11y.Manager #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications @@ -90,10 +91,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding #aa:dbus talk bus=session name=org.gnome.* label=gnome-* + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus # System bus @@ -113,6 +115,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Session bus + dbus send bus=session path=/org/gnome/** + peer=(name=org.gnome.*), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll @@ -373,7 +378,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability sys_ptrace, - ptrace (read), + ptrace read, @{sh_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 55b0c3a514..9dec92df4b 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,10 +10,11 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include - include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 9bba247510..0d09a0e9cc 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-power profile gsd-power @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,11 +19,13 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 74a4e0f366..263604ba7d 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -26,6 +26,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { network netlink raw, + #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 @{exec_path} mr, @@ -61,6 +62,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 373593440e..60bbfb344b 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,8 +28,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.freedesktop.FileManager1 + #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" + #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 921f6aa30c..2f190dfabb 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -16,12 +16,13 @@ profile seahorse @{exec_path} { include include include + include include include include include - #aa:dbus own bus=session name=org.gnome.seahorse.Application + #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 87851fc168..adda9b958c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -18,27 +18,27 @@ profile gvfsd-network @{exec_path} { dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={MountLocation,LookupMount,RegisterMount} - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=:*, label=gvfsd-dnssd), + peer=(name="@{busname}", label=gvfsd-dnssd), dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=:*, label=gnome-control-center), + peer=(name="@{busname}", label=gnome-control-center), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 1ec5f2e60b..042b66a680 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -23,15 +23,15 @@ profile gvfsd-recent @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index f285a3c150..59d778133f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -26,12 +26,12 @@ profile gvfsd-smb-browse @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 683d271a86..9acfd6c86d 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -24,27 +24,27 @@ profile gvfsd-trash @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=:*, label="{gnome-shell,nautilus}"), + peer=(name="@{busname}", label="{gnome-shell,nautilus}"), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 25eccc93d1..c7dce4f578 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -10,11 +10,25 @@ include profile gvfsd-wsdd @{exec_path} { include include + include + include network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, @@ -23,6 +37,7 @@ profile gvfsd-wsdd @{exec_path} { @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/gvfsd/wsdd rw, include if exists } From 97ddc0de63d2d6c65bf27d44b3490e80a6f58b2b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:39:38 +0200 Subject: [PATCH 0063/1736] feat(profile): add sshd-auth --- apparmor.d/groups/ssh/sshd-auth | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 apparmor.d/groups/ssh/sshd-auth diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth new file mode 100644 index 0000000000..cb4defc0f1 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-auth @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-auth +profile sshd-auth @{exec_path} { + include + include + + capability setgid, + capability setuid, + capability sys_chroot, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + @{sbin}/sshd.hmac r, + + include if exists +} + +# vim:syntax=apparmor From fa317ad91b7a5bdac87955105aa5844a69d529b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:40:26 +0200 Subject: [PATCH 0064/1736] feat(profile): improve netplan generator. --- apparmor.d/groups/network/netplan-generate | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 60ec7656fc..64f8399e1b 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -21,9 +21,11 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, + @{run}/NetworkManager/ rw, + @{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, - @{run}/NetworkManager/system-connections/ r, + @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, @{run}/systemd/generator/multi-user.target.wants/ w, @@ -43,13 +45,13 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/udev/rules.d/ rw, @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, - @{sys}/devices/**/net/*/address r, - @{run}/netplan/ r, @{run}/udev/rules.d/ r, @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + @{sys}/devices/**/net/*/address r, + profile systemctl { include include From dd7841f4e9f86fa64d86f0999fc163f18c1f42d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:42:12 +0200 Subject: [PATCH 0065/1736] feat(profile): pacman: ensure ghc-pkg is run independant from pacman. --- apparmor.d/groups/pacman/pacman | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 8d7345fda4..9cf9d6a369 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -66,7 +66,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gdk-pixbuf-query-loaders rPx, @{bin}/getent rix, @{bin}/gettext rix, - @{bin}/ghc-pkg-@{version} rix, + @{bin}/ghc-pkg-@{version} rPx, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{sbin}/groupadd rPx, @@ -102,7 +102,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/which rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, @{lib}/vlc/vlc-cache-gen rPx, /opt/Mullvad*/resources/mullvad-setup rPx, /usr/share/code-features/patch.py rPx, @@ -110,7 +110,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /usr/share/libalpm/scripts/* rPUx, /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, - # For shell pwd, keept as it can annoy some users to see error in pacman output + # For shell pwd, keept as it can annoy users to see error in pacman output /**/ r, # Install/update packages From 6423e962a0b95886de259e92a6f3529a9051e724 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:45:07 +0200 Subject: [PATCH 0066/1736] feat(abs): update dbus interface abs. --- .../bus/org.freedesktop.RealtimeKit1 | 17 +++++++++-------- .../bus/org.freedesktop.Tracker3.Miner.Files | 4 ++-- .../bus/org.freedesktop.UPower.PowerProfiles | 11 +++++++++++ .../abstractions/bus/org.freedesktop.hostname1 | 4 ++++ .../abstractions/bus/org.gtk.vfs.Metadata | 4 ++++ 5 files changed, 30 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 34b15010cd..0c6abbdbe8 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -2,15 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow setting realtime priorities. Clients require RLIMIT_RTTIME in the first -# place and client authorization is done via PolicyKit. Note that setrlimit() -# is allowed by default seccomp policy but requires 'capability sys_resource', -# which we deny be default. -# http://git.0pointer.net/rtkit.git/tree/README +# Allow setting realtime priorities. abi , - #-aa-dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get @@ -18,8 +14,13 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 - member={MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID} - peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), + member={MakeThreadHighPriority,MakeThreadRealtime} + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + + dbus send bus=system path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.RealtimeKit1 + member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index 48fa7e394d..c55736c1e4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files +++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -7,12 +7,12 @@ dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.Tracker3.Endpoint member=Query - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles new file mode 100644 index 0000000000..3d3980f81d --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index d2a0b1d83f..e6182bead0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -5,6 +5,10 @@ abi , #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.hostname1), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index ae1b928c23..ce6e600823 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata @@ -5,6 +5,10 @@ abi , #aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gvfsd-metadata), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata From da97ffb63ce29a0212be21a822430b6d9cb51d63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 2 May 2025 22:59:40 +0200 Subject: [PATCH 0067/1736] fix(profile): ensure gdm uses sbin. --- apparmor.d/groups/gnome/gdm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index dca6cda160..e35d165a2c 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gdm{3,} +@{exec_path} = @{sbin}/gdm @{sbin}/gdm3 profile gdm @{exec_path} flags=(attach_disconnected) { include include From 38b9bf673edd265dcfaf42a3a62e25dccfadf93f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 3 May 2025 18:20:34 +0200 Subject: [PATCH 0068/1736] feat(tunable): dbus: ensure compatibility across multiple distribution even on apparmor 4.1 --- apparmor.d/tunables/multiarch.d/profiles | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index d18030d689..e966623d48 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -14,8 +14,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}=dbus-system//&unconfined -@{p_dbus_session}=dbus-session//&unconfined +@{p_dbus_system}={dbus-system,dbus-system//&unconfined} +@{p_dbus_session}={dbus-session,dbus-session//&unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system From f6c0893d90facd12a1b1f039634aca1d8b6a611c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 3 May 2025 18:30:25 +0200 Subject: [PATCH 0069/1736] feat(abs): update dbus rules for gtk4. --- apparmor.d/abstractions/gtk.d/complete | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 700e5e3057..99cf70d972 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,23 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(name=@{busname}), - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(label=gnome-shell), - dbus receive bus=session interface=org.gtk.Actions - member=Changed + member={Activate,DescribeAll,SetState} peer=(name=@{busname}), - dbus receive bus=session + + dbus send bus=session interface=org.gtk.Actions - member=Changed - peer=(label=gnome-shell), + member=Changed, dbus send bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties From 6d8eda6b8735626d5c2d25a810fb7600a4e3d60e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 3 May 2025 18:34:37 +0200 Subject: [PATCH 0070/1736] feat(profile): update some dbus defintion for gnome. --- apparmor.d/groups/gnome/gdm-generate-config | 2 ++ apparmor.d/groups/gnome/gnome-control-center | 11 +++++++++++ apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/session-migration | 10 ++++++---- apparmor.d/groups/gnome/yelp | 1 + apparmor.d/groups/gvfs/gvfsd-wsdd | 1 + apparmor.d/groups/network/nm-dispatcher | 7 ++++++- 7 files changed, 28 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 6d621f18b4..359eeb75fd 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,6 +18,8 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, + ptrace read, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 994c8e4451..1f0b6239e5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -43,9 +43,20 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell + #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 615cb1b057..bfd6959596 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -87,6 +87,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 9af0d4714b..aeb46f6c0a 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -15,14 +15,16 @@ profile session-migration @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{python_path} rix, - @{bin}/gsettings rPx, - /usr/share/session-migration/scripts/* rix, + @{sh_path} rix, + @{python_path} rix, + @{bin}/dconf rPx, + @{bin}/gsettings rPx, + /usr/share/session-migration/scripts/* rix, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index b3f27187b4..058b9697a2 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -10,6 +10,7 @@ include profile yelp @{exec_path} { include include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index c7dce4f578..0064d682bf 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -11,6 +11,7 @@ profile gvfsd-wsdd @{exec_path} { include include include + include include network netlink raw, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 726798180a..87207e2b73 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -26,7 +26,12 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, From f936088ae73c2443c314d2e21c1a692d22c3b089 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 19:51:49 +0200 Subject: [PATCH 0071/1736] doc: add abstraction architecture. --- docs/development/abstractions.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 9390945f8a..f1ac6e18e3 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -19,6 +19,27 @@ This project and the official apparmor-profiles project provide a large selectio All of these abstractions can be extended by a system admin by adding rules in a file under `/etc/apparmor.d/.d` where `` is the name of one of these abstractions. +## Architecture + +Abstraction are structured in layers as follows: + +- **Layer 0:** for core atomic functionalities. They cannot include other abstractions. + + E.g.: *this resource uses* `mesa`, `openssl`, `bash-strict`, `gtk`... + +- **Layer 1:** for generic access. Cannot be architecture or device specific. Needs to be agnostic. + + E.g.: *This program needs/has this resource.* `nameservice`, `authentication`, `base`, `shell`, `graphics`, `audio-client`, `desktop`, `kde`, `gnome`... + +- **Layer 2:** for common kind of program. Only present inside `abstraction/common`. Multiple layer 2 can be used alongside with layer 1 and 0 abstractions. + + E.g.: *This program kind is* is a game, an electron app, a gnome app, sandboxed with bwrap app, a systemd app... + +- **Layer 3:** for application. Only present inside `abstraction/app`. The use of a layer 3 abstraction usually means you should not use any other abstractions (but base). Not a strict rule, but a good practice. Mostly used to provide common rules for subprofiles where the subprofiles only need to add rules for the specific use case. + + E.g.: *This program is* `firefox`, `sudo`, `systemctl`, `pgrep`, `editor`, `chromium`... + + ## Application helper Abstraction that aims at including a complete set of rules for a given program. The calling profile only needs to add rules dependant of its use case/program. From 4e21ef53e655db487bded716efde11251a3f604a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:01:28 +0200 Subject: [PATCH 0072/1736] feat(profile): systemd: add nsresourced. --- apparmor.d/groups/systemd/systemd-fsckd | 2 +- apparmor.d/groups/systemd/systemd-nsresourced | 38 +++++++++++++++++++ .../groups/systemd/systemd-nsresourcework | 22 +++++++++++ .../groups/systemd/systemd-stdio-bridge | 22 +++++++++++ dists/flags/main.flags | 2 + 5 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/systemd/systemd-nsresourced create mode 100644 apparmor.d/groups/systemd/systemd-nsresourcework create mode 100644 apparmor.d/groups/systemd/systemd-stdio-bridge diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 33a433a09c..7abde7c908 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsckd -profile systemd-fsckd @{exec_path} { +profile systemd-fsckd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced new file mode 100644 index 0000000000..d1beae4280 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-nsresourced +profile systemd-nsresourced @{exec_path} { + include + include + + capability bpf, + capability perfmon, + capability sys_resource, + + signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework, + + @{exec_path} mr, + + @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework, + + @{run}/systemd/nsresource/ rw, + @{run}/systemd/nsresource/** rw, + + @{sys}/devices/kprobe/type r, + @{sys}/fs/bpf/ r, + @{sys}/fs/bpf/systemd/ rw, + @{sys}/fs/bpf/systemd/userns-restrict/{,**} rw, + @{sys}/fs/cgroup/system.slice/systemd-nsresourced.service/memory.pressure rw, + @{sys}/kernel/btf/vmlinux r, + @{sys}/kernel/security/lsm r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework new file mode 100644 index 0000000000..734717c44a --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-nsresourcework @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-nsresourcework +profile systemd-nsresourcework @{exec_path} { + include + + capability sys_resource, + + signal send set=usr2 peer=systemd-nsresourced, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge new file mode 100644 index 0000000000..5f3bc2e364 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-stdio-bridge @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/systemd-stdio-bridge +profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) { + include + include + include + + signal send set=term peer=@{p_systemd}, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2d1f96c1f3..3a0b702647 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -346,6 +346,8 @@ systemd-inhibit attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator complain +systemd-nsresourced complain +systemd-nsresourcework complain systemd-portabled complain systemd-remount-fs complain systemd-resolve complain From 3e0c3067d89b3d87cf093d5a2ea6863c2e890142 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:05:54 +0200 Subject: [PATCH 0073/1736] feat(profile): systemd: add some generators --- .../systemd-generator-friendly-recovery | 23 ++++++++++++++ .../groups/systemd/systemd-generator-rc-local | 28 +++++++++++++++++ .../groups/systemd/systemd-generator-snapd | 20 ++++++++++++ .../systemd/systemd-generator-sshd-socket | 28 +++++++++++++++++ .../groups/systemd/systemd-generator-sysv | 31 +++++++++++++++++++ dists/flags/main.flags | 5 +++ 6 files changed, 135 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-generator-friendly-recovery create mode 100644 apparmor.d/groups/systemd/systemd-generator-rc-local create mode 100644 apparmor.d/groups/systemd/systemd-generator-snapd create mode 100644 apparmor.d/groups/systemd/systemd-generator-sshd-socket create mode 100644 apparmor.d/groups/systemd/systemd-generator-sysv diff --git a/apparmor.d/groups/systemd/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd/systemd-generator-friendly-recovery new file mode 100644 index 0000000000..1af9fe22f9 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-friendly-recovery @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/friendly-recovery +profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cat rix, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-rc-local b/apparmor.d/groups/systemd/systemd-generator-rc-local new file mode 100644 index 0000000000..3e8bec6c53 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-rc-local @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-rc-local-generator +profile systemd-generator-rc-local @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-snapd b/apparmor.d/groups/systemd/systemd-generator-snapd new file mode 100644 index 0000000000..8544a7938f --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-snapd @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/snapd-generator +profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{PROC}/1/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-sshd-socket b/apparmor.d/groups/systemd/systemd-generator-sshd-socket new file mode 100644 index 0000000000..f08df7d90e --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-sshd-socket @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/sshd-socket-generator +profile systemd-generator-sshd-socket @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, + + @{run}/systemd/generator/ssh.socket.d/{,*} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd/systemd-generator-sysv new file mode 100644 index 0000000000..4feb65d51c --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-sysv @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-sysv-generator +profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + /etc/init.d/{,**} r, + /etc/rc@{int}.d/{,**} r, + + @{run}/systemd/generator.late/* w, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3a0b702647..adced30c9f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -329,14 +329,19 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain +systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain +systemd-generator-snapd attach_disconnected,complain +systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain +systemd-generator-sysv attach_disconnected,complain systemd-generator-user-autostart attach_disconnected,complain systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain From 74dcf2defc35609514354e8e99848874bc9de86d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:31:10 +0200 Subject: [PATCH 0074/1736] feat(profile): systemd: improve some ctl tools. --- apparmor.d/groups/systemd/bootctl | 2 ++ apparmor.d/groups/systemd/busctl | 13 +++++++++++++ apparmor.d/groups/systemd/coredumpctl | 3 ++- apparmor.d/groups/systemd/localectl | 7 +++++++ apparmor.d/groups/systemd/loginctl | 18 +++++++++++++++++- apparmor.d/groups/systemd/resolvectl | 2 ++ 6 files changed, 43 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 28c2851fa6..12fcceaea6 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -15,6 +15,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { capability mknod, capability net_admin, + capability sys_resource, signal (send) peer=child-pager, @@ -36,6 +37,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { /{boot,efi}/loader/entries.srel w, /{boot,efi}/loader/random-seed w, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/machine-info r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 8b32b348fa..c31b288365 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -34,6 +34,19 @@ profile busctl @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Monitoring + member=BecomeMonitor + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index e77f326fe3..d1ee1141c8 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -10,8 +10,9 @@ include @{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include - include include + include + include include capability dac_read_search, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index db8e7b21be..7a5c67623e 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -10,9 +10,14 @@ include profile localectl @{exec_path} { include include + include capability net_admin, + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system org.freedesktop.locale1 label=systemd-localed + @{exec_path} mr, @{pager_path} rPx -> child-pager, @@ -20,6 +25,8 @@ profile localectl @{exec_path} { /usr/share/kbd/keymaps/{,**} r, + owner @{PROC}/@{pid}/cgroup r, + include if exists } diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index a6406ab70e..c65bb4edd6 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -9,9 +9,10 @@ include @{exec_path} = @{bin}/loginctl profile loginctl @{exec_path} flags=(attach_disconnected) { include - include include + include include + include include capability net_admin, @@ -26,6 +27,21 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, @{bin}/ssh rPx, + /etc/machine-id r, + + @{run}/log/journal/ r, + + /var/lib/systemd/catalog/database r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index dc3090c5a1..5c436f6c12 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -13,6 +13,8 @@ profile resolvectl @{exec_path} { include include + signal send set=cont peer=child-pager, + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved @{exec_path} mr, From 37f70a0030f99cd48932182103ed56d0dda112fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:33:18 +0200 Subject: [PATCH 0075/1736] feat(abs): minor abstraction improvement. --- apparmor.d/abstractions/app-open | 2 ++ apparmor.d/abstractions/app/firefox | 1 + apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 | 4 ++++ apparmor.d/abstractions/common/app | 3 +-- apparmor.d/abstractions/gstreamer | 2 +- apparmor.d/abstractions/webkit | 4 +++- apparmor.d/abstractions/wine | 1 + 7 files changed, 13 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 73b2e45805..8c74d1f08e 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -60,6 +60,8 @@ # Backup @{lib}/deja-dup/deja-dup-monitor PUx, + @{bin}/gnome-session-quit rPx, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 602651587c..73cb820709 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -98,6 +98,7 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/remote-settings-startup-bundle- w, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index d15d5c5ba9..feaced7c32 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -5,6 +5,10 @@ abi , #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue + dbus send bus=system path=/org/freedesktop/GeoClue2/Agent + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label=geoclue), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index f2201bd647..cc802ef060 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -34,8 +34,7 @@ dbus bus=session, dbus bus=system, - /usr/cache/** r, - /usr/local/{,**} r, + /usr/** r, /usr/share/** rk, /etc/{,**} r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 10655740a6..7fc20c2935 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -32,7 +32,7 @@ # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - #owner /tmp/orcexec.* mrw, + owner @{tmp}/orcexec.@{rand6} mrw, #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index c4410d0267..9481d4fece 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -8,7 +8,7 @@ mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - @{bin}/xdg-dbus-proxy rix, + @{bin}/xdg-dbus-proxy rix, # TODO: stack me @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -26,6 +26,8 @@ owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + @{sys}/firmware/acpi/pm_profile r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 139b034502..28d15cf76a 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -11,6 +11,7 @@ owner @{tmp}/.wine-@{uid}/ rw, owner @{tmp}/.wine-@{uid}/** rwk, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, From b07be6863656e351ad0c19add7753c65e9066b2b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:38:15 +0200 Subject: [PATCH 0076/1736] fix(profile): directive format in localectl. --- apparmor.d/groups/systemd/localectl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 7a5c67623e..b49065fd70 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -16,7 +16,7 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system org.freedesktop.locale1 label=systemd-localed + #aa:dbus talk bus=system name=org.freedesktop.locale1 label=systemd-localed @{exec_path} mr, From bb58c07871876838713bc4a50368f37c35690158 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Sat, 10 May 2025 01:56:01 +0800 Subject: [PATCH 0077/1736] offices_names: add wps --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index d6b8e424fe..198776f9b3 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -85,7 +85,7 @@ @{archive_viewers_names} = engrampa file-roller xarchiver # Office suites -@{offices_names} = libreoffice soffice +@{offices_names} = libreoffice soffice wps # Help @{help_names} = yelp From 29a352d78ffb8cd85dc194278d0d8d6fc87dcfb5 Mon Sep 17 00:00:00 2001 From: gjpin <3874515+gjpin@users.noreply.github.com> Date: Sun, 4 May 2025 16:16:58 +0100 Subject: [PATCH 0078/1736] feat(profile): xdg-permission-store: allow screencast --- apparmor.d/groups/freedesktop/xdg-permission-store | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 81c6fd1cb4..3b15d96886 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -47,6 +47,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, + owner @{user_share_dirs}/flatpak/db/screencast r, include if exists } From e044fbe5656763632e8b9551ae350096ce759c8d Mon Sep 17 00:00:00 2001 From: gjpin <3874515+gjpin@users.noreply.github.com> Date: Sun, 4 May 2025 14:23:03 +0100 Subject: [PATCH 0079/1736] git//ssh: allow execution of ksshaskpass --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 71bace3c3a..457e79d2aa 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -132,6 +132,7 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, @{bin}/ssh mr, + @{bin}/ksshaskpass ix, @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, From 8697a6a7e1d78f99ee2ee19cd10dfca6d4ccaaa5 Mon Sep 17 00:00:00 2001 From: beroal Date: Wed, 14 May 2025 18:40:40 +0300 Subject: [PATCH 0080/1736] `cheese`: video capturing (#730) --- apparmor.d/profiles-a-f/cheese | 53 ++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cheese diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese new file mode 100644 index 0000000000..cadd1beab6 --- /dev/null +++ b/apparmor.d/profiles-a-f/cheese @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cheese +profile cheese @{exec_path} { + include + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{bin}/bwrap Px -> gnome-desktop-thumbnailers, + @{open_path} rPx -> child-open-help, + + @{system_share_dirs}/gnome-video-effects/{,*.effect} r, + @{system_share_dirs}/ladspa/rdf/{,**} r, + @{system_share_dirs}/thumbnailers/{,*.thumbnailer} r, + + /etc/machine-id r, + + owner @{HOME}/ r, # file save dialog + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, + + @{run}/udev/data/c@{dynamic}:@{int} r, + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/media@{int} rw, + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From f83e24b1b7a9c2bcc9ff326c3bec08335cea8735 Mon Sep 17 00:00:00 2001 From: tpaau-17DB <113297655+tpaau-17DB@users.noreply.github.com> Date: Wed, 14 May 2025 20:17:06 +0000 Subject: [PATCH 0081/1736] Add profile for spotdl. (#736) * Add profile for spotdl. * Change `rpx` to `rPx` * Remove copyright --- apparmor.d/profiles-a-f/ffmpeg | 1 + apparmor.d/profiles-s-z/spotdl | 40 ++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 apparmor.d/profiles-s-z/spotdl diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 5196881a7f..8633444d8d 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -28,6 +28,7 @@ profile ffmpeg @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/.Xauthority r, + owner @{HOME}/.spotdl/** rw, # For spotdl owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, diff --git a/apparmor.d/profiles-s-z/spotdl b/apparmor.d/profiles-s-z/spotdl new file mode 100644 index 0000000000..be31bb0d01 --- /dev/null +++ b/apparmor.d/profiles-s-z/spotdl @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 tpaau-17DB +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/spotdl +profile spotdl @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + @{python_path} r, + + @{bin}/ffmpeg rPx, + @{bin}/ffprobe rPx, + + owner @{user_music_dirs}/{,**} rwk, + + owner @{HOME}/.spotdl/** rw, + + owner @{user_cache_dirs}/spotdl/{,**} rw, + owner @{user_config_dirs}/spotdl/{,**} rw, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor From 888954744f0e45b42d188f237a609a0fc3da7089 Mon Sep 17 00:00:00 2001 From: Yifan Zhu Date: Tue, 6 May 2025 18:34:43 -0700 Subject: [PATCH 0082/1736] fix(abstractions): allow link in thumbnail write --- apparmor.d/abstractions/thumbnails-cache-write | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 5e64fc66f9..e3b559418b 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -10,7 +10,7 @@ owner @{user_cache_dirs}/thumbnails/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png wl, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} w, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} wl, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png w, From be0b63724c8cc61d2f1cafc20d9ba4551e6cc5e2 Mon Sep 17 00:00:00 2001 From: beroal Date: Wed, 14 May 2025 23:19:27 +0300 Subject: [PATCH 0083/1736] `v4l2-ctl`: a CLI utility for managing webcams (#731) * v4l2-ctl * abi 3 to 4 --- apparmor.d/profiles-s-z/v4l2-ctl | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-s-z/v4l2-ctl diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl new file mode 100644 index 0000000000..e398049de0 --- /dev/null +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/v4l2-ctl +profile v4l2-ctl @{exec_path} { + include + include + include + + @{exec_path} mr, + + /dev/media@{int} rw, + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From c972607ca47bcb2a69771aa8b2adbb62790cd177 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Fri, 25 Apr 2025 16:48:58 +0300 Subject: [PATCH 0084/1736] wmname --- apparmor.d/groups/freedesktop/wmname | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/wmname diff --git a/apparmor.d/groups/freedesktop/wmname b/apparmor.d/groups/freedesktop/wmname new file mode 100644 index 0000000000..1d2c7aa23d --- /dev/null +++ b/apparmor.d/groups/freedesktop/wmname @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wmname +profile wmname @{exec_path} { + include + include + + @{exec_path} mr, + owner @{HOME}/.Xauthority r, + + include if exists +} + +# vim:syntax=apparmor From 10966661916160134fd86af30a03f6958470db03 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 22:36:46 +0200 Subject: [PATCH 0085/1736] feat(profile): general minor update. --- apparmor.d/groups/firewall/firewalld | 1 + apparmor.d/groups/freedesktop/wireplumber | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 ++ apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 3 +++ apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gvfs/gvfsd-computer | 1 + apparmor.d/groups/polkit/pkexec | 1 + apparmor.d/groups/polkit/polkitd | 2 +- apparmor.d/groups/snap/snapd | 1 + apparmor.d/groups/utils/uuidd | 1 + apparmor.d/groups/utils/whereis | 1 + apparmor.d/profiles-a-f/finalrd | 9 ++++++--- apparmor.d/profiles-g-l/gtk-query-immodules | 2 +- apparmor.d/profiles-g-l/kerneloops-applet | 6 +++++- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 1 + apparmor.d/profiles-m-r/power-profiles-daemon | 1 + apparmor.d/profiles-s-z/wpa-supplicant | 1 + 17 files changed, 29 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 7a6b7a9cfa..ddf0291eec 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -33,6 +33,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{python_path} r, @{bin}/ r, + @{sbin}/ r, @{bin}/alts rix, @{sbin}/ebtables-legacy rix, @{sbin}/ebtables-legacy-restore rix, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7d0836f7ac..aa6928298d 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -50,6 +50,7 @@ profile wireplumber @{exec_path} { owner @{user_config_dirs}/wireplumber/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, /dev/shm/lttng-ust-wait-@{int} r, owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index ff4a6730af..b77ad03d7c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -61,7 +61,9 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { owner /var/lib/xkb/server-@{int}.xkm rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, owner @{gdm_config_dirs}/dconf/user r, + owner /var/lib/gdm3/greeter-dconf-defaults r, owner @{tmp}/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 436d824431..8c637920b3 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -27,6 +27,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + owner /dev/shm/lttng-ust-wait-@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 07a6ff6ed8..871203e6cf 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -16,7 +16,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(term, hup) peer=gdm*, + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 0a520d1388..6eebca7386 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -13,6 +13,7 @@ profile gvfsd-computer @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/pkexec b/apparmor.d/groups/polkit/pkexec index f4fc76639d..8c6d868da8 100644 --- a/apparmor.d/groups/polkit/pkexec +++ b/apparmor.d/groups/polkit/pkexec @@ -21,6 +21,7 @@ profile pkexec @{exec_path} { @{exec_path} mr, @{bin}/* PUx, + @{sbin}/* PUx, @{lib}/** PUx, /opt/*/** PUx, /usr/share/** PUx, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 46d7adc601..4dc1380c05 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -20,7 +20,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, audit capability net_admin, - ptrace (read), + ptrace read, #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index b3ee8a5dae..38d8036551 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -150,6 +150,7 @@ profile snapd @{exec_path} { @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, + @{run}/mount/utab.act rk, @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 0f03325c82..7879145372 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -16,6 +16,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner /var/lib/libuuid/clock.txt rwk, + owner /var/lib/libuuid/clock-cont.txt rwk, @{run}/uuidd/request rw, @{att}/@{run}/uuidd/request rw, diff --git a/apparmor.d/groups/utils/whereis b/apparmor.d/groups/utils/whereis index 32d4ffa51a..36e4579981 100644 --- a/apparmor.d/groups/utils/whereis +++ b/apparmor.d/groups/utils/whereis @@ -15,6 +15,7 @@ profile whereis @{exec_path} { @{exec_path} mr, @{bin}/{,*/} r, + @{sbin}/{,*/} r, @{lib}/ r, @{lib}/go-*/bin/ r, /usr/{local/,}games/ r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index 74c6ad3b17..bc6c4cf622 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -42,8 +42,9 @@ profile finalrd @{exec_path} { @{lib}/systemd/systemd-shutdown rPx, /usr/share/finalrd/*.finalrd rix, - @{lib}/{,*} r, @{bin}/{,*} r, + @{lib}/{,*} r, + @{sbin}/{,*} r, /usr/share/finalrd/{,**} r, /usr/share/initramfs-tools/hook-functions r, @@ -54,10 +55,11 @@ profile finalrd @{exec_path} { / r, - @{run}/initramfs/{,**} rw, @{run}/ r, - @{run}/mount/ r, @{run}/finalrd-libs.conf rw, + @{run}/initramfs/{,**} rw, + @{run}/mount/ r, + @{run}/mount/utab r, @{PROC}/@{pid}/mountinfo r, @@ -66,6 +68,7 @@ profile finalrd @{exec_path} { include @{bin}/* mr, + @{sbin}/* mr, @{lib}/@{multiarch}/ld-linux-*so* mrix, include if exists diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 46aece91a6..5097696988 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 +@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 8f5e66cbc6..758ead716f 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,8 +10,12 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include + include + include + include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index cf51936da6..3484ea2981 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -21,6 +21,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { /usr/share/misc/ r, /usr/share/misc/intel-microcode* r, + /etc/default/amd64-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index fe4e35724d..43f27b2fcf 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -12,6 +12,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 24f87b5a72..b20c6f1b48 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -42,6 +42,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, + owner @{run}/netplan/* r, @{sys}/devices/@{pci}/ieee*/phy@{int}/name r, From 415c09ca88c8ed25e023174acaf4d97b69a49dea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 22:43:58 +0200 Subject: [PATCH 0086/1736] feat(tunable): add alias from which.debianutils to which. --- apparmor.d/abstractions/app/editor | 4 ++-- apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/aptitude | 3 +-- apparmor.d/groups/browsers/brave-wrapper | 2 +- apparmor.d/groups/browsers/chrome-wrapper | 2 +- apparmor.d/groups/browsers/msedge-wrapper | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 2 +- apparmor.d/groups/cron/cron-aptitude | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/display-manager/x11-xsession | 2 +- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/network/openvpn | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/profiles-a-f/anyremote | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-g-l/ganyremote | 2 +- apparmor.d/profiles-g-l/gsmartcontrol-root | 2 +- apparmor.d/profiles-g-l/kanyremote | 2 +- apparmor.d/profiles-m-r/mumble-overlay | 2 +- apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/update-pciids | 2 +- apparmor.d/profiles-s-z/uupdate | 2 +- apparmor.d/profiles-s-z/xinit | 2 +- apparmor.d/tunables/multiarch.d/system | 3 +++ 32 files changed, 35 insertions(+), 33 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index d21930d813..1c0b87e6a6 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -12,8 +12,8 @@ @{sh_path} rix, @{bin}/nvim mix, @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mrix, - @{bin}/which{,.debianutils} ix, + @{bin}/vim{,.*} mrix, + @{bin}/which rix, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index dbbba9d4db..559e58504e 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -87,7 +87,7 @@ profile apt-listchanges @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, owner @{HOME}/.less* rw, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index eb8a8cd8df..e3a6a794b2 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -174,8 +174,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/ r, @{editor_path} mrix, @{sh_path} rix, - - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index b4f70689c8..7001da3fef 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -23,7 +23,7 @@ profile brave-wrapper @{exec_path} { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib_dirs}/brave rPx, diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 709eb79a13..0a97d4052e 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -22,7 +22,7 @@ profile chrome-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib_dirs}/chrome rPx, diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 8268db2e1d..3da31e332a 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -22,7 +22,7 @@ profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib_dirs}/msedge rPx, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index fcf5e44309..1778d4b7e6 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -22,7 +22,7 @@ profile cron-apt-compat @{exec_path} { @{bin}/dd rix, @{bin}/cksum rix, @{bin}/cut rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/sleep rix, include if exists diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index f264de78cc..83eb224288 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,7 +14,7 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/{,e}grep rix, @{bin}/nice rix, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index 76657dc94d..a471b28449 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index f0757187a7..ec96909388 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 742531b41e..0604eba3a4 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index c4b9de0b32..63a6640961 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{sh_path} rix, /var/log/ r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 4455316910..4eb916aabf 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c0..9804ddcb02 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -35,7 +35,7 @@ profile gdm-xsession @{exec_path} { @{bin}/tr rix, @{bin}/truncate rix, @{bin}/tty rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index c7478292ce..e5489c2b4c 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -47,7 +47,7 @@ profile gsd-xsettings @{exec_path} { @{bin}/cat rix, @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/busctl rPx, @{bin}/pactl rPx, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 8034d7e54d..c4c24efc91 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which{.debianutils,} rix, + @{bin}/which rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 5623901fbc..f4fcfa50d1 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -84,7 +84,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, @{sbin}/ip rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 15c7f27ad8..1307313d98 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -52,7 +52,7 @@ profile apport-gtk @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index db67de3199..6af2cd38d7 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index a10df83949..43edd32333 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -20,7 +20,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { @{bin}/gzip rix, @{bin}/precat rix, @{bin}/prezip-bin rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/zcat rix, @{bin}/dpkg-trigger rPx, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 7c5486c50a..cecb0e22d1 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,7 +24,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 79f8c2fc72..b2dc7b92d4 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 10c1f445b1..515d2234c9 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 0e27fa5ae8..10e0857993 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 8d17ef3d68..c077f38369 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 0c3c669a08..655566c743 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -23,7 +23,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/rm rix, @{bin}/tail rix, @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/xz rix, /boot/intel-ucode.img r, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 15957b348f..e4e8a36e20 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, # Apps allowed to run @{bin}/* rPUx, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 4fdbb5a523..86d94c7a19 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -33,7 +33,7 @@ profile ucf @{exec_path} { @{bin}/seq rix, @{bin}/stat rix, @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/dpkg-query rpx, @{bin}/dpkg-divert rPx, diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index a40afd9942..bba603690c 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index 8858a80f13..eb26a49672 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index a332bd20b9..61151a7db3 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -35,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 6f7995c055..3f6e0f8909 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -67,4 +67,7 @@ alias // -> /, +#aa:only apt +alias /usr/bin/which.debianutils -> /usr/bin/which, + # vim:syntax=apparmor From 877452519d3138bd4a98dc7ef3cd3dec78a5b9dc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 22:49:58 +0200 Subject: [PATCH 0087/1736] feat(profile): unix-chkpwd: Add read capability to profile Following the Security Technical Implementation Guide, it is better to set the permissions to 0000 for the shadow file. However, since PAM version 1.6.0, after this change [0], unix-chkpwd will unconditionnaly read the shadow file. And with the previous restriction, the binary has an access denied to the shadow which blocks user authentications. Moreover the PAM changes is needed to fix the CVE-2024-10041. Giving the read capability to the unix-chkpwd profile allows it to function properly. See bug report [1]. [0] - https://github.com/linux-pam/linux-pam/pull/686 [1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678 Signed-off-by: vlefebvre --- apparmor.d/profiles-s-z/unix-chkpwd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 4b7d35c328..7407a9f99c 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -14,6 +14,7 @@ profile unix-chkpwd @{exec_path} { include capability audit_write, + capability dac_read_search, # To read shadow with 000 permissions. network netlink raw, From 36f9ae04582b48a06985ec79a3638ccb5a3fb64a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 23:05:00 +0200 Subject: [PATCH 0088/1736] fix(profile): ensure deluser use sbin. --- apparmor.d/profiles-a-f/deluser | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 5262e9065f..1f5d6f0a75 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/del{user,group} +@{exec_path} = @{sbin}/deluser @{sbin}/delgroup profile deluser @{exec_path} { include include From 04dc921eb1ee2fe164015417ec4898044d87ef8e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 15 May 2025 22:09:52 +0200 Subject: [PATCH 0089/1736] doc: rewrite the introduction page. --- docs/assets/avatar-icon.png | Bin 0 -> 34202 bytes docs/index.md | 150 ++++++++++++++++++++++++------------ docs/install.md | 4 +- docs/overview.md | 48 ++++++++++++ mkdocs.yml | 1 + 5 files changed, 153 insertions(+), 50 deletions(-) create mode 100644 docs/assets/avatar-icon.png create mode 100644 docs/overview.md diff --git a/docs/assets/avatar-icon.png b/docs/assets/avatar-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..80170da1e99b85bc3ddf2a25ef03bf23d4284036 GIT binary patch literal 34202 zcmeFYhf`DE_XUcgC{0AAizo=F2uPQ%Qj{u6Q$mqm0zq0r=VJk+iGUQTBE2^u!X=;} zO?odOiAo7I^xobH{=V;jcr#BYaxJk{1g;dDb$qj>v@hX;7}i7!>@=tgwwY^+!i5zzFhd|>6hqOCk@vs-fFM0 zss+So|AaKw&!!5s)zOtK56Q~dZgoh@ilt!X4W+YSeq+?D$^Bfv z@SY0uEs7=l0j1}SOEfn==bsn)Z|UI~$>$q18!rhw%LQg89IBg@)o#a4Em72ZrUb3Hzf26Lp*Zh(;`6lN(d=XFrLe=0s2#=Yf{*;REiF3; zDq8(!i>5vV+wcqj-YVQB31>IKf)2BycDACKr^cGq_<5T5{f<5y{(WOhI(q$tlH#N= zh38WAU;!*~aos1`<>^o=D$@Cm>9PDL#%*6$D5Uq}Ob_W(kiF$XMjW z$ILw*m$josuj#{c?~kqaV)g!3aezy<#AZP3I)8MwS2;{6+H1V^P|+vNc+KbivC&?P z8|?p%6m|(clx;iEd0LSJ+4Ewq<{XtC<(j5 z&j^_vRP2Pj-K!Sa4a{_7WmN0CMszpRjj0ak9y{aBdXD0hDMjx6c-%@$0e4iZFuT=Q zgEBo^Motm;7Up2`pyWpN80E2#4Ts15w!%m5^)p0>1@PHR^N0#@$>i)!lpn1h)|jPO z-93Jbhs}wEiymW*Qe(TL+MR7gh-dpZMKqjL=c9UiXg`?mO8{?bQ!0-pC>oC)a&diXuplQ@{i|OK>lSUBZv^qSu$c-{ zwt6q-K|!9@#{g+%bf6zi$k9zoJ;Py#gH(= zqI_g?elTxhINZKK>~K(1WYT4Jkl()&A0lU6_#AS^9VD?akVm7RUxf~vK2fvm_psu4 zW*?|#3UP|4Mz)XbZ58be2GgAZKK^f)p_;I_6a9I#IIiD8ZFog);BIn1)NJSU)1ec; z0e^pon>^iIb0F%lcbxemMz=4L7gdq@i08f1^$WddM6H2pA8iu)=2>=RVnJ*NNAwjo z*B>&)b5y{BpZSUa1xz<3QPpR?Gid)*qTzrTD0|16QDOqAAN6zL(<|a`M_;c*ZP|71 zvQ!>cYDHZ3<-PggtClJ}W2JRWzI&YTqy7qcFZi1EJw;jhzDZKF8zIU)%qo$6mwJd5 z=h@_XFbf8v?UIovO141W>%aSj9dHFnR!)t=jxVggKGg0$-8)nAe1Zjl^*=z>H_`70+E2OsPG`52=rdYxCh(eD>NTmc*`- zjc{wT)@774z&B8H(nplE7j1CoI?o$Yef1uL`--%!_RM_$57dOgb0TYx`QBtlzw72F z^swS~+;yrmqby+%l zFV)kaWNBP!nX{Vm;*&>rJ7l^r6&B#9~0pjTAQ6;|;V7yySY8q^@`(xSK zy<7FJZ%8|bQsM!dh4~9gW=H>}`a4zlZ!Boc$?Q;{v38Uf^)_)8mTJoAE}LWnYwMvf zC^6;qQ&e!u3a{4h!rf}@GjDo!7ggoI9Z@pJfT&l=(Mph8!)doGBo93-JBE32x9lY|o+fK_E5a0a zHl23IDhmcKMeKh1o7~SKyEWI#V%pn?K4NV>$q zI{D&#_cgY)@?;-rp}kx2vQz+3a;wM0P~Kl6)rJ3E2$?pI7gE)QFDa);I_1}G#m;ZU zERAP3txXTDTS_y{4{N}XGf`l1=@Xi;6bb?R$f(i3lagBuKh0!H|NQA@V`nhCU9()p$F0NjqVW-e18k=S$XC zrfvB0BYGY=t9v(%wZe;NlTe~ZEMU7g(qV||tl7yzF~inxu!s(N?V2ZjnyNN`jgpc) zu<<1Wz#UoB*@Bt_E5%oe{AMNO*LIoxc25u6CuAl>ZQlLV89EYQpKxW=*Qzt|M9^t4 zWP;~+j9MR^s?BQGvsxXL?*(()8kDcG2GLuvt)|j?wGvTqP;n8L9)Y7V%%8%Xs;UqOb zry(3IBDWY=qj;#??L3~JV~Wq6Fp;NwG)wo$2Aagb)Q0_)tl2nLBjiEvHGZ?&kPrK! zRP#&49TNrpP%~6>Ft<{lFU$(tz`%<8QO?!(-E5zHh-{L{S==KGij^RS;If219l0N$ zKN?(}rDSuG)P`|)IgUgAos7qu^_VE<+TXuy`GzC8cf+;jeqU3#x>v{DA}zETsv-;MPH_4az0?pUc;QmVg4jKcoAEc^Cc-9DR%ac2ICoyAz&rC!XIXgwK!66X>1 z2NR>&SySxu3lhx<@arZ5LhCvPjF#?$SuC?yDYG0{$#Z>_fS_J~`UK}LZYaguydTLa z+uQWt$6@~HDrsWXLrp7)gMI99b1m}aq8)&Z-tgRDK?c{DJ&R0%KHK7AU^I8Q_D%}M zy$n%Ly5+YdFg(0pQ(gHRqr^2^9Rb_GN}*;Zb8f4_uFW!!ur6wgZ!CG*E{R-lPbrjlMX} zxp`ZOVwyUOEw&s?G*V-%=q>K+(P;2Fu{$7y6F%tIZ>y~7Z2flSLA}Y;?@G|OAUWxG zq{(ZbO(Au&`a=g3?-D=p)1yfv7Lj4r9QgI3OYy{_M7EsD*=clHfO1mKkugI ztTDEji4*#QTT8Sy zjfqR|PN=eHy%|RB)T^rcgH%&o9js(&EGJTNg5EiGTTdIhBmy)3jB^0oHdHMAqZD}E zlT_=Bm(TD}cdvFa;}ilIjIwu>y7a*62)+}HZ zQ;Xu_>Z8YFh1d{Y{4qJ%Xsvz^0ii*yg1Gsb*m#Gb^?ue%;Ws7ke3sg(%ZPAZ?2nT_ z>KHf^a9Y*dOcW9qU#~y!fB*Msb;l{rt>oA{?K;mI+qdQ!rrPV^K7pT*oq13|?jV-skfJNwq> z$*$*B&xp5Sg+6shS{n>>4o6E24ilsUZztjvkIiJO|0u#~>4hDr=$$=4ZZL5rJ+DFT zG}R!cvT7D;E1q+)=&w9^7+S$9KNqSHJ}%-&COejy+-k&yF75sVQsmZLsZ(Fw=jT3e3@|L>_V0wqT089m8aFsza!u`wQw3f_ z+`hzVP&ULyWRI+s>|QwO=FIf1b@x^Rkpz!3E2QmKc;n&nn4{% z=D);!BR#FBO71;#Uv!_OAwFN~6m7kItSu{Fbloo6?(?eI|FTxOszIF9uuV%pdxAwG zyP^P=v*ewX>y*Qq!=&X>q+{$5wVTo#%ywe?gVSG@hvb|s2&;LKTKwFYWQ7ZC!SB+Wt`nEEN3PlEce*Z#QPeH z?>!vbV+a;5-8>hReIM5&enXA@L+_aoK8$VBMzK?`Plye@$O3snkGE^i!u88?Mf-hT zMqa%;4o(Q07dpeo`@L{~loSw}Y@j@0#2BFw+E%3=>~xEQKe3WfHA5SBA5aQ~y0Arf zmvQ-{_|$-^IJ1|b#P#B(Oj8laSX`do zBF*VZytTXo2*{6mmbDlwZ>+e9F96Jb!QvN}7A+vt_MI1`k8PwIv=!-%>A`U%DswqESi_v5o#%QO0uAj?Ep&A#@k`TLjF z9jt(tk|b@Lm-Q(i^!u}O#e1D^4Q+D2zRT?Ad8Hk>KEFB8qTs^FS*j&tm*jEBu1~h= zxnIX=AaL$golvWk)J62xN*~V;Wb$0!TGvn(F(sovTWjjY$%zli(4MQ7V$f*wT>i|5 z;?Q$yoo&q9@0|M1R6XZ9rL}v0?%!TZ=k)I}}tVafT6EPsB2 zBH*5VrB=!p+AcXinDV%x+RYOSg+ia1d@Q>?)*|%fO_kc2r)#ei zOFMUycfJF3CFJHDZ7R-%tI(cBpZ@tiATv9gukyCh+@SyI`&TW)xf$8Zj0Rl3XlTHF zNeJl<5d$~TX-Zi&PRV@5#Ux&rVoK>1VM^AjMffCjR7{wT_~VJ%b~$ar|@Hv za}!Fkk^=Z%67H}oN!HM{FHcxI@4ypsd?Ee*3SQ>1`}{g*$sOj4)r|k&XMFq(?(n*H4}@T@E+- zLpZ+*?^}Q^#W1u#hyCmc6f7~@Q?zWhcd)nDKEk!}8amI|#aEta`KFGhoWBzP`oE|f zYyGiqc|9DbrV{U;0A?JhI^47@SNRI1-*<-LrDxO9qPb#rcX#c)3o_SE&65niO1;$P zyWdX>`Z$w%b|g~n%h}mbdNG?09XE$2D$5{6?U|zYl=GjUe>;@BgGWkD!rNt?Ny&`n z@jWokuh3glz)0UYCY(_HfBGikq>SUibNT;0r@iQeQo?slrHJt_5iQFSWMpKiG1kie z#=BR{Z?jVx?lbYp4oW%~FEO;5IA9!HSEum6nXQ+!%j6wPgOO8w4a${2npHUZLG^Zc zIp5}H%AD@QGwJ9789S7pCg!Qdqc5|k0WoKMas;D9OZ2ST1mjAZ=jM6V@ zyxKAdr*oTG*Oo~AVCj@c@(jqO2@ve!SqxyzTomT9oN*kB%!HhiSI%Ru(beg*P&#?f zOQ$%ktf?LdlXKJ?;5V90M65u60Hv&yeQOJO+}GwPs~KzWMo)JzWI3mB{9>)c`q5c( zOnkq)F1IpYUiXa`h7ZR0jEmW58fs{`{U}XRKan>}{}yl2OB%ZKKp4P!POW;HWWzCD zJ&KJ(CzQg&qhbag&IqcHkX|2$o}NiH7U%wLy=p2YefqMSms=q2d^-Bhn90AD1*%s< z*A!u<_M~xXm0%oW`qn9DtM))7T0zM<#`xn8u$X(Dd3t1jrdHMV=MWvd)`D^FGmF3- z)At})TDsJupKa&KmJp0Zpp+_mSDDX2Z6z9}$*+54!;!}w7^z!0Qnu2UEkWlMb1CH+ zPF0AO3^Lk52b7Wmx^{vddW$#z3X%IQwNHwWQk<;vre*2&9ZVd}&q{{X%IXrd-9026 zXR>go$<_>XKttEKV5Vw`vbJ4s8xY$&s`QxSuYXsr{)JDTJ2F@VgIv)SEODN2GjcG& zFGLDR44MygMjZN@nQ5l**IasrJx~02aS_2IrwGE6LL$BXAmOzOJHZ3On*DS-t(#5tnS z-cZ0BSxNicwQq)dR@Xb*Ov}tqnoIf7?an)UQ!bK6)d`#XdUn-`Oan8?-f7-HA(tfo zF?Udj@E;*!xWq(H*9%p5&R8p2`1#57dOheGYKgwuhK#R1_C$Wi79aCRe;$9{_3kc{8#=m*o zPa?~T<$FbdvnE67K?34yF~+OC#pwtJn~s?rclmN-fwS0CHbAZsvGgV}aqzJs;qvQ! z|GxU52mtih+44R}wMK-^%;H>r%HY36yo$CoX%ES-1Or@!=T4xsTuPR% z(Env4wO8!xpL1mc;oIop)y{|%Q(B_#ez5dvqdrRQ)Ih#o zEjh?M1~ou&o*Tu)q0WYEbfVflGcbr-RQVs~BU1St+^mCYe{}B6EiHBMk5$l{=^JQz3>ECft-86r%Gb{fhPDa6Ad)G_W9?( zU?XjFhWUr6w2{k{{CPwvQmWHvW4p#eNtaPT^5dO__jH)7=a^UjIE#hdiG+|eGjvRl zfZH@Rl3vbm>OAhAOvIPsP9F~d9|7Uv)}G|t6eJpCq9!Ujx0Gi5KX(NlZf4Nn$A*?K zvYtV06IKmG7qYt}se}HHL{OUH))&Z`Va`Obwpqd#;!v-wt>aAV&wgyE>sDcGzzN{r| zs842y-w{{Fa8ZT&OEO18Q}Rx`_H1rm0$fNXO3F7Xfu_^{LhIxr0`UfWU>uJc>iDEj z5B)iyyY%dT`lMsFP~Wgh&Xb=Yiqp-r|;1&rnefV6jPJ>wH+;DI(*N z5xEe`4@06H{n539^w6wZZhe5>j8+v?KXvLPSdEU~F{^kzpSN#MGLA=&nM;|?SRXT= zjtAvm!?$0drq!w`&Pod zu1@zWJTJJy1;h8Nc25-Yg&#@weD>HCzjEFiaN;Wmhey>ES6#i`wLX|BpD*(D|g@aw6A3(JRmFS zTg%lr`o@ni|Jd>5)BcMYErQM(8XEeI#n(C2DxtQeSZ{#~>EvvBFKY)+3NpVnx{9B} z`R`&^yK)^y7UyOM|LQ^Ta?-0Fa&G9{nSI*oZ>z4oQaqwVDd^1G zQ2fym6~QUnni$@*H+%kgGr8eZdravii^UibX_VBGxo9-Pswv1KP|!K60fAal6U3vd zb4xk=3+_J8%(q0Kkf4nq^m@WK)SNzbv>s>x67u(?tJwTGtaT{uBW zz>qJ1^ajLuBg+cf%l7rL4aclhiHzZ_Mm*Fzr!XsU{NmB?_YsxV7D^!vi0-z?%9n)Z z+KCupG7(Tq<9Ye;l~iEwn$h)(B>mHkh+UrclI$tLr!cI&0|IdiJ|fXP(-YR+K5377 zsG0Y2hor>r`u^Akxm<(x4i<}CH&=#|@EZ?*M4&YoVJ5(^4e7r+b7;9uG`CrG@H6) z5XjX`^KUpb@7jgq#4Wu49!jqQhr>C*MyQia_-B{Hx{1jU%&{WLZ~RPAzwOE?b6Q}y z@7q7eB5$n>8Gr(E>lfYWhT>>9FF)fl^Y2?A>0CxaK93!G>$G@jp=%F>$rR^Okb*?N z9MK9cXEJQ>v=(v}85->pdn!e9Bvus-Wu1e#|9MH(=__=R4*D|1 zSz^^LyHlEkBZ0hdfgD#SE=>kNvMZ%YU7CgMu&?_9l9#xUSy79K>PDe|F=2X$hIr3H z7EM7bG%$Qf5UvA>erhf?&If8gvS7-yT`bA^zFQf3P*{o+)B+hxM4&i&`u6fdD7%6D zX^I>5*`R*rXermMNG@GLmk2Jc%LzzM$|{&cvds%`^{5`Z;j622QP^js5r%}Anx+#T(jNql8egFm{z4AF9bLHeD6b! z8>-}X0C2{0|JX@ua+OWg_-64&;7)e1nJ>b#DKZ%w?()0ADRd-lMI0I>Shq?ilJWK# z?*)lAcA9m6%QyPeSZuuNgL8*a6L+2|xp|4Te1*2G%5fWa|6%79)gKTk&2}h_D@diU zwJPu=NvEI2_yrfm{l9Kc8@#!Yje8*%kJ)=yFKiJp+EA?AE~`B%=zN!i!|+$m6h%l} zL^jg@jXUHE*& zP^-Igh-7emLH+4-(IfD;)ZatL0ioJvtJab-9Cl-}Hk`1V8R z1!$@O`xfQLBGI=%wFTm(bgC19f=e$1fk0F*3b{rR>P?^eabzX(;|OLD3cFVAR(IWP z`#Y<-y@k0Ho15{UJF)Y1U3K^77B?M|sj8d?dQ4CS*1b6srXlTEAl%O)Fn`q&M*9k?`M%tURhQpILC&S9TU2ljM+Rp_AN z2v>kh6oY4H3mJVmd_N)mK7xZ7d9BeL{acc~uC`2Iou~VHKH;0kt{kJCOghW=>mpev zZd8n{WP~o^f887S_G*zsV&u=TvFXJSyU`TI+jA|^(UOqLTU?vdoqfM&`2i0AP`iv9>-MnU84;t zr88ytmT2%ksp6IQ@ZQ*}5L;z^_PZ86e)bZR5w-M=Si z$xi|cN+cePbkbq`jDuK#RMW>WKqi?~X7Y=h_DPkCJs6~)U`qFcI*w18z5lS|1$Z4C=xCUV{y;jGBrwA z&9+%BFG_WN;I^bWZ0=8JlUIfU;@4+e@N`}yWbg*e59ZxD%7zWrkwi97mz}?ra;V?E z8FyB^=;kdRu<7rpt`cXW6Xeq_l@&Xj`9Mh|@5iLySDprhh=wr}6H@C()RlQ3X|<>w zTI)35)&lb-!e$T^X+O${))0j)hbK%Puf|9a4P1%jReVz@PRvO_Z-yRs?05l z_U(uMY;DZJ!ELZ7N|MlM+B>XOzlI#Ss}cIa5hb4l$=arpm%sqcE*hHhh&jJ94E{b` zP|_*z)k299(BR!1kiGz;h5sNThm|wv8IiobtM8RYRwcbhB=QOjuP5`6TcZ?~E0s72 zfnr1gC`gSS!|*Y{(I!L78vh;|CZt>k|dvw#DZ#PPafe#O%@Hn+GYy1#OnEw z;K{;``GZlnX|?te#JAF`Q4l7~pt zySVX{jQt$7)QMPpwsKgB0W{jljM6?3C%5hHfwTjP^a2jag`ih0g|%@^9HHVz)4c+c z;;tjS$D6%bHt{faWFs3@Zx}u!xJ4)9CG9&#;)HlNLXEx8#CfCG~-!#f9$1u z2X2)Eq{Le1KDHH`G;U@^3DH|$Z_Li@xu`gbd8dVrrdbfgneg$|`|JTQ({B8X_)<1j zwPfVpKeK#x8PJ9_Dr9}lwD~SPx#;E<#(^#L0B-&_c|tM&m5%`Sx2mPxD#lD25H?`H zx8>u9(=3UOpYaB(2k@>ae&@IOoHo^B>+Yv7NOn-S^w)7BfLHK z&(&@xYo3o6(~ABRkG>~)s84bFPS&psQ|B`<2(GS;FAB!Wp|IcfkPAj zl=-N4%!HMUkRwstr8Qbq%-VzjPryyZ=Dn-BgqGOfEPFN&BJKZ}pnO=6^>+`WYETF@ z1qR*=hnO~IfR>H(-qesn5a{yFFb)6efX(2%1}mrI@r$~5<5BxZs(k*&8n^{!pE#{a zkxC)sFV#~1ozMhwxy-EXG}|?)cR*|bOO*9Mo-2PZr^lDhyN$#)RM#FBwR5<8K$vL5XkdE4lk`Kv5kb7p(XLxO?d?9CZD^6t@&Ma*7@f_x@NkC(`k-5`+sslk&ow-1^~T z^nTbm%e&ysgyc2CyQBLD1;JX((%v6yE*KxTT<{*Y(!sZ2@1zr2t{trQN7Y z5uP5m6%_rIak8LagXw>_F%SycTSeh9mfGaA7e4N4?ImulB*~(0lCI%G(!9N*3pI2!}ZTl}&?M%pr;rGu!rhJ=f-&sg}N><-lkmTy_HyGe`|J z3P>6gr)p{yx~5dDIei!I-{kQGWt7cZQ^sS20s?u|KQ?w2N_}f`Q(Ccds(|qH$LSaW z-wJ*^FOJc?iHCy~9&Wq7FS~A5CcpIFS$H`ZH0foUUz+6N5_3l5Ua#{pVp?Ryf_s|^e} z@4585H#_yuL3vIo$DX{Q1w3gW{Ewn~Rwa|)fPgt&HB(yP8i-r=H+Jx*WXS=@{;sUF z^vuwTXTgAPLA@;wJqU>J^OVyKb7)={q&K0<|hsbF13ojqQ?|?ioSn z#=GkyC6ljT{2ZNoI=_%jNQ( zXM*_LN5O%G#3una9*%Tw!#;e7U{H~^0PwTcnKdY4Pe+q20m~}o2raJBW(22TeXB$D z3rN%#bE$nZff(YBle^MogscO*k~cPd&-JnZK$Ir;y3n)I7ah_7f~!F$H!Hw_ip85n zhn%S*%Qhq`LzEe>bs%39s%>Gq>?@n$goVe@f;c^Brj!>DL#1TbtF(YA zt}O%siFcGrd?n*CQzp^4Nb*cH`SdH;WR)CmCw$7Kcrs3}J(R*UotBQ-@;7NdV5#Kl zx>Q**OK@Qx2hslROI`fOjD=ronDMupZ3*v;>Nh!;wAHYK>2-b(2D)__-GZYxV}ECk z6t!#V_ZCO<7Po$JDt}&ld!W&Qb75;Pd8YPg$pdeu_#0QvF6;Uzq+9XR?-0{yEmf{Y zwhD=j4!2s4g2u?ADB6X|hGL%M$q`D<;ia%wfK+h&iUwa4vxnZ9IS)`j6_ET|^lZxT zxBPzkxuaFZNZIVf3vY40X^LyzhefDYQt~MB0p@;2f#Zn8PtyU`Y;g(+cJG|&>bs}S z(O-csIfvO!rn>m*B!jT<;Ld;K>lJukDEqcFE~yk-V;3?#?pc7EaNjPIa2*=58X;@@ zd}a{qSqu=l(eh##?i#&&l8C!d9P-k{G_9-qk#gA5zWK^Z>m~HP-^z;hGiOks0c{%b zWHsL*sgLDE*Oq7b@Tf<$Xnadt`#yVv5D>g`66@M2sw0BBikx~O(+bo`x;Nk_BzQlrhpT%P=E_E^KEJTiFPbFvUSIGthHMw6uzFcU0 zK79K!IPRXt`zC?f!=MtV94M(;ROw~|sWm|LtqEDA*w3UW2BcdkLIJ^44QbjyI+g1Tr!wLGsK~H9$SLeE89CYrE5r6zBaRoL*26kCSZ8qt1k zAdiZ6RdZLhc}fe{;wI5$Pra>!${y@~u1qa%-$UV3V%!jQCPf;w zB_leaHp8qLaVi?(d(AKmN3c?);*BI1)4(H1tzxb@RdFaoST=dyR`qz#?CRySDQV|0 zS!bap{9{2WNc$0>;vR6ZBJ6Y~D6yM@NR{vrL z6%w0%tzc1bkF3)zb98H|Ktw7eJLJDNzPf8e(n1$Vbl22o(LsWB#U0DrZ)TYke}No$ zqdR;Q0979^MF`UIFlop5n z<|gvE9rg>TOe|?Ld(4CY&;&ohGPn@!3G~!&ACMHL!#Q}ya9=iIUu!3#aI0}L3qbHF z#DP|QS1DXo^LNp`5o-jQ=X`-$!;PDx$rGUJ5@}A_tS>oNAowOyPzTgR9K>>wU*-}P z@Q+UmLzq!%`n%Jds#o}lC{3feF&utm7J44!5FI zQz_(*@(`vRy2a`yp6><^`0b35WdPBgWE7ul`jWKoX-Kd${i^JS*iS@7ZuMlqtte&Z zYN_33-?dC?HnV0jvx`*|3_qj>z%{48STWI(!So-xAseM$H^{+WIvV>_Ky1O+$?65G zCA(5Fy#+N_N!?Ih9j3C4+bbY?}X& zA_Kx+GNLre^+jWa=#chZkW#B_4LX3f99fOKwNRCbHL1Vsy?$RB{twAHG)Jm^)w{m0 zrJC(X3P~W)TipR^pA<8C^_Fz|nzAmBO zbdWrT%}_rH#3Onh2xii_MkRT`=(I&d;X#5o+ByFjd8SXHK_(NK({^v^K#8T}AQ_dr zy(4q?QpuhRr@;D<8<`Wo)8--3%I1a^LQ9^LN$s$OmCZ_={B|oPcq|G+i7I$0kK5d^ zxmCK|qL#e3Kh4jy3+T|@+8Yu-OQ&ft8&|+dk$3bW;5x*+ICSe;aZf1y>Gx=GNEQdC zx6C|TAAZZir2QDLFG5?F6|b(bw9rZ%d-+3rA{r~rw*r*Z$2F$%asnx)TfsRwz4I)2 zNM2qnPWi)H6X8J`C}9ragfdCi0co4Lo&mfkymDaepCaJ=#N49pBryHgV1=t5#)sjNYT zY;Dg7|B&9Dg;1tnAjkaT@D$j)?em3b)kt3kuKZ1RwC$-@88JZ7?!R|zgAHwND3P5( zOlXH?c91V+{lD2Sa-t`LA+vbMaI{o_-*4edEG_sE!P}{9yk#MPsW#y!TniweJ;+D;mnMHJ(m>{`_UOu9 z*_HNPY&lnjl3f2lbo7SbT|jQF+xfpoq85B^Ug8q1C(J}{^sh3bikXbcu5BEJ$vdOO z8cEA_L}#Ry!H8h?sKj%ybnTi);ILzR>(RjGTEi&-+BuflSF>h%-shH9x`Z~i7+Rsw z;@3d+RaX%0)aO6ehA}5Rsf-nHh1#4aLaWmT{JA{;NPl|US%wic6VN@H=j zRWg;wQn^P_<^S#iUKITXD5-U7~X zv8y(bMO%xA*oNZkev@Bf&OxrxVtmpZjn*BfetjEwxs9?-N$xn`{SE+lil(;tr)FS| z#DXu;PrCS)_^oyAPoi0T;MBhWSL8?zh(hWo zQW(*;8Te0*A#!{%S6L|*yZ=7euITp2{b2}am0jQEL_S1Au?!GkQ||5(APq&QS9ixq zn~qq$jZ)c}aP1L00HoCmZQ2IAA8j9ipcgG`zFeS+t(i~RV%rx{DoHap`~|{>h1{fA zISVrd6>_}G&Wyub6Sdv%l5Ie+t3Umne95IY38ebZj>$W%dVd~}Iwk;hcCj&f`_Vvc z$Sr;0hGW)q6Bt|t*&BfavkRy#jRESzP14XuyF^8LQk??k#fE*By{^`*FSA_NB8NYj zF15umnh)ll{T)QKdi^~KH0EHYT-}+Q^#_q;kR~BE&^WDwq0fot!>u#8&v~xq!>l(; zMaxB-uS}0JfE5}4x%KYK$Lph?zYw-2bJF01;4{(`mT$X9E8HGC=NgPG&Mpqta+ZKD zOn>@tBUkF{I^p$MxbTjLsY-@v6@&olE741nm3(l5-wQ1G1Z?!F^c^VY5Swn?`txghuFN@DgCDWVvjYY^P zigh=3?0L!B6~C;Qw@S9+p$Qt#W4KE`lK(Z?I$y%T`iY?NG%KEeUS_9k(|>s{)O7s| zv$Lpbg-y4?{KuQK^(<==JWx>?n(f?~YV^*_MzKc2`d@6JVP}_A+@U6PeZ~gAqs;iW zyX?wuMb|6DYEECrh~&-yM#8G5<(-T!UY?tL8K~FOpklPNN{$tKs@(hLp=p5Me}>lq zLS0>LB9k+}8|*VJWeIA+Z>W~Jc{e(_)f*G>Hib5Z(KS9bl`mQZOoMUD=5)QQL*dU_ zL^kSnf>;1?0u*10Z`-DJnSA_;Z;iioV2c*5wPZ8bXFuED^J(3=D>?kqTj%rI3X<`= z-tfvaF>>9xAA-uc&c>qWZ`2saNpm|sQdoaR&|@Sv*}wkJXzgP0V=%DAtJpL*ucN4o zciYojhFV9zhn3D>U!*Y#gClwJO6P;boK|ohBF%wsucoiUA)94_2@5AoXO<7 z0#ge1DLA7$Ct}r>a?(^#{%(XJfIW>%>Qad zqqT2-VIW%;_opbvjKGfj`J60zY{cqkMg;A3qBR5K`C~FGg)v?C6Rc(g9|8s<)PI0* zMRq`U(Lv@3<#koHg(K%>)?3-DlZmlx2N%PC^(-Vt5xd`eYRq*aVyU6FWljZuv7RBX z8Nn_ZGNoWKKB#fEr7TKkz;v~>e(^Pm)1s>v=`m9@5KdlRnn>EcjBI>N=XF=3c~dN& ze4_-5U*=o*r3QO5^ef0jnhhRtCI-SjQxfx$x&Zv{CEtfnXBnt&Z5e?*Dn54^PP_+tSY64|Vw~Rm z7XU+lUwfQ`#TkLKRo#H|tu58H5hJTtyw+d2L-R@_9?_Cig0b{a=#2{_1IXwQ<$xA3 z7C>f!r=Oq^+fOSDT&up+&sBEK*72uK-TMeGci20n=zvQ>v%UK%C4(v>^u4PFW@aFe z5x5yG0Lp_Zl@!VRmqNvE(P6C5s|TLeHJTfC(V1n-GQCVO-tBIa=uA#-8xgA2fnE1~ zA9kH^e&O}{uu4km^m8(EHz@2bRs=_MEbCv*@A-e)d+)ENw*B zEFGw&@2|VUhg1{TQ77l^aW~ht_X2ou-Bl2QozK0>a$bq^9C;PpQs10;AlJZ<{|^*6 zmvk4KKms(<6aR0rmeORd==7_yDal`qtL8Hq&IGBf_tY$kxoNx=9z;o~I{aE2A7$J& zWOMJ#UqpA)q*iqcX|a!(`S$%D zXxZD_n^S7Dm_SqnGPP9?Cb#!+0lfrVge?ZpOd&F~@ea*z$OLc^ZWrF1m&~B?dxxE< zX|)0Ozb@yGdHCvL?bOqT-g*!tXcpl3BU?_Z3aa* zk~{f6GFHj~WMU=y&!^ua?*XDRJ0l^l?GdN?UFsTea$)t-=!*iW25Kb?qg+?tKRoS< zV-{q_098X>oFSnhAu@rT6#=|Z4IfWawI2t5wbg(Dt~!Y*{AcY2zkTNSR3rghIF;)e7DT4l`@92vm5mbzuAfReON529G{cpJ297cCcmfM1ZfVK!!QbCgZO+gk+6=wku z3ZfTR7QOa&u<+A)2JuOwA4k(M?Rr}q8og*e4d49f#(npjvn|T9xt=H0lmS$G5=lJ$ zl1b-xmt4l%Q5B3ymWSc);ISI!%%y^E#Zud!2Pwf|X9x=XBFjqvSi!X%J&*TV_rH9t zTmQDkow)M>@GyRzTbtInZ9o=I^8R-9PZYPE6=lnA1ZUHm#0(Kern0;Oca9}YlK?w=;V)~FuhQ`{t*m1A0Py8j z${uHXb+m*3@V#>e9Q7QpBmYBsWkvuKgXX@)Fh>n65C0=>A!`f^KQLrfE`NOGrI8L# zh*Nch=+thA25|S2KbM$>vISVt_|c*!qKy*UV6`z-a>h#^F~pdGdeADe6>bXdeK$?=Y|gRPD=Gk3Kl8|TT7Poq#0P6E zItvgwA~nNe3%NFu9>mxV7C`pzA%Yiy68O!&*OoYb=?Ayj-Ks2lk5Ea<#jSWcOBS)= zs@hszMp?+m1SOxuMwI~OF>}nUK!VKm z97Q-g=c(3||bp?2^Lh}VpH`nxWBzx^MZ z_H)u=Mzv@GLEUso+Se&ippmAbV2On)x%s!t+jc;oCLf-DlVSzNEM;lk8Vk|pPk3f> zFZrv^)u83cnN?c5mcqT%vEVPdJ1DOkk}WAfR?n9^PTPEcUH8e5{>k7PEKXV5)|yo3 zh|3_W3IbQq4hT$BOLgM>YVgh}WTSO{Ub#2yG!k*dsok)U^%hw)^-=w@%WEW~z~m6i z-&fO`&p`+I*!NJhoCVZE{laksI;S|6-Qy}#kH}G1?%+xZ>-mq=XUjtX*DH9Mi7>YWa=u{l;2|F6S zuuj-MiC;bK*sd-RI%+zux7n_($ED6;ZB2NFk+@qjeVK6%->+0R|i-cD_U~G#``BI2=RtoWu{rw0|OZhWE5hG}8f zBBOq8tG0rpz>S3oxeqjLP~Nz$eFTr}6^Hr%rsI=6HN}!W=|UsXE3>;j_k1O8zvHBW4i#5&Wr``Muv`x* z4aLK12-P4V^WffbV&z+6r&DbNOjhP5Iql~oGm)##>E0fmN`2#iReR2`OsN;osC4M5 zQ+FzFxyZ^p!2xeg%zdEKu}Y~bcllP=J)XtblOW-SWZnr!1i_~k|4EC<(GB{##I>Nv zysK;$+zBuBtc4OI1Mi3N5nJs^1L0Loj!%Xv`%-E9+QFy0k;lVM?d9a99@?bv%0-Od zDj!t8Kz=gD{DSWq$?xlauWdMB6-wUa?h|WfRKfzk+4z=KhtP=4hqtOisFKjWdt)X< z-aipDS-PLNzgR1d3!`C)MUtsUUP5NUa`u6+7Dv6)O_*IpGyk3P8ewfY4(r{@ySuDt zNm$USVB6^V@HHH|79Ck}H0 z9)Bs)#^PPI|57;g|1dh{-}DxUD!zdBS+3MnOivPlk}Aw&enQCe|Qy8=~ys-6F>bDULVr(s^g;tc;M$B~~*-uMPj zlvvZM7CD1US)pf@^0FXM@r;vRb-Hu34Q^Vk>EpA^7Ai+4u%N|8We$RMV!x8D?~@bF zChJY`>nKfnA+!Yp+QJ?#-Tinb_3!R}xD{&qkoSLUId_gys|v26r;%G zV&nHdMQA4bQxD~DGjC7367ti&#b+cDi(mpm)FQCL0_wf_k7P*?oSBB#L4O)ez*Oxb zfC%*~<3Z&LourZQus(Vr-M3KgcRY`~+M@(g`;0V|R*2PFmeMp!jE8#TT# z>b#(Rc%YHAIuXk6xWpu3JWhOl%h$lypKES~4JugPQvU+mfDc3sgK&NRZmmxYL*XYd zyUF1Krs5vB?E}Vq!tez2RRsX{-=rn>C({raR-vaKuU#JrYoA!TW@%gHjfU3x>D*~< zwh^VuX6jcUZ8TwlFBVq8>}?cTLw~0!>r

F>;O84mNs`kFMPn{@)_Kznjt)>VR2}oi?mxG+Yg0e}5SltUdTFZiXLHc49<%sZ zR4T`}Gp4dz9fqP!ReVZ|@H8UL)O;WP@U=(v{>FUk_w%Gv{8yeRrLmn)^lpzvP>Fq` z|3Dt%cb^?6Sh%=Y-jO>(oc(-y1*_|uxB9O#9cN11A}}wuI5%MaVc7kY6j3PI)y%Jx=q_Vu0Fkdy<+=VPK#02O_V5=haV)vfgd*KK~yo+1`s> z&lbF~6p!F6S!FW#!+Y@kK6oS^7Ki=LQ0;(+v1L!6+V}hxzi^f=XU{#AM)dq1@!+2L z5C4&hcnxi*v9q<_^B?R3LhfJ!eEzOGnX(L|jWDCNl8VU->2;-Ap*#>3u^tO{Ew|55&FQ^dxYsXdwhpnA1oUff0-Sibj}V0& z^$9nQp_`Q?sIup?*#Y7cA{BD%<^2%Yx8{n4=(+;nPw*A*aSKDPE70OAI~~J6VIZ8p zgmg#bTrQmy1(OeKj_ZC&X)}jd1gQ4+(tc#pef?DDgaaOYbpU#CAhXaiCwS_^B*!in zS}CXGd7Lk^B~LB`2vrl8JYL;WyC(hL6eb*udC-I|WN75nmuyBquB*^~)9(3i$cpEO zzkfEsP@4v?GGiFTU5oUOP+?Odm7Je$Ia+7=HAuD|)A-k_-6r}oXhU7A;9`Yv7^#f+ zOm9-gBD{Ub;M?sK7S_WEh^GcX^X`{KwZW$+1}7Ev{aWaOb?IYEQq7XvkK~~S?8oda zin5u|=F`PSDHPgh1P5Cu1#V;kMr5UCWW6~I@AvxMnR&+})4Cn583vaQDU*5xJt?}# zI^iM$F|;fN%v*ZjmkY8CwL(WlElHST88yWntA%~5@hain0yqM=tvPm?~5 z3IYsdSt2mp`9cGTYDlzuy|8JR7OlL&6T(fX2N4qO4wu9uOrx31RPTAjoAj<|svBJKk?UrP!&nTB`9VR4RZD8Ud5t_i&uUZ~9LMjt+BgIn(2%`O?=BQ<-Y6S4af zeTXHpz}K>#*xa%!(4-g=*&9b4`fU~*+N>BK9>~oGO=?`JI5@9JPPl|N`AQbF=Y+y4 zr^XtNec@EV(f#=3^xbsG1=6XL`=hvO(7p+;>U0Gb`+IF_6ywnITiLqsbZ3lN?bC?A zPUU)~z&$rDh_MNCQkgerg*UHP7y`##tB@AB6Nr_Z4XvO}2`{*x=HrC7y%rjT#LaVj z@H(hUW_$4FjQ3E4@ybD~T}CPVM%=9l{f^8#Ef5g@$Dn>)5Uy9)k!IgVjI**5+mZMa zyA_9At3D0-v(3=MV&xe5{W>2YXi5=tMH&J|5HvSTQ7S<6#o1Pwb^nP-cZuy{z zYgkvLkYJ`BxxIj@m`zrF>JWk``#%kx0%s$age?LI<&Z*cIAA!}qZJOHOxc1T$~M+` z!o+PUSJ;J2Hg5<4nJkWrV!}lL{1o8*EN4x*H(D1s;hVs1%W~~X0^;~>c7#eJl+8tQ zW=LnA9vf_uk6qO=jo?-bZ?9)CMIQYin-m9@N86=-8eG0uEIO0hn8>`2vllF`z6IKU zkFVrr@QZt7Z;`Y1{V*%%zV+!}aDgX`#jC#VO>tkm$&B4%_sz_Xgd;|c4$)>U-zP-( zAQ=`sCR>CAkeW*1>#JaE`ktw&u41t^UP#WekSKVfnwL=~ zZj&#|+u+2d_@r!0wogyGA;Qr|dark<^JA75oiThV#uMqD#| z`D`J8^}Pq{P{K5#z|uyui> z3kShdb4@?r+BK=`Rm9k(stmPyOqMpK&;!&zi2pQ*sbGbEaTR`*n@e#QDZs1j|19z- z6XAg)QSR4j=Qp2B&Gko)K6Y6KP~9?xK~g9lBhe7%Mm8tyc_Pv*k0(C!fp7wL`37o&+c2^;;Qkt0Kf3&2z|6lF;PrlDL^adRvux6&@sj6A)G%WpP|P2%Z3 zZpbkJI8lL|oZfQ330_pIN<@>?R*)xY9?TjL;DMug2e6{|OKR(CBq~54oTJdeFQkn} z>>ev`AgS@Susq;6cuY(JS}bK_A!92Yvx07DDB?b{HK>0#lNd2t->hW2-0y*}Iu4vDDy-b*TU{Na91&Kzps0{9 z2=+zcna@b!{gIdD0HSWYWiJgL-Lv$1{-REhKBn4lel#}GD(oj$x)?l7v=8&==ft-> zLu`a=uC?3Xi12{2s2^d2!%}>FI>Au?XkNgr&b{PGxzZP=|4O1ihcuS=5`D<_dwZ2#M2xQ4nE%AJz$J5)mCSLBCT+;bBU==@% zllEjh*~L`-3W{(R@oaa}V}Iu9uqy8r0eJrG49_zs!8Ry0VNuLuS!UOF*+WBwZ%7+< zj|kY|R+xRQq2iNT1N#SL-`Hlw`dOQFKIYm~9%v}>OmzZ+Or6@`dW+G8w2Gr>JMFZv zg7EPgh;Q+Qn9h$EK3`ae1dXd{H)B_yw`KG=+9&YbTjSg1Pq!-zjoi)d^QtWc|Cz1h zMJs)>x^<5e9;$HxFzeTqd!*!lq1UE1693dfngPyLCWv#6B`%jht}nWKdkO6YNNt2h zphob)!h;Zt9OkM&?@M_MFsG`?y6nBEjO(Y=1nkS}j2kdQkw5mKo^EfNMnrIMXd|)t zG*?(!;(<`hL(!?JV+CFNms%dPhWc4j_g)2kiv7vr{cbp5DGEEbfuVLB=FTU&FE38D zI>pXi&(D_}C+c+QKz2DNYpy_#T7PwTIHs|&ka5#e4qwt{6be@N&yFwcdU_8L(7KA_ z15F0Bs|J{`eTvXsayM73aJYzcM2gZnd)7e3NTtp0N=IIq)gHLA&?h$&ZllS7TB5dT z&}bf-f^R?1b%XP|{b$X!DGP9ebXcRjE4-()Q@vnTu9}yk@&$X;mtODF+YkfqoL4(} zv{ll|SuU92Tga3Om{be+Kd#6Mt)&qJ)4@*t>DOn(DlNR-KQ;lO1+PJtZ~;-C+=-T% z^^fctO#G8CmugtxeP=5Ba=ij#HMJT zu^S=WKxuzZ@|Ve)CLI`RUQ27^@BWYfe=fig#lRIGF4FMAJ;EN_#0%(Pm2_%WXE_Kb za{T2s`P6Md?2IPE8yeJ8MmxX_wIPR3xm9UMfhzZzO10BJf32)#TPls<*eJ=;2mah(d8h^N6|mp`K7=dH@KUn z>742i;r%}k#DhSHCTvs4Gxy^nwv;;WB`^(2ynxvaKp2ZObdCNR%4^&v;&i;D%;oOT9N0h=`8228x@T z=DISF+vCJ64air%klJUHRqlVD=u34afO4l{slqH7kG%hF11G&vb$Ir5Kz$eK8D3k& z%nub-olGpN;T|ztIB}zIhuhTjPLswW26>efJkO^4@<_IlSiAXYG#~k#qhhuHvzTAE zl+jAKFHLiOy4rLpm)3LnGR7>h^IC|V0iHM5#+>DR<||}qmwq}MyNBs5TqCl=MC(Fv zxvDFU;r+qU)P~i`B{xRECe~aFQJR3;z1+?uK8PfIOzyC&`I!e@gqPyrxLS0e;nU^f zW~GxMrIbt_Xm8e=`-i`>Pc*sDII`|Rv~~L8A>?~&b_WpWh9PF@+bFLjlx^|#(lF-h zP?wtLr&AI8ah~$Jz!W}yA3`sFKVO=65|)W+In2g#%vfpAEB$4?wR`tp>PRNYQ5{nG z6{t3dji|DHvdrs=$4Fxz8kXuOFry`V%x)->t^XK=61F23$Y-U1P>qe0Yw6-ttEHYW z?cFOzs~!+jHL7aZxJf-YC?!{w#JKfpmYLQLAHM>9o%Y%Pg?}?;19K?nqh{?fKGNH^|QZ-D$XvZrCDvj4ywo5FH<_c5xTPRLh2iP zL^SoH8`i_DAP`U&9r06Tr@*^i-*m)5fy+3CV!BmIeJn9-9vBq%X9#Aey*5u)fUMew zFFhK#1fYsDY1TWNg+FxL9fgioOEX`aHX;vKd`uWR>YHLNWWlgHG@1F8Q4GA6>m8R9 zNUxAKrXRh-@S+GUIFAt~2ALh*14pMwJCLCkGUO@J^I3gfwNvf8Zf7lLNG$NZ0lA-sge{xsML>ZWauTU6 z4$l3qc$hSh=59$6X#p;9Tv&ZC0L8t}dnQrt>oEtVtuKGA->x)u?2yFJV)kXZb>8doqh&>$f{}tA)3zVP+$PG4}rov2E8} zK$O}T^~tQXYVnUc(3VOAkV{50`wbiT0w;@^p97VJi&s9~0HM+X6rJCznm#LHW(Km# zQj3GjzNk6~l1an}M5Ycs*M@D!BU%`HQl3HQX$%diF z#tD5&(cK8@nMpXRIaeU3XEc`!2LS+0AX`y9lPc?aLj!S`B*J$E>Vj3snBrd@ z*4p7AJ`9&AI`_3Oihx_<5Dh-)-#$Kaww8Z9{i*4J-)+J`F1l_t*=lAhfROPKP7BOE&*UT|{w3|VThgSM$nF&+i$qr-Yu`SUAeY&xk zxgGHk&}uV|Es2-1^Fq%zffkc$NEC=;UD7P1)DusuIs2zVIXT0d?Xde)A z7i>}vtDMhU&{eQLTZ#FAz{+6f;S{OFM(Scg)Wd^ZC2pq>QB7Kpjexc|gTG~u$uh8K z`xABMGs1n`Hzc)~(BW3&>Mm@#WTbHVNv+@b_MqP_|+m-j@ipzwsl$(~U05z@oYFDWXJ|P9Jy|h*uJ@F`M>s%!F19Hz{ zqFvJ=YrxlM+QPKZq6w$l(RRUqY?sOxPQMRd2I{YvkN}?4A}Ruk{Tvm+yO03@Si1a8H(4<5m70wcLsKhbV>~gHXr$MqAesWyur3wTQ5irRZrs z4-8PdZ&#WLIFe%IR;F8)|HR7zIb9;Rh-N^rfoF@A8zH&iu(E)!02j-GF%>0Kb^wl$ zIGkD?Jl6&{ul)76KMQv0$}_D9KkRy6%z5N{AF2E^nl2W_1lj}&=dt@3b! z;V-YhZe};1k~P$FvF^RS`g?5!^ijRPGc#lGj$^8VAwxD)$6n7{m=JD15Wmq%t_Ntp z4F3h7G430$P+u=Iqr)TXXWQWwKPA!D!=Q^Zr4{fmmi!+d>4`EqPaZ5S86;N8Wv%44 zi!Qpx72KB^z0zA`wRq^zgb8Wdt>Nbu;K!6GOxCbLEld5Vx$=g=sBTttaU@6jj%2J| zdKFn2xy!n{Tv#W3uEzS(^J{dR4eq97d*3-`MyFn3!CXoIA(0q;t3pHfRFSTcuW$5N zi)v*Czt}%Skbc_!>SqfFGEvk0{S+;MLuIO%hV-OG^6`TNwHVNMOy3>MHObiGWr!2O z&$&ToHTyRp%PQ`qUI^K{A8RqP6U%s&y;rKn#VIH%o4SVo!gn4sww)mM@LGrz7j!2D zeotg*-F@xz=c#uf-rqxnCV0E-)~{!N^!YldAXD&hLJiAi2k4 zU`FMrjX8<-TSALXB4D%k$#Wsa)8pxG(xHemRZVRCom%dKq7I07ea$-5E zntOfu*U+W&`#$v$K0|y0xLILf+>pUfM}HS^VeM|QUqJZPPdKR%Nd3$n-^MheIWpqn zh}>Y?&uJXGAzLrs7j9@aFqwz!JRtJB3A>GCz9t(%=F6ywcgcLlLoO@oH04}D7a{VZ z%!|*RpL^h73VCwR{(n_pOG9Wty_p#eRKnjoi}Q;G|1Hi6dGWkB@ZoZRw&4#~@7)~x zWU8-Z)?WpI%AkF#!Ij$RCn1WmE_cbAmYZB{a6&*XMDfVcE>tvC=d3GB0st55{W~1_ z!ExGHC9g|cBb9EP449OrtJd5&djkJ;P6PfasN03p+$mG)cd8W@3BWl;>`68ioq z1jc2ytW-uDO4=;=;bNbY*a(^rsW1y+6<#LE+W??0DOEdejx31!{j8mGOD~kqO??SCihnY9vV2 z%#7f4b4Ogni0~LcPoEH{rqLHCsgc3EIjWZO7KRj9>X#q(?sWsr&(P}DA15z?aMuglIu$Je?yU7+YgZpYR8_^uZca~;)!dqb!JX|& zuNncrg22+dA;5XoRYxpx?*q1x3P3meG&QR6A+C7m)86?>CNroCdnY-O4eElC9M1Q) zuRkX6oIgW!wqcC>`aB~?{(){2Nzil$Ss+(p(q&(~|M?9iq1Hd=Nv_w2wJNt|-ZHp- za1q&fh-1`=8ZTc#g)v1F)eFWlobf&2BpctY#n3c|LDI#NyMP-#I(>i1)<5x$xZgor za#})K>fMAR9^0x=jmf6jkE$ta7E*G3IQ><7nr1^BR&BQb&^4l9Z+G1ALabfIp8=q4 zgAku&9+KPfQ-`_(l2?eFRX1pYLDO2V2iA51M)=iz^4lHK5&At#)kkvhZP7J$w$u{6 z7?Nq#XDno@aQ?~ZX~=s@oHK(QUj!?Tl|BA}+x$C7)} zXRyJne3}z)aQ|;CaY39%k}7m>v4%6mEqm=$dv8@{_L5TlKmn>n2^##Rmm!||Vd=u- zDL_uxRAO-DE%MaV%}~#yau@E&_HWeA8}`p*@T1kP`G8Y&QMA8*sq6UDtlDL?`iEkB zOv2NaJLiQHMfo-l&ug=GS}A`0T&pf#)w^1wlt_82+Yfh;fa|(P5JKXLdzCpvL{?p;m=DpigyCMn;&A#lhS@h+nJWFXN3Lkflqq( zpjyNI2)jp<6=!Ecx;~WHT!(gA57;qKp*7vXgy8$iOb8D$bx_T2LR1R%@&18GuH$(X z+zp(Pm2BvjK@Rp6OP_{v;?Id8Al+zSij`kB*u0ssxAs9$J&q4m_F~-(k;hB~G6ZUS2c%95uJ5SAV}7;-Ep`X_!7u>s+LRvhP(Xm7m7k!urc+t|sL!-+wpq~UGz7zsUfDwnT`q>ljmOJZOap|F@WQ{;RVT)HdQctZAH=F zyK>$3yoN_Ls=Rr?#mf1qq7q;6D5e-pv5JCIHF->PY_m>mszSp7$5|?=!Iqa34|!n|@tOp=ImI2u|Mc-8RDB zVsW~RsfufsSNJR^pfc*=#_Ka`=u~0x!=mFwCNnyXoz2mDD-j5D1Z3JxG_6ixugR4H z9qj(f5GlwQV^lTKK!CAW4kO6CW zwM0BfuIS*LsV3_+sEbNoEp~dkVeTj=8i-8M-65vP+5gE>SEapozB>l3FN3VrRL77M z;tn7BK3ux1V!HiTQ|GmCgoGh>(~73Z{D&63ZoqY-xK zs3cGowf{6EDl^}7O|Uf2^lFj}RcEBP?VoUgl?fkHXD^7*%7A|&_+H;=flz^&3~-0Q z;zZh;jB&d{z&hgZD)eHQ-{-A|_BB-|2_F2*Rir4iTKB&{9 zTcTrJP-2u_gCMm9dju!!`}{n2V~21qo9^3V`IQz_p(WWWHh`u`~ z3%cZsNxq7rKw$yW1AN#xVEL`?cfziR|q%C;I)nTayHF1~`65s=P7_d0G zdW;-!e(tI;b6(r?_nMGd2@43Ky!Z@U-v!*i2Xj;mBF2=HtzTplrjJ`oBTrK8a`ex3 z{Xw|5!pd}@?Z5kxU+WzZ&N_bjsS#FL?}miUS^So(dM^;?-$(E)t&sfphCgS{B0Yr~ zfX4~E0XpO|yOX_Pw*~ovJ?mlrs%-9u-^>-5(Hij-tk9v&Hz#3yHq~n()YnJ{ z#ye$!8=y?!SQELHR^M5Y24J(uHRD_C

)X(z6CbX-WdOZlq<)d!BVN)>HUTgLe*Y z%jukyPa*UkNxEl^J(zhMZC@sDN(fD%4>6UO2etEjDKhs-1nVuiZ+!bVI0mS7F6$f3 zYKJ=~$qwp}YG(&rcymP0W?BNb#FVf6Rv0|03_X5UrNLu+C;xXI<{D>+;EKHN?!e23 zON3jQ2`X?kJ{y1UoKhA@c>}116Iv)7bh6x=$O9$z!$~#hUGd!?yO*k zef2>&mXLRmXqR#CI-WDFkzm%?;1&;hy+qUOwzoejRCkYQ=w`y4*Qa7k+@kI6c$(|+ z4DDj5(QCx3ORIVEq02FD_AJFD4zSDhoeR27OlTM_RF~%K2?tD|x{%d6NUkeS&#!48 zS}z)!ReSb8?YFx6KgT<6#Xfu2DTkxO$^#l-ZupuCQL~D0Z`%(Gkq(`#86}N2kA$5n zz`9FcC8ihTqd;;$-iZ7xtUZqdf^*OSQ{QETY<)fNq6poY%(rv=Ndz@#$_x+jN^Ey_ zfp?8M!Yrqg*7EY{hAzuJADk~_oYyBYB>ZjuZBLM;P>kLF@LM81A9(|9QFSb)rE+$7 zIG4tD#H>?}zeraR8DP<5wQzAWIoJl?Y zF>L#DPM}Uao2;`jb{TDaOaDkEq6q2vy}_!SHBj{>VV!53uI484GM#fr+L6UHkvMhu zAie5_z9N%*E8e>Au2@drxv^|k3WT>VHk49OiI9&l7Vl??cZw`3+yu`c61;=cd&Vt$yA z7f4dFXLCFZPsRB9TQ-=?kS;g>7#F0v-Xv$)rj^u05MODrpj|_3wYLlUE5I~SEzwsZ zb0so#nE{`}*9T~WRxcOcluX?n88j+V7`Hu z@WR)B6k3iG4PC;P9wld^e1H7aB_srB)!Wno%r92uDf0&o%H<;N1=2EGf1);u%tD0Q z;IPt*@LS}xkrp#2eEqf`6BC-k;Qq)p3Suc7JHHCTHD6_ooCrScQIc0Y=gfQEp3YP~ zu(NqjAwDfksqXEPcF2<|e!M>1h#_^JLQoopkuJm%uQ*kgdve*~nY#^HImrD4e%k{9 ztvj#EUNHc^$kK1MAi_nbTVZyKogXO4#nqVkoMLZvAq+DUIz^bxMB5$4xfa8S2BA`Z zL(mq8#>B!a-^_pw`1Wa(*h<-25>s98Y4NYoc1yV9l2uyFyRRbUk1I-Fh{{Wm= zpv1SM@a+Ghh!bqqY9pzcH~U##)Vc70%pRBfD-OuRxjdUhbCdbA-en=-2jGd>4aPQfj)k0pP5u=L#O=kKq(26X+=b~oEp z$A;PY;S(AroFl6bz7wY8x#;@X015i;5xH?*D-i?75b+mT*;$j5DOpp))>W1VD0;K_9*nPH|KWT#BeNAzwBz;S!dw!>&jq!OV|JP_b zy1)0eA3rktsW=Nb$;R)}tv_t=5v2a^5a0|BL!d?0*L&fG%;=8nWu4J;tX-qPDUc#M z_3tfZ6Tl9g_Gb~6SDec~aF|_Q_7p@@Sobr&4cF~tuvfgXEYjsH#vx!O@>I1E1rY_( z3cS(;Pa79nZ6f>ZFG!?H7M=U{0fqIWP0c&_PAx>+XKG{BraTMF=6=dDjuSFqU}we! zq4k%*RNgqcZ(mAKC1+jNYZwc)5nBy;(Sew3r*l;V@WN;|(EfBHT_DZ&RtGL=w`TPg zn{exRE75Xg{4>(izH&LMvuA_l5*kVk9dCo*-7o!q>U%^BR30Gx_tHGm%G({W7JSR* z`6dIdwFQ}&#|+)Seyti?bn!C-;BsB6DB(Ui%R4>V5K0U@!cB(K4e@Jm(S44it$XGL zfp=DBMEdI6?;NQdEH^7WEpBkGHmeeq{ib5=i7dJirXr+03S?-Vx8}|X0`Ad)e7LkQ z4GfwzxjVFag!iK}s`~pJ-HnOMKtLtVtZ{65MrLBI1SZrfDWKK>y0z>%x(_5DL?o?+J^xgk;V=V@N<8JXv%hD?jK0IWbp=kD zoS`C)BG8VkHvDIz8Ohzv@f*Is-R33`{%~7jpi5ZyD8S=g&2Kkt)6rAs9I-Pp_PM|y zjEJ_srF1NqPLhBRtr@cy>doHj*HLXK_FjncvilF0T$ML+7-x7}HaXJ=cnD7vl-Gw( ztJYq_)LcCO0=Ng=gHUgkt!WgE^~sT8x;T7G(hfWuZ{w%pU~XgcTL03Svz76eDxZP! z{&zJP;VzN(!$Y^x3*9F+8S>%?M_n!qZs0tV=6R38dL5%R%Sj@wO8fLqQm1xG(|Rg( zx9v4miV*47`KaOQ|GuWQxG$EWChT^aFTgAI=Wd`{T}^h?Uv&TP^MBO}Joi5lPiPG1 Uuo0TuJ`-H~iNRyI`tvvc2MfGVlK=n! literal 0 HcmV?d00001 diff --git a/docs/index.md b/docs/index.md index 39679d01a5..5e6c70c563 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,52 +1,106 @@ --- title: AppArmor.d +hide: + - toc --- - - -**Full set of AppArmor profiles** - -!!! danger "Help Wanted" - - This project is still in its early development. Help is very welcome; see [Development](development/index.md) - -**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. - -### Purpose - -- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` -- Confine all Desktop environments -- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` -- Confine some *"special"* user applications: web browsers, file managers, etc -- Should not break a normal usage of the confined software - -See the [Concepts](concepts.md)' page for more detail on the architecture. - -### Goals - -- Target both desktops and servers -- Support for all distributions that support AppArmor: - * [:material-arch: Arch Linux](install.md#archlinux) - * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) - * [:material-debian: Debian 12](install.md#debian) - * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) -- Support for all major desktop environments: - - [x] :material-gnome: Gnome (GDM) - - [x] :simple-kde: KDE (SDDM) - - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* -- [Fully tested](development/tests.md) - -### Demo - -You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ - -### Presentations - -Building the largest set of AppArmor profiles: - -- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* -- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* - -### Chat - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org + + + +

+
+
+
+ +

apparmor.d

+

Full set of AppArmor policies

+

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

+

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

+ + Get started + + + + Demo Server + + +
+
+
+
diff --git a/docs/install.md b/docs/install.md index ff4a1b6bb6..a18185fbf2 100644 --- a/docs/install.md +++ b/docs/install.md @@ -89,7 +89,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. @@ -125,7 +125,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf !!! warning - **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. + **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. diff --git a/docs/overview.md b/docs/overview.md new file mode 100644 index 0000000000..fb6712a14c --- /dev/null +++ b/docs/overview.md @@ -0,0 +1,48 @@ +--- +title: Overview +--- + +!!! danger "Help Wanted" + + This project is still in its early development. Help is very welcome; see [Development](development/index.md) + +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. + +### Purpose + +- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` +- Confine all Desktop environments +- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` +- Confine some *"special"* user applications: web browsers, file managers, etc +- Should not break a normal usage of the confined software + +See the [Concepts](concepts.md)' page for more detail on the architecture. + +### Goals + +- Target both desktops and servers +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12/13](install.md#debian) + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- [Fully tested](development/tests.md) + +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ + +### Presentations + +Building the largest set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* + +### Chat + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/mkdocs.yml b/mkdocs.yml index 153af0d4e5..12783b5665 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -138,6 +138,7 @@ nav: - Home: - index.md - Getting Started: + - overview.md - concepts.md - install.md - configuration.md From daa6a1239b810dbc4458869a59a896dca42296df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 14:20:08 +0200 Subject: [PATCH 0090/1736] feat(profile): improve protonmail-bridge-core. --- apparmor.d/profiles-m-r/protonmail-bridge-core | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 92d379724d..493199974e 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -12,8 +12,9 @@ abi , include @{exec_path} = @{lib}/protonmail/bridge/bridge -profile protonmail-bridge-core @{exec_path} { +profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include + include include include @@ -25,7 +26,7 @@ profile protonmail-bridge-core @{exec_path} { @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{bin}/pass Cx -> pass, @{lib}/protonmail/bridge/bridge-gui ix, @@ -49,7 +50,6 @@ profile protonmail-bridge-core @{exec_path} { @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - deny @{bin}/pass x, deny owner @{user_passwordstore_dirs}/** r, profile pass { @@ -76,6 +76,7 @@ profile protonmail-bridge-core @{exec_path} { owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, deny owner @{user_passwordstore_dirs}/**/ r, From a46967cb43e643efc925644b234093f249fdc313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 14:56:51 +0200 Subject: [PATCH 0091/1736] feat(tunable): add papers to the list of document viewers. --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 198776f9b3..b3e36cae76 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -76,7 +76,7 @@ @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli # Document viewers -@{document_viewers_names} = evince okular *{F,f}oliate YACReader +@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader # Image viewers @{image_viewers_names} = eog loupe ristretto From 043dc3fc0589d3c361dd9e4a1cdf543fab8284df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 15:23:24 +0200 Subject: [PATCH 0092/1736] feat(profile): add paperspecs to cups backend. --- apparmor.d/groups/cups/cups-backend-beh | 1 + apparmor.d/groups/cups/cups-backend-bluetooth | 1 + apparmor.d/groups/cups/cups-backend-brf | 1 + apparmor.d/groups/cups/cups-backend-dnssd | 1 + apparmor.d/groups/cups/cups-backend-hp | 1 + apparmor.d/groups/cups/cups-backend-implicitclass | 1 + apparmor.d/groups/cups/cups-backend-ipp | 1 + apparmor.d/groups/cups/cups-backend-lpd | 1 + apparmor.d/groups/cups/cups-backend-mdns | 1 + apparmor.d/groups/cups/cups-backend-parallel | 1 + apparmor.d/groups/cups/cups-backend-pdf | 6 ++++-- apparmor.d/groups/cups/cups-backend-serial | 1 + apparmor.d/groups/cups/cups-backend-snmp | 1 + apparmor.d/groups/cups/cups-backend-socket | 1 + apparmor.d/groups/cups/cups-backend-usb | 1 + 15 files changed, 18 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh index e2dbc1b51a..1e9fe5b781 100644 --- a/apparmor.d/groups/cups/cups-backend-beh +++ b/apparmor.d/groups/cups/cups-backend-beh @@ -13,6 +13,7 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth index ada4926ce6..78ffbac776 100644 --- a/apparmor.d/groups/cups/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -13,6 +13,7 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf index 27e98efc31..6d50b284f4 100644 --- a/apparmor.d/groups/cups/cups-backend-brf +++ b/apparmor.d/groups/cups/cups-backend-brf @@ -15,6 +15,7 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index f45b99216b..1009a0ef2f 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -14,6 +14,7 @@ profile cups-backend-dnssd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp index 6361215534..cd9af3d7f4 100644 --- a/apparmor.d/groups/cups/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -13,6 +13,7 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index ba85c62fae..c71295f83e 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -13,6 +13,7 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index b473ecaa34..8d61f40727 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -13,6 +13,7 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd index af2901be08..89b62b5692 100644 --- a/apparmor.d/groups/cups/cups-backend-lpd +++ b/apparmor.d/groups/cups/cups-backend-lpd @@ -13,6 +13,7 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns index 0b9cce0dac..9e5dfbe0f9 100644 --- a/apparmor.d/groups/cups/cups-backend-mdns +++ b/apparmor.d/groups/cups/cups-backend-mdns @@ -13,6 +13,7 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel index a985e50427..b4340b2ed6 100644 --- a/apparmor.d/groups/cups/cups-backend-parallel +++ b/apparmor.d/groups/cups/cups-backend-parallel @@ -13,6 +13,7 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 7782ecb111..6f658b0645 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -14,9 +14,10 @@ profile cups-backend-pdf @{exec_path} { include capability chown, + capability dac_override, + capability dac_read_search, capability setgid, capability setuid, - capability dac_override, unix peer=(label=cupsd), @@ -30,10 +31,11 @@ profile cups-backend-pdf @{exec_path} { /usr/share/ghostscript/{,**} r, - /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, + /etc/papersize r, + /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/groups/cups/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial index 3959a091d3..26811ab59f 100644 --- a/apparmor.d/groups/cups/cups-backend-serial +++ b/apparmor.d/groups/cups/cups-backend-serial @@ -13,6 +13,7 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/groups/cups/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp index 5badd529ac..816f6c25bb 100644 --- a/apparmor.d/groups/cups/cups-backend-snmp +++ b/apparmor.d/groups/cups/cups-backend-snmp @@ -19,6 +19,7 @@ profile cups-backend-snmp @{exec_path} { /etc/cups/snmp.conf r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket index 3efcf183bc..f8f36a0563 100644 --- a/apparmor.d/groups/cups/cups-backend-socket +++ b/apparmor.d/groups/cups/cups-backend-socket @@ -13,6 +13,7 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb index fa21e02044..7d9dbd2370 100644 --- a/apparmor.d/groups/cups/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -21,6 +21,7 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, + /etc/paperspecs r, include if exists } From 00327dfae17112aac14ab572ddb1ed026797465c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 18:38:48 +0200 Subject: [PATCH 0093/1736] feat(profile): minor improvements. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +- apparmor.d/groups/apt/unattended-upgrade | 7 +++++-- apparmor.d/groups/grub/update-grub | 5 +++-- apparmor.d/profiles-a-f/acpi | 1 - apparmor.d/profiles-a-f/evince | 5 +++-- apparmor.d/profiles-g-l/kmod | 14 +++++++++++++- apparmor.d/profiles-m-r/mkinitramfs | 6 ++++++ apparmor.d/profiles-s-z/spice-vdagent | 2 ++ 10 files changed, 35 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5c33a18667..947dba1492 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -177,7 +177,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, @{pager_path} rmix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, /root/ r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 04907876eb..08e1400b2d 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index c700e325fb..59f7a54f6a 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 3e60798e92..8413d99759 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,13 +10,14 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include include + include include capability chown, @@ -65,7 +66,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, - /etc/apport/report-ignore/ r, + /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, @@ -89,8 +90,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/vmware-tools/* r, /var/log/unattended-upgrades/{,**} rw, + /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, + /var/lib/dpkg/info/ r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 1996b346ba..ff17c160a4 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -14,8 +14,9 @@ profile update-grub @{exec_path} { capability dac_read_search, @{exec_path} mr, - @{sh_path} rix, - @{sbin}/grub-mkconfig rPx, + + @{sh_path} rix, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 2914180e69..3b42be2343 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 5ae754138e..b7b087309d 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -44,13 +44,14 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, - owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, owner @{tmp}/evince-@{int}/{,**} rw, - owner @{tmp}/gtkprint* rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 0338e39751..ccc8d69138 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{sbin}/sysctl rPx, + @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, @{lib}/modprobe.d/{,*.conf} r, @@ -74,6 +74,18 @@ profile kmod @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, + profile sysctl { + include + + @{sbin}/sysctl mr, + + /etc/sysctl.conf r, + /etc/sysctl.d/{,**} r, + /usr/lib/sysctl.d/{,**} r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index ad626192c5..eaf5645f36 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -96,6 +96,12 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs-@{rand6} rw, owner /var/tmp/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 9562fec75f..c73f5f678e 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -47,6 +47,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, + /dev/udmabuf rw, + include if exists } From 2bad07f5ffe85486104bb775df646bb5cc5aad6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 18:44:59 +0200 Subject: [PATCH 0094/1736] doc: hide the date of revision on the front page. --- docs/index.md | 5 +++++ mkdocs.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 5e6c70c563..9602207d0a 100644 --- a/docs/index.md +++ b/docs/index.md @@ -19,6 +19,11 @@ hide: display: none; } + /* Hide the date of revision */ + .md-source-file { + display: none; + } + /* Get started button */ .md-typeset .md-button--primary { color: var(--md-primary-fg-color); diff --git a/mkdocs.yml b/mkdocs.yml index 12783b5665..e5244a529c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d edit_uri: edit/main/docs/ # Copyright -copyright: Copyright © 2021-2024 Alexandre Pujol +copyright: Copyright © 2021-2025 Alexandre Pujol # Configuration theme: From f9f409716434735336e9de871cad8fcfb329cd4f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:12:24 +0200 Subject: [PATCH 0095/1736] feat(abs): add the path abstraction. --- apparmor.d/abstractions/app-launcher-root | 7 ++----- apparmor.d/abstractions/app-launcher-user | 10 +++------- apparmor.d/abstractions/common/app | 5 +---- apparmor.d/abstractions/path | 23 +++++++++++++++++++++++ apparmor.d/groups/children/child-open-any | 7 +------ 5 files changed, 30 insertions(+), 22 deletions(-) create mode 100644 apparmor.d/abstractions/path diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 0bc7dbeff6..7f7e2a673c 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -5,15 +5,12 @@ abi , + include + @{bin}/** PUx, @{sbin}/** PUx, /usr/local/{s,}bin/** PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/{s,}bin/ r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 800de5106d..3f35d5882a 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -5,6 +5,8 @@ abi , + include + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, @@ -18,13 +20,7 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - - @{user_bin_dirs}/ r, - @{user_bin_dirs}/** PUx, + @{user_bin_dirs}/** PUx, include if exists diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index cc802ef060..0d63b72c8a 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -27,6 +27,7 @@ include include include + include include include @@ -39,12 +40,8 @@ /etc/{,**} r, - / r, /.* r, - /*/ r, - @{bin}/ r, @{lib}/ r, - /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path new file mode 100644 index 0000000000..dee241b292 --- /dev/null +++ b/apparmor.d/abstractions/path @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Common directories in $PATH, used by launchers and interactive shells. + + abi , + + @{bin}/ r, + @{bin}/*/ r, + @{sbin}/ r, + @{sbin}/*/ r, + + / r, + /usr/ r, + /usr/local/bin/ r, + /usr/local/sbin/ r, + + @{user_bin_dirs}/ r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 1259d7708e..446627e854 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -14,6 +14,7 @@ include profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include + include @{bin}/** PUx, @{lib}/** PUx, @@ -22,12 +23,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { /usr/local/bin/** PUx, /usr/share/** PUx, - @{bin}/ r, - @{user_bin_dirs}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - include if exists include if exists } From efba6e164e8dcb99e26856394f924333b302fa60 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:22:00 +0200 Subject: [PATCH 0096/1736] feat(profile): add initial profile for decibels. --- apparmor.d/groups/gnome/decibels | 37 ++++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 38 insertions(+) create mode 100644 apparmor.d/groups/gnome/decibels diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels new file mode 100644 index 0000000000..88d292b073 --- /dev/null +++ b/apparmor.d/groups/gnome/decibels @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels +profile decibels @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + @{open_path} rPx -> child-open-help, + + /usr/share/org.gnome.Decibels/{,**} r, + + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index adced30c9f..bcebd472d1 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -77,6 +77,7 @@ cupsd attach_disconnected,complain ddcutil complain deb-systemd-helper complain deb-systemd-invoke complain +decibels complain dino attach_disconnected,complain discord complain discord-chrome-sandbox complain From 5a448cb39dda25ddf11ce446af10dda253613bc4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:23:35 +0200 Subject: [PATCH 0097/1736] feat(profile): add initial profile for papers. --- apparmor.d/groups/gnome/papers | 51 ++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 2 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/papers diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers new file mode 100644 index 0000000000..ee829d8f39 --- /dev/null +++ b/apparmor.d/groups/gnome/papers @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/papers +profile papers @{exec_path} { + include + include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{open_path} Cx -> open, + + /usr/share/poppler/{,**} r, + + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + + profile open { + include + include + + @{browsers_path} Px, + @{help_path} Px, + @{bin}/papers Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index bcebd472d1..70d484953a 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -257,7 +257,7 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -pam-tmpdir-helper complain +papers complain passimd attach_disconnected,complain pkla-admin-identities complain pkla-check-authorization complain From 8d374ed8761dfd518e7d4f09e8ec699261d76b56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:25:27 +0200 Subject: [PATCH 0098/1736] feat(fsp): add tunables for the future systemd executor profiles. --- apparmor.d/tunables/multiarch.d/profiles | 2 ++ pkg/prebuild/prepare/fsp.go | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index e966623d48..92ab19fc95 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -9,7 +9,9 @@ # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` @{p_systemd}=unconfined +@{p_systemd_executor}=unconfined @{p_systemd_user}=unconfined +@{p_systemd_user_executor}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index e46efe0e83..0d4c230762 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -40,7 +40,9 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") + out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") + out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") if err := path.WriteFile([]byte(out)); err != nil { return res, err } From dbd0a7d271930f6a85ceda79feab610599b54222 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:25:58 +0200 Subject: [PATCH 0099/1736] feat(tunable): add the efi variable. --- apparmor.d/tunables/multiarch.d/system | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 3f6e0f8909..d7834cc8a5 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -22,6 +22,8 @@ # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ +# Common places for EFI +@{efi}=/boot/ /efi/ /boot/efi/ # System Variables # ---------------- From 4beb096532ab6c60c376fb4a3acf070e11e2d56b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:29:33 +0200 Subject: [PATCH 0100/1736] feat(abs): expand zsh abs to more default locations - Add support for oh-my-zsh - Add support for gitstatus & p10k - Add more zsh config dirctories. --- apparmor.d/abstractions/zsh | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index a22895c91a..ff90849c0c 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -10,24 +10,40 @@ @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, - /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, + /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh/{,**} r, /etc/zsh/* r, - owner @{HOME}/.zshrc r, - owner @{HOME}/.zshenv r, + owner @{HOME}/.zcompdump-* rw, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, + owner @{HOME}/.zsh_history.new rw, + owner @{HOME}/.zshenv r, + owner @{HOME}/.zshrc r, owner @{HOME}/.oh-my-zsh/{,**} r, owner @{HOME}/.oh-my-zsh/log/update.lock/ w, - owner @{HOME}/.zcompdump-* rw, + owner @{user_cache_dirs}/oh-my-zsh/{,**} r, + owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, + owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, + owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, + owner @{user_share_dirs}/zsh/history rw, + owner @{user_share_dirs}/zsh/history.LOCK rwk, + owner @{user_share_dirs}/zsh/history.new rw, + + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, + + @{PROC}/version r, + owner @{PROC}/@{pid}/loginuid r, + include if exists # vim:syntax=apparmor From d74a47764665fbdcbfd74ec8d0549b557ab1075e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:33:03 +0200 Subject: [PATCH 0101/1736] feat(tunable): add @{backup_path}. --- apparmor.d/abstractions/app-open | 7 ++----- apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 8c74d1f08e..27f0c96fc9 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -26,6 +26,7 @@ @{image_viewers_path} PUx, @{offices_path} PUx, @{text_editors_path} PUx, + @{backup_path} PUx, # Others @{bin}/amule Px, @@ -41,6 +42,7 @@ @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, + @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, @{bin}/kgx Px, @@ -57,11 +59,6 @@ #aa:only opensuse @{lib}/YaST2/** PUx, - # Backup - @{lib}/deja-dup/deja-dup-monitor PUx, - - @{bin}/gnome-session-quit rPx, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 733f8925c7..cb889ee19c 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -69,4 +69,7 @@ # Terminal emulator @{terminal_path} = @{bin}/@{offices_names} +# Backup +@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index b3e36cae76..c1eea10b3c 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -93,4 +93,7 @@ # Terminal emulator @{terminal_name} = kgx terminator konsole +# Backup +@{backup_names} = deja-dup borg + # vim:syntax=apparmor From 3b1fe1f931337c7e6d9428797866045effe3e0ca Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:41:43 +0200 Subject: [PATCH 0102/1736] feat(tunable): fix and use terminal_path. --- apparmor.d/abstractions/app-open | 4 ++-- apparmor.d/tunables/multiarch.d/paths | 2 +- apparmor.d/tunables/multiarch.d/programs | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 27f0c96fc9..c7d2a86c8f 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -18,6 +18,7 @@ # Labeled programs @{archive_viewers_path} PUx, + @{backup_path} PUx, @{browsers_path} Px, @{document_viewers_path} PUx, @{emails_path} PUx, @@ -25,8 +26,8 @@ @{help_path} Px, @{image_viewers_path} PUx, @{offices_path} PUx, + @{terminal_path} Px, @{text_editors_path} PUx, - @{backup_path} PUx, # Others @{bin}/amule Px, @@ -45,7 +46,6 @@ @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, - @{bin}/kgx Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index cb889ee19c..059f337fd8 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -67,7 +67,7 @@ @{help_path} = @{bin}/@{help_names} # Terminal emulator -@{terminal_path} = @{bin}/@{offices_names} +@{terminal_path} = @{bin}/@{terminal_names} # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index c1eea10b3c..cddb1a7d27 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -91,7 +91,7 @@ @{help_names} = yelp # Terminal emulator -@{terminal_name} = kgx terminator konsole +@{terminal_names} = kgx terminator konsole ptyxis # Backup @{backup_names} = deja-dup borg From 053ce04c8e040c47095b32468d8e046033a14466 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:09:06 +0200 Subject: [PATCH 0103/1736] feat(tunanle): add the sqlhex variable. --- apparmor.d/abstractions/common/app | 3 ++- apparmor.d/groups/flatpak/flatpak-app | 1 - apparmor.d/groups/gnome/gnome-music | 4 ++-- apparmor.d/groups/gnome/localsearch | 8 ++------ apparmor.d/groups/gnome/tracker-miner | 6 ++---- apparmor.d/profiles-a-f/dropbox | 3 ++- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 3 ++- apparmor.d/profiles-g-l/gpodder | 3 ++- apparmor.d/profiles-m-r/protonmail-bridge-core | 4 ++-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 ++- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 6 ++++-- apparmor.d/tunables/multiarch.d/system | 3 +++ 17 files changed, 30 insertions(+), 27 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 0d63b72c8a..99da315908 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -59,9 +59,10 @@ owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 8d35bc8e0f..bb824c7cbc 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -82,7 +82,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - /var/tmp/etilqs_@{hex16} rw, @{run}/.userns r, @{run}/parent/** r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 7874e95ffa..511a48987a 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -51,8 +51,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 263604ba7d..1503ba7475 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -47,12 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex12}@{h} rw, - owner @{tmp}/etilqs_@{hex12}@{hex2} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e10d81bb2c..d35f6467f7 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -63,10 +63,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index eecdb2e6d5..b4baf1d0c7 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -61,7 +61,8 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index c6746843d3..5971764f0d 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -34,7 +34,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 75d5197aed..71addde646 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -67,7 +67,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{hex16} rw, + /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 562980d352..cebfc955fb 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -36,7 +36,8 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 7ccf428c3f..dd7a20eb72 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -47,7 +47,8 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 493199974e..ee7adab753 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -43,8 +43,8 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 33435fa8d1..24e0c61dd2 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -54,7 +54,7 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 32c05e55b8..1d3850ba5b 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -54,7 +54,7 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 89395f8b50..d1194abf58 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -47,7 +47,8 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 6a337a66bb..84bbcf1f26 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -68,7 +68,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 67b3cf5039..6f4c120a02 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -59,11 +59,13 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{tmp}/.mount_wechat@{word6}/ rw, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, - owner /var/tmp/etilqs_* rw, - @{HOME}/.xwechat/{,**} rwk, + owner @{user_documents_dirs}/xwechat_files/{,**} rwk, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index d7834cc8a5..f1be21e49d 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -54,6 +54,9 @@ # System Internal # --------------- +# SQlite temporary files (hexadecimal from 12 to 16 characters) +@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} + # Shortcut for PCI device @{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} From 94991165421ca3bc422af6893792bb3aa5dfbd9f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:39:32 +0200 Subject: [PATCH 0104/1736] feat(profile): add initial profile for ptyxis. --- apparmor.d/groups/gnome/ptyxis | 38 +++++++++++++++++++++++ apparmor.d/groups/gnome/ptyxis-agent | 46 ++++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 86 insertions(+) create mode 100644 apparmor.d/groups/gnome/ptyxis create mode 100644 apparmor.d/groups/gnome/ptyxis-agent diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis new file mode 100644 index 0000000000..739681eae8 --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ptyxis +profile ptyxis @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{lib}/ptyxis-agent Px, + @{open_path} Px -> child-open-help, + + /etc/shells r, + + owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**, + + owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + + owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + + owner @{PROC}/@{pid}/stat r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent new file mode 100644 index 0000000000..239993f215 --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ptyxis-agent +profile ptyxis-agent @{exec_path} { + include + include + include + include + + signal send set=hup peer=unconfined, + + ptrace read, + + @{exec_path} mr, + + @{bin}/podman Px, + @{bin}/systemd-run Cx -> shell, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner @{PROC}/@{pid}/cmdline r, + + /dev/ptmx rw, + + profile shell { + include + include + + signal send, + + @{bin}/systemd-run mr, + @{bin}/@{shells} Ux, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 70d484953a..2cef123049 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -271,6 +271,8 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +ptyxis complain +ptyxis-agent complain qdbus complain remmina complain run-parts complain From 1fab846875cae905de7c4e194848a043793185c6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:47:08 +0200 Subject: [PATCH 0105/1736] feat(abs): add proc stat to the gnome common abs. --- apparmor.d/abstractions/common/gnome | 1 + apparmor.d/groups/apparmor/aa-notify | 1 - apparmor.d/groups/gnome/decibels | 1 - apparmor.d/groups/gnome/gnome-calculator | 2 -- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-extensions-app | 1 - apparmor.d/groups/gnome/gnome-logs | 2 -- apparmor.d/groups/gnome/gnome-maps | 1 - apparmor.d/groups/gnome/gnome-text-editor | 1 - apparmor.d/groups/gnome/gnome-weather | 1 - apparmor.d/groups/gnome/papers | 1 - apparmor.d/groups/gnome/ptyxis | 2 -- apparmor.d/profiles-a-f/file-roller | 1 - apparmor.d/profiles-a-f/foliate | 1 - apparmor.d/profiles-a-f/fractal | 1 - 15 files changed, 1 insertion(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index ccb5de8b3b..056f6581bc 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -32,6 +32,7 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index b64317a574..7cb64af808 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -75,7 +75,6 @@ profile aa-notify @{exec_path} { owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels index 88d292b073..2bb38dfd59 100644 --- a/apparmor.d/groups/gnome/decibels +++ b/apparmor.d/groups/gnome/decibels @@ -28,7 +28,6 @@ profile decibels @{exec_path} { owner @{user_videos_dirs}/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 3f2290e6a8..2e553d9f40 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -23,8 +23,6 @@ profile gnome-calculator @{exec_path} { @{open_path} rPx -> child-open-help, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 890a546919..7ee0f835eb 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index f1e229b591..0a65c95f2e 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -22,7 +22,6 @@ profile gnome-extensions-app @{exec_path} { /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 06e66a43b2..5e3ab03bdd 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -27,8 +27,6 @@ profile gnome-logs @{exec_path} { /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 294d6229a4..7058573910 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -45,7 +45,6 @@ profile gnome-maps @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 693b1618f2..22823753b1 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -24,7 +24,6 @@ profile gnome-text-editor @{exec_path} { owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index c73ff0a192..fe2bf69b2c 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -31,7 +31,6 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index ee829d8f39..87820376cc 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -32,7 +32,6 @@ profile papers @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, profile open { include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 739681eae8..2f7dee368d 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,8 +28,6 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - owner @{PROC}/@{pid}/stat r, - /dev/ptmx rw, include if exists diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index b8eedb2635..24610cd8c7 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -48,7 +48,6 @@ profile file-roller @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index f6380d1254..a07976ce9b 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -51,7 +51,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 5971764f0d..40001da68c 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -41,7 +41,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, /dev/ r, From 658c054c47a7a0ffc054b5ada18137e62c063354 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:46:35 +0200 Subject: [PATCH 0106/1736] feat(profile): update and enforce a few profiles. --- apparmor.d/groups/filesystem/mke2fs | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 - apparmor.d/groups/gnome/gnome-software | 14 ++-------- apparmor.d/groups/gnome/gnome-system-monitor | 8 +----- apparmor.d/groups/gnome/gnome-terminal-server | 18 ++++++------ apparmor.d/groups/gnome/gnome-tweaks | 2 +- apparmor.d/groups/gnome/kgx | 18 ++++++------ apparmor.d/groups/network/ModemManager | 3 +- apparmor.d/groups/polkit/pkttyagent | 4 +-- apparmor.d/groups/shadow/newgidmap | 2 ++ apparmor.d/groups/shadow/newuidmap | 2 ++ apparmor.d/profiles-a-f/calibre | 28 +++++++++++++------ apparmor.d/profiles-m-r/mdevctl | 1 + apparmor.d/profiles-m-r/metadata-cleaner | 14 +++------- apparmor.d/profiles-s-z/totem | 8 ++++++ apparmor.d/profiles-s-z/xsane-gimp | 18 +++++++----- dists/flags/main.flags | 22 ++------------- 17 files changed, 77 insertions(+), 87 deletions(-) diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index a3edbeb50b..90df8ecb1b 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -10,6 +10,7 @@ include @{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 1f17b35a35..027a1ab96c 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -103,7 +103,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include include - include include @{bin}/env rix, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index dd872c53a8..c10261c02e 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include + include include - include - include include include include @@ -71,15 +69,11 @@ profile gnome-software @{exec_path} { /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, - / r, - owner @{HOME}/.var/app/{,**} rw, owner @{user_download_dirs}/*.flatpakref r, owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/ rw, - owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -94,7 +88,6 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, - owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, @@ -123,10 +116,7 @@ profile gnome-software @{exec_path} { @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, @@ -166,6 +156,8 @@ profile gnome-software @{exec_path} { include include + capability setuid, + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8df82b290b..a3d039deaa 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,10 +9,7 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include include capability sys_ptrace, @@ -35,7 +32,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, @@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/diskstats r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 55a7f46879..837f00f686 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -19,11 +19,11 @@ profile gnome-terminal-server @{exec_path} { include include - signal (send) set=(hup) peer=htop, - signal (send) set=(term hup kill) peer=unconfined, + signal send set=(hup) peer=htop, + signal send set=(term hup kill) peer=unconfined, - ptrace (read) peer=htop, - ptrace (read) peer=unconfined, + ptrace read peer=htop, + ptrace read peer=unconfined, #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions @@ -39,14 +39,14 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, # The shell is not confined on purpose. - @{bin}/@{shells} rUx, + @{bin}/@{shells} Ux, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, - @{open_path} rPx -> child-open, + @{open_path} Px -> child-open, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index fa94d56e82..96e83b8467 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -32,7 +32,7 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index c9177de5c4..a32a3d8c34 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -25,14 +25,14 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/btop rPUx, - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, - @{bin}/nvtop rPx, - @{bin}/vim rUx, - - @{open_path} rPx -> child-open-help, + @{bin}/btop PUx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + @{bin}/nvtop Px, + @{bin}/vim Ux, + + @{open_path} Px -> child-open-help, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 1d89877090..59efc3201a 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, @@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/@{pci}/revision r, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index de0eeef331..436447aefb 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} { capability sys_nice, capability audit_write, - ptrace (read), - signal (send,receive), + ptrace read, + signal (send, receive), @{exec_path} mr, diff --git a/apparmor.d/groups/shadow/newgidmap b/apparmor.d/groups/shadow/newgidmap index 4a7196fc22..6fa555504e 100644 --- a/apparmor.d/groups/shadow/newgidmap +++ b/apparmor.d/groups/shadow/newgidmap @@ -18,6 +18,8 @@ profile newgidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subgid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/groups/shadow/newuidmap b/apparmor.d/groups/shadow/newuidmap index 549eb06ef4..6a53bf5c18 100644 --- a/apparmor.d/groups/shadow/newuidmap +++ b/apparmor.d/groups/shadow/newuidmap @@ -18,6 +18,8 @@ profile newuidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subuid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index e3643ab6dc..bba3dfedba 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -15,9 +15,10 @@ profile calibre @{exec_path} { include include include - include include + include include + include include include include @@ -35,11 +36,13 @@ profile calibre @{exec_path} { capability sys_ptrace, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - unix (send, receive) type=stream peer=(addr=none, label=xorg), + # unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", @@ -47,9 +50,10 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, + @{bin}/env r, @{bin}/file rix, - @{sbin}/ldconfig{,.real} rix, @{bin}/uname rix, + @{sbin}/ldconfig{,.real} rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @@ -61,6 +65,7 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, /etc/fstab r, + /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, @@ -68,10 +73,15 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - owner @{user_documents_dirs}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_books_dirs}/Calibre/** rwk, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_documents_dirs}/Calibre/** rwk, owner @{user_torrents_dirs}/{,**} rwl, + owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, + owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, @@ -82,10 +92,11 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{tmp}/calibre_*_tmp_*/{,**} rw, - owner @{tmp}/calibre-*/{,**} rw, - owner @{tmp}/@{int}-*/ rw, - owner @{tmp}/@{int}-*/** rwl, + owner @{tmp}/@{rand8} rw, + audit owner @{tmp}/@{int}-*/ rw, + audit owner @{tmp}/@{int}-*/** rwl, + audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, + audit owner @{tmp}/calibre-@{rand8}/{,**} rw, owner /dev/shm/#@{int} rw, @@ -108,6 +119,7 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index f1b5034e66..906dcf512e 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 4aa662cd01..808427d859 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include include include @@ -20,12 +18,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{python_path} rix, - @{bin}/bwrap rCx -> bwrap, - @{open_path} rPx -> child-open-help, + @{bin}/bwrap Cx -> bwrap, + @{open_path} Px -> child-open-help, - /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, @@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=metadata-cleaner, + signal receive set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 64ab228ba9..fc582cae2b 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) { include capability dac_override, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, @@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer.png rw, @{PROC}/sys/vm/mmap_min_addr r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 41ac0b973c..4273e803dc 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,27 +11,30 @@ include profile xsane-gimp @{exec_path} { include include - include - - signal (receive) set=(term, kill) peer=gimp, + include network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=(term, kill) peer=gimp, + @{exec_path} mr, + @{system_share_dirs}/gimp/{,**} r, @{system_share_dirs}/sane/xsane/{,**} r, - @{system_share_dirs}/snmp/mibs/{,**} r, # network + @{system_share_dirs}/snmp/mibs/{,**} r, + /etc/sane.d/{,**} r, + owner @{HOME}/.sane/{,**} rw, owner @{tmp}/xsane-*-@{rand6} rw, - @{sys}/devices/@{pci}/{model,type,vendor} r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, - # SCSI @{sys}/bus/scsi/devices/ r, + @{sys}/devices/@{pci}/{model,type,vendor} r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2cef123049..b710f2d94c 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -9,7 +9,6 @@ systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -106,7 +105,6 @@ filezilla complain finalrd complain firewall-applet attach_disconnected,complain firewall-config complain -firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain @@ -117,29 +115,20 @@ flatpak-system-helper complain flatpak-validate-icon complain fstrim complain fuse-overlayfs complain -fusermount complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain -gimp complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain -gnome-music attach_disconnected,complain -gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-software complain -gnome-system-monitor attach_disconnected,complain -gnome-terminal-server complain -gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain @@ -173,8 +162,8 @@ gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain -hyprctl complain -hyprlock complain +hyprctl attach_disconnected,complain +hyprlock attach_disconnected,complain hyprpaper attach_disconnected,complain hyprpicker complain hyprpm complain @@ -184,7 +173,6 @@ im-launch complain install-info complain iwctl complain iwd complain -jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -202,7 +190,6 @@ kded complain kernel-install complain keyboxd complain kglobalacceld complain -kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain @@ -238,9 +225,6 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdevctl complain -metadata-cleaner attach_disconnected,complain -mke2fs complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain @@ -357,7 +341,6 @@ systemd-network-generator complain systemd-nsresourced complain systemd-nsresourcework complain systemd-portabled complain -systemd-remount-fs complain systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain @@ -408,6 +391,5 @@ xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain xsettingsd complain -xwaylandvideobridge complain zpool complain From 21abf59132bc39f72fba96bad60eed1d41a1e5cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:48:33 +0200 Subject: [PATCH 0107/1736] feat(profile): libvirt: simplify udev access. --- apparmor.d/groups/virt/libvirtd | 31 ++----------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 53dcb0703c..94fa568a37 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -162,35 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c21:@{int} r, # Generic SCSI access - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c108:@{int} r, # For /dev/ppp - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{run}/udev/data/n@{int} r, @{sys}/bus/[a-z]*/devices/ r, From 64f02ff6084d5084339211cdcd7f5a468cab5bf2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:50:09 +0200 Subject: [PATCH 0108/1736] feat(profile): snapd: add journalctl subprofile. --- apparmor.d/groups/snap/snapd | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 38d8036551..c1b24176ef 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -60,7 +60,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.timedate1, label=unconfined), + peer=(name=org.freedesktop.timedate1), @{exec_path} mrix, @@ -72,7 +72,7 @@ profile snapd @{exec_path} { @{sbin}/groupadd rPx, @{bin}/gzip rix, @{bin}/hostnamectl rPx, - @{bin}/journalctl rPx, + @{bin}/journalctl rCx -> journalctl, @{bin}/kmod rPx, @{bin}/mount rix, @{sbin}/runuser rCx -> runuser, @@ -199,6 +199,25 @@ profile snapd @{exec_path} { include if exists } + profile journalctl { + include + include + + capability net_admin, + + network netlink raw, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + include if exists + } + profile runuser { include From b677d4a0b537ff1c22ab2260f418cbe348df80f5 Mon Sep 17 00:00:00 2001 From: tpaau-17DB Date: Sun, 18 May 2025 18:36:39 +0200 Subject: [PATCH 0109/1736] Fix hyprland profile. --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 68356741d0..c06671b34e 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -31,6 +31,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, + owner @{user_share_dirs}/hyprland/** rw, owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/.hyprpaper_* rw, From 10ef829d31efe2f4f9de20ef9b52b999852d489d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 19:31:33 +0200 Subject: [PATCH 0110/1736] fix(profile): more possible id than int for i2c. --- apparmor.d/groups/kde/kde-powerdevil | 10 +++++----- apparmor.d/groups/procps/htop | 6 +++--- apparmor.d/groups/xfce/xfce-sensors | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-s-z/sensors | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index f5ffa6a82b..ebb150ed25 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -70,12 +70,12 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, - @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/**/dev r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/**/i2c-@{int}/**/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/**/i2c-*/**/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 5e1079802a..d59fde5e58 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -45,7 +45,7 @@ profile htop @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, @@ -56,8 +56,8 @@ profile htop @{exec_path} { @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{sys}/devices/system/cpu/cpu@{int}/** r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index e7ee1080ba..c1bd981114 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index b640d90fd3..c708b587c6 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -95,7 +95,7 @@ profile monitorix @{exec_path} { @{PROC}/@{pids}/io r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 4028680a61..ca2d43a650 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -21,7 +21,7 @@ profile sensors @{exec_path} { @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, @{sys}/devices/@{pci}/name r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 96dc170428..d21cf6f565 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index e076f313cb..9a4b5cebe4 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,7 +24,7 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/name r, @{sys}/devices/@{pci}/net/*/duplex r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, From 86afef4920601f4e8babdfaf15d232ac5aed2979 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 19:33:58 +0200 Subject: [PATCH 0111/1736] build: improve `just install` --- Justfile | 13 ++++++++----- PKGBUILD | 3 ++- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/Justfile b/Justfile index 1e626dc1c0..825097a1b6 100644 --- a/Justfile +++ b/Justfile @@ -18,7 +18,7 @@ # Build setings destdir := "/" build := ".build" -pkgdest := `pwd` / ".pkg/dist" +pkgdest := `pwd` / ".pkg" pkgname := "apparmor.d" # Admin username @@ -86,13 +86,16 @@ install: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - for file in $(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n"); do + mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") + for file in "${share[@]}"; do install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" done - for file in $(find "{{build}}/apparmor.d" -type f -printf "%P\n"); do + mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") + for file in "${aa[@]}"; do install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done - for file in $(find "{{build}}/apparmor.d" -type l -printf "%P\n"); do + mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") + for file in "${links[@]}"; do mkdir -p "{{destdir}}/etc/apparmor.d/disable" cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done @@ -155,7 +158,7 @@ serve: clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ - .pkg/{{pkgname}}* {{build}} coverage.out + {{pkgdest}}/{{pkgname}}* {{build}} coverage.out [doc('Build the package in a clean OCI container')] package dist: diff --git a/PKGBUILD b/PKGBUILD index 58a693d343..b48e551532 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -30,7 +30,8 @@ build() { export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - DISTRIBUTION=arch just complain + export DISTRIBUTION=arch + just complain } package() { From 707a5e8beec085376c6bc772352289ace86633d9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 May 2025 21:41:52 +0200 Subject: [PATCH 0112/1736] feat(profile): firewalld move kmod into a subprofile. --- apparmor.d/groups/firewall/firewalld | 36 +++++++++++++++------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index ddf0291eec..01f853c26c 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -9,7 +9,6 @@ include @{exec_path} = @{sbin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,7 +20,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { capability net_admin, capability net_raw, capability setpcap, - capability sys_module, network inet raw, network inet6 raw, @@ -34,15 +32,14 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sbin}/ r, - @{bin}/alts rix, - @{sbin}/ebtables-legacy rix, - @{sbin}/ebtables-legacy-restore rix, - @{bin}/false rix, - @{sbin}/ipset rix, - @{bin}/kmod rix, - @{sbin}/modprobe rix, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rmix, + @{bin}/alts ix, + @{bin}/false ix, + @{bin}/kmod Cx -> kmod, + @{sbin}/ebtables-legacy ix, + @{sbin}/ebtables-legacy-restore ix, + @{sbin}/ipset ix, + @{sbin}/xtables-legacy-multi ix, + @{sbin}/xtables-nft-multi mix, /usr/local/lib/@{python_name}/dist-packages/ r, @@ -58,18 +55,25 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /var/log/firewalld rw, @{run}/firewalld/{,*} rw, - @{run}/modprobe.d/{,*.conf} r, @{run}/xtables.lock rwk, - @{sys}/module/compression r, - @{sys}/module/*/initstate r, - - @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pids}/net/ip_tables_names r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/nf_*/initstate r, + + include if exists + } + include if exists } From 85d35a4f86ac4a6a9479153a0aaf0b6da8063dae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:30:34 +0200 Subject: [PATCH 0113/1736] feat(profile): mkinitcpio ensure support for different kernel. fix #749 --- apparmor.d/groups/pacman/mkinitcpio | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 785f4f448d..9eafb72a92 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -84,8 +84,9 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - /boot/ r, - /{boot,efi}/EFI/{,**} rw, + @{efi}/ r, + @{efi}/EFI/{,**} rw, + @{efi}/@{hex32}/{,**} rw, /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, From facc504ae9769f3053557665d85940027ccd9fd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:32:28 +0200 Subject: [PATCH 0114/1736] fix(abs): editor: use of neovim as editor. fix #749 --- apparmor.d/abstractions/app/editor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 1c0b87e6a6..f62e363393 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -10,7 +10,7 @@ include @{sh_path} rix, - @{bin}/nvim mix, + @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, @{bin}/which rix, From 58d677b5f0ba8e3ae60be71dbb0f6fcbf66ff721 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:48:54 +0200 Subject: [PATCH 0115/1736] fix: tweak kde related abs to ensure all common rules are allowed. fix #741 --- apparmor.d/abstractions/app/open | 4 ++++ apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/kde-strict | 4 +++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 2b865457c2..2a43affcff 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -34,9 +34,13 @@ include include + /etc/xdg/menus/ r, + owner @{run}/user//@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{PROC}/sys/kernel/random/boot_id r, + # fi include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 78a98a3cf8..181339a128 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 0f4410a123..7439cd9e97 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -28,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -41,6 +41,8 @@ owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/#@{int} rw, + include if exists # vim:syntax=apparmor From 222125e593d0931a38650888ef1120091c520eaa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:01:21 +0200 Subject: [PATCH 0116/1736] fix: processing regexs --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/kde-strict | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 181339a128..73e5339927 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 7439cd9e97..56aa887988 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -28,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, From 6495061360d6d8ddbd695e27314ff3acb0cf37cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:27:44 +0200 Subject: [PATCH 0117/1736] feat(profile): add initial version for dpkg-scripts. --- apparmor.d/groups/apt/dpkg-script-apparmor | 10 +- .../{dpkg-script-udev => dpkg-script-kmod} | 11 +- apparmor.d/groups/apt/dpkg-script-linux | 45 ++++++ apparmor.d/groups/apt/dpkg-script-man | 27 ---- apparmor.d/groups/apt/dpkg-script-systemd | 64 ++++++++ apparmor.d/groups/apt/dpkg-scripts | 141 ++++++++++++++++++ dists/flags/main.flags | 6 +- 7 files changed, 263 insertions(+), 41 deletions(-) rename apparmor.d/groups/apt/{dpkg-script-udev => dpkg-script-kmod} (54%) create mode 100644 apparmor.d/groups/apt/dpkg-script-linux delete mode 100644 apparmor.d/groups/apt/dpkg-script-man create mode 100644 apparmor.d/groups/apt/dpkg-script-systemd create mode 100644 apparmor.d/groups/apt/dpkg-scripts diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 088fff84ac..585d9c59d9 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -15,12 +15,12 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/grep ix, - @{bin}/deb-systemd-helper rPx, - @{bin}/deb-systemd-invoke rPx, - @{bin}/dpkg-divert rix, - @{bin}/systemctl rCx -> systemctl, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-divert ix, + @{bin}/systemctl Cx -> systemctl, /usr/share/apparmor.d/** rw, diff --git a/apparmor.d/groups/apt/dpkg-script-udev b/apparmor.d/groups/apt/dpkg-script-kmod similarity index 54% rename from apparmor.d/groups/apt/dpkg-script-udev rename to apparmor.d/groups/apt/dpkg-script-kmod index 58840ef390..f900bba170 100644 --- a/apparmor.d/groups/apt/dpkg-script-udev +++ b/apparmor.d/groups/apt/dpkg-script-kmod @@ -6,16 +6,13 @@ abi , include -@{exec_path} = /var/lib/dpkg/info/udev* -profile dpkg-script-udev @{exec_path} { +@{exec_path} = /var/lib/dpkg/info/kmod* +profile dpkg-script-kmod @{exec_path} { include - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/systemd-hwdb rPx, - @{bin}/deb-systemd-invoke rPx, - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux new file mode 100644 index 0000000000..c84d6aa4b9 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/linux* +profile dpkg-script-linux @{exec_path} { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/cat ix, + @{bin}/locale ix, + @{bin}/mkdir ix, + @{bin}/mkdir ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/stty ix, + + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/whiptail Px, + + /usr/share/{update,reboot}-notifier/notify-reboot-required Px, + /etc/kernel/{,header_}postinst.d/* Px, + /etc/kernel/postrm.d/* Px, + /etc/kernel/preinst.d/* Px, + /etc/kernel/prerm.d/* Px, + + /etc/kernel/*.d/ r, + + @{lib}/linux/triggers/* w, + @{lib}/modules/*/.fresh-install w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-man b/apparmor.d/groups/apt/dpkg-script-man deleted file mode 100644 index 63f5c5c78f..0000000000 --- a/apparmor.d/groups/apt/dpkg-script-man +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/man-db.* -profile dpkg-script-man @{exec_path} { - include - include - include - - capability setgid, - capability setuid, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/setpriv rix, - @{bin}/mandb rPx, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd new file mode 100644 index 0000000000..28f4b6e876 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -0,0 +1,64 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/systemd* +profile dpkg-script-systemd @{exec_path} { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Cx -> dpkg, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/journalctl Px, + @{bin}/kernel-install Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/systemd-machine-id-setup Px, + @{bin}/systemd-sysusers Px, + @{bin}/systemd-tmpfiles Px, + @{lib}/systemd/systemd-sysctl Px, + @{sbin}/pam-auth-update Px, + + /etc/systemd/system/*.wants/ rw, + /etc/systemd/system/*.wants/* rw, + + /var/lib/systemd/{,*} rw, + /var/log/journal/ rw, + + profile dpkg { + include + include + + @{bin}/dpkg mr, + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts new file mode 100644 index 0000000000..d644b6c3ef --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -0,0 +1,141 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/** +profile dpkg-scripts @{exec_path} { + include + include + include + + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability setgid, + capability setuid, + + @{exec_path} mrix, + + # Common program found in maintainer scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/run-parts rix, + + @{bin}/setpriv ix, + @{bin}/envsubst ix, + @{bin}/getent ix, + @{bin}/gzip ix, + @{bin}/helpztags ix, + @{bin}/locale ix, + @{bin}/tput ix, + @{bin}/zcat ix, + @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, + @{lib}/ubuntu-advantage/postinst-migrations.sh ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/invoke-rc.d Cx -> rc, + @{sbin}/ldconfig Cx -> ldconfig, + @{sbin}/ldconfig.real Cx -> ldconfig, + @{sbin}/update-rc.d Cx -> rc, + + # Maintainer scripts can legitimately start/restart anything + @{bin}/** Px, + @{sbin}/** Px, + @{lib}/** Px, + /usr/share/** Px, + /etc/init.d/* Px, + + /var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-* + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp + + # Maintainer's scripts can update a lot of files + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + /etc/ r, + /etc/** rw, + /usr/share/*/ r, + /usr/share/*/** rw, + /var/** rw, + @{run}/** rw, + @{efi}/grub/* rw, + + /tmp/grub.@{rand10} rw, + /tmp/sed@{rand6} rw, + /tmp/tmp.@{rand10} rw, + + profile bus { + include + include + include + + dbus send bus=system path=/ + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + @{run}/utmp rk, + + include if exists + } + + profile rc { + include + include + + @{sbin}/update-rc.d mr, + @{sbin}/invoke-rc.d mr, + + @{coreutils_path} rix, + @{sh_path} rix, + @{bin}/systemctl rPx -> dpkg-scripts//systemctl, + + /etc/ r, + /etc/init.d/* r, + /etc/rc?.d/ r, + /etc/rc@{int}.d/ r, + /etc/rc@{int}.d/* rw, + /etc/rc@{c}.d/* rw, + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + @{sbin}/ldconfig.real rix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index b710f2d94c..9aa61f15b1 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -88,8 +88,10 @@ dolphin complain downloadhelper complain dpkg-maintscript-helper complain dpkg-script-apparmor complain -dpkg-script-man complain -dpkg-script-udev complain +dpkg-script-kmod complain +dpkg-script-linux complain +dpkg-script-systemd complain +dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain From c446c44ded1f9239f065b341b85dec332d1cc157 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:32:57 +0200 Subject: [PATCH 0118/1736] feat(profile): add dpkg-script-tmp. --- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- apparmor.d/groups/apt/dpkg-architecture | 9 ++-- apparmor.d/groups/apt/dpkg-db-backup | 42 +++++++++++++++ apparmor.d/groups/apt/dpkg-maintscript-helper | 6 +-- apparmor.d/groups/apt/dpkg-script-tmp | 53 +++++++++++++++++++ apparmor.d/groups/apt/dpkg-vendor | 1 - dists/flags/main.flags | 2 + 7 files changed, 104 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/groups/apt/dpkg-db-backup create mode 100644 apparmor.d/groups/apt/dpkg-script-tmp diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 63dfdaf528..0994006dae 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -21,7 +21,7 @@ profile deb-systemd-invoke @{exec_path} { @{sh_path} rix, @{bin}/systemctl rix, - @{bin}/systemd-tty-ask-password-agent rPx, + @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index a582572714..b1a23f2227 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -16,10 +16,9 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, - /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, + @{lib}/llvm-[0-9]*/bin/clang ix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -28,9 +27,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - # file_inherit - owner @{tmp}/* rw, - + audit owner @{tmp}/* rw, profile ccache { include diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup new file mode 100644 index 0000000000..d83bdbb45b --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dpkg/dpkg-db-backup +profile dpkg-db-backup @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/gzip rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/savelog rix, + @{bin}/tar rix, + @{bin}/touch rix, + + /usr/share/dpkg/{,**} r, + + /var/lib/dpkg/ r, + /var/lib/dpkg/alternatives/{,*} r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/statoverride r, + + /var/backups/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index b7d8675e84..dfb881e327 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -13,9 +13,9 @@ profile dpkg-maintscript-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/dpkg rCx -> dpkg, + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dpkg rCx -> dpkg, /usr/share/dpkg/sh/* r, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp new file mode 100644 index 0000000000..e6c7fbe44e --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-tmp @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} +profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/run-parts rix, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/kmod Cx -> kmod, + @{bin}/systemctl Cx -> systemctl, + + /etc/kernel/preinst.d/*-microcode ix, + + @{lib}/modules/*/.fresh-install w, + + profile kmod { + include + include + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + capability sys_resource, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index aee717257d..70d2199f22 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -13,7 +13,6 @@ profile dpkg-vendor @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /etc/dpkg/origins/* r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9aa61f15b1..aa62f9108e 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -86,11 +86,13 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-db-backup complain dpkg-maintscript-helper complain dpkg-script-apparmor complain dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain +dpkg-script-tmp complain dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain From 9eff482ebf37d218c35cdf4cb9fcd7a3e2f618a5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:34:05 +0200 Subject: [PATCH 0119/1736] feat(profile): update unattended upgrade profiles. --- apparmor.d/groups/apt/unattended-upgrade | 54 ++++++++++--------- .../groups/apt/unattended-upgrade-shutdown | 4 +- apparmor.d/groups/apt/update-apt-xapian-index | 14 +++-- 3 files changed, 38 insertions(+), 34 deletions(-) diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8413d99759..95b8b27608 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -32,7 +32,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) peer=apt-methods-http, + signal send peer=apt-methods-http, unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, @@ -41,26 +41,29 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, - @{bin}/echo rix, - @{bin}/gdbus rix, - @{bin}/ischroot rix, @{python_path} rix, - @{bin}/test rix, - @{bin}/touch rix, - @{bin}/uname rix, - - @{bin}/apt-listchanges rPx, - @{bin}/dpkg rPx, - @{bin}/dpkg-divert rPx, - @{sbin}/dpkg-preconfigure rPx, - @{bin}/etckeeper rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{sbin}/on_ac_power rPx, - @{sbin}/sendmail rPUx, - @{lib}/apt/methods/http{,s} rPx, - @{lib}/needrestart/apt-pinvoke rPx, - @{lib}/update-notifier/update-motd-updates-available rPx, - @{lib}/zsys-system-autosnapshot rPx, + @{bin}/echo ix, + @{bin}/gdbus ix, + @{bin}/md5sum ix, + @{bin}/tar ix, + @{bin}/test ix, + @{bin}/touch ix, + @{bin}/uname ix, + + @{bin}/dpkg-deb px, + @{bin}/apt-listchanges Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/etckeeper Px, + @{bin}/ischroot Px, + @{bin}/lsb_release Px -> lsb_release, + @{sbin}/dpkg-preconfigure Px, + @{sbin}/on_ac_power Px, + @{sbin}/sendmail Px, + @{lib}/apt/methods/http{,s} Px, + @{lib}/needrestart/apt-pinvoke Px, + @{lib}/update-notifier/update-motd-updates-available Px, + @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, @@ -70,8 +73,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/apport r, - /etc/default/grub.d/* r, + /etc/default/{,**} r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, /etc/grub.d/* r, @@ -85,9 +87,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, + /etc/ssh/moduli r, + /etc/ssh/ssh_config r, + /etc/ufw/{,**} r, /etc/update-manager/{,**} r, - /etc/update-motd.d/* r, - /etc/vmware-tools/* r, + /etc/update-motd.d/{,**} r, + /etc/vim/{,**} r, + /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, /var/crash/*.crash w, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index cd35bb5ae6..f36505e7a8 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -12,15 +12,15 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include include + include include include @{exec_path} mr, - @{bin}/ischroot rix, + @{bin}/ischroot Px, /usr/share/unattended-upgrades/{,*} r, - /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 5da82090ff..f829ab3ffa 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include include @@ -17,10 +18,13 @@ profile update-apt-xapian-index @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg Px -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, @@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/lib/debtags/package-tags r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } From 760eb91ac6eed4a72ddcf4a5bf2e7324e9e0591a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:06:21 +0200 Subject: [PATCH 0120/1736] feat(profile): add profile for t-methods-sq. --- apparmor.d/groups/apt/apt-methods-sqv | 42 +++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 43 insertions(+) create mode 100644 apparmor.d/groups/apt/apt-methods-sqv diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv new file mode 100644 index 0000000000..416328cd4c --- /dev/null +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/apt/methods/sqv +profile apt-methods-sqv @{exec_path} { + include + include + include + + # To handle the _apt user + capability setgid, + capability setuid, + + signal receive set=int peer=apt, + + @{exec_path} mr, + + @{bin}/sqv ix, + + /usr/share/apt/default-sequoia.config r, + /usr/share/keyrings/debian-archive-keyring.gpg r, + /usr/share/keyrings/debian-archive-keyring.pgp r, + + owner /var/lib/apt/lists/{,**} r, + + owner /tmp/apt.data.@{rand6} rw, + owner /tmp/apt.sig.@{rand6} rw, + owner /tmp/apt.sqverr.@{rand6} rw, + owner /tmp/apt.sqvout.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index aa62f9108e..d2c57b6824 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -27,6 +27,7 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain +apt-methods-sqv complain at complain atd complain auditctl attach_disconnected,complain From c64901353e095f45e34eccaea31e946168a52693 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:10:48 +0200 Subject: [PATCH 0121/1736] fix(profile): some fix on the dpkg-scipts profiles. --- apparmor.d/groups/apt/dpkg-script-apparmor | 5 +++-- apparmor.d/groups/apt/dpkg-script-linux | 11 ++++++----- apparmor.d/groups/apt/dpkg-script-systemd | 1 + apparmor.d/groups/apt/dpkg-script-tmp | 4 ++++ apparmor.d/groups/apt/dpkg-scripts | 4 ++-- 5 files changed, 16 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 585d9c59d9..5dba3d3cbf 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -9,10 +9,10 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include + include include - include - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{bin}/grep ix, @@ -21,6 +21,7 @@ profile dpkg-script-apparmor @{exec_path} { @{bin}/deb-systemd-invoke Px, @{bin}/dpkg-divert ix, @{bin}/systemctl Cx -> systemctl, + @{sbin}/apparmor_parser Px, /usr/share/apparmor.d/** rw, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index c84d6aa4b9..8b2470a6cf 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -22,11 +22,12 @@ profile dpkg-script-linux @{exec_path} { @{bin}/run-parts ix, @{bin}/stty ix, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/whiptail Px, + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/whiptail Px, + @{bin}/dpkg-maintscript-helper Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, /etc/kernel/{,header_}postinst.d/* Px, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 28f4b6e876..ccaa62a305 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,6 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp index e6c7fbe44e..65e63d0760 100644 --- a/apparmor.d/groups/apt/dpkg-script-tmp +++ b/apparmor.d/groups/apt/dpkg-script-tmp @@ -10,6 +10,7 @@ include profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { include include + include @{exec_path} mrix, @@ -22,6 +23,9 @@ profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-maintscript-helper Px, @{bin}/kmod Cx -> kmod, @{bin}/systemctl Cx -> systemctl, + /usr/share/debconf/frontend Px, + + /usr/share/debconf/confmodule r, /etc/kernel/preinst.d/*-microcode ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index d644b6c3ef..dcb6ca3791 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -62,8 +62,8 @@ profile dpkg-scripts @{exec_path} { @{lib}/ r, /etc/ r, /etc/** rw, - /usr/share/*/ r, - /usr/share/*/** rw, + /usr/share/*/{,**} rw, + /usr/local/share/*/{,**} rw, /var/** rw, @{run}/** rw, @{efi}/grub/* rw, From 2c880ba22001f5dcfcaa84b67df211d4925c9094 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:16:35 +0200 Subject: [PATCH 0122/1736] feat(profile): rewrite the apt stack of profiles. --- apparmor.d/groups/apt/apt | 6 ++- apparmor.d/groups/apt/apt-listchanges | 39 ++++---------- apparmor.d/groups/apt/debsums | 16 ++---- apparmor.d/groups/apt/dpkg | 29 +++++----- apparmor.d/groups/apt/dpkg-preconfigure | 70 +++++++++++-------------- apparmor.d/groups/apt/dpkg-statoverride | 18 +++++++ 6 files changed, 80 insertions(+), 98 deletions(-) create mode 100644 apparmor.d/groups/apt/dpkg-statoverride diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 947dba1492..e2e9b00f4a 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -85,8 +85,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/etckeeper rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @@ -138,6 +138,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/log/apt/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, + @{efi}/ r, + # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 559e58504e..35684feb53 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -14,7 +14,7 @@ profile apt-listchanges @{exec_path} { include include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, @{python_path} r, @@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb rpx, - # - @{pager_path} rCx -> pager, - # Send results using email - @{bin}/exim4 rPx, + @{bin}/dpkg-deb px, + + @{pager_path} Cx -> pager, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, @@ -50,31 +50,12 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - owner @{PROC}/@{pid}/fd/ r, - /tmp/ r, - owner @{tmp}/* rw, - owner @{tmp}/apt-listchanges*/ rw, - owner @{tmp}/apt-listchanges*/**/ rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, - - # The following is needed when apt-listchanges uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, + owner @{tmp}/@{word8} rw, + owner @{tmp}/apt-listchanges@{word8}/ rw, + owner @{tmp}/apt-listchanges@{word8}/** rw, + owner @{PROC}/@{pid}/fd/ r, profile pager { include diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 01e9ac1526..6f66426eca 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -12,28 +12,20 @@ profile debsums @{exec_path} { include include - # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk rix, + @{bin}/{m,g,}awk ix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - /etc/locale.nopurge r, - - /var/lib/dpkg/info/* r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg-divert Px -> child-dpkg-divert, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 93f5ebca5b..53bebdccf5 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -22,24 +22,23 @@ profile dpkg @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cat rix, - @{bin}/deb-systemd-helper rix, - @{bin}/deb-systemd-invoke rix, - @{bin}/rm rix, - - @{bin}/dpkg-deb rpx, - @{bin}/dpkg-query rpx, - @{bin}/dpkg-split rpx, - @{bin}/systemctl rCx -> systemctl, - @{lib}/needrestart/dpkg-status rPx, - /usr/share/debian-security-support/check-support-status.hook rPx, - - @{pager_path} rPx -> child-pager, + @{bin}/cat ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/rm ix, + + @{bin}/dpkg-deb px, + @{bin}/dpkg-query px, + @{bin}/dpkg-split px, + @{bin}/systemctl Cx -> systemctl, + @{lib}/needrestart/dpkg-status Px, + @{pager_path} Px -> child-pager, + /usr/share/debian-security-support/check-support-status.hook Px, # Package maintainer's scripts - /var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx, + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # For shell pwd /root/ r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index ef78528639..fd67f930e1 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -11,35 +11,36 @@ include profile dpkg-preconfigure @{exec_path} { include include - include include - - #capability sys_tty_config, + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/cat rix, - @{bin}/debconf-escape rix, - @{bin}/dialog rix, - @{bin}/expr rix, - @{bin}/locale rix, - @{bin}/readlink rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/stty rix, - @{bin}/tr rix, - @{bin}/head rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - - @{bin}/findmnt rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/apt-extracttemplates rPx, - @{bin}/whiptail rPx, - @{lib}/apt/apt-extracttemplates rPx, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{,g,m}awk ix, + @{bin}/cat ix, + @{bin}/debconf-escape Px, + @{bin}/dialog ix, + @{bin}/expr ix, + @{bin}/find ix, + @{bin}/head ix, + @{bin}/locale ix, + @{bin}/readlink ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/stty ix, + @{bin}/tr ix, + @{bin}/uniq ix, + + @{bin}/apt-extracttemplates Px, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/findmnt Px, + @{bin}/whiptail Px, + @{lib}/apt/apt-extracttemplates Px, /usr/share/debconf/confmodule r, /usr/share/dictionaries-common/{,*} r, @@ -59,9 +60,6 @@ profile dpkg-preconfigure @{exec_path} { /var/cache/debconf/tmp.ci/ w, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, - /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, @@ -73,23 +71,15 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, - # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride new file mode 100644 index 0000000000..34d6412c11 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-statoverride +profile dpkg-statoverride @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From f033e698116aa250a14d32a442133d073b54a2d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:21:23 +0200 Subject: [PATCH 0123/1736] feat(abs): add the pager app abstaction. --- apparmor.d/abstractions/app/pager | 37 ++++++++++++++++++++++++++ apparmor.d/groups/apt/apt | 13 +-------- apparmor.d/groups/apt/apt-listchanges | 17 +----------- apparmor.d/groups/apt/aptitude | 9 ------- apparmor.d/groups/children/child-pager | 25 +---------------- apparmor.d/profiles-m-r/mutt | 14 +--------- 6 files changed, 41 insertions(+), 74 deletions(-) create mode 100644 apparmor.d/abstractions/app/pager diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager new file mode 100644 index 0000000000..3be45b4dd6 --- /dev/null +++ b/apparmor.d/abstractions/app/pager @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pagers. + + abi , + + include + + capability dac_override, + capability dac_read_search, + + signal (receive) set=(stop, cont, term, kill), + + @{bin}/ r, + @{pager_path} mrix, + + @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, + /usr/share/nvim/{,**} r, + + @{HOME}/.lesshst r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, + + /dev/tty@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index e2e9b00f4a..2b103270df 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -172,18 +172,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include - - capability dac_read_search, - - @{bin}/ r, - @{sh_path} rix, - @{pager_path} rmix, - @{bin}/which rix, - - /root/ r, # For shell pwd - - owner @{HOME}/.less* rw, + include owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 35684feb53..936d15d420 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -59,23 +59,8 @@ profile apt-listchanges @{exec_path} { profile pager { include - include + include - capability dac_read_search, - #capability sys_tty_config, - - @{pager_path} mrix, - - @{bin}/ r, - @{sh_path} rix, - @{bin}/which rix, - - owner @{HOME}/.less* rw, - - # For shell pwd - /root/ r, - - /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, include if exists diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e3a6a794b2..e60630efa1 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -171,17 +171,8 @@ profile aptitude @{exec_path} flags=(complain) { include include - @{bin}/ r, - @{editor_path} mrix, - @{sh_path} rix, - @{bin}/which rix, - - owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, - # For shell pwd - /root/ r, - include if exists } diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index e904f96dd6..8e60bce47a 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -15,30 +15,7 @@ include profile child-pager flags=(attach_disconnected) { include - include - - capability dac_override, - capability dac_read_search, - - signal (receive) set=(stop, cont, term, kill), - - @{bin}/ r, - @{pager_path} mr, - - @{system_share_dirs}/terminfo/{,**} r, - /usr/share/file/misc/** r, - /usr/share/nvim/{,**} r, - - @{HOME}/.lesshst r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, - - /dev/tty@{int} rw, + include include if exists } diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 28006f479a..a91aba2416 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -115,19 +115,7 @@ profile mutt @{exec_path} { profile pager { include - include - - @{pager_path} mr, - - /usr/share/terminfo/** r, - /usr/share/file/misc/magic.mgc r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, + include # This is the file that holds the message owner /{var/,}tmp/mutt* rw, From 390cc27ab85e169efccdc6764eebc91123c54cd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:24:01 +0200 Subject: [PATCH 0124/1736] feat(abs): add debconf common abs. --- apparmor.d/abstractions/common/debconf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 apparmor.d/abstractions/common/debconf diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf new file mode 100644 index 0000000000..c21974212d --- /dev/null +++ b/apparmor.d/abstractions/common/debconf @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + include + + /usr/share/debconf/frontend rix, + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + + include if exists + +# vim:syntax=apparmor From 49155625a5aaa32d5194f12405f65d48719d3d71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:31:03 +0200 Subject: [PATCH 0125/1736] feat(profile): rewrite debconf & add debconf-frontend. --- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/debconf-apt-progress | 32 +---- apparmor.d/groups/apt/debconf-frontend | 75 ++++++++++ apparmor.d/groups/apt/dpkg-script-apparmor | 2 +- apparmor.d/groups/apt/dpkg-script-linux | 2 +- apparmor.d/groups/apt/dpkg-script-systemd | 2 +- apparmor.d/groups/apt/dpkg-scripts | 2 +- apparmor.d/groups/grub/grub-check-signatures | 10 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/profiles-a-f/frontend | 133 ------------------ apparmor.d/profiles-s-z/tasksel | 49 +------ .../profiles-s-z/update-secureboot-policy | 5 +- 12 files changed, 92 insertions(+), 224 deletions(-) create mode 100644 apparmor.d/groups/apt/debconf-frontend delete mode 100644 apparmor.d/profiles-a-f/frontend diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e60630efa1..9254be27da 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -169,7 +169,7 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index d60668c036..1d88c829b6 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -10,42 +10,12 @@ include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{bin}/apt-get rPx, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/debconf-apt-progress rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend new file mode 100644 index 0000000000..5ec13fcff2 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-frontend @@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/debconf/frontend +profile debconf-frontend @{exec_path} flags=(complain) { + include + include + include + include + include + include + + capability dac_read_search, + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/hostname ix, + @{bin}/locale ix, + @{bin}/lsb_release Px -> lsb_release, + @{bin}/stty ix, + @{sbin}/update-secureboot-policy Px, + + # debconf apps + @{bin}/adequate Px, + @{bin}/debconf-apt-progress Px, + @{bin}/linux-check-removal Px, + @{bin}/ucf Px, + @{bin}/whiptail Px, + @{sbin}/aspell-autobuildhash Px, + @{sbin}/pam-auth-update Px, + @{lib}/tasksel/tasksel-debconf Px -> tasksel, + /usr/share/debian-security-support/check-support-status.hook Px, + + # Grub + @{lib}/grub/grub-multi-install Px, + /usr/share/grub/grub-check-signatures Px, + + # Package maintainer's scripts + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + + # DKMS scipts + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /usr/share/debconf/{,**} r, + + /etc/inputrc r, + /etc/shadow r, + + owner /var/cache/debconf/* rwk, + + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 5dba3d3cbf..9de0ce0b4e 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 8b2470a6cf..52c74c192a 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/linux* profile dpkg-script-linux @{exec_path} { include - include + include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index ccaa62a305..cb652108de 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index dcb6ca3791..32063f5c5c 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/** profile dpkg-scripts @{exec_path} { include - include + include include capability chown, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index d33b332652..3101385956 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -9,18 +9,14 @@ include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}//mktemp rix, - @{bin}//od rix, - - /usr/share/debconf/frontend rPx, - - /usr/share/debconf/confmodule r, + @{bin}/mktemp rix, + @{bin}/od rix, owner @{tmp}/tmp.@{rand10}/ rw, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index d147b94fb6..ba79564388 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -24,7 +24,7 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rPx, + /usr/share/debconf/frontend rix, /usr/lib/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend deleted file mode 100644 index 6d95022204..0000000000 --- a/apparmor.d/profiles-a-f/frontend +++ /dev/null @@ -1,133 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - @{bin}/perl r, - - @{sh_path} rix, - @{bin}/hostname rix, - @{bin}/locale rix, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/stty rix, - @{sbin}/update-secureboot-policy rPx, - - # debconf apps - @{bin}/adequate rPx, - @{sbin}/aspell-autobuildhash rPx, - @{bin}/debconf-apt-progress rPx, - @{bin}/linux-check-removal rPx, - @{sbin}/pam-auth-update rPx, - @{bin}/ucf rPx, - @{bin}/whiptail rPx, - @{lib}/tasksel/tasksel-debconf rPx -> tasksel, - /usr/share/debian-security-support/check-support-status.hook rPx, - - # Grub - @{lib}/grub/grub-multi-install rPx, - /usr/share/grub/grub-check-signatures rPx, - - # Run the package maintainer's scripts - # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) - #/var/lib/dpkg/info/*.{config,templates} rPUx, - #/var/lib/dpkg/info/*.{preinst,postinst} rPUx, - #/var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/info/*.control r, - #/var/lib/dpkg/tmp.ci/{config,templates} rPUx, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/control r, - /var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, - - # DKMS scipts - # What to do with it? (#FIXME#) - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /usr/share/debconf/{,**} r, - - /etc/debconf.conf r, - /etc/inputrc r, - /etc/shadow r, - - owner /var/cache/debconf/* rwk, - - owner @{tmp}/file* w, - owner @{tmp}/tmp.@{rand10} rw, - owner @{tmp}/updateppds.@{rand6} rw, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - profile scripts flags=(complain) { - include - include - - capability dac_read_search, - - /var/lib/dpkg/info/*.config r, - /var/lib/dpkg/info/*.{preinst,postinst} r, - /var/lib/dpkg/info/*.{prerm,postrm} r, - /var/lib/dpkg/tmp.ci/config r, - /var/lib/dpkg/tmp.ci/{preinst,postinst} r, - /var/lib/dpkg/tmp.ci/{prerm,postrm} r, - - / r, - - @{bin}/ r, - @{bin}/* rPUx, - - @{lib}/ r, - @{lib}/** rPUx, - - /usr/share/ r, - /usr/share/** rPUx, - - /etc/init.d/ r, - /etc/init.d/* rPUx, - - /etc/ r, - /etc/** rw, - /var/ r, - /var/** rw, - @{sys}/ r, - @{sys}/**/ r, - @{run}/ r, - @{run}/** rw, - /tmp/ r, - owner @{tmp}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 64b3ed4ad2..f4900f2253 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -10,32 +10,24 @@ include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{sh_path} rix, @{bin}/tempfile rix, @{lib}/tasksel/tasksel-debconf rix, - - @{lib}/tasksel/tests/* rCx -> tasksel-tests, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/apt-cache rPx, - - @{bin}/debconf-apt-progress rPx, - - /usr/share/tasksel/** r, + @{bin}/apt-cache Px, + @{bin}/debconf-apt-progress Px, - /usr/share/debconf/confmodule r, + /usr/share/tasksel/{,**} r, owner @{tmp}/file* w, @@ -48,35 +40,6 @@ profile tasksel @{exec_path} flags=(complain) { include if exists } - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/tasksel rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 232c92d0cd..f8581f5320 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -10,7 +10,7 @@ include @{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, @@ -23,12 +23,9 @@ profile update-secureboot-policy @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/wc rix, - /usr/share/debconf/frontend rPx, / r, - /usr/share/debconf/confmodule r, - /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, From 6e0c646d14c17a9f2ce9ba6f4faa3afbf38c115d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:37:37 +0200 Subject: [PATCH 0126/1736] feat(profile): add profile for ischroot. --- apparmor.d/groups/apt/apt | 4 ++-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- .../groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- .../groups/ubuntu/list-oem-metapackages | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 3 +-- apparmor.d/groups/ubuntu/update-manager | 2 +- .../ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-g-l/ischroot | 21 +++++++++++++++++++ apparmor.d/profiles-m-r/packagekitd | 4 ++-- apparmor.d/profiles-s-z/update-initramfs | 2 +- 13 files changed, 35 insertions(+), 15 deletions(-) create mode 100644 apparmor.d/profiles-g-l/ischroot diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2b103270df..2a0969156c 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -67,7 +67,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, - @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, @@ -80,14 +79,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{sbin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, + @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, @{bin}/snap rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, + @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 1307313d98..bb5cd329ca 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -41,7 +41,7 @@ profile apport-gtk @{exec_path} { @{bin}/dpkg-query rpx, @{bin}/gdb rCx -> gdb, @{bin}/gsettings rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/journalctl rPx, @{sbin}/killall5 rix, @{bin}/kmod rPx, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 1ff6df2ae4..bdd2a0f54e 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -29,7 +29,7 @@ profile check-new-release-gtk @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 86c211f24c..e7d6687d22 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -26,7 +26,7 @@ profile do-release-upgrade @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, /usr/share/distro-info/*.csv r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 75e4279f21..91bc4876f7 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -15,7 +15,7 @@ profile list-oem-metapackages @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index e2bb2dc988..d5762a84ea 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -32,7 +32,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/ubuntu-advantage rPx, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 7d797bd974..34b6977327 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, - @{bin}/ischroot rix, - @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 44e0cc403a..e1636c6d5c 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -44,7 +44,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 776cc9bf8a..e6a3e71528 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -26,7 +26,7 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dirname rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/mktemp rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8d1571c1ec..ea6318156e 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -31,10 +31,10 @@ profile update-notifier @{exec_path} { @{sh_path} rix, @{bin}/ionice rix, - @{bin}/ischroot rix, @{bin}/nice rix, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot new file mode 100644 index 0000000000..c5b848bab6 --- /dev/null +++ b/apparmor.d/profiles-g-l/ischroot @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ischroot +profile ischroot @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index ca93ade6bd..873b4ef7d0 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -51,7 +51,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, - @{bin}/ischroot rix, @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @@ -63,7 +62,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, - @{sbin}/install-info rPx, + @{bin}/install-info rPx, + @{bin}/ischroot rPx, @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 51961efb34..f9e47cb527 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -22,7 +22,6 @@ profile update-initramfs @{exec_path} { @{bin}/cat rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, - @{bin}/ischroot rix, @{bin}/ln rix, @{bin}/mv rix, @{bin}/rm rix, @@ -31,6 +30,7 @@ profile update-initramfs @{exec_path} { @{bin}/uname rix, @{bin}/dpkg-trigger rPx, + @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, From 7a3016724a6a2a97e337d57187416cabb6dcdfb0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:42:34 +0200 Subject: [PATCH 0127/1736] feat(profile): update linux check scripts. --- apparmor.d/profiles-g-l/linux-check-removal | 40 ++++--------------- apparmor.d/profiles-g-l/linux-update-symlinks | 25 ++++++++++++ dists/flags/main.flags | 2 + 3 files changed, 34 insertions(+), 33 deletions(-) create mode 100644 apparmor.d/profiles-g-l/linux-update-symlinks diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 1c6ff2f03d..2c2a8ba21f 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -10,42 +10,16 @@ include @{exec_path} = @{bin}/linux-check-removal profile linux-check-removal @{exec_path} flags=(complain) { include - include - include + include - @{exec_path} r, + @{exec_path} rmix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + @{bin}/whiptail rPx, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/linux-check-removal rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - include if exists - } + audit owner @{tmp}/file* w, include if exists } diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks new file mode 100644 index 0000000000..b97a0305b5 --- /dev/null +++ b/apparmor.d/profiles-g-l/linux-update-symlinks @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/linux-update-symlinks +profile linux-update-symlinks @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/kernel-img.conf r, + + @{efi}/ r, + @{efi}/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d2c57b6824..edf6789c72 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -216,6 +216,8 @@ libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain lightdm-session complain +linux-check-removal complain +linux-update-symlinks complain locale-gen complain localectl complain localsearch complain From 8755c4a1b7c036ecc0b905bf57a75b42f7c614b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:51:12 +0200 Subject: [PATCH 0128/1736] fix(profile): remove sbin on some program path Debian and opensuse do not install the same programs under /usr/sbin. This will have to be tracked by distribution. For now, sbin.list follows debian install. --- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/kde/systemsettings | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/utils/lspci | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/install-info | 2 +- apparmor.d/profiles-g-l/inxi | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- tests/sbin.list | 3 --- 10 files changed, 9 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index cf7dc25065..4063fc4733 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 0d71565029..e68d248b6a 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -29,7 +29,7 @@ profile systemsettings @{exec_path} { @{bin}/cat rix, @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/openssl rix, @{bin}/pactl rPx, @{bin}/plasma-discover rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 9cf9d6a369..6af9bae96c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -74,7 +74,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, - @{sbin}/install-info rPx, + @{bin}/install-info rPx, @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 7fc88e41a8..b390346bb2 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/lspci +@{exec_path} = @{bin}/lspci profile lspci @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index c4741b09a4..6999f5baf9 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{sbin}/update-alternatives rPx, + @{bin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 459efa23e0..97fad1f139 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -53,7 +53,7 @@ profile hardinfo @{exec_path} { @{bin}/glxinfo rPx, @{bin}/xdpyinfo rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/netstat rPx, @{bin}/qtchooser rPx, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index e7fdfd95a9..f155339b18 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/install-info +@{exec_path} = @{bin}/install-info profile install-info @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 01d358fbfa..38b2a17a28 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -51,7 +51,7 @@ profile inxi @{exec_path} { @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/openbox rPx, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 68ddb97a58..8f08b74fa0 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-alternatives +@{exec_path} = @{bin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 8697295437..82596a62a6 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -341,7 +341,6 @@ inputattach insmod install_acx100_firmware install_intersil_firmware -install-info install-sgmlcatalog installkernel integritysetup @@ -447,7 +446,6 @@ lpc lpinfo lpmove lsmod -lspci lspcmcia luksformat lvchange @@ -920,7 +918,6 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-alternatives update-bootloader update-ca-certificates update-catalog From a9303e82bb0310336b995210da042bbb21fdc99c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:53:04 +0200 Subject: [PATCH 0129/1736] fix: linter --- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index fd67f930e1..8a9ea568ec 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -79,7 +79,7 @@ profile dpkg-preconfigure @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - include if exists + include if exists } # vim:syntax=apparmor From 6650f45ee0c25967f5e85cb95c79f7b332d135f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:54:33 +0200 Subject: [PATCH 0130/1736] feat(profile): add pycompile. --- apparmor.d/profiles-m-r/pycompile | 54 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pycompile diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile new file mode 100644 index 0000000000..b441d84cd0 --- /dev/null +++ b/apparmor.d/profiles-m-r/pycompile @@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean +profile pycompile @{exec_path} flags=(attach_disconnected,complain) { + include + include + include + # include + + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + @{python_path} rix, + + @{bin}/dpkg rCx -> dpkg, + + @{lib}/@{python_name}/dist-packages/__pycache__/ w, + @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w, + @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/ w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w, + + /usr/share/python3/{,**} r, + + / r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index edf6789c72..4332c78d9c 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -264,6 +264,7 @@ plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted ptyxis complain ptyxis-agent complain +pycompile complain qdbus complain remmina complain run-parts complain From 31e90e6c58574d45aac59a91ebd094d6a05f6919 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 19 May 2025 00:00:44 +0200 Subject: [PATCH 0131/1736] feat(profile): add kernel update/install profiles. --- apparmor.d/profiles-g-l/kdump-config | 60 ++++++++++++++++ apparmor.d/profiles-g-l/kernel | 71 +++++++++++++++++++ apparmor.d/profiles-g-l/kernel-postinst-kdump | 34 +++++++++ dists/flags/main.flags | 3 + 4 files changed, 168 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kdump-config create mode 100644 apparmor.d/profiles-g-l/kernel create mode 100644 apparmor.d/profiles-g-l/kernel-postinst-kdump diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config new file mode 100644 index 0000000000..e6ec78f674 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-config @@ -0,0 +1,60 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/kdump-config +profile kdump-config @{exec_path} { + include + + ptrace readby peer=systemd-journald, + + @{exec_path} mr, + + @{sh_path} ix, + @{bin}/basename ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/find ix, + @{bin}/grep ix, + @{bin}/hexdump ix, + @{bin}/ln ix, + @{bin}/logger ix, + @{bin}/rev ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{sbin}/kexec Cx -> kexec, + @{sbin}/sysctl Cx -> sysctl, + + /etc/kernel/postinst.d/kdump-tools rPx, + + owner /var/lib/kdump/{,**} rw, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/panic_on_oops rw, + + include if exists + } + + profile kexec { + include + + capability sys_admin, + capability sys_boot, + + @{sbin}/kexec mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel new file mode 100644 index 0000000000..2382ea0624 --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel @@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/* +@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/* +profile kernel @{exec_path} { + include + include + include + + capability sys_module, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,m,g}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kmod rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which rix, + + @{bin}/apt-config rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, + @{sbin}/dkms rPx, + @{sbin}/update-grub rPx, + @{sbin}/update-initramfs rPx, + @{lib}/dkms/dkms_autoinstaller rPx, + + @{lib}/modules/*/updates/ w, + @{lib}/modules/*/updates/dkms/ w, + + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + + # For shell pwd + / r, + /boot/ r, + + /etc/apt/apt.conf.d/ r, + /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + @{run}/reboot-required w, + @{run}/reboot-required.pkgs rw, + + @{PROC}/devices r, + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump new file mode 100644 index 0000000000..91af3a8421 --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/postinst.d/kdump-tools +profile kernel-postinst-kdump @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/du rix, + @{bin}/find rix, + @{bin}/gawk rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sync rix, + @{sbin}/mkinitramfs rPx, + + owner /var/lib/kdump/* w, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 4332c78d9c..5f5d8dc5fe 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -192,7 +192,10 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdump-config complain +kernel complain kernel-install complain +kernel-postinst-kdump complain keyboxd complain kglobalacceld complain kio_http_cache_cleaner complain From b90c4073c94f06e83a16677398d338c05f5df395 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 23 May 2025 23:55:01 +0200 Subject: [PATCH 0132/1736] ci: show full journalctl log on failure. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f04ac13814..4593fe78c1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -55,7 +55,7 @@ jobs: - name: Reload AppArmor run: | sudo systemctl restart apparmor.service || true - sudo systemctl status apparmor.service + sudo journalctl -xeu apparmor.service - name: Ensure compatibility with some AppArmor userspace tools if: matrix.os != 'ubuntu-24.04' From f3ed1a30065065300a0b5dca307f9081f9501025 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 00:08:57 +0200 Subject: [PATCH 0133/1736] fix: profile compilation. --- apparmor.d/profiles-g-l/linux-check-removal | 2 +- dists/flags/main.flags | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 2c2a8ba21f..40eb26b93b 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/linux-check-removal -profile linux-check-removal @{exec_path} flags=(complain) { +profile linux-check-removal @{exec_path} { include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5f5d8dc5fe..d139c76221 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -219,7 +219,7 @@ libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain lightdm-session complain -linux-check-removal complain +linux-check-removal complain linux-update-symlinks complain locale-gen complain localectl complain From 3848838e53a5824417590f97c43ad0135a50e6a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 17:35:16 +0200 Subject: [PATCH 0134/1736] feat(profile): merge dpkg-scripts and dpkg-script-tmp. --- apparmor.d/groups/apt/dpkg-preconfigure | 2 + apparmor.d/groups/apt/dpkg-script-systemd | 2 + apparmor.d/groups/apt/dpkg-script-tmp | 57 ----------------------- apparmor.d/groups/apt/dpkg-scripts | 17 +++++-- dists/flags/main.flags | 1 - 5 files changed, 16 insertions(+), 63 deletions(-) delete mode 100644 apparmor.d/groups/apt/dpkg-script-tmp diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 8a9ea568ec..4dbfae0a8f 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -15,6 +15,8 @@ profile dpkg-preconfigure @{exec_path} { include include + capability dac_read_search, + @{exec_path} r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index cb652108de..713f2981f7 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -16,6 +16,8 @@ profile dpkg-script-systemd @{exec_path} { @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/bootctl Px, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, @{bin}/dpkg Cx -> dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp deleted file mode 100644 index 65e63d0760..0000000000 --- a/apparmor.d/groups/apt/dpkg-script-tmp +++ /dev/null @@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} -profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { - include - include - include - - @{exec_path} mrix, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/run-parts rix, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Px, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/kmod Cx -> kmod, - @{bin}/systemctl Cx -> systemctl, - /usr/share/debconf/frontend Px, - - /usr/share/debconf/confmodule r, - - /etc/kernel/preinst.d/*-microcode ix, - - @{lib}/modules/*/.fresh-install w, - - profile kmod { - include - include - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - capability sys_resource, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 32063f5c5c..e765b334ce 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -38,6 +38,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/ubuntu-advantage/postinst-migrations.sh ix, @{bin}/dbus-send Cx -> bus, + @{bin}/kmod Cx -> kmod, @{bin}/dpkg Px -> child-dpkg, @{bin}/systemctl Cx -> systemctl, @{sbin}/invoke-rc.d Cx -> rc, @@ -52,9 +53,6 @@ profile dpkg-scripts @{exec_path} { /usr/share/** Px, /etc/init.d/* Px, - /var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-* - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp - # Maintainer's scripts can update a lot of files / r, /*/ r, @@ -85,12 +83,20 @@ profile dpkg-scripts @{exec_path} { include if exists } + profile kmod { + include + include + + include if exists + } + profile systemctl { include include capability net_admin, capability sys_ptrace, + capability sys_resource, @{run}/utmp rk, @@ -99,6 +105,7 @@ profile dpkg-scripts @{exec_path} { profile rc { include + include include @{sbin}/update-rc.d mr, @@ -110,10 +117,10 @@ profile dpkg-scripts @{exec_path} { /etc/ r, /etc/init.d/* r, - /etc/rc?.d/ r, + /etc/rc@{c}.d/ r, + /etc/rc@{c}.d/* rw, /etc/rc@{int}.d/ r, /etc/rc@{int}.d/* rw, - /etc/rc@{c}.d/* rw, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d139c76221..b1bd2fa0ee 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -93,7 +93,6 @@ dpkg-script-apparmor complain dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain -dpkg-script-tmp complain dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain From d5926e9411f224cf094506c9cae221b84d740b20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 17:48:15 +0200 Subject: [PATCH 0135/1736] feat(abs): update debconf abs. --- apparmor.d/abstractions/common/debconf | 7 +++ apparmor.d/groups/apt/debconf-frontend | 5 +- apparmor.d/groups/apt/dpkg-script-apparmor | 2 - apparmor.d/groups/apt/dpkg-script-linux | 4 -- apparmor.d/groups/apt/dpkg-script-systemd | 3 -- apparmor.d/groups/apt/dpkg-scripts | 1 - apparmor.d/groups/grub/grub-check-signatures | 7 ++- apparmor.d/profiles-g-l/linux-check-removal | 5 -- apparmor.d/profiles-m-r/needrestart | 9 +++- apparmor.d/profiles-m-r/pam-auth-update | 48 ++----------------- apparmor.d/profiles-s-z/tasksel | 9 ++-- .../profiles-s-z/update-secureboot-policy | 17 ++++--- 12 files changed, 35 insertions(+), 82 deletions(-) diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf index c21974212d..1d9a6d145b 100644 --- a/apparmor.d/abstractions/common/debconf +++ b/apparmor.d/abstractions/common/debconf @@ -9,11 +9,18 @@ include include + @{sh_path} rix, + @{bin}/locale ix, + @{bin}/whiptail Px, + /usr/share/debconf/frontend rix, /usr/share/debconf/confmodule r, /etc/debconf.conf r, + /var/ r, + /var/cache/ r, + /var/cache/debconf/ r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, include if exists diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 5ec13fcff2..a8f7057e7d 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -20,9 +20,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, @{bin}/hostname ix, - @{bin}/locale ix, @{bin}/lsb_release Px -> lsb_release, @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, @@ -32,7 +30,6 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @{bin}/ucf Px, - @{bin}/whiptail Px, @{sbin}/aspell-autobuildhash Px, @{sbin}/pam-auth-update Px, @{lib}/tasksel/tasksel-debconf Px -> tasksel, @@ -45,7 +42,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { # Package maintainer's scripts /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, # DKMS scipts @{lib}/dkms/common.postinst rPUx, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 9de0ce0b4e..73b14390aa 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -10,11 +10,9 @@ include profile dpkg-script-apparmor @{exec_path} { include include - include @{exec_path} mrix, - @{sh_path} rix, @{bin}/grep ix, @{bin}/deb-systemd-helper Px, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 52c74c192a..d6a8db4732 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -13,10 +13,7 @@ profile dpkg-script-linux @{exec_path} { @{exec_path} mrix, - @{sh_path} rix, @{bin}/cat ix, - @{bin}/locale ix, - @{bin}/mkdir ix, @{bin}/mkdir ix, @{bin}/rm ix, @{bin}/run-parts ix, @@ -26,7 +23,6 @@ profile dpkg-script-linux @{exec_path} { @{bin}/kmod Px, @{bin}/linux-check-removal Px, @{bin}/linux-update-symlinks Px, - @{bin}/whiptail Px, @{bin}/dpkg-maintscript-helper Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 713f2981f7..4acafd1392 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -10,12 +10,9 @@ include profile dpkg-script-systemd @{exec_path} { include include - include @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, @{bin}/bootctl Px, @{bin}/deb-systemd-helper Px, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e765b334ce..f1c56bd49a 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -31,7 +31,6 @@ profile dpkg-scripts @{exec_path} { @{bin}/getent ix, @{bin}/gzip ix, @{bin}/helpztags ix, - @{bin}/locale ix, @{bin}/tput ix, @{bin}/zcat ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index 3101385956..f09ba540dd 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -13,10 +13,9 @@ profile grub-check-signatures @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/mktemp rix, - @{bin}/od rix, + @{bin}/{m,g,}awk ix, + @{bin}/mktemp ix, + @{bin}/od ix, owner @{tmp}/tmp.@{rand10}/ rw, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 40eb26b93b..04d2f03308 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -14,12 +14,7 @@ profile linux-check-removal @{exec_path} { @{exec_path} rmix, - @{sh_path} rix, @{bin}/stty rix, - @{bin}/locale rix, - @{bin}/whiptail rPx, - - audit owner @{tmp}/file* w, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c2bc8b2b6f..5d5e76ed5e 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -40,7 +40,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, - /usr/share/debconf/frontend rix, + /usr/share/debconf/frontend rCx -> debconf, /etc/debconf.conf r, /etc/init.d/* r, @@ -97,6 +97,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } + profile debconf { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 655ed9d40e..aff011389d 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -10,56 +10,18 @@ include @{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include - include + include @{exec_path} mr, - @{bin}/md5sum rix, - @{bin}/cp rix, + @{bin}/md5sum ix, + @{bin}/cp ix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/pam.d/* rw, - /var/lib/pam/* rw, /usr/share/pam{,-configs}/{,*} r, + /etc/pam.d/* rw, - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{sbin}/pam-auth-update rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - # The following is needed when debconf uses GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, - - /etc/shadow r, - - include if exists - } + /var/lib/pam/* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index f4900f2253..8a33649a0c 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -14,9 +14,8 @@ profile tasksel @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, - @{bin}/tempfile rix, - @{lib}/tasksel/tasksel-debconf rix, + @{bin}/tempfile ix, + @{lib}/tasksel/tasksel-debconf ix, @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: @@ -29,13 +28,11 @@ profile tasksel @{exec_path} flags=(complain) { /usr/share/tasksel/{,**} r, - owner @{tmp}/file* w, - profile tasksel-tests flags=(complain) { include - @{lib}/tasksel/tests/* r, @{sh_path} rix, + @{lib}/tasksel/tests/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index f8581f5320..31a03ef7be 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -14,15 +14,14 @@ profile update-secureboot-policy @{exec_path} { @{exec_path} rm, - @{sh_path} rix, - @{bin}/{,m,g}awk rix, - @{bin}/dpkg-trigger rPx, - @{bin}/find rix, - @{bin}/id rix, - @{bin}/od rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/wc rix, + @{bin}/{,m,g}awk ix, + @{bin}/dpkg-trigger Px, + @{bin}/find ix, + @{bin}/id ix, + @{bin}/od ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/wc ix, / r, From 3e098b715205074cc2eab4b3518658f50b65d464 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:47:02 +0200 Subject: [PATCH 0136/1736] feat(profile): initramfs: add hooks and scripts. --- apparmor.d/profiles-m-r/initramfs-hooks | 86 +++++++++++++++++++++++ apparmor.d/profiles-m-r/initramfs-scripts | 55 +++++++++++++++ apparmor.d/profiles-m-r/mkinitramfs | 10 +-- 3 files changed, 146 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/profiles-m-r/initramfs-hooks create mode 100644 apparmor.d/profiles-m-r/initramfs-scripts diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks new file mode 100644 index 0000000000..b4f3ac2f41 --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -0,0 +1,86 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** +profile initramfs-hooks @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{sbin}/blkid Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox ix, + @{lib}/klibc/bin/fstype ix, + /usr/share/mdadm/mkconf Px, + + @{bin}/* r, + @{sbin}/* r, + @{lib}/ r, + @{lib}/** r, + + /usr/share/initramfs-tools/{,**} r, + /usr/share/plymouth/{,**} r, + /usr/share/cryptsetup/initramfs/{,**} r, + + /etc/console-setup/{,**} r, + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/* r, + /etc/fstab r, + /etc/iscsi/*.iscsi r, + /etc/lvm/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/systemd/network/{,**} r, + /etc/udev/{,**} r, + + / r, + @{efi}/config-* r, + + /var/tmp/ r, + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + + @{PROC}/@{pid}/mounts r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{bin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts new file mode 100644 index 0000000000..85437017b4 --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -0,0 +1,55 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** +profile initramfs-scripts @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{sbin}/blkid Px, + @{bin}/dd ix, + @{bin}/debconf-escape Px, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox Px, + /usr/share/mdadm/mkconf Px, + + /usr/share/initramfs-tools/{,**} r, + + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/console-setup r, + /etc/fstab r, + /etc/initramfs-tools/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/udev/rules.d/{,**} r, + + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index eaf5645f36..f37029627c 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -66,11 +66,10 @@ profile mkinitramfs @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - # What to do with it? (#FIXME#) - /usr/share/initramfs-tools/hooks/* rPUx, - /usr/share/initramfs-tools/scripts/*/* rPUx, - /etc/initramfs-tools/hooks/* rPUx, - /etc/initramfs-tools/scripts/*/* rPUx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, + /etc/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, @@ -106,6 +105,7 @@ profile mkinitramfs @{exec_path} { @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, + @{sys}/module/firmware_class/parameters/path r, @{PROC}/cmdline r, @{PROC}/modules r, From c70f9b22fcdfe7ebc718f1144ec8ff5a713ffcb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:50:10 +0200 Subject: [PATCH 0137/1736] feat(tunable): add more variables for profile name. --- apparmor.d/tunables/multiarch.d/profiles | 40 ++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 92ab19fc95..ec1eff79ce 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -23,14 +23,50 @@ @{p_dbus_system}=dbus-system @{p_dbus_session}=dbus-session +@{p_accounts_daemon}=accounts-daemon +@{p_apt_news}=apt_news @{p_at_spi2_registryd}=at-spi2-registryd +@{p_avahi_daemon}=avahi-daemon +@{p_bluetoothd}=bluetoothd @{p_colord}=colord +@{p_e2scrub_all}=e2scrub_all +@{p_e2scrub}=e2scrub +@{p_file_roller}=file-roller +@{p_fprintd}=fprintd +@{p_fwupd}=fwupd +@{p_fwupdmgr}=fwupdmgr +@{p_geoclue}=geoclue @{p_gnome_shell}=gnome-shell +@{p_gsd_media_keys}=gsd-media-keys +@{p_irqbalance}=irqbalance +@{p_logrotate}=logrotate +@{p_ModemManager}=ModemManager +@{p_nm_priv_helper}=nm-priv-helper @{p_packagekitd}=packagekitd +@{p_pcscd}=pcscd +@{p_polkitd}=polkitd +@{p_power_profiles_daemon}=power-profiles-daemon +@{p_rsyslogd}=rsyslogd +@{p_rtkit_daemon}=rtkit-daemon @{p_snap}=snap +@{p_systemd_coredump}=systemd-coredump +@{p_systemd_homed}=systemd-homed +@{p_systemd_hostnamed}=systemd-hostnamed +@{p_systemd_importd}=systemd-importd +@{p_systemd_initctl}=systemd-initctl +@{p_systemd_journal_remote}=systemd-journal-remote +@{p_systemd_journald}=systemd-journald +@{p_systemd_localed}=systemd-localed @{p_systemd_logind}=systemd-logind +@{p_systemd_networkd}=systemd-networkd +@{p_systemd_oomd}=systemd-oomd +@{p_systemd_resolved}=systemd-resolved +@{p_systemd_rfkill}=systemd-rfkill +@{p_systemd_timedated}=systemd-timedated +@{p_systemd_timesyncd}=systemd-timesyncd +@{p_systemd_userdbd}=systemd-userdbd +@{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal -@{p_gsd_media_keys}=gsd-media-keys -@{p_rtkit_daemon}=rtkit-daemon + # vim:syntax=apparmor From 8b542434bdb1435ca67169bee6fa8911b3d802a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:52:38 +0200 Subject: [PATCH 0138/1736] feat(profile): update kdump profiles. --- apparmor.d/profiles-g-l/kdump-config | 49 +++++++++++++++++++-- apparmor.d/profiles-g-l/kdump-tools-init | 38 ++++++++++++++++ apparmor.d/profiles-g-l/kdump_mem_estimator | 36 +++++++++++++++ dists/flags/main.flags | 2 + 4 files changed, 122 insertions(+), 3 deletions(-) create mode 100644 apparmor.d/profiles-g-l/kdump-tools-init create mode 100644 apparmor.d/profiles-g-l/kdump_mem_estimator diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index e6ec78f674..2b35162021 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -7,32 +7,69 @@ abi , include @{exec_path} = @{sbin}/kdump-config -profile kdump-config @{exec_path} { +profile kdump-config @{exec_path} flags=(attach_disconnected) { include - ptrace readby peer=systemd-journald, + capability sys_admin, + + ptrace readby peer=@{p_systemd_journald}, @{exec_path} mr, - @{sh_path} ix, + @{sh_path} rix, @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/cp ix, @{bin}/cut ix, @{bin}/file ix, @{bin}/find ix, + @{bin}/flock ix, @{bin}/grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, + @{bin}/plymouth Px, + @{bin}/readlink ix, @{bin}/rev ix, @{bin}/run-parts ix, @{bin}/sed ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, @{sbin}/kexec Cx -> kexec, @{sbin}/sysctl Cx -> sysctl, /etc/kernel/postinst.d/kdump-tools rPx, + /etc/kdump/{,**} r, + /etc/default/kdump-tools r, + /etc/magic r, + + / r, + @{efi}/ r, + + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, owner /var/lib/kdump/{,**} rw, + @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{sys}/kernel/kexec_crash_loaded r, + + @{PROC}/cmdline r, + @{PROC}/iomem r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + profile sysctl { include @@ -51,6 +88,12 @@ profile kdump-config @{exec_path} { @{sbin}/kexec mr, + @{efi}/* r, + + owner /var/lib/kdump/* r, + + @{PROC}/iomem r, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init new file mode 100644 index 0000000000..b5af4dcc91 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/init.d/kdump-tools +profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + @{sh_path} mr, + + @{bin}/cat ix, + @{bin}/plymouth Px, + @{bin}/run-parts ix, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/kdump-config Px, + + /etc/default/kdump-tools r, + + @{PROC}/cmdline r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator new file mode 100644 index 0000000000..b80a893436 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator +profile kdump_mem_estimator @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cat ix, + @{bin}/mkdir ix, + @{bin}/uname ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + + owner /var/lib/kdump/mem* w, + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index b1bd2fa0ee..9faad80f96 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -191,7 +191,9 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdump_mem_estimator complain kdump-config complain +kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain From c03bcbef7a800d3d4523d4d21b41563d598358d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:00:08 +0200 Subject: [PATCH 0139/1736] feat(profile): rewrite the needrestart profiles. --- apparmor.d/profiles-m-r/needrestart | 37 ++++++++++--------- apparmor.d/profiles-m-r/needrestart-hook | 25 +++++++++++++ .../needrestart-iucode-scan-versions | 4 +- apparmor.d/profiles-m-r/needrestart-notify | 32 ++++++++++++++++ apparmor.d/profiles-m-r/needrestart-restart | 32 ++++++++++++++++ .../needrestart-vmlinuz-get-version | 2 +- dists/flags/main.flags | 3 ++ 7 files changed, 115 insertions(+), 20 deletions(-) create mode 100644 apparmor.d/profiles-m-r/needrestart-hook create mode 100644 apparmor.d/profiles-m-r/needrestart-notify create mode 100644 apparmor.d/profiles-m-r/needrestart-restart diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 5d5e76ed5e..13838902ec 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,35 +22,34 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace read, - mqueue (r,getattr) type=posix /, - @{exec_path} mrix, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/locale rix, - @{python_path} rix, @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{sbin}/unix_chkpwd rPx, - @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, + @{python_path} rix, + @{sbin}/unix_chkpwd rPx, + /usr/share/debconf/frontend rCx -> debconf, - /etc/debconf.conf r, + /etc/needrestart/hook.d/* rPx, + /etc/needrestart/notify.d/* rPx, + /etc/needrestart/restart.d/* rPx, + /etc/init.d/* r, /etc/needrestart/{,**} r, - /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - /boot/ r, - /boot/* r, + @{efi}/ r, + @{efi}/* r, /opt/*/** r, @{bin}/* r, @{lib}/** r, @@ -59,23 +58,23 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /usr/share/** r, /var/lib/*/** r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + @{run}/systemd/sessions/* r, /tmp/@{word10}/ rw, - owner @{run}/sshd.pid r, - @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/maps r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, + deny mqueue type=posix /, + profile systemctl { include include @@ -101,6 +100,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include include + @{sbin}/needrestart Px, + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook new file mode 100644 index 0000000000..fa77834e83 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-hook @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/hook.d/* +profile needrestart-hook @{exec_path} { + include + include + include + + @{exec_path} mr, + @{sh_path} rix, + + @{bin}/dpkg-query px, + + /tmp/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3484ea2981..d75301fc6c 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -12,19 +12,21 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{sbin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, + @{sbin}/iucode_tool rix, /usr/share/misc/ r, + /usr/share/misc/amd64-microcode* r, /usr/share/misc/intel-microcode* r, /etc/default/amd64-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, + /boot/amd64-ucode.img r, /boot/intel-ucode.img r, /boot/early_ucode.cpio r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify new file mode 100644 index 0000000000..dc4a30c692 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/notify.d/* +profile needrestart-notify @{exec_path} { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read peer=unconfined, + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/gettext.sh r, + @{bin}/sed ix, + + /etc/needrestart/notify.conf r, + + @{PROC}/@{pid}/environ r, + @{PROC}/filesystems r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart new file mode 100644 index 0000000000..2fc79b70c4 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/restart.d/* +profile needrestart-restart @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 655566c743..e5ee2fd8f4 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -23,7 +23,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/rm rix, @{bin}/tail rix, @{bin}/tr rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rPx, @{bin}/xz rix, /boot/intel-ucode.img r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9faad80f96..592b681e55 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -240,6 +240,9 @@ ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain +needrestart-hook complain +needrestart-notify complain +needrestart-restart complain netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain From 21b31a06a755026a30620afb740668cbf85c80ee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:03:23 +0200 Subject: [PATCH 0140/1736] feat(profile): rewrite the run-parts profile. --- apparmor.d/profiles-m-r/run-parts | 143 +++--------------------------- 1 file changed, 10 insertions(+), 133 deletions(-) diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 8adb0f748d..e5d44e13ad 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,12 +4,6 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile -# Possible confinement depending of profile architecture: -# - As rix, -# - As rCx -> run-parts, -# - As rPx -> foo-run-parts, - abi , include @@ -116,33 +110,21 @@ profile run-parts @{exec_path} { /etc/update-motd.d/* rPx, # Kernel - /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel, - - /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, - /etc/kernel/postinst.d/dkms rCx -> kernel, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, - /etc/kernel/postinst.d/zz-shim rCx -> kernel, - /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, - + /etc/kernel/{,header_}postinst.d/ r, + /etc/kernel/{,header_}postinst.d/* rPx, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, - + /etc/kernel/postrm.d/* rPx, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel, - + /etc/kernel/preinst.d/* rPx, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel, + /etc/kernel/prerm.d/* rPx, + # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPUx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, /root/ r, @@ -152,117 +134,12 @@ profile run-parts @{exec_path} { owner @{tmp}/$anacron@{rand6} rw, owner @{tmp}/file@{rand6} rw, - owner @{sys}/class/power_supply/ r, + owner @{sys}/class/power_supply/ r, @{run}/motd.dynamic.new w, /dev/tty@{int} rw, - profile motd { - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{sh_path} rix, - @{bin}/{e,}grep rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/head rix, - @{bin}/id rix, - @{bin}/sort rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/hostname rPx, - - @{bin}/snap rPUx, - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - - @{run}/motd.d/{,*} r, - - @{PROC}/@{pids}/mounts r, - - /dev/tty@{int} rw, - - include if exists - } - - profile kernel { - include - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{sbin}/dkms rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{sbin}/update-alternatives rPx, - @{sbin}/update-grub rPUx, - @{sbin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - /boot/ r, - - /etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{sys}/module/compression r, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - include if exists - } - include if exists } From 649d2da8d2b33744ca892fcea4b19a304d4f2d7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:04:07 +0200 Subject: [PATCH 0141/1736] feat(profile): expand and restrict motd. --- apparmor.d/profiles-m-r/motd | 40 ++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index fe684f6715..67f216212e 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -9,16 +9,11 @@ include @{exec_path} = /etc/update-motd.d/* profile motd @{exec_path} { include - include - include - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, + capability net_admin, @{exec_path} mr, + @{bin}/ r, @{sh_path} rix, @{coreutils_path} rix, @@ -28,7 +23,7 @@ profile motd @{exec_path} { @{bin}/snap rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/wget rix, + @{bin}/wget rCx -> wget, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, @@ -37,26 +32,49 @@ profile motd @{exec_path} { /usr/share/update-notifier/notify-updates-outdated rPx, / r, + /etc/cloud/cloud.cfg r, + /etc/cloud/cloud.cfg.d/{,*} r, /etc/default/motd-news r, /etc/lsb-release r, /etc/update-motd.d/* r, - /etc/cloud/cloud.cfg r, - /etc/cloud/cloud.cfg.d/{,*} r, + /etc/wgetrc r, /var/cache/motd-news rw, /var/lib/update-notifier/updates-available r, /var/lib/ubuntu-advantage/messages/motd-esm-announce r, + /var/lib/cloud/instances/nocloud/cloud-config.txt r, - /tmp/tmp.@{rand10} rw, + # /tmp/tmp.@{rand10} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/motd.d/{,*} r, @{run}/motd.dynamic.new rw, @{run}/reboot-required r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, /dev/tty@{int} rw, + profile wget { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{bin}/wget mr, + + /tmp/tmp.@{rand10} rw, + + include if exists + } + profile systemctl { include include From 8c526b32c615bc30e4400836368f13dfb8eff87a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:09:08 +0200 Subject: [PATCH 0142/1736] feat(profile): small update on core upgrade profiles. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-methods-cdrom | 8 ++-- apparmor.d/groups/apt/apt-methods-copy | 8 ++-- apparmor.d/groups/apt/apt-methods-file | 10 ++--- apparmor.d/groups/apt/apt-methods-ftp | 8 ++-- apparmor.d/groups/apt/apt-methods-gpgv | 12 +++--- apparmor.d/groups/apt/apt-methods-http | 18 ++++---- apparmor.d/groups/apt/apt-methods-mirror | 10 ++--- apparmor.d/groups/apt/apt-methods-rred | 10 ++--- apparmor.d/groups/apt/apt-methods-rsh | 8 ++-- apparmor.d/groups/apt/apt-methods-store | 12 +++--- apparmor.d/groups/apt/deb-systemd-helper | 4 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkdevicemap | 7 ++++ apparmor.d/profiles-a-f/e2scrub_all | 4 +- apparmor.d/profiles-a-f/finalrd | 43 ++++++++++---------- apparmor.d/profiles-g-l/glib-compile-schemas | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 1 + apparmor.d/profiles-g-l/logrotate | 4 +- apparmor.d/profiles-m-r/multipathd | 3 +- apparmor.d/profiles-m-r/pycompile | 1 + apparmor.d/profiles-m-r/qemu-ga | 2 +- 22 files changed, 95 insertions(+), 84 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2a0969156c..5be4284f94 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -36,7 +36,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/apt-get/system, unix bind type=stream addr=@@{udbus}/bus/apt/system, - unix type=stream peer=(label=snap), + unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 9cf47e758a..96ce36a723 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 6d906bf801..e2878e108d 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 3c2489a324..781f9714e3 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -20,11 +20,11 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index 47c679ea17..e753b4cf85 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index db5d50f435..5f3654f6ec 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -20,12 +20,12 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index b6976e9af7..0b375c8f82 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -23,15 +23,15 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, - signal (receive) peer=ubuntu-advantage, - signal (receive) peer=unattended-upgrade, - signal (receive) peer=update-manager, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, + signal receive peer=ubuntu-advantage, + signal receive peer=unattended-upgrade, + signal receive peer=update-manager, ptrace (read), diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index d8e3adce35..025a1c01bc 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -20,11 +20,11 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 85da35efcb..1aadac2ec9 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, - signal (receive) set=(int) peer=packagekitd, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, + signal receive set=(int) peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 95d70b31f8..1b76551b99 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index 5492fdd5e6..a6875a4326 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -20,12 +20,12 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index 77fe1f4557..d6e89f9a07 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -16,8 +16,8 @@ profile deb-systemd-helper @{exec_path} { @{bin}/systemctl rCx -> systemctl, - /etc/systemd/system/* w, - /etc/systemd/user/* w, + /etc/systemd/system/{,**} rw, + /etc/systemd/user/{,**} rw, /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 3274a5e6d3..f044b0f445 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -44,7 +44,7 @@ profile grub-install @{exec_path} flags=(complain) { @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 2a7082c64b..ca9f3ad3c1 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -10,9 +10,16 @@ include profile grub-mkdevicemap @{exec_path} { include include + include + + capability sys_admin, @{exec_path} mr, + @{PROC}/devices r, + + /dev/mapper/control rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index af10dddcd6..0079053e02 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -17,8 +17,8 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{bin}/readlink rix, + @{sh_path} mr, + @{bin}/readlink ix, /etc/e2scrub.conf r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index bc6c4cf622..d8f2f819e9 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -20,27 +20,27 @@ profile finalrd @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/find rix, - @{bin}/grep rix, - @{sbin}/ldconfig{,.real} rix, - @{bin}/ln rix, - @{bin}/mkdir rix, - @{bin}/mount rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/rm rix, - @{bin}/run-parts rix, - @{bin}/sed rix, - @{bin}/touch rix, - - @{bin}/ldd rCx -> ldd, - @{bin}/systemd-tmpfiles rPx, - @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, - @{lib}/systemd/systemd-shutdown rPx, - /usr/share/finalrd/*.finalrd rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env ix, + @{bin}/find ix, + @{bin}/grep ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{sbin}/ldconfig{,.real} ix, + + @{bin}/ldd Cx -> ldd, + @{bin}/systemd-tmpfiles Px, + @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd, + @{lib}/systemd/systemd-shutdown Px, + /usr/share/finalrd/*.finalrd ix, @{bin}/{,*} r, @{lib}/{,*} r, @@ -65,6 +65,7 @@ profile finalrd @{exec_path} { profile ldd { include + include include @{bin}/* mr, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index fcabd84c3d..59c56bb120 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/glib-compile-schemas +@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 3b140b2bf8..1c3c98d522 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -33,6 +33,7 @@ profile landscape-sysinfo @{exec_path} { /var/log/landscape/{,**} rw, + @{run}/systemd/sessions/{,*} r, @{run}/utmp rwk, @{sys}/class/hwmon/ r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index f74f309fee..8d3dc21718 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - signal (send) set=(hup), - signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, + signal send set=hup, + signal send set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index a07691a5ca..bbb6a87a61 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -20,7 +20,8 @@ profile multipathd @{exec_path} { network netlink raw, - unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream addr=@/org/kernel/linux/storage/multipathd, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index b441d84cd0..984fcf03cf 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -31,6 +31,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { /usr/share/python3/{,**} r, / r, + @{bin}/ r, profile dpkg { include diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index c6e6ca54ea..7fa668a713 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -12,7 +12,7 @@ profile qemu-ga @{exec_path} { @{exec_path} mr, - audit @{bin}/systemctl Cx -> systemctl, + @{bin}/systemctl Cx -> systemctl, /etc/qemu/qemu-ga.conf r, From 4e4f8d8a0e65e356971b0cddf86748196ef3a14c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:15:53 +0200 Subject: [PATCH 0143/1736] build: update sbin.list --- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 2 +- apparmor.d/groups/virt/dockerd | 2 +- tests/sbin.list | 5 +++++ 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index eb299345c2..8f5952d9ba 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,7 +15,7 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/fanctl rix, + @{sbin}/fanctl rix, @{bin}/flock rix, @{bin}/grep rix, @{bin}/id rix, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 5a963beaca..61898a3e47 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -30,7 +30,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/runc rPUx, + @{sbin}/runc rPx, /tmp/runc-process@{int} rw, /tmp/pty@{int}/ rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 6b1e3537a4..c4b39ff8c6 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -72,7 +72,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/git rCx -> git, @{bin}/kmod rPx, @{bin}/ps rPx, - @{bin}/runc rUx, + @{sbin}/runc rUx, @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rix, diff --git a/tests/sbin.list b/tests/sbin.list index 82596a62a6..805ab8bf10 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -46,6 +46,7 @@ arptables-nft-restore arptables-nft-save arptables-restore arptables-save +arptables-translate aspell-autobuildhash atd audisp-af_unix @@ -92,6 +93,7 @@ blogger bluetoothd bpflist-bpfcc bpftool +brctl bridge brltty brltty-setup @@ -241,7 +243,9 @@ f2fscrypt f2fslabel f2fsslower-bpfcc faillock +fanatic fancontrol +fanctl fatlabel fatresize fbtest @@ -767,6 +771,7 @@ rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc +runc runlevel runqlat-bpfcc runqlat.bt From e7fb1860939f0c83882c7592e2f356594790fa89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:19:32 +0200 Subject: [PATCH 0144/1736] feat(profile): update kernerl-install. --- apparmor.d/profiles-g-l/kernel-install | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 07c058124a..614b81aeb9 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -11,22 +11,19 @@ include profile kernel-install @{exec_path} { include include + include include + capability sys_resource, + + ptrace read peer=@{p_systemd}, + @{exec_path} r, @{sh_path} rix, - + @{coreutils_path} rix, + @{bin}/kmod rCx -> kmod, @{bin}/mountpoint rix, - @{bin}/sort rix, - @{bin}/rm rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/chown rix, - @{bin}/chmod rix, - @{bin}/basename rix, - @{pager_path} rPx -> child-pager, - @{bin}/kmod rCx -> kmod, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -37,6 +34,7 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @@ -50,14 +48,22 @@ profile kernel-install @{exec_path} { owner /boot/loader/entries/ rw, owner /boot/loader/entries/*.conf w, + owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, + owner @{tmp}/sh-thd.* rw, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, profile kmod { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } From 17624b95d8b193a823c1f75a0cffd0a559740b5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:21:12 +0200 Subject: [PATCH 0145/1736] feat(profile): update ucf profiles. --- apparmor.d/profiles-s-z/ucf | 11 ++++++++++- apparmor.d/profiles-s-z/ucfq | 26 +++++++++++++++++++++++++ apparmor.d/profiles-s-z/ucfr | 37 ++++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 4 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/ucfq create mode 100644 apparmor.d/profiles-s-z/ucfr diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 86d94c7a19..0a7b992b62 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -39,7 +39,7 @@ profile ucf @{exec_path} { @{bin}/dpkg-divert rPx, @{pager_path} rCx -> child-pager, - /usr/share/debconf/frontend rPx, # TODO: rCx -> debonc-frontend, + /usr/share/debconf/frontend Cx -> debconf, # For md5sum /usr/share/** r, @@ -55,6 +55,15 @@ profile ucf @{exec_path} { owner /tmp/tmp.@{rand10} r, + deny capability sys_admin, # optional: no audit + + profile debconf { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq new file mode 100644 index 0000000000..b6ca3e7b1c --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfq @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfq +profile ucfq @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/md5sum rix, + + /etc/ r, + /etc/default/ r, + /etc/default/grub r, + + /var/lib/ucf/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr new file mode 100644 index 0000000000..b38f8aae42 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfr @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfr +profile ucfr @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/{m,g,}awk ix, + @{bin}/getopt ix, + @{bin}/grep ix, + @{bin}/id ix, + @{bin}/readlink ix, + @{bin}/sed ix, + @{bin}/dirname ix, + + /usr/share/ucf/{,**} r, + + /etc/ucf.conf r, + + / r, + + /var/lib/ucf/ r, + /var/lib/ucf/registry r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 592b681e55..e884095838 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -368,6 +368,8 @@ telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain ucf complain +ucfq complain +ucfr complain udev-ata_id complain udev-bcache-export-cached complain udev-cdrom_id complain From 0a5743fa46cb62d35a1ff622d50a1fa2eaa6666c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:23:26 +0200 Subject: [PATCH 0146/1736] feat(profile): add profile for more update-* tools. --- apparmor.d/profiles-s-z/update-catalog | 26 ++++++++++++++++++ apparmor.d/profiles-s-z/update-info-dir | 24 +++++++++++++++++ apparmor.d/profiles-s-z/update-shells | 36 +++++++++++++++++++++++++ dists/flags/main.flags | 3 +++ 4 files changed, 89 insertions(+) create mode 100644 apparmor.d/profiles-s-z/update-catalog create mode 100644 apparmor.d/profiles-s-z/update-info-dir create mode 100644 apparmor.d/profiles-s-z/update-shells diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog new file mode 100644 index 0000000000..feac2d3c5e --- /dev/null +++ b/apparmor.d/profiles-s-z/update-catalog @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-catalog +profile update-catalog @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/sgml/ r, + /etc/sgml/* r, + + /var/lib/sgml-base/*catalog rw, + /var/lib/sgml-base/*catalog.new rw, + /var/lib/sgml-base/*catalog.old w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir new file mode 100644 index 0000000000..7c835023fa --- /dev/null +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-info-dir +profile update-info-dir @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/install-info Px, + @{bin}/find ix, + @{bin}/rm ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells new file mode 100644 index 0000000000..46b6699c87 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-shells @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-shells +profile update-shells @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chmod ix, + @{bin}/chown ix, + @{bin}/dirname ix, + @{bin}/dpkg-realpath ix, + @{bin}/mv ix, + @{bin}/sync ix, + + /usr/share/debianutils/shells r, + /usr/share/debianutils/shells.d/{,**} r, + + /etc/shells r, + /etc/shells.tmp w, + + /var/lib/shells.state r, + /var/lib/shells.state.tmp w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e884095838..9d0857ad30 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -380,8 +380,11 @@ udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain +update-catalog complain update-grub complain +update-info-dir complain update-secureboot-policy complain +update-shells complain userdbctl complain utempter attach_disconnected,complain veracrypt complain From a7807408b616c6b7fb51e064887415e83d18ffd7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:25:46 +0200 Subject: [PATCH 0147/1736] feat(profile): update some update-* profiles. --- apparmor.d/groups/freedesktop/update-mime-database | 2 +- apparmor.d/profiles-s-z/update-ca-certificates | 1 + apparmor.d/profiles-s-z/update-dlocatedb | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 6f6b397008..9efd9cccc4 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-mime-database +@{exec_path} = @{bin}/update-mime-database profile update-mime-database @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index 4bc88faaee..df9c08fe44 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -33,6 +33,7 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, + @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index 2afe8a22f0..e9d92e421f 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/2 w, + owner @{PROC}/@{pid}/fd/@{int} w, /var/lib/dlocate/dpkg-list w, From 774106b7e5cd7952850a6a63c49375997c9d4a79 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:28:08 +0200 Subject: [PATCH 0148/1736] feat(profile): update some systemd profiles. --- apparmor.d/groups/systemd/bootctl | 22 +++++++++---------- .../groups/systemd/systemd-generator-sysv | 3 ++- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 7 ++---- .../groups/systemd/systemd-network-generator | 2 +- apparmor.d/groups/systemd/systemd-networkd | 9 +++++++- apparmor.d/groups/systemd/systemd-remount-fs | 3 +-- apparmor.d/groups/systemd/systemd-timedated | 2 +- 8 files changed, 27 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 12fcceaea6..9508cfcf27 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -25,17 +25,17 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, - /{boot,efi}/ r, - /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, - /{boot,efi}/loader/.#entries.srel* w, - /{boot,efi}/loader/{,**} r, - /{boot,efi}/loader/entries.srel w, - /{boot,efi}/loader/random-seed w, + @{efi}/ r, + @{efi}/EFI/{,**} r, + @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, + @{efi}/EFI/BOOT/BOOTX64.EFI w, + @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, + @{efi}/EFI/systemd/systemd-boot*.efi w, + @{efi}/loader/.#bootctlrandom-seed@{hex} rw, + @{efi}/loader/.#entries.srel* w, + @{efi}/loader/{,**} r, + @{efi}/loader/entries.srel w, + @{efi}/loader/random-seed w, /etc/kernel/entry-token r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd/systemd-generator-sysv index 4feb65d51c..fc290fca4c 100644 --- a/apparmor.d/groups/systemd/systemd-generator-sysv +++ b/apparmor.d/groups/systemd/systemd-generator-sysv @@ -17,9 +17,10 @@ profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { /etc/init.d/{,**} r, /etc/rc@{int}.d/{,**} r, - @{run}/systemd/generator.late/* w, + @{run}/systemd/generator.late/** w, @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 205d8a55fc..3befcd92a9 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a56e162981..39192e7e19 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include + include include include include include - include capability chown, capability dac_override, @@ -50,8 +50,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - /boot/{,**} r, - /efi/{,**} r, + @{efi}/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, @@ -140,8 +139,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, - /dev/tty@{int} rw, - owner @{att}/dev/tty@{int} rw, owner /dev/shm/{,**/} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index e22d89629e..ceebbc5c2d 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-network-generator -profile systemd-network-generator @{exec_path} { +profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index ca54508263..3d6c3a4b72 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -31,6 +31,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, + signal receive set=usr2 peer=@{p_systemd}, + #aa:dbus own bus=system name=org.freedesktop.network1 dbus send bus=system path=/org/freedesktop/hostname1 @@ -47,14 +49,18 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/networkd.conf r, + /etc/systemd/network.conf r, /etc/systemd/network/{,**} r, + /etc/systemd/networkd.conf r, + /etc/systemd/networkd.conf.d/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, @{att}/@{run}/systemd/notify rw, + @{run}/mount/utab r, + owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @@ -75,6 +81,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 750f7e18bd..96b182e5f9 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -28,8 +28,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.@{rand6} rw, - @{run}/mount/utab.lock rwk, + @{run}/mount/utab.* rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index e070afe4e7..ffed031b5f 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 From 30bbd6d56a7d673b25212727a05e52d818e9a7e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:39:00 +0200 Subject: [PATCH 0149/1736] feat(profile): cron: cleanup direct exec. --- apparmor.d/groups/cron/cron | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index c924415689..778dd2be8d 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -38,9 +38,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not # using the run-parts profile we are good - @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - @{lib}/sysstat/debian-sa1 rPUx, - /usr/share/rsync/scripts/rrsync rPUx, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, From 8546533ad1ec34df6e709f0ed1ff510af24e5c62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:28:35 +0200 Subject: [PATCH 0150/1736] fix(build): flag generation. --- dists/flags/main.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9d0857ad30..c0af4fc778 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -193,7 +193,7 @@ kde-systemd-start-condition complain kded complain kdump_mem_estimator complain kdump-config complain -kdump-tools-init complain,attach_disconnected +kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain From 813758a1e0e58035ba568837623ba4c289db9bec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:07:27 +0200 Subject: [PATCH 0151/1736] feat(profile): add debconf-escape, update dpkg-scripts. --- apparmor.d/groups/apt/debconf-escape | 19 +++++++++++++++++++ apparmor.d/groups/apt/dpkg-scripts | 15 ++++++++++++++- dists/flags/main.flags | 1 + 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/apt/debconf-escape diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape new file mode 100644 index 0000000000..c64401bb07 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-escape @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/debconf-escape +profile debconf-escape @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index f1c56bd49a..e18ab78dee 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -26,11 +26,12 @@ profile dpkg-scripts @{exec_path} { @{coreutils_path} rix, @{bin}/run-parts rix, - @{bin}/setpriv ix, @{bin}/envsubst ix, + @{bin}/file ix, @{bin}/getent ix, @{bin}/gzip ix, @{bin}/helpztags ix, + @{bin}/setpriv ix, @{bin}/tput ix, @{bin}/zcat ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, @@ -97,6 +98,18 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + @{bin}/systemd-tty-ask-password-agent Px, + @{pager_path} Px -> child-pager, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/utmp rk, include if exists diff --git a/dists/flags/main.flags b/dists/flags/main.flags index c0af4fc778..6c29eba154 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -77,6 +77,7 @@ cupsd attach_disconnected,complain ddcutil complain deb-systemd-helper complain deb-systemd-invoke complain +debconf-escape complain decibels complain dino attach_disconnected,complain discord complain From 7361c21c401bfa0cf0c3eb3cb0bbcb9b534b7501 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:14:56 +0200 Subject: [PATCH 0152/1736] feat(profile): add mdadm-mkconf. --- apparmor.d/profiles-m-r/mdadm-mkconf | 30 ++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 31 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mdadm-mkconf diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf new file mode 100644 index 0000000000..8139ac68ef --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/mdadm/mkconf +profile mdadm-mkconf @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/date ix, + @{bin}/cat ix, + @{bin}/sed ix, + @{sbin}/mdadm Px, + + /etc/default/mdadm r, + + / r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6c29eba154..e27c76bc29 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -237,6 +237,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain +mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain From b1435dd4914e3828de737e5ba5817ca2ddef8add Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:17:38 +0200 Subject: [PATCH 0153/1736] feat(profile): ubuntu: update upgrade process. --- .../groups/ubuntu/package-data-downloader | 2 ++ apparmor.d/groups/ubuntu/ubuntu-report | 2 +- .../groups/ubuntu/update-notifier-crash | 20 +++++++++++++++++++ 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/ubuntu/update-notifier-crash diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index c193bbe0c6..37f7f72a5b 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -14,6 +14,8 @@ profile package-data-downloader @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 19273f449b..65fa3eaa0a 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -21,7 +21,7 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} r, + owner @{user_cache_dirs}/ubuntu-report/{,*} rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash new file mode 100644 index 0000000000..b3cbf7f073 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/update-notifier/update-notifier-crash +profile update-notifier-crash @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/apport/apport-checkreports Px, + + include if exists +} + +# vim:syntax=apparmor From ca5b4c99bac08f2cf53aa5433d086228dfa40ed2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 16:40:29 +0200 Subject: [PATCH 0154/1736] ci: disable compatibility check with userspace tools. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4593fe78c1..229aad415e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -57,11 +57,6 @@ jobs: sudo systemctl restart apparmor.service || true sudo journalctl -xeu apparmor.service - - name: Ensure compatibility with some AppArmor userspace tools - if: matrix.os != 'ubuntu-24.04' - run: | - sudo aa-enforce /etc/apparmor.d/aa-notify - - name: Show AppArmor log and rules run: | sudo aa-log From 931c20708905fd5b48f07aa492749fe178e152eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:24:34 +0200 Subject: [PATCH 0155/1736] feat(profile): simplify needrestart & fix pam-auth-update. --- apparmor.d/profiles-m-r/needrestart | 19 +------------------ apparmor.d/profiles-m-r/pam-auth-update | 2 +- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 13838902ec..9b731fd64b 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -9,11 +9,8 @@ include @{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include - include capability checkpoint_restore, capability dac_read_search, @@ -27,18 +24,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/sed rix, - @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/who rix, @{lib}/needrestart/* rPx, @{python_path} rix, @{sbin}/unix_chkpwd rPx, - /usr/share/debconf/frontend rCx -> debconf, - /etc/needrestart/hook.d/* rPx, /etc/needrestart/notify.d/* rPx, /etc/needrestart/restart.d/* rPx, @@ -96,15 +88,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } - profile debconf { - include - include - - @{sbin}/needrestart Px, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index aff011389d..5e0cbaaf49 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -12,7 +12,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mrix, @{bin}/md5sum ix, @{bin}/cp ix, From d575812e2906331f77dfcb7e41da44d2afa273c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:27:30 +0200 Subject: [PATCH 0156/1736] fix(profile): snapd journalctl subprofile. --- apparmor.d/groups/snap/snapd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index c1b24176ef..b652839878 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -204,6 +204,7 @@ profile snapd @{exec_path} { include capability net_admin, + capability sys_resource, network netlink raw, @@ -215,6 +216,8 @@ profile snapd @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, + @{run}/systemd/notify w, + include if exists } From acc35c3bd7f2dc31a0de043a660156c1f3aa9e8e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:28:56 +0200 Subject: [PATCH 0157/1736] ci: show files installed in sbin. --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 229aad415e..8d738eac72 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -128,6 +128,7 @@ jobs: - name: Install integration dependencies run: | bash tests/requirements.sh + find /usr/sbin/ -type f - name: Run the integration tests run: | From ead321e07e09b381313f0beeba67403f57b9827d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 23:47:44 +0200 Subject: [PATCH 0158/1736] feat(profile): improve the upgrade stack. --- apparmor.d/groups/cron/cron | 18 ++++++------------ apparmor.d/groups/snap/snapd | 2 +- apparmor.d/profiles-m-r/needrestart | 8 ++++---- apparmor.d/profiles-m-r/needrestart-hook | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 9 ++++++--- apparmor.d/profiles-m-r/needrestart-restart | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 2 ++ 7 files changed, 21 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 778dd2be8d..eba78ac827 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -25,20 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) { network netlink raw, - ptrace (read) peer=unconfined, - - unix bind type=stream addr=@@{udbus}/bus/cron/system, - @{exec_path} mr, - @{sh_path} rix, - @{bin}/nice rix, - @{bin}/ionice rix, - @{bin}/exim4 rPx, - @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not - # using the run-parts profile we are good - - @{lib}/sysstat/debian-sa1 rPx, + @{sh_path} rix, + @{bin}/exim4 rPx, + @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/run-parts rCx -> run-parts, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index b652839878..0eb3adb8c9 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -50,7 +50,7 @@ profile snapd @{exec_path} { ptrace read peer=@{p_systemd}, ptrace read peer=snap{,.*}, - signal send set=kill peer=journalctl, + signal send set=kill peer=snapd//journalctl, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 9b731fd64b..f9e2c6ebc3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -14,7 +14,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability checkpoint_restore, capability dac_read_search, - capability kill, capability sys_ptrace, ptrace read, @@ -27,13 +26,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, + @{bin}/who rPx, @{lib}/needrestart/* rPx, @{python_path} rix, @{sbin}/unix_chkpwd rPx, - /etc/needrestart/hook.d/* rPx, - /etc/needrestart/notify.d/* rPx, - /etc/needrestart/restart.d/* rPx, + @{etc_ro}/needrestart/hook.d/* rPx, + @{etc_ro}/needrestart/notify.d/* rPx, + @{etc_ro}/needrestart/restart.d/* rPx, /etc/init.d/* r, /etc/needrestart/{,**} r, diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook index fa77834e83..c8c9a12c4f 100644 --- a/apparmor.d/profiles-m-r/needrestart-hook +++ b/apparmor.d/profiles-m-r/needrestart-hook @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/hook.d/* +@{exec_path} = @{etc_ro}/needrestart/hook.d/* profile needrestart-hook @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index dc4a30c692..41fa96c4c0 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/notify.d/* +@{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include @@ -18,8 +18,11 @@ profile needrestart-notify @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/gettext.sh r, - @{bin}/sed ix, + @{bin}/fold ix, + @{bin}/gettext.sh r, + @{bin}/mail Px, + @{bin}/notify-send Px, + @{bin}/sed ix, /etc/needrestart/notify.conf r, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index 2fc79b70c4..b9e648602e 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/restart.d/* +@{exec_path} = @{etc_ro}/needrestart/restart.d/* profile needrestart-restart @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 5e0cbaaf49..90cc6a4ba5 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -20,7 +20,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { /usr/share/pam{,-configs}/{,*} r, /etc/pam.d/* rw, + /etc/shadow r, + /var/lib/dpkg/info/libpam-runtime.templates r, /var/lib/pam/* rw, include if exists From a8ab6da6f38f659d338c2eb6dee812d45b8cc41b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 23:53:40 +0200 Subject: [PATCH 0159/1736] feat(profile): add runit-helper. --- apparmor.d/profiles-m-r/runit-helper | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-m-r/runit-helper diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper new file mode 100644 index 0000000000..94b3816c97 --- /dev/null +++ b/apparmor.d/profiles-m-r/runit-helper @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/runit-helper/runit-helper +profile runit-helper @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/mkdir rix, + + @{run}/runit/ rw, + @{run}/runit/supervise/ w, + + include if exists +} + +# vim:syntax=apparmor From e83a9a60dc146dd78c92e6d7b10e88beeaf1ab0b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:18:01 +0200 Subject: [PATCH 0160/1736] feat(profile): finalize upgrade process. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 - apparmor.d/groups/apt/dpkg-scripts | 16 ++++++++-------- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/snap/snap | 5 +++-- apparmor.d/groups/snap/snapd | 2 ++ apparmor.d/profiles-s-z/which | 2 +- apparmor.d/profiles-s-z/whiptail | 6 ++---- 7 files changed, 17 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 4dbfae0a8f..716cd1dc85 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -30,7 +30,6 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/head ix, @{bin}/locale ix, @{bin}/readlink ix, - @{bin}/readlink ix, @{bin}/realpath ix, @{bin}/sed ix, @{bin}/sort ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e18ab78dee..4fb4d04c48 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,11 +47,11 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /usr/share/** Px, - /etc/init.d/* Px, + @{bin}/** PUx, + @{sbin}/** PUx, + @{lib}/** PUx, + /usr/share/** PUx, + /etc/init.d/* PUx, # Maintainer's scripts can update a lot of files / r, @@ -76,9 +76,9 @@ profile dpkg-scripts @{exec_path} { include dbus send bus=system path=/ - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 7d1be84425..a561954a31 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/speech-dispatcher rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 8549d83158..562f49dca9 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -85,8 +85,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/security/apparmor/features/{,**} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, @{PROC}/sys/kernel/random/uuid r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0eb3adb8c9..0481af5ded 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -208,6 +208,8 @@ profile snapd @{exec_path} { network netlink raw, + signal receive set=kill peer=snapd, + @{bin}/journalctl mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index cc95a17f93..df049741fc 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/which{.debianutils,} +@{exec_path} = @{bin}/which{,.debianutils} profile which @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a7b98ebee1..f0efad77b7 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} flags=(complain) { +profile whiptail @{exec_path} { include include @@ -16,9 +16,7 @@ profile whiptail @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/newt/palette.* r, - - owner @{tmp}/gpm* w, + /usr/share/terminfo/** r, include if exists } From d9430c68c190f26cca9a2291c74b4f9bba4617c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:55:48 +0200 Subject: [PATCH 0161/1736] build: improve error message in the stack direcive. --- pkg/prebuild/directive/stack.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index f806898277..a43849228c 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -55,7 +55,10 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() + stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() + if err != nil { + return "", fmt.Errorf("%s need to stack: %w", name, err) + } m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("no profile found in %s", name) From 780ca65953a726133f412e61020e749ca99d0850 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:57:37 +0200 Subject: [PATCH 0162/1736] build(fsp): set stacked variables. --- pkg/prebuild/prepare/fsp.go | 77 ++++++++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 18 deletions(-) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 0d4c230762..f8d3cb17fb 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -5,11 +5,60 @@ package prepare import ( - "strings" + "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" +) + +var ( + tunables = map[string]string{ + // Set systemd profiles name + "sd": "sd", + "sdu": "sdu", + "systemd_user": "systemd-user", + "systemd": "systemd", + + // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they + "dbus_system": "dbus-system", + "dbus_session": "dbus-session", + + // Update name of stacked profiles + "apt_news": "", + "colord": "", + "e2scrub_all": "", + "e2scrub": "", + "fprintd": "", + "fwupd": "", + "fwupdmgr": "", + "geoclue": "", + "irqbalance": "", + "logrotate": "", + "ModemManager": "", + "nm_priv_helper": "", + "pcscd": "", + "polkitd": "", + "power_profiles_daemon": "", + "rsyslogd": "", + "systemd_coredump": "", + "systemd_homed": "", + "systemd_hostnamed": "", + "systemd_importd": "", + "systemd_initctl": "", + "systemd_journal_remote": "", + "systemd_journald": "", + "systemd_localed": "", + "systemd_logind": "", + "systemd_machined": "", + "systemd_networkd": "", + "systemd_oomd": "", + "systemd_resolved": "", + "systemd_rfkill": "", + "systemd_timedated": "", + "systemd_timesyncd": "", + "systemd_userdbd": "", + "upowerd": "", + } ) type FullSystemPolicy struct { @@ -33,28 +82,20 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } - // Set systemd profile name + // Set profile name for FSP path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") - out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") - out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") - out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") - if err := path.WriteFile([]byte(out)); err != nil { - return res, err - } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = prebuild.RootApparmord.Join("abstractions/gstreamer") - out, err = path.ReadFileAsString() - if err != nil { - return res, err + for varname, profile := range tunables { + pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) + if profile == "" { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) + } else { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) + } } - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } From c07c5838e4855d97bf98f65496c302bbd305e71c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:00:08 +0200 Subject: [PATCH 0163/1736] build: add RBAC filter to the only/exclude directive. --- pkg/prebuild/cli/cli.go | 1 + pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 3 files changed, 8 insertions(+) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 779cd5c0c4..51636f8488 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -80,6 +80,7 @@ func Configure() { if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") + prebuild.RBAC = true } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index a6513f37ea..b6ec56816b 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -39,6 +39,10 @@ func init() { } func filterRuleForUs(opt *Option) bool { + if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index d5d5a72660..37cbc69bca 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Either or not RBAC is enabled + RBAC = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From f717ea7383ea32abde752af3a88dd1bf87709a25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:01:08 +0200 Subject: [PATCH 0164/1736] feat(aa): add a mount flag. --- pkg/aa/mount.go | 2 +- pkg/aa/util.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index bbf66b577f..72719414dd 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -29,7 +29,7 @@ func init() { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", + "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 485478fef2..5a7049d698 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -182,7 +182,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) } } slices.SortFunc(res, func(i, j string) int { From 04b6cade644c0adfdb4b0a9bdc4f71bff78bc8ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:17:14 +0200 Subject: [PATCH 0165/1736] feat(profile): use profile variable in rules such as in dbus, ptrace, unix... --- apparmor.d/abstractions/app/sudo | 4 ++-- apparmor.d/abstractions/base.d/complete | 2 +- .../abstractions/bus/net.hadess.PowerProfiles | 2 +- .../abstractions/bus/net.reactivated.Fprint | 6 +++--- apparmor.d/abstractions/bus/org.a11y | 10 +++++----- apparmor.d/abstractions/bus/org.bluez | 14 +++++++------- .../abstractions/bus/org.freedesktop.Accounts | 10 +++++----- .../abstractions/bus/org.freedesktop.Avahi | 10 +++++----- .../bus/org.freedesktop.ColorManager | 8 ++++---- .../abstractions/bus/org.freedesktop.GeoClue2 | 10 +++++----- .../bus/org.freedesktop.ModemManager1 | 6 +++--- .../abstractions/bus/org.freedesktop.PolicyKit1 | 8 ++++---- .../bus/org.freedesktop.RealtimeKit1 | 6 +++--- .../abstractions/bus/org.freedesktop.UPower | 8 ++++---- .../bus/org.freedesktop.UPower.PowerProfiles | 2 +- .../abstractions/bus/org.freedesktop.hostname1 | 2 +- .../abstractions/bus/org.freedesktop.locale1 | 2 +- .../abstractions/bus/org.freedesktop.login1 | 8 ++++---- .../bus/org.freedesktop.login1.Session | 8 ++++---- .../abstractions/bus/org.freedesktop.network1 | 2 +- .../abstractions/bus/org.freedesktop.resolve1 | 4 ++-- .../abstractions/bus/org.freedesktop.timedate1 | 2 +- .../abstractions/bus/org.gnome.ArchiveManager1 | 4 ++-- apparmor.d/abstractions/mapping/login | 2 +- apparmor.d/abstractions/mapping/sshd | 4 ++-- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/avahi/avahi-resolve | 4 ++-- apparmor.d/groups/bluetooth/bluetoothctl | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/bus/ibus-dconf | 1 + apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/filesystem/udisksd | 4 ++-- apparmor.d/groups/flatpak/flatpak | 4 ++-- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/gnome/gdm | 4 ++-- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-control-center | 16 ++++++++-------- apparmor.d/groups/gnome/gnome-firmware | 4 ++-- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++++------ apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 8 ++++---- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 7 +------ apparmor.d/groups/gnome/loupe | 5 +++++ apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/NetworkManager | 6 +++--- apparmor.d/groups/network/networkd-dispatcher | 2 +- apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/snap/snapd | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/systemd/homectl | 2 +- apparmor.d/groups/systemd/hostnamectl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/loginctl | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- .../systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/utils/chsh | 2 +- apparmor.d/groups/utils/login | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/tunables/multiarch.d/profiles | 6 +++--- 72 files changed, 152 insertions(+), 151 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 333cbddbd3..1286b15713 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,8 +24,8 @@ network netlink raw, # PAM - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 230e0c9d5e..06b4133424 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -18,7 +18,7 @@ signal (receive) set=(term,kill) peer=openbox, signal (receive) set=(term,kill) peer=su, - ptrace (readby) peer=systemd-coredump, + ptrace (readby) peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 63f224c420..7e75609922 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 2f36600828..0241fc8897 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=net.reactivated.Fprint label=fprintd + #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name="@{busname}", label=fprintd), + peer=(name="@{busname}", label="@{p_fprintd}"), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -19,7 +19,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label=fprintd), + peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 018109a628..ef0e157076 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -9,27 +9,27 @@ dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=EventListenerDeregistered - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), # Session bus diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 2969656914..201d3998cb 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -4,37 +4,37 @@ abi , - #aa:dbus common bus=system name=org.bluez label=bluetoothd + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 2ad151c456..d15288d46e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index e3128f9845..38e05f48c8 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Avahi label=avahi-daemon + #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name="@{busname}", label=avahi-daemon), + peer=(name="@{busname}", label="@{p_avahi_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 27776b7767..3a63d95dcc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index feaced7c32..9957c7b677 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -4,26 +4,26 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=geoclue), + peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 41e03f3255..4f53ba497b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -4,17 +4,17 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=org.freedesktop.ModemManager1, label=ModemManager), + peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="@{busname}", label=ModemManager), + peer=(name="@{busname}", label="@{p_ModemManager}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index b770cdbb1d..9dfab74815 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 0c6abbdbe8..f66fdb20a4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -6,7 +6,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get @@ -15,12 +15,12 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriority,MakeThreadRealtime} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index ec0a2b15bd..69218b619c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member=GetDisplayDevice - peer=(name=org.freedesktop.UPower, label=upowerd), + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=DeviceAdded - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles index 3d3980f81d..45e88b1037 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index e6182bead0..0a8d86be17 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 511a44dd66..1348c8a39b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 7f9fc5fb77..ad368ed987 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 23ec52c8ed..f60c693019 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name="@{busname}", label=systemd-logind), + peer=(name="@{busname}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index be11a7ceba..7583a3e9dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 8c7670382e..e2c4b38865 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), + peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 83f85c6786..8f6118355e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.timedate1 label=systemd-timedated + #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index ce572e9cd5..6bfa6114b8 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label=file-roller + #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label=file-roller), + peer=(name="@{busname}", label="@{p_file_roller}"), include if exists diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login index 54a8c1c7f1..7ccc2d6789 100644 --- a/apparmor.d/abstractions/mapping/login +++ b/apparmor.d/abstractions/mapping/login @@ -25,7 +25,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=ReleaseSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{etc_ro}/security/group.conf r, @{etc_ro}/security/limits.conf r, diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index bb0064956c..97f0b077eb 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -28,7 +28,7 @@ network inet6 stream, network netlink raw, - signal receive set=exists peer=systemd-journald, + signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/sshd/system, @@ -36,7 +36,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), /etc/motd r, /etc/locale.conf r, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 47c22d72d9..3ac729baa5 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index ff2cae183e..1a66b4726b 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} { dbus send bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Free,HostNameResolverNew} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Failure,Found} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl index e408b94b92..0b075581b1 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -15,7 +15,7 @@ profile bluetoothctl @{exec_path} { network bluetooth raw, - #aa:dbus talk bus=system name=org.bluez label=bluetoothd + #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 3da9b4f5de..5c1a7633e6 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -22,7 +22,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 6f66ec9b20..817d63175e 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -15,6 +15,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include + signal receive set=kill peer=@{p_systemd_user}, signal receive set=term peer=ibus-daemon, dbus receive bus=session diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index f671ce6e9c..78e7883cbb 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 7d4febb1f8..1ff219bbef 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @{exec_path} mr, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c958bd2cd8..52e9e32ef2 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -41,8 +41,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 804020b7bd..fab642571c 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member=Found - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=ItemRemove - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager @@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} { dbus send bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member={Found,Free} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 931b47509e..0f6f9abebe 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 00e277f1f5..12c82aea30 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -48,7 +48,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=ReleaseControl - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index e35d165a2c..435d055fad 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -34,8 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 1a05892b66..a5dac16fa1 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -49,13 +49,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index c81e591cf9..235c0ce9e1 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -32,7 +32,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1f0b6239e5..1007d55e23 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -45,18 +45,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control - #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index af44afbece..706c16e877 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index c62175c853..37b3b78928 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 027a1ab96c..dc9b6812e3 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -32,7 +32,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index bfd6959596..6c781e2047 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -83,11 +83,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding @@ -103,11 +103,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgent - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent interface=org.freedesktop.PolicyKit1.AuthenticationAgent member=BeginAuthentication - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager interface=org.freedesktop.NetworkManager.AgentManager diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 92cf3fa0a2..2fe22305b0 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 9dec92df4b..b8da39a4db 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -24,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=org.freedesktop.systemd1), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 1ae8e2ada9..2a2ea034fa 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0d09a0e9cc..a330b76ce5 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -43,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label=upowerd), + peer=(name=:*, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index e5489c2b4c..4fece33663 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,12 +36,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label=accounts-daemon), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetId - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 4ee0d9268d..6f783627e2 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,6 +21,11 @@ profile loupe @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=@{p_systemd_hostnamed}), + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b4111d6d03..396f256cc8 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -58,7 +58,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 008b6bd317..85257c89df 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -46,7 +46,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher @@ -60,12 +60,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index f593db162e..8b4d53b1ce 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,7 +16,7 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-networkd), + peer=(name=:*, label="@{p_systemd_networkd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index e663c299ee..5799ced5b0 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0481af5ded..1add6c1c42 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -55,7 +55,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index fe5a6f1cd9..4b99aafd61 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -56,7 +56,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index aaae97d643..3a78c531ee 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -19,7 +19,7 @@ profile homectl @{exec_path} { signal send peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index dcbe9a46f3..6b29e260d4 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -15,7 +15,7 @@ profile hostnamectl @{exec_path} { capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index b49065fd70..f9a3625ef7 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -16,7 +16,7 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index c65bb4edd6..f516d16dbc 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -20,7 +20,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0163f22588..5b4b3e6b5d 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -26,7 +26,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 5c436f6c12..1ef3404d9c 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -15,7 +15,7 @@ profile resolvectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 2be38e6ba3..ae475ff48a 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,7 +14,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=packagekitd, + signal receive set=term peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3d6c3a4b72..df1e740483 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -42,7 +42,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index b603b24113..2ac7f09fb5 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet6 stream, unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), + unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index bbd4b7438c..30d30b295b 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -20,7 +20,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=logrotate, + signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index 73f097a945..e3581be31a 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -24,7 +24,7 @@ profile chsh @{exec_path} { network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6968be40e4..6227f4fc51 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -34,7 +34,7 @@ profile login @{exec_path} flags=(attach_disconnected) { ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index b7b087309d..e07c91f3d9 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -30,7 +30,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6dffac5a6f..3c9b0a3a93 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -27,7 +27,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 7fa668a713..5173c50d87 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -34,7 +34,7 @@ profile qemu-ga @{exec_path} { unix type=stream addr=@@{udbus}/bus/shutdown/system, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" include if exists } diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index ec1eff79ce..6868ae87a4 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -8,10 +8,10 @@ # All variables that refer to a profile name should be prefixed with `p_` # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` -@{p_systemd}=unconfined -@{p_systemd_executor}=unconfined +@{p_sd}=unconfined +@{p_sdu}=unconfined @{p_systemd_user}=unconfined -@{p_systemd_user_executor}=unconfined +@{p_systemd}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility From 217448d09a5259492a143f99808bc79213d75eaf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:18:11 +0200 Subject: [PATCH 0166/1736] doc: improve documentation on the use of some special abstraction. --- apparmor.d/abstractions/attached/base | 3 ++- apparmor.d/abstractions/attached/consoles | 3 ++- apparmor.d/abstractions/bus/own-accessibility | 3 ++- apparmor.d/abstractions/bus/own-session | 3 ++- apparmor.d/abstractions/bus/own-system | 3 ++- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 6a7486cf82..4c35d915df 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the base abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index dd2275a038..f306c22736 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/own-accessibility index 94968258c8..cd8e42e523 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/own-accessibility @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/own-session index 8186f34cb8..91515adb04 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/own-session @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/own-system index f2ee3219c1..d48931f4fb 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/own-system @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus From 4ffbf84a0094e6c51933070b27a5c58628ec2ea4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:20:37 +0200 Subject: [PATCH 0167/1736] feat(fsp): remove the default profiles. --- apparmor.d/groups/_full/bwrap | 56 ------------ apparmor.d/groups/_full/bwrap-app | 36 -------- apparmor.d/groups/_full/default | 122 --------------------------- apparmor.d/groups/_full/default-sudo | 42 --------- dists/flags/main.flags | 4 - 5 files changed, 260 deletions(-) delete mode 100644 apparmor.d/groups/_full/bwrap delete mode 100644 apparmor.d/groups/_full/bwrap-app delete mode 100644 apparmor.d/groups/_full/default delete mode 100644 apparmor.d/groups/_full/default-sudo diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap deleted file mode 100644 index 0a4b9efdfd..0000000000 --- a/apparmor.d/groups/_full/bwrap +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for bwrap. - -abi , - -include - -@{exec_path} = @{bin}/bwrap -profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - capability sys_resource, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - signal (receive) set=(kill), - - @{bin}/** rm, - @{lib}/** rm, - /opt/*/** rm, - /usr/share/*/* rm, - - @{bin}/** Px -> bwrap//&bwrap-app, - @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, - # @{lib}/** Px -> bwrap//&bwrap-app, - /opt/*/** Px -> bwrap//&bwrap-app, - /usr/share/*/* Px -> bwrap//&bwrap-app, - - /usr/.ref rk, - - /bindfile@{rand6} rw, - - owner /var/cache/ w, - - owner @{run}/ld-so-cache-dir/* rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app deleted file mode 100644 index b6d45478a4..0000000000 --- a/apparmor.d/groups/_full/bwrap-app +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for user sandboxed application - -abi , - -include - -profile bwrap-app flags=(attach_disconnected,mediate_deleted) { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - - @{bin}/** rmix, - @{lib}/** rmix, - /opt/*/** rmix, - /usr/share/*/* rmix, - - owner /var/cache/ w, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default deleted file mode 100644 index acdfc0bfff..0000000000 --- a/apparmor.d/groups/_full/default +++ /dev/null @@ -1,122 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for unconfined programs - -abi , - -include - -@{exec_path} = /** -profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - signal receive set=hup, - - @{bin}/bwrap rPx -> bwrap, - @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd//&pulseaudio, - @{bin}/su rPx -> default-sudo, - @{bin}/sudo rPx -> default-sudo, - @{bin}/systemctl rix, - @{coreutils_path} rix, - @{shells_path} rix, - - @{pager_path} rPx -> child-pager, - -# @{open_path} rPx -> child-open, - - audit @{bin}/** Pix, - audit @{lib}/** Pix, - audit /opt/*/** Pix, - audit /usr/share/*/* Pix, - - @{bin}/{,**} r, - @{lib}/{,**} r, - /usr/share/** r, - - /etc/xdg/** r, - - # Full access to user's data - / r, - /*/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rwl, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rwk, - owner @{run}/user/@{uid}/{,**} rwlk, - - @{run}/motd.dynamic.new rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, - - /dev/ r, - /dev/ptmx rwk, - /dev/tty rwk, - owner /dev/tty@{int} rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo deleted file mode 100644 index 6091919708..0000000000 --- a/apparmor.d/groups/_full/default-sudo +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile default-sudo { - include - include - - capability chown, - capability mknod, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - - ptrace (read), - - @{bin}/su mr, - - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - - /var/db/sudo/lectured/ r, - /var/lib/extrausers/shadow r, - /var/lib/sudo/lectured/ r, - owner /var/db/sudo/lectured/@{uid} rw, - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/ r, - @{run}/systemd/sessions/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e27c76bc29..a73fee1295 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,10 +1,6 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,mediate_deleted,complain -default attach_disconnected,mediate_deleted,complain -default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain From 8f3f3816edd40839b0832cc67546b08eae09314e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:31:35 +0200 Subject: [PATCH 0168/1736] feat(fsp): systemd drop in files: configure stacked profile It comes as a replacement of old and unsecure config that was disabling the nnp flag. The new solution is: 1. Safe 2. Scalable as hundred of profile could be configured this way --- systemd/full/system/ModemManager.service | 2 +- systemd/full/system/archlinux-keyring-wkd-sync.service | 2 +- systemd/full/system/dbus-org.freedesktop.hostname1.service | 2 +- systemd/full/system/dbus-org.freedesktop.import1.service | 2 +- systemd/full/system/dbus-org.freedesktop.locale1.service | 2 +- systemd/full/system/dbus-org.freedesktop.login1.service | 2 +- systemd/full/system/dbus-org.freedesktop.machine1.service | 2 +- systemd/full/system/dbus-org.freedesktop.timedate1.service | 2 +- systemd/full/system/e2scrub@.service | 2 +- systemd/full/system/e2scrub_reap.service | 2 +- systemd/full/system/fprintd.service | 2 +- systemd/full/system/fwupd-refresh.service | 4 +--- systemd/full/system/geoclue.service | 6 +----- systemd/full/system/irqbalance.service | 2 +- systemd/full/system/nm-priv-helper.service | 2 +- systemd/full/system/polkit.service | 2 +- systemd/full/system/rngd.service | 2 +- systemd/full/system/systemd-homed.service | 2 +- systemd/full/system/systemd-hostnamed.service | 2 +- systemd/full/system/systemd-journald.service | 3 +-- systemd/full/system/systemd-journald@.service | 3 +-- systemd/full/system/systemd-localed.service | 2 +- systemd/full/system/systemd-logind.service | 3 +-- systemd/full/system/systemd-machined.service | 2 +- systemd/full/system/systemd-networkd.service | 2 +- systemd/full/system/systemd-resolved.service | 2 +- systemd/full/system/systemd-timedated.service | 2 +- systemd/full/system/systemd-userdbd.service | 2 +- systemd/full/system/upower.service | 2 +- 29 files changed, 29 insertions(+), 38 deletions(-) diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service index 03d3528901..2d1593f199 100644 --- a/systemd/full/system/ModemManager.service +++ b/systemd/full/system/ModemManager.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&ModemManager diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service index 03d3528901..b887685568 100644 --- a/systemd/full/system/archlinux-keyring-wkd-sync.service +++ b/systemd/full/system/archlinux-keyring-wkd-sync.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&archlinux-keyring-wkd-sync diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service index 03d3528901..6d078aea95 100644 --- a/systemd/full/system/dbus-org.freedesktop.hostname1.service +++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service index 03d3528901..0ab519541e 100644 --- a/systemd/full/system/dbus-org.freedesktop.import1.service +++ b/systemd/full/system/dbus-org.freedesktop.import1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-importd \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service index 03d3528901..2765950805 100644 --- a/systemd/full/system/dbus-org.freedesktop.locale1.service +++ b/systemd/full/system/dbus-org.freedesktop.locale1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service index 03d3528901..c5728915c9 100644 --- a/systemd/full/system/dbus-org.freedesktop.login1.service +++ b/systemd/full/system/dbus-org.freedesktop.login1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service index 03d3528901..315b1b2301 100644 --- a/systemd/full/system/dbus-org.freedesktop.machine1.service +++ b/systemd/full/system/dbus-org.freedesktop.machine1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service index 03d3528901..ab04c5a456 100644 --- a/systemd/full/system/dbus-org.freedesktop.timedate1.service +++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated \ No newline at end of file diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service index 03d3528901..7340b76105 100644 --- a/systemd/full/system/e2scrub@.service +++ b/systemd/full/system/e2scrub@.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub \ No newline at end of file diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service index 03d3528901..b903d2f0a7 100644 --- a/systemd/full/system/e2scrub_reap.service +++ b/systemd/full/system/e2scrub_reap.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub_all \ No newline at end of file diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service index 03d3528901..5f1f063faf 100644 --- a/systemd/full/system/fprintd.service +++ b/systemd/full/system/fprintd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&fprintd \ No newline at end of file diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service index fa215b3f02..acd28a5a4a 100644 --- a/systemd/full/system/fwupd-refresh.service +++ b/systemd/full/system/fwupd-refresh.service @@ -1,4 +1,2 @@ [Service] -ProtectKernelModules=no -RestrictRealtime=no -ProtectKernelModules=no +AppArmorProfile=&fwupdmgr \ No newline at end of file diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service index 4ba897659b..2c10e32f5a 100644 --- a/systemd/full/system/geoclue.service +++ b/systemd/full/system/geoclue.service @@ -1,6 +1,2 @@ [Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -ProtectKernelTunables=no -ProtectKernelModules=no -RestrictRealtime=no +AppArmorProfile=&geoclue \ No newline at end of file diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service index 03d3528901..eab67fa448 100644 --- a/systemd/full/system/irqbalance.service +++ b/systemd/full/system/irqbalance.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&irqbalance \ No newline at end of file diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service index 03d3528901..53f99edd04 100644 --- a/systemd/full/system/nm-priv-helper.service +++ b/systemd/full/system/nm-priv-helper.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&nm-priv-helper diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service index 03d3528901..b21a28baac 100644 --- a/systemd/full/system/polkit.service +++ b/systemd/full/system/polkit.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&polkitd diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service index 03d3528901..c52a85d0c8 100644 --- a/systemd/full/system/rngd.service +++ b/systemd/full/system/rngd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&rngd diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service index 03d3528901..65d4ae62e5 100644 --- a/systemd/full/system/systemd-homed.service +++ b/systemd/full/system/systemd-homed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-homed diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service index 03d3528901..6d078aea95 100644 --- a/systemd/full/system/systemd-hostnamed.service +++ b/systemd/full/system/systemd-hostnamed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service index 0316a67c89..48f5a0156a 100644 --- a/systemd/full/system/systemd-journald.service +++ b/systemd/full/system/systemd-journald.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service index 0316a67c89..48f5a0156a 100644 --- a/systemd/full/system/systemd-journald@.service +++ b/systemd/full/system/systemd-journald@.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service index 03d3528901..2765950805 100644 --- a/systemd/full/system/systemd-localed.service +++ b/systemd/full/system/systemd-localed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service index 0316a67c89..c5728915c9 100644 --- a/systemd/full/system/systemd-logind.service +++ b/systemd/full/system/systemd-logind.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service index 03d3528901..315b1b2301 100644 --- a/systemd/full/system/systemd-machined.service +++ b/systemd/full/system/systemd-machined.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service index 03d3528901..3f4b608491 100644 --- a/systemd/full/system/systemd-networkd.service +++ b/systemd/full/system/systemd-networkd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-networkd diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service index 03d3528901..fd36871e46 100644 --- a/systemd/full/system/systemd-resolved.service +++ b/systemd/full/system/systemd-resolved.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-resolved diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service index 03d3528901..78dd0193d1 100644 --- a/systemd/full/system/systemd-timedated.service +++ b/systemd/full/system/systemd-timedated.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service index 03d3528901..d3771658d3 100644 --- a/systemd/full/system/systemd-userdbd.service +++ b/systemd/full/system/systemd-userdbd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-userdbd diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service index 03d3528901..082e8f0fa0 100644 --- a/systemd/full/system/upower.service +++ b/systemd/full/system/upower.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&upowerd From 77d2f923b0d5a33dad1d190ea6e04836d3df3577 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:45:10 +0200 Subject: [PATCH 0169/1736] feat(profile): pacman: allow landlock to restrict itself See https://docs.kernel.org/userspace-api/landlock.html#c.sys_landlock_restrict_self fix #750 --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96c..def1f2a28e 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -27,6 +27,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability setfcap, capability setgid, capability setuid, + capability sys_admin, capability sys_chroot, capability sys_ptrace, capability sys_resource, From a08c99dcb77b2df4fdee96de3b4fc6c6ab63b9fb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:47:49 +0200 Subject: [PATCH 0170/1736] feat(abs): console: add non owner access to /dev/tty@{u8}. Follow recent addition in attached/consoles fix #751 --- apparmor.d/abstractions/consoles.d/complete | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 apparmor.d/abstractions/consoles.d/complete diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 0000000000..b8b7ad90fe --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # There are the common ways to refer to consoles + /dev/tty@{u8} rw, + +# vim:syntax=apparmor From d5002a67740e10096cb3a126b2c467e55459e895 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:52:39 +0200 Subject: [PATCH 0171/1736] fix(profile): fwupd fix #752 --- apparmor.d/profiles-a-f/fwupd | 4 +++- apparmor.d/profiles-a-f/fwupdmgr | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 71addde646..a07bb4dbaf 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -50,6 +50,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, + /usr/share/libdrm/*.ids /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, @@ -80,6 +81,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/**/ r, @{sys}/devices/** r, + @{sys}/**/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @@ -87,9 +89,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, - @{sys}/**/uevent r, @{sys}/power/mem_sleep r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6dffac5a6f..b0a651315b 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -34,6 +34,9 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { @{bin}/dbus-launch Cx -> bus, @{bin}/pkttyagent Px, + /usr/share/terminfo/** r, + + /etc/inputrc r, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, From 7243c18ce2ffd4de6b66c2c390752f079b6e718d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:54:56 +0200 Subject: [PATCH 0172/1736] fix(build): conversion from abi4 to abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76e..2e2911f4bd 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` deny mqueue`, ` # deny mqueue`, }) ) From 0886c7bc853de38724ebbbccad21832f2bbd4600 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 27 May 2025 00:29:21 +0200 Subject: [PATCH 0173/1736] fix: rule compilation. --- apparmor.d/profiles-a-f/fwupd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index a07bb4dbaf..5fb948234b 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -50,7 +50,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, - /usr/share/libdrm/*.ids + /usr/share/libdrm/*.ids r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, From 11f3529530aa1710de623c8bb3214637a0047985 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 27 May 2025 00:29:35 +0200 Subject: [PATCH 0174/1736] ci: ensure failing compiling the profile fail the job. --- .github/workflows/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8d738eac72..4baa4a7761 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -54,8 +54,10 @@ jobs: - name: Reload AppArmor run: | - sudo systemctl restart apparmor.service || true - sudo journalctl -xeu apparmor.service + if ! sudo systemctl restart apparmor.service; then + sudo journalctl -xeu apparmor.service + exit 1 + fi - name: Show AppArmor log and rules run: | From bf22a7786c39d3b56b87095bfd4479769b88ec1a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Tue, 27 May 2025 11:44:26 +0000 Subject: [PATCH 0175/1736] Broken login: Update systemd-logind Today I was not able to log into my Arch Linux system. After chrooting into the system, performing aa-log and adding the rule to systemd-logind the problem was fixed. --- apparmor.d/groups/systemd/systemd-logind | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 39192e7e19..64081f326e 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -139,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, + /dev/tty@{int} rw, owner /dev/shm/{,**/} rw, include if exists From 47bafeb67bacc6abb89eb74f9a7044cfdfae0cd4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:06:52 +0200 Subject: [PATCH 0176/1736] feat(fsp): rewrite the systemd profile. --- apparmor.d/groups/_full/systemd | 259 ++++++++++++-------------------- 1 file changed, 92 insertions(+), 167 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index e1a9918e1a..eec9b33d99 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -11,24 +11,47 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -# TODO: rework this to get a controlled environment: (cf security model) +# Overall architecture of the systemd profiles: +# systemd # PID 1, entrypoint, requires "Early policy" +# ├── systemd # To restart itself +# ├── systemd-generators-* # Systemd system and environment generators +# └── sd # Internal service starter and config handler, handles all services +# ├── Px or px, # Any service with profile +# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) +# ├── sd-mount # Handles all mounts from services +# ├── sd//systemctl # Internal system systemctl +# └── systemd-user # Profile for 'systemd --user' +# ├── systemd-user # To restart itself +# ├── systemd-user-generators-* # Systemd user and environment generators +# └── sdu # Handles all user services +# ├── Px or px, # Any user service with profile +# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) +# └── sdu//systemctl # Internal user systemctl + +# Advantages: +# - Differentiate systemd (PID 1) and `system --user` +# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. +# - Allow the executor profiles to handled stacked profiles. +# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. +# - Dedicated `sd-mount` profile for most mount from the unit services. + + +# TODO: rework this to get a controlled environment: # - No global allow anymore: in high security environments, we must manage the list # of program/service that can be started by systemd and ensure that they are all # listed and confined. Programs not listed will not be able to start. # - Outside common systemd service, the list may have to be automatically # generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` -# - Stop disabling nnp flags in systemd dropin files. -# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) -# need they own profile, profile name configured as a dropin unit file. -# - When this is done: the fallback profile as root will not be needed. abi , include +@{exec_path} = @{lib}/systemd/systemd profile systemd flags=(attach_disconnected,mediate_deleted) { include - include include include include @@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { capability dac_read_search, capability fowner, capability fsetid, - capability mknod, + capability kill, capability net_admin, + capability net_bind_service, capability perfmon, - capability setfcap, - capability setgid, capability setpcap, - capability setuid, capability sys_admin, - capability sys_chroot, - capability sys_nice, + capability sys_boot, capability sys_ptrace, capability sys_resource, capability sys_tty_config, @@ -62,164 +82,82 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { network inet6 dgram, network inet6 stream, network netlink raw, + network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> /efi/, - mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, - mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, - mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=tmpfs tmpfs -> /dev/shm/, + mount fstype=autofs systemd-1 -> @{efi}/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, - mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, - - mount /dev/** -> /boot/{,efi/}, - mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, - mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, - mount options=(rw move) -> @{sys}/fs/fuse/connections/, - mount options=(rw move) -> @{sys}/kernel/config/, - mount options=(rw move) -> @{sys}/kernel/debug/, - mount options=(rw move) -> @{sys}/kernel/tracing/, - mount options=(rw move) -> /dev/hugepages/, - mount options=(rw move) -> /dev/mqueue/, - mount options=(rw move) -> /efi/, - mount options=(rw move) -> /tmp/, - mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - mount options=(rw rshared) -> /, + mount options=(rw rslave) -> /, - mount options=(rw rslave) -> /dev/, - mount options=(rw slave) -> @{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, - remount @{run}/systemd/mount-rootfs/{,**}, - remount @{run}/systemd/unit-root/{,**}, - remount /, remount /snap/{,**}, - remount options=(ro bind) /boot/{,efi/}, - remount options=(ro noexec noatime bind) /var/snap/{,**}, - remount options=(ro nosuid bind) /dev/, - remount options=(ro nosuid nodev bind) /dev/hugepages/, - remount options=(ro nosuid nodev bind) /var/, - remount options=(ro nosuid nodev noexec bind) /boot/, - remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, - remount options=(ro nosuid nodev noexec bind) /efi/, - remount options=(ro nosuid noexec bind) /dev/pts/, - - umount /, - umount /dev/shm/, - umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/systemd/mount-rootfs/{,**}, - umount @{run}/systemd/namespace-@{rand6}/{,**}, - umount @{run}/systemd/unit-root/{,**}, + remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, + remount options=(ro bind nodev nosuid) /dev/hugepages/, + remount options=(ro bind noexec nosuid) /dev/pts/, + remount options=(ro bind nosuid) /dev/, + remount options=(ro bind) @{efi}/, + remount options=(ro bind) /, - pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + umount @{PROC}/sys/fs/binfmt_misc/, + umount @{run}/credentials/*/, mqueue (read getattr) type=posix /, - change_profile, - - signal receive set=(rtmin+23) peer=plymouthd, - signal receive set=(term hup cont), signal send, ptrace (read, readby), - unix send type=dgram, - - unix receive type=dgram peer=(label=systemd-timesyncd), - unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix type=dgram, + unix type=stream, #aa:dbus own bus=system name=org.freedesktop.systemd1 - # For stacked profiles - #aa:dbus own bus=system name=org.freedesktop.network1 - #aa:dbus own bus=system name=org.freedesktop.oom1 - #aa:dbus own bus=system name=org.freedesktop.resolve1 - #aa:dbus own bus=system name=org.freedesktop.timesync1 - - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /etc/update-motd.d/* Px, - /usr/share/*/** Px, - - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Systemd user: systemd --user - @{lib}/systemd/systemd px -> systemd-user, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Unit services - @{bin}/mount ix, - @{bin}/kill ix, - - # Shell based systemd unit services - # TODO: create unit profile for all of them - @{sbin}/ldconfig Px -> systemd-service, - @{bin}/mandb Px -> systemd-service, - @{bin}/savelog Px -> systemd-service, - @{coreutils_path} Px -> systemd-service, - @{sh_path} Px -> systemd-service, - - # Systemd profiles that need be stacked - #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd px -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd px -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved px -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd px -> systemd//&systemd-timesyncd, - - @{lib}/ r, - / r, - /*/ r, - /boot/efi/ r, - /snap/*/@{int}/ r, - /var/cache/*/ r, - /var/lib/*/ r, - /var/tmp/ r, + @{exec_path} mrix, + @{sh_path} mr, + + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sd, + + # Systemd system generators. Profiles must exist + @{lib}/netplan/generate mPx, + @{lib}/systemd/system-environment-generators/* mPx, + @{lib}/systemd/system-generators/* mPx, @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, - /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/credstore.encrypted/{,**} r, - /etc/credstore/{,**} r, /etc/default/{,**} r, - /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, + /etc/systemd/system/** w, /etc/udev/hwdb.d/{,**} r, - /etc/systemd/system/multi-user.target.wants/{,*} w, - /var/log/dmesg rw, - /var/lib/systemd/{,**} rw, - owner /var/tmp/systemd-private-*/{,**} rw, + #aa:only pacman + # It is unclear why this is needed here and not in sd + /etc/pacman.d/gnupg/S.dirmngr w, + /etc/pacman.d/gnupg/S.gpg-agent w, + /etc/pacman.d/gnupg/S.gpg-agent.browser w, + /etc/pacman.d/gnupg/S.gpg-agent.extra w, + /etc/pacman.d/gnupg/S.gpg-agent.ssh w, + /etc/pacman.d/gnupg/S.keyboxd w, - /tmp/namespace-dev-@{rand6}/{,**} rw, - /tmp/systemd-private-*/{,**} rw, + @{efi}/ r, + /snap/*/@{int}/ r, + + /tmp/ r, + /var/tmp/ r, + owner /tmp/systemd-private-*/{,**} rw, + owner /var/tmp/systemd-private-*/{,**} rw, - @{att}/@{run}/systemd/journal/socket r, @{att}/@{run}/systemd/journal/dev-log r, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/notify r, @{run}/ rw, @{run}/* rw, @@ -228,10 +166,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, @{run}/udev/data/c4:@{int} r, # For TTY devices @@ -242,37 +176,28 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, + @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/class/sound/ r, - @{sys}/devices/@{pci}/** r, - @{sys}/devices/**/net/** r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, - @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, + @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/coredump_filter r, - @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, @@ -280,32 +205,32 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sysvipc/{shm,sem,msg} r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/1/coredump_filter r, + owner @{PROC}/1/fdinfo/@{int} r, + owner @{PROC}/1/gid_map r, + owner @{PROC}/1/oom_score_adj rw, + owner @{PROC}/1/setgroups r, + owner @{PROC}/1/uid_map r, /dev/autofs r, + /dev/dri/card@{int} rw, /dev/input/ r, /dev/kmsg w, + /dev/tty rw, /dev/tty@{int} rw, owner /dev/console rwk, - owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, - owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ rw, + owner /dev/shm/ r, owner /dev/ttyS@{int} rwk, - profile systemctl { - include - include - - include if exists - include if exists - } - include if exists include if exists } From 3dc8a74ec09ceb8f18c6a69e7d6b61f8b40f81f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:16:26 +0200 Subject: [PATCH 0177/1736] feat(fsp): rewrite the systemd-user profile. --- apparmor.d/groups/_full/systemd-user | 85 ++++++---------------------- 1 file changed, 17 insertions(+), 68 deletions(-) diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index b0b3272a1a..3b0d01709e 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -11,8 +11,6 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -# TODO: rework this to get a controlled environment. cf comments in systemd profile. - abi , include @@ -27,76 +25,46 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal send set=(term, cont, kill), - signal receive set=hup peer=@{p_systemd}, + signal send, + + ptrace read, - ptrace read peer=@{p_systemd}, + unix type=dgram peer=(label=@{p_sdu}), unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mr, - - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /opt/*/** Px, - /usr/share/*/** Px, - - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Shell based ystemd unit services - @{coreutils_path} Px -> systemd-user-service, - @{sh_path} Px -> systemd-user-service, - - # Dbus needs to be started without environment scrubbing - @{bin}/dbus-broker px -> dbus-session, - @{bin}/dbus-broker-launch px -> dbus-session, - @{bin}/dbus-daemon px -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + @{exec_path} mrix, - # Audio profiles need to be stacked - #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire Px -> systemd-user//&pipewire, - @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, - @{bin}/wireplumber Px -> systemd-user//&wireplumber, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sdu, - /usr/ r, - /usr/share/defaults/**.conf r, + # Systemd user generators. Profiles must exist + @{lib}/systemd/user-environment-generators/* Px, + @{lib}/systemd/user-generators/* Px, + @{etc_ro}/environment r, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, - / r, - - owner @{HOME}/.local/ w, - owner @{user_config_dirs}/systemd/user/{,**} rw, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, + @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, - @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, @@ -108,14 +76,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, - @{PROC}/1/environ r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -124,20 +89,14 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/coredump_filter r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/oom_score_adj rw, - - /dev/kmsg w, - /dev/tty rw, deny capability bpf, deny capability dac_override, @@ -149,16 +108,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { deny capability sys_boot, deny capability sys_resource, - profile systemctl { - include - include - - deny capability net_admin, - - include if exists - include if exists - } - include if exists include if exists } From dd2187552bf671f0075ae269e14d52bd0f75718e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:35:28 +0200 Subject: [PATCH 0178/1736] feat(fsp): remove the now deprecated generic system service profiles. --- apparmor.d/groups/_full/systemd-service | 77 -------------------- apparmor.d/groups/_full/systemd-user-service | 23 ------ dists/flags/main.flags | 1 - 3 files changed, 101 deletions(-) delete mode 100644 apparmor.d/groups/_full/systemd-service delete mode 100644 apparmor.d/groups/_full/systemd-user-service diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service deleted file mode 100644 index a53193cc52..0000000000 --- a/apparmor.d/groups/_full/systemd-service +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-service" exec transitions from the systemd profile. - -abi , - -include - -profile systemd-service flags=(attach_disconnected) { - include - include - include - - capability dac_read_search, - capability chown, - capability fsetid, - - @{sbin}/ldconfig rix, - @{bin}/savelog rix, - @{bin}/systemctl rix, - @{bin}/gzip rix, - @{coreutils_path} rix, - @{sh_path} rmix, - - # ifup@.service - @{bin}/ifup rPx, - - # shadow.service - @{sbin}/pwck rPx, - @{sbin}/grpck rPx, - - @{bin}/grub-editenv rPx, - @{bin}/ibus-daemon rPx, - - @{bin}/* r, - @{lib}/ r, - - /var/cache/ldconfig/{,**} rw, - - / r, - - /boot/grub/grubenv rw, - /boot/grub/ w, - - /var/spool/cron/atjobs/ r, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - # man-db.service - /usr/{,local/}share/man/{,**} r, - /etc/manpath.config r, - /var/cache/man/{,**} rwk, - - # snapd.system-shutdown.service - @{run}/initramfs/shutdown rw, - @{run}/initramfs/ rw, - - # cockpit.socket - @{run}/cockpit/@{rand8} rw, - @{run}/cockpit/motd w, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service deleted file mode 100644 index 0cb9efa493..0000000000 --- a/apparmor.d/groups/_full/systemd-user-service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. - -abi , - -include - -profile systemd-user-service flags=(attach_disconnected) { - include - include - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a73fee1295..5a6c7c526e 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -2,7 +2,6 @@ # File format: one profile by line using the format: ' ' systemd attach_disconnected,mediate_deleted,complain -systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain akonadi_akonotes_resource complain From 5940f0117b85538f3f91840a58a7583dbcc579bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:37:56 +0200 Subject: [PATCH 0179/1736] feat(fsp): add the new sdu profile as service and stacked profile manager for user. --- apparmor.d/groups/_full/sdu | 124 ++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 apparmor.d/groups/_full/sdu diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu new file mode 100644 index 0000000000..5ceb669f0c --- /dev/null +++ b/apparmor.d/groups/_full/sdu @@ -0,0 +1,124 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd-user profile. + +# sdu is a profile for SystemD-executor run as User, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd-user profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sdu.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sdu flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + + network netlink raw, + + change_profile, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd_user}), + + dbus bus=session, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Shell based user unit services + @{sh_path} Cx -> shell, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + / r, + @{bin}/* r, + @{sbin}/* r, + /usr/share/** r, + + owner @{desktop_local_dirs}/ w, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pulse/pid rw, + + owner @{user_state_dirs}/wireplumber/ r, + owner @{user_state_dirs}/wireplumber/stream-properties rw, + owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{int} r, + + @{run}/udev/data/c116:@{int} r, # for ALSA + + @{sys}/bus/ r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/sound/seq/uevent r, + @{sys}/devices/virtual/sound/timer/uevent r, + + @{sys}/module/apparmor/parameters/enabled r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, + + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/attr/apparmor/exec w, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + profile shell flags=(attach_disconnected,mediate_deleted,complain) { + include + + @{sh_path} mr, + @{bin}/systemctl Px -> sdu//systemctl, + + include if exists + } + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + audit capability net_admin, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From 9125686973a11c2a297d16621ec2859a061bf8bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:44:00 +0200 Subject: [PATCH 0180/1736] feat(fsp): add the new sdu profile as service and stacked profile manager for system. --- apparmor.d/groups/_full/sd | 246 +++++++++++++++++++++++++++++++++++++ 1 file changed, 246 insertions(+) create mode 100644 apparmor.d/groups/_full/sd diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd new file mode 100644 index 0000000000..974bc35445 --- /dev/null +++ b/apparmor.d/groups/_full/sd @@ -0,0 +1,246 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd is a profile for SystemD-executor run as root, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sd flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + include + + userns, + + capability audit_control, + capability audit_write, + capability bpf, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability linux_immutable, + capability mknod, + capability net_admin, + capability net_raw, + capability perfmon, + capability setfcap, + capability setgid, + capability setpcap, + capability setuid, + capability sys_admin, + capability sys_nice, + capability sys_ptrace, + capability sys_rawio, + capability sys_resource, + capability sys_time, + capability sys_tty_config, + capability syslog, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network netlink raw, + network packet dgram, + network packet raw, + network qipcrtr dgram, + + mount -> @{run}/systemd/mount-rootfs/{,**}, + mount -> @{run}/systemd/namespace-@{rand6}/{,**}, + mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/, + mount options=(rw rshared) -> /, + mount options=(rw rslave) -> /, + mount options=(rw rslave) -> /dev/, + mount options=(rw slave) -> @{run}/systemd/incoming/, + mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/, + + remount /dev/shm/, + remount @{run}/systemd/mount-rootfs/{,**}, + + umount /, + umount /dev/shm/, + umount @{run}/systemd/mount-rootfs/{,**}, + + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, + + change_profile, + + mqueue (read getattr) type=posix /, + + signal peer=sd//&*, + signal receive peer=@{p_systemd}, + signal send, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd}), + unix type=dgram peer=(label=systemd-timesyncd), + unix type=stream, + + dbus bus=system, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /etc/update-motd.d/* Px, + /usr/share/*/** Px, + + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, + + # Mount operations from services and systemd + @{bin}/mount Px -> sd-mount, + @{bin}/umount Px -> sd-umount, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Unit services + @{bin}/kill Cx -> kill, + + # Used by very basic services, ideally should be replaced by a unit profiles + @{sh_path} ix, + @{bin}/false ix, + @{bin}/true ix, + + # Required due to stacked profiles + @{bin}/grpck ix, + @{bin}/gzip ix, + @{bin}/install ix, + @{bin}/pwck ix, + @{bin}/readlink ix, + @{lib}/colord-sane ix, + @{lib}/systemd/systemd-nsresourcework ix, + @{lib}/systemd/systemd-userwork ix, + + / r, + @{att}/ r, + @{bin}/{,**} r, + @{lib}/{,**} r, + @{sbin}/{,*} r, + /usr/share/** r, + /etc/** rk, + /home/ r, + + @{efi}/ r, + @{efi}/** rw, + + @{att}/var/lib/systemd/*/ r, + + /var/cache/*/ rw, + /var/cache/*/** rwk, + /var/lib/*/ rw, + /var/lib/*/** rwk, + /var/lib/systemd/*/ r, + /var/log/** rw, + /var/log/journal/** rwl -> /var/log/journal/**, + + @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{user_share_dirs}/icc/edid-@{hex32}.icc r, + + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{att}/@{run}/systemd/notify rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + + @{run}/ rw, + @{run}/* rw, + @{run}/*/ rw, + @{run}/*/* rw, + @{run}/systemd/{,**} rw, + owner @{run}/*/** rw, + + @{run}/udev/**/ r, + @{run}/udev/data/* r, + + @{sys}/** r, + @{sys}/fs/bpf/systemd/{,**} w, + @{sys}/firmware/efi/efivars/** w, + @{sys}/fs/cgroup/{,**} w, + + @{PROC}/@{pid}/attr/apparmor/exec w, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map w, + @{PROC}/@{pid}/limits r, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/setgroups w, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pid}/uid_map w, + @{PROC}/cmdline r, + @{PROC}/interrupts r, + @{PROC}/irq/@{int}/node r, + @{PROC}/irq/@{int}/smp_affinity r, + @{PROC}/kmsg r, + @{PROC}/modules r, + @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/** r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sysvipc/* r, + @{PROC}/version_signature r, + + /dev/** rwk, + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + include if exists + include if exists + } + + profile kill flags=(attach_disconnected,mediate_deleted,complain) { + include + + signal send, + + @{bin}/kill mr, + + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From a194f28c21f15ee0ffd693eb5612ce198bcc75ab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:59:02 +0200 Subject: [PATCH 0181/1736] feat(fsp): add sd-mount. --- apparmor.d/groups/_full/sd-mount | 71 ++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-mount diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount new file mode 100644 index 0000000000..7f7dede600 --- /dev/null +++ b/apparmor.d/groups/_full/sd-mount @@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-mount is a subprofile of sd responsible to handle mounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-mount.d directory + +abi , + +include + +@{exec_path} = @{bin}/mount +profile sd-mount flags=(complain) { + include + include + + capability dac_read_search, + capability sys_admin, + + mount -> @{efi}/, + mount -> @{HOME}/{,**}, + mount -> @{HOMEDIRS}/, + mount -> @{MOUNTDIRS}/, + mount -> @{MOUNTS}/{,**}, + mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, + mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, + mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, + mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, + mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, + mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, + + mount options=(rw move) -> @{efi}, + mount options=(rw move) -> @{HOME}/{,**}, + mount options=(rw move) -> @{HOMEDIRS}/, + mount options=(rw move) -> @{MOUNTDIRS}/, + mount options=(rw move) -> @{MOUNTS}/{,**}, + mount options=(rw move) -> @{sys}/fs/fuse/connections/, + mount options=(rw move) -> @{sys}/kernel/config/, + mount options=(rw move) -> @{sys}/kernel/debug/, + mount options=(rw move) -> @{sys}/kernel/tracing/, + mount options=(rw move) -> /dev/hugepages/, + mount options=(rw move) -> /dev/mqueue/, + mount options=(rw move) -> /tmp/, + + @{exec_path} mr, + + /var/lib/snapd/snaps/*.snap r, + + @{run}/ r, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rwk, + + @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 8ff829542d4fea4e9366e7ed03a387637eb24c95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:13:04 +0200 Subject: [PATCH 0182/1736] feat(profile): add profile for some named minimal systemd service. --- .../cloud-init-hotplugd.service | 22 +++++++ .../systemd-service/debug-shell.service | 19 ++++++ .../groups/systemd-service/dmesg.service | 62 +++++++++++++++++++ .../systemd-service/grub-common.service | 28 +++++++++ .../groups/systemd-service/ldconfig.service | 23 +++++++ .../groups/systemd-service/man-db.service | 39 ++++++++++++ .../systemd-service/secureboot-db.service | 27 ++++++++ .../groups/systemd-service/shadow.service | 23 +++++++ .../snapd.system-shutdown.service | 28 +++++++++ .../system-update-cleanup.service | 22 +++++++ .../systemd-service/usb_modeswitch.service | 17 +++++ 11 files changed, 310 insertions(+) create mode 100644 apparmor.d/groups/systemd-service/cloud-init-hotplugd.service create mode 100644 apparmor.d/groups/systemd-service/debug-shell.service create mode 100644 apparmor.d/groups/systemd-service/dmesg.service create mode 100644 apparmor.d/groups/systemd-service/grub-common.service create mode 100644 apparmor.d/groups/systemd-service/ldconfig.service create mode 100644 apparmor.d/groups/systemd-service/man-db.service create mode 100644 apparmor.d/groups/systemd-service/secureboot-db.service create mode 100644 apparmor.d/groups/systemd-service/shadow.service create mode 100644 apparmor.d/groups/systemd-service/snapd.system-shutdown.service create mode 100644 apparmor.d/groups/systemd-service/system-update-cleanup.service create mode 100644 apparmor.d/groups/systemd-service/usb_modeswitch.service diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service new file mode 100644 index 0000000000..1b585c0cc1 --- /dev/null +++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/bash -c 'read args <&3; echo "args=$args"; \ +# exec /usr/bin/cloud-init devel hotplug-hook $args; \ +# exit 0' + +abi , + +include + +profile cloud-init-hotplugd.service { + include + + @{sh_path} ix, + @{bin}/cloud-init Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service new file mode 100644 index 0000000000..9f8e235cfe --- /dev/null +++ b/apparmor.d/groups/systemd-service/debug-shell.service @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=/usr/bin/bash + +abi , + +include + +profile debug-shell.service { + include + + all, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service new file mode 100644 index 0000000000..4c67f680a8 --- /dev/null +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg +# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname +# ExecStartPost=/bin/chgrp adm /var/log/dmesg +# ExecStartPost=/bin/chmod 0640 /var/log/dmesg + +abi , + +include + +profile dmesg.service flags=(attach_disconnected) { + include + include + + capability chown, + capability fsetid, + + ptrace read peer=@{p_systemd}, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chgrp rix, + @{bin}/chmod rix, + @{bin}/chown ix, + @{bin}/date ix, + @{bin}/dirname ix, + @{bin}/gzip ix, + @{bin}/gzip ix, + @{bin}/journalctl r, + @{bin}/ln ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/savelog rix, + @{bin}/touch ix, + + /etc/machine-id r, + + /var/log/ r, + /var/log/dmesg rw, + /var/log/dmesg.* rwl -> /var/log/dmesg, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, + + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service new file mode 100644 index 0000000000..4abd74fb10 --- /dev/null +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' +# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail +# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' + +abi , + +include + +profile grub-common.service { + include + + @{sh_path} rix, + @{bin}/grep ix, + @{bin}/grub-editenv rix, + @{bin}/mkdir ix, + @{bin}/rm ix, + + /boot/grub/ w, + /boot/grub/grubenv rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service new file mode 100644 index 0000000000..f7d193e9ec --- /dev/null +++ b/apparmor.d/groups/systemd-service/ldconfig.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /sbin/ldconfig -X + +abi , + +include + +profile ldconfig.service { + include + + @{lib}/ r, + @{sbin}/ldconfig r, + + /var/cache/ldconfig/aux-cache rw, + /var/cache/ldconfig/aux-cache~ rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service new file mode 100644 index 0000000000..24b34fc258 --- /dev/null +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/mandb --quiet + +abi , + +include + +profile man-db.service flags=(attach_disconnected) { + include + include + + @{bin}/install ix, + @{bin}/mandb r, + + /usr/{,local/}share/man/{,**} r, + + /etc/man_db.conf r, + /etc/manpath.config r, + + /usr/share/man/{,**} r, + /usr/local/man/{,**} r, + /usr/local/share/man/{,**} r, + + /usr/{,share/}man/{,**} r, + /usr/local/{,share/}man/{,**} r, + + /usr/share/**/man/man@{u8}/*.@{int}.gz r, + + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service new file mode 100644 index 0000000000..a951747be2 --- /dev/null +++ b/apparmor.d/groups/systemd-service/secureboot-db.service @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose + +abi , + +include + +profile secureboot-db.service flags=(complain) { + include + + @{bin}/chattr ix, + @{bin}/sbkeysync PUx, + + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service new file mode 100644 index 0000000000..95f780b891 --- /dev/null +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile shadow.service flags=(attach_disconnected) { + include + include + + @{sh_path} rix, + @{sbin}/grpck Px -> &grpck, + @{sbin}/pwck Px -> &pwck, + + /etc/machine-id r, + /etc/shadow r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service new file mode 100644 index 0000000000..e8939006e9 --- /dev/null +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/mount /run -o remount,exec +# /bin/mkdir -p /run/initramfs +# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown + +abi , + +include + +profile snapd.system-shutdown.service { + include + + audit @{bin}/cp ix, + audit @{bin}/mkdir ix, + audit @{bin}/mount ix, + + @{lib}/snapd/system-shutdown r, + + @{run}/initramfs/ rw, + @{run}/initramfs/shutdown rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service new file mode 100644 index 0000000000..4166cb76c2 --- /dev/null +++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=rm -fv /system-update /etc/system-update + +abi , + +include + +profile system-update-cleanup.service { + include + + @{bin}/rm ix, + + /etc/system-update w, + /system-update w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service new file mode 100644 index 0000000000..00a62c933d --- /dev/null +++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile usb_modeswitch.service { + include + + @{sbin}/usb_modeswitch_dispatcher ix, + + include if exists +} + +# vim:syntax=apparmor From 1aa0142a6aa0b31732fdf286fea14e3600b2f76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:20:32 +0200 Subject: [PATCH 0183/1736] feat(fsp): add/update systemd drop in files with AppArmorProfile set to the target profile. --- systemd/full/system/apport-coredump-hook@.service | 2 ++ systemd/full/system/apt-news.service | 2 ++ systemd/full/system/bluetooth.service | 2 +- systemd/full/system/cloud-init-hotplugd.service | 2 ++ systemd/full/system/colord.service | 2 ++ systemd/full/system/debug-shell.service | 2 ++ systemd/full/system/dmesg.service | 2 ++ systemd/full/system/fwupd.service | 2 ++ systemd/full/system/grub-common.service | 2 ++ systemd/full/system/ldconfig.service | 2 ++ systemd/full/system/logrotate.service | 2 ++ systemd/full/system/low-memory-monitor.service | 3 --- systemd/full/system/man-db.service | 2 ++ systemd/full/system/paccache.service | 2 -- systemd/full/system/passim.service | 2 -- systemd/full/system/pcscd.service | 2 ++ systemd/full/system/power-profiles-daemon.service | 2 ++ systemd/full/system/reflector.service | 2 -- systemd/full/system/rsyslog.service | 2 ++ systemd/full/system/secureboot-db.service | 2 ++ systemd/full/system/shadow.service | 3 +-- systemd/full/system/snapd.system-shutdown.service | 2 ++ systemd/full/system/system-update-cleanup.service | 2 ++ systemd/full/system/systemd-coredump@.service | 2 ++ systemd/full/system/systemd-initctl.service | 2 ++ systemd/full/system/systemd-journal-remote.service | 2 ++ systemd/full/system/systemd-nsresourced.service | 2 ++ systemd/full/system/systemd-oomd.service | 2 ++ systemd/full/system/systemd-rfkill.service | 2 ++ systemd/full/system/systemd-timesyncd.service | 2 ++ systemd/full/system/usb_modeswitch@.service | 2 ++ 31 files changed, 52 insertions(+), 12 deletions(-) create mode 100644 systemd/full/system/apport-coredump-hook@.service create mode 100644 systemd/full/system/apt-news.service create mode 100644 systemd/full/system/cloud-init-hotplugd.service create mode 100644 systemd/full/system/colord.service create mode 100644 systemd/full/system/debug-shell.service create mode 100644 systemd/full/system/dmesg.service create mode 100644 systemd/full/system/fwupd.service create mode 100644 systemd/full/system/grub-common.service create mode 100644 systemd/full/system/ldconfig.service create mode 100644 systemd/full/system/logrotate.service delete mode 100644 systemd/full/system/low-memory-monitor.service create mode 100644 systemd/full/system/man-db.service delete mode 100644 systemd/full/system/paccache.service delete mode 100644 systemd/full/system/passim.service create mode 100644 systemd/full/system/pcscd.service create mode 100644 systemd/full/system/power-profiles-daemon.service delete mode 100644 systemd/full/system/reflector.service create mode 100644 systemd/full/system/rsyslog.service create mode 100644 systemd/full/system/secureboot-db.service create mode 100644 systemd/full/system/snapd.system-shutdown.service create mode 100644 systemd/full/system/system-update-cleanup.service create mode 100644 systemd/full/system/systemd-coredump@.service create mode 100644 systemd/full/system/systemd-initctl.service create mode 100644 systemd/full/system/systemd-journal-remote.service create mode 100644 systemd/full/system/systemd-nsresourced.service create mode 100644 systemd/full/system/systemd-oomd.service create mode 100644 systemd/full/system/systemd-rfkill.service create mode 100644 systemd/full/system/systemd-timesyncd.service create mode 100644 systemd/full/system/usb_modeswitch@.service diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service new file mode 100644 index 0000000000..73bbc99d82 --- /dev/null +++ b/systemd/full/system/apport-coredump-hook@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apport \ No newline at end of file diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service new file mode 100644 index 0000000000..d7bf885ddc --- /dev/null +++ b/systemd/full/system/apt-news.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apt_news diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service index 03d3528901..5cccff422a 100644 --- a/systemd/full/system/bluetooth.service +++ b/systemd/full/system/bluetooth.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&bluetoothd \ No newline at end of file diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service new file mode 100644 index 0000000000..a2a121fc37 --- /dev/null +++ b/systemd/full/system/cloud-init-hotplugd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&cloud-init-hotplugd.service diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service new file mode 100644 index 0000000000..9a64fbc26c --- /dev/null +++ b/systemd/full/system/colord.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&colord diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service new file mode 100644 index 0000000000..f895f79410 --- /dev/null +++ b/systemd/full/system/debug-shell.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=debug-shell.service \ No newline at end of file diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service new file mode 100644 index 0000000000..d4647117b8 --- /dev/null +++ b/systemd/full/system/dmesg.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=dmesg.service \ No newline at end of file diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service new file mode 100644 index 0000000000..5054a73d66 --- /dev/null +++ b/systemd/full/system/fwupd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&fwupd \ No newline at end of file diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service new file mode 100644 index 0000000000..8520aea760 --- /dev/null +++ b/systemd/full/system/grub-common.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=grub-common.service \ No newline at end of file diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service new file mode 100644 index 0000000000..1b2a9c287a --- /dev/null +++ b/systemd/full/system/ldconfig.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=ldconfig.service \ No newline at end of file diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service new file mode 100644 index 0000000000..bc984e0255 --- /dev/null +++ b/systemd/full/system/logrotate.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&logrotate \ No newline at end of file diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service deleted file mode 100644 index dabf76f3a5..0000000000 --- a/systemd/full/system/low-memory-monitor.service +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -NoNewPrivileges=no - diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service new file mode 100644 index 0000000000..d3a78dd80e --- /dev/null +++ b/systemd/full/system/man-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=man-db.service \ No newline at end of file diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service deleted file mode 100644 index 03d3528901..0000000000 --- a/systemd/full/system/paccache.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service deleted file mode 100644 index 03d3528901..0000000000 --- a/systemd/full/system/passim.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service new file mode 100644 index 0000000000..8d39f3f26e --- /dev/null +++ b/systemd/full/system/pcscd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pcscd diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service new file mode 100644 index 0000000000..45c5ed93b6 --- /dev/null +++ b/systemd/full/system/power-profiles-daemon.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&power-profiles-daemon \ No newline at end of file diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service deleted file mode 100644 index 03d3528901..0000000000 --- a/systemd/full/system/reflector.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service new file mode 100644 index 0000000000..6b49a73f09 --- /dev/null +++ b/systemd/full/system/rsyslog.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&rsyslogd diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service new file mode 100644 index 0000000000..722781b8a6 --- /dev/null +++ b/systemd/full/system/secureboot-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=secureboot-db.service diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service index dabf76f3a5..52d2f644c3 100644 --- a/systemd/full/system/shadow.service +++ b/systemd/full/system/shadow.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no - +AppArmorProfile=&shadow.service diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service new file mode 100644 index 0000000000..7953d522a6 --- /dev/null +++ b/systemd/full/system/snapd.system-shutdown.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=snapd.system-shutdown.service \ No newline at end of file diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service new file mode 100644 index 0000000000..24c914f77f --- /dev/null +++ b/systemd/full/system/system-update-cleanup.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=system-update-cleanup.service \ No newline at end of file diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service new file mode 100644 index 0000000000..d136247092 --- /dev/null +++ b/systemd/full/system/systemd-coredump@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-coredump diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service new file mode 100644 index 0000000000..e44c8767fe --- /dev/null +++ b/systemd/full/system/systemd-initctl.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-initctl \ No newline at end of file diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service new file mode 100644 index 0000000000..e08cf75a9f --- /dev/null +++ b/systemd/full/system/systemd-journal-remote.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-journal-remote \ No newline at end of file diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service new file mode 100644 index 0000000000..2dc668b80d --- /dev/null +++ b/systemd/full/system/systemd-nsresourced.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-nsresourced diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service new file mode 100644 index 0000000000..c384626ee6 --- /dev/null +++ b/systemd/full/system/systemd-oomd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-oomd diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service new file mode 100644 index 0000000000..4abf222d5c --- /dev/null +++ b/systemd/full/system/systemd-rfkill.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-rfkill diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service new file mode 100644 index 0000000000..0cd6fefbfb --- /dev/null +++ b/systemd/full/system/systemd-timesyncd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-timesyncd diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service new file mode 100644 index 0000000000..0eca1db25c --- /dev/null +++ b/systemd/full/system/usb_modeswitch@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=usb_modeswitch.service \ No newline at end of file From d5a65ba8319d63faa358abfc55c51e5fd77bc3f3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:26:18 +0200 Subject: [PATCH 0184/1736] feat(profile): add a few small profile needed by fsp. --- apparmor.d/profiles-a-f/e2scrub | 18 ++++++++++++++++ .../open-iscsi-net-interface-handler | 19 +++++++++++++++++ apparmor.d/profiles-s-z/u-d-c-print-pci-ids | 19 +++++++++++++++++ .../udev-bridge-network-interface | 21 +++++++++++++++++++ 4 files changed, 77 insertions(+) create mode 100644 apparmor.d/profiles-a-f/e2scrub create mode 100644 apparmor.d/profiles-m-r/open-iscsi-net-interface-handler create mode 100644 apparmor.d/profiles-s-z/u-d-c-print-pci-ids create mode 100644 apparmor.d/profiles-s-z/udev-bridge-network-interface diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub new file mode 100644 index 0000000000..2e7e88487c --- /dev/null +++ b/apparmor.d/profiles-a-f/e2scrub @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/e2scrub +profile e2scrub @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler new file mode 100644 index 0000000000..2593b78ac7 --- /dev/null +++ b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/open-iscsi/net-interface-handler +profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids new file mode 100644 index 0000000000..2ae7f66ef3 --- /dev/null +++ b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/u-d-c-print-pci-ids +profile u-d-c-print-pci-ids @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface new file mode 100644 index 0000000000..7e3ba52f97 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bridge-network-interface @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bridge-network-interface +profile udev-bridge-network-interface @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + /etc/default/bridge-utils r, + + include if exists +} + +# vim:syntax=apparmor From 3984cf8accfaf48badb6f6ad9916a392bde499d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:27:55 +0200 Subject: [PATCH 0185/1736] feat(profile): initial profile for pollinate. --- apparmor.d/profiles-m-r/pollinate | 48 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pollinate diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate new file mode 100644 index 0000000000..5a10cc9e29 --- /dev/null +++ b/apparmor.d/profiles-m-r/pollinate @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pollinate +profile pollinate @{exec_path} { + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/curl rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-query rpx, + @{bin}/hostname rix, + @{bin}/logger rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/xxd rix, + + /etc/cloud/build.info r, + /etc/default/pollinate r, + /etc/lsb-release r, + /etc/pollinate/{,**} r, + + owner /var/cache/pollinate/seeded w, + + owner /tmp/pollinate.@{rand12}/{,**} rw, + + @{PROC}/uptime r, + + /dev/urandom w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5a6c7c526e..2736540a80 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -266,6 +266,7 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +pollinate complain ptyxis complain ptyxis-agent complain pycompile complain From 7f684ee5ddd420231cf92381e3e86b9f52468456 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:29:52 +0200 Subject: [PATCH 0186/1736] feat(profile): integrate fsp with apt and ubuntu. --- apparmor.d/groups/apt/apt-methods-http | 5 +++-- apparmor.d/groups/apt/dpkg-script-apparmor | 1 + apparmor.d/groups/apt/dpkg-script-systemd | 3 +++ apparmor.d/groups/apt/dpkg-scripts | 3 +++ apparmor.d/groups/apt/unattended-upgrade | 2 ++ apparmor.d/groups/ubuntu/cron-ubuntu-fan | 8 +------- apparmor.d/groups/ubuntu/update-notifier-crash | 9 +++++++++ 7 files changed, 22 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0b375c8f82..7fb3a2cc41 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} { +profile apt-methods-http @{exec_path} flags=(attach_disconnected) { include include include @@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, + signal receive peer=@{p_apt_news}, + signal receive peer=@{p_packagekitd}, signal receive peer=apt-get, signal receive peer=apt, signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, signal receive peer=role_*, signal receive peer=synaptic, signal receive peer=ubuntu-advantage, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 73b14390aa..e9a03f2823 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} { /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/format r, /var/lib/dpkg/status r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 4acafd1392..8ca92515ce 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} { /etc/systemd/system/*.wants/ rw, /etc/systemd/system/*.wants/* rw, + /etc/pam.d/sed@{rand6} rw, + /etc/pam.d/common-password rw, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 4fb4d04c48..3102b23bb4 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything + # PU is only used as a safety fallback. @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, @@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} { include include + capability dac_read_search, + dbus send bus=system path=/ interface=org.freedesktop.DBus member=ReloadConfig diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 95b8b27608..c2d94e25a1 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, + network inet dgram, + network inet6 dgram, network netlink raw, signal send peer=apt-methods-http, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 8f5952d9ba..3ca55909df 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/fanctl rix, - @{bin}/flock rix, + @{sbin}/fanctl rPx, @{bin}/grep rix, - @{bin}/id rix, @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, - @{bin}/touch rix, /etc/network/fan r, - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index b3cbf7f073..3ad03eb054 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -12,8 +12,17 @@ profile update-notifier-crash @{exec_path} { @{exec_path} mr, + @{bin}/systemctl Cx -> systemctl, + /usr/share/apport/apport-checkreports Px, + profile systemctl { + include + include + + include if exists + } + include if exists } From 38c6e35a1b0e5af40b06a50484e4b95a86f45581 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:33:37 +0200 Subject: [PATCH 0187/1736] feat(profile): add some ubuntu specific profiles. --- apparmor.d/groups/ubuntu/apt_news | 39 +++++++++++++++++++++++++ apparmor.d/groups/ubuntu/fanctl | 33 +++++++++++++++++++++ apparmor.d/groups/ubuntu/ubuntu-fan-net | 24 +++++++++++++++ dists/flags/ubuntu.flags | 3 ++ 4 files changed, 99 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/apt_news create mode 100644 apparmor.d/groups/ubuntu/fanctl create mode 100644 apparmor.d/groups/ubuntu/ubuntu-fan-net diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news new file mode 100644 index 0000000000..faf15dfbe4 --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt_news @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py +profile apt_news @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability kill, + capability setgid, + capability setuid, + + signal send set=int peer=apt-methods-*, + + @{exec_path} mr, + + @{lib}/apt/methods/* Px, + + /etc/ubuntu-advantage/uaclient.conf r, + + @{run}/ubuntu-advantage/ rw, + @{run}/ubuntu-advantage/apt-news/{,**} rw, + + owner @{run}/ubuntu-advantage/apt-news/** rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl new file mode 100644 index 0000000000..ef278da63f --- /dev/null +++ b/apparmor.d/groups/ubuntu/fanctl @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/fanctl +profile fanctl @{exec_path} flags=(attach_disconnected) { + include + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/flock ix, + @{bin}/id ix, + @{bin}/touch ix, + @{bin}/mkdir ix, + @{bin}/ip ix, + @{bin}/sed ix, + + /etc/network/fan r, + + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net new file mode 100644 index 0000000000..f9d7c01f53 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-fan/fan-net +profile ubuntu-fan-net @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} mr, + @{bin}/{m,g,}awk ix, + @{bin}/grep ix, + @{bin}/networkctl Px, + @{sbin}/fanctl Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index a6d6bcc850..7339702a2d 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1,12 +1,14 @@ apport attach_disconnected,complain apport-checkreports complain apport-gtk complain +apt_news attach_disconnected,complain apt-esm-hook complain apt-esm-json-hook complain apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain @@ -18,6 +20,7 @@ software-properties-gtk complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain +ubuntu-fan-net attach_disconnected,complain ubuntu-report complain update-manager attach_disconnected,complain update-motd-fsck-at-reboot complain From 28d9d48de457eb5d2db6a065d1341386479bc27f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:39:35 +0200 Subject: [PATCH 0188/1736] feat(profile): small update to systemd profiles. --- apparmor.d/groups/systemd/bootctl | 27 ++++++++----------- apparmor.d/groups/systemd/homectl | 2 +- .../systemd/systemd-generator-ds-identify | 4 +-- apparmor.d/groups/systemd/systemd-logind | 2 +- .../systemd/systemd-networkd-wait-online | 2 +- apparmor.d/groups/systemd/systemd-nsresourced | 7 +++-- 6 files changed, 21 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 9508cfcf27..f7d001c703 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} flags=(attach_disconnected) { +profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -17,27 +17,22 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (send) peer=child-pager, + signal send peer=child-pager, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{pager_path} rPx -> child-pager, @{efi}/ r, - @{efi}/EFI/{,**} r, - @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - @{efi}/EFI/BOOT/BOOTX64.EFI w, - @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - @{efi}/EFI/systemd/systemd-boot*.efi w, - @{efi}/loader/.#bootctlrandom-seed@{hex} rw, - @{efi}/loader/.#entries.srel* w, - @{efi}/loader/{,**} r, - @{efi}/loader/entries.srel w, - @{efi}/loader/random-seed w, - - /etc/kernel/entry-token r, + @{efi}/@{hex32}/ rw, + @{efi}/EFI/{,**} rwl, + @{efi}/loader/ rw, + @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, + + /etc/kernel/.#entry-token@{hex16} rw, + /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, @@ -63,7 +58,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index 3a78c531ee..3c962e3095 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homectl -profile homectl @{exec_path} { +profile homectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index 346e7d94eb..ba6141d863 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -12,16 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @{sh_path} rix, - @{sbin}/blkid rPx, @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, + @{sbin}/blkid rPx, /etc/cloud/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 39192e7e19..b1869b16b5 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -30,7 +30,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { mqueue getattr type=posix /, mqueue r type=posix /, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 0d5e407304..c36b5af396 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online -profile systemd-networkd-wait-online @{exec_path} flags=(complain) { +profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced index d1beae4280..97dcb3b057 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourced +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-nsresourced -profile systemd-nsresourced @{exec_path} { +profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { include include @@ -19,7 +19,7 @@ profile systemd-nsresourced @{exec_path} { @{exec_path} mr, - @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework, + @{lib}/systemd/systemd-nsresourcework ix, # no new privs @{run}/systemd/nsresource/ rw, @{run}/systemd/nsresource/** rw, @@ -32,6 +32,9 @@ profile systemd-nsresourced @{exec_path} { @{sys}/kernel/btf/vmlinux r, @{sys}/kernel/security/lsm r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + include if exists } From 581a55c7269cccd518baf9f65c5078edecaffcb4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:40:49 +0200 Subject: [PATCH 0189/1736] feat(profile): update systemd-homework/homed as they get stacked. --- apparmor.d/groups/systemd/systemd-homed | 20 ++++++-- apparmor.d/groups/systemd/systemd-homework | 58 +++++++++++++++++++++- 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index a89cd90f89..c53be3a353 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -14,6 +14,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include + userns, + capability chown, capability dac_override, capability dac_read_search, @@ -24,6 +26,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, + capability sys_ptrace, capability sys_resource, network inet dgram, @@ -32,16 +35,24 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount options=(rw, rslave) -> @{run}/, - mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw private) -> @{run}/systemd/user-home-mount/, + mount options=(rw rslave) -> @{run}/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework, + @{lib}/systemd/systemd-homework rPx -> &systemd-homework, @{sbin}/mkfs.btrfs rPx, @{sbin}/mkfs.fat rPx, @{sbin}/mke2fs rPx, @@ -74,9 +85,12 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index f0fe98a168..b81c196f84 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -7,14 +7,68 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} { +profile systemd-homework @{exec_path} flags=(attach_disconnected) { include - include include + include + include + + userns, + + capability chown, + capability fowner, + capability fsetid, + capability setfcap, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network netlink raw, + + mount options=(rw rslave) -> @{run}/, + mount -> @{run}/systemd/user-home-mount/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, @{exec_path} mr, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, + /etc/machine-id r, + /etc/skel/{,**} r, + + /var/cache/systemd/home/{,**} rw, + + @{HOMEDIRS}/ r, + @{HOMEDIRS}/.#homework@{user}.* rw, + @{HOMEDIRS}/@{user}.home rw, + + @{run}/ r, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/* rwk, + @{run}/systemd/user-home-mount/ rw, + @{run}/systemd/user-home-mount/@{user}/{,**} rw, + + @{sys}/fs/ r, + + @{PROC}/devices r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/uid_map w, + + /dev/loop-control rwk, + /dev/loop@{int} rw, + /dev/mapper/control rw, include if exists } From 9325dd5ca0cb1f37bda1d2abd90333cacb2d9958 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:43:19 +0200 Subject: [PATCH 0190/1736] feat(profile): revisit systemd-udevd and ensure most program get transitionned confined. --- apparmor.d/groups/systemd/systemd-udevd | 66 ++++++++++++++----------- 1 file changed, 36 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 3861056b82..9c993e0d5d 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -37,44 +37,45 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{pager_path} rPx -> child-pager, - @{bin}/*-print-pci-ids rix, - @{sbin}/alsactl rPUx, - @{bin}/ddcutil rPx, - @{sbin}/dmsetup rPx, - @{sbin}/ethtool rix, - @{sbin}/issue-generator rPx, - @{sbin}/kdump-config rPUx, - @{bin}/kmod rPx, - @{bin}/logger rix, - @{bin}/ls rix, - @{sbin}/lvm rPx, - @{bin}/mknod rix, - @{sbin}/multipath rPx, - @{bin}/nfsrahead rix, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rix, - @{bin}/unshare rix, - @{bin}/vmmouse_detect rPUx, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/mknod rix, + @{bin}/nfsrahead rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/systemd-run rix, # TODO: rCx -> run, + @{bin}/unshare rix, + @{sbin}/ethtool rix, + + @{bin}/ddcutil rPx, + @{bin}/kmod rCx -> kmod, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/vmmouse_detect rPx, + @{pager_path} rPx -> child-pager, + @{sbin}/alsactl rPx, + @{sbin}/dmsetup rPx, + @{sbin}/issue-generator rPx, + @{sbin}/kdump-config rPx, + @{sbin}/lvm rPx, + @{sbin}/multipath rPx, + @{sbin}/u-d-c-print-pci-ids rPx, @{lib}/crda/* rPUx, @{lib}/gdm-runtime-config rPx, @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPUx, + @{lib}/open-iscsi/net-interface-handler rPx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, /etc/machine-id r, @@ -120,6 +121,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /dev/ rw, /dev/** rwk, + profile kmod flags=(attach_disconnected,complain) { + include + include + + include if exists + } + profile systemctl flags=(attach_disconnected,complain) { include include @@ -127,8 +135,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - # / r, - include if exists } From 32a9806219898f6c5a25b7efb3a15320ff7af24a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:52:40 +0200 Subject: [PATCH 0191/1736] feat(fsp): update systemd user drop in files with AppArmorProfile set to the target profile. --- systemd/full/user/filter-chain.service | 2 ++ systemd/full/user/pipewire-media-session.service | 5 ----- systemd/full/user/pipewire-pulse.service | 2 ++ systemd/full/user/pipewire.service | 2 ++ systemd/full/user/wireplumber.service | 2 ++ systemd/full/user/wireplumber@.service | 2 ++ 6 files changed, 10 insertions(+), 5 deletions(-) create mode 100644 systemd/full/user/filter-chain.service delete mode 100644 systemd/full/user/pipewire-media-session.service create mode 100644 systemd/full/user/pipewire-pulse.service create mode 100644 systemd/full/user/pipewire.service create mode 100644 systemd/full/user/wireplumber.service create mode 100644 systemd/full/user/wireplumber@.service diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service new file mode 100644 index 0000000000..4dd212f513 --- /dev/null +++ b/systemd/full/user/filter-chain.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service deleted file mode 100644 index c392e82fe4..0000000000 --- a/systemd/full/user/pipewire-media-session.service +++ /dev/null @@ -1,5 +0,0 @@ -[Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -LockPersonality=no -RestrictNamespaces=no diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service new file mode 100644 index 0000000000..1d35a493ef --- /dev/null +++ b/systemd/full/user/pipewire-pulse.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire-pulse \ No newline at end of file diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service new file mode 100644 index 0000000000..4dd212f513 --- /dev/null +++ b/systemd/full/user/pipewire.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service new file mode 100644 index 0000000000..c47175f403 --- /dev/null +++ b/systemd/full/user/wireplumber.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service new file mode 100644 index 0000000000..c47175f403 --- /dev/null +++ b/systemd/full/user/wireplumber@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file From 60b91279162036a7d1a55df72d40977387fe1336 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:53:47 +0200 Subject: [PATCH 0192/1736] feat(profile): update pipewire profiles. --- apparmor.d/groups/freedesktop/pipewire-pulse | 8 +++++++- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/wireplumber | 4 ++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index 530fa97dba..fddbe02f7b 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -11,15 +11,18 @@ include profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include + include + include include capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @{bin}/pactl rix, + @{bin}/pipewire mr, /usr/share/pipewire/{,**} r, @@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/module/apparmor/parameters/enabled r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index fab642571c..05e4c3ec2a 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -82,9 +82,9 @@ profile pulseaudio @{exec_path} { owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/pulse/{,**} rw, - owner @{desktop_config_dirs}/pulse/cookie k, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/pulse/{,**} rw, + owner @{desktop_config_dirs}/pulse/cookie k, owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aa6928298d..0925bad91b 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -75,6 +75,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/1/cgroup r, + @{PROC}/1/cmdline r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, From d9cfef3e5d5a0bc035383e82d4cc69a9a25c0435 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:03:11 +0200 Subject: [PATCH 0193/1736] refractor(profile): move systemd generators to their own group --- .../{systemd => systemd-generators}/systemd-generator-bless-boot | 0 .../{systemd => systemd-generators}/systemd-generator-cloud-init | 0 .../{systemd => systemd-generators}/systemd-generator-cryptsetup | 0 .../{systemd => systemd-generators}/systemd-generator-debug | 0 .../{systemd => systemd-generators}/systemd-generator-ds-identify | 0 .../systemd-generator-environment-arch | 0 .../systemd-generator-environment-flatpak | 0 .../systemd-generator-friendly-recovery | 0 .../{systemd => systemd-generators}/systemd-generator-fstab | 0 .../{systemd => systemd-generators}/systemd-generator-getty | 0 .../{systemd => systemd-generators}/systemd-generator-gpt-auto | 0 .../systemd-generator-hibernate-resume | 0 .../systemd-generator-integritysetup | 0 .../{systemd => systemd-generators}/systemd-generator-ostree | 0 .../{systemd => systemd-generators}/systemd-generator-rc-local | 0 .../groups/{systemd => systemd-generators}/systemd-generator-run | 0 .../{systemd => systemd-generators}/systemd-generator-snapd | 0 .../{systemd => systemd-generators}/systemd-generator-sshd-socket | 0 .../systemd-generator-system-update | 0 .../groups/{systemd => systemd-generators}/systemd-generator-sysv | 0 .../systemd-generator-user-autostart | 0 .../systemd-generator-user-environment | 0 .../{systemd => systemd-generators}/systemd-generator-veritysetup | 0 23 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-bless-boot (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cloud-init (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cryptsetup (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-debug (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ds-identify (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-arch (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-flatpak (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-friendly-recovery (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-fstab (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-getty (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-gpt-auto (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-hibernate-resume (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-integritysetup (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ostree (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-rc-local (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-run (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-snapd (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sshd-socket (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-system-update (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sysv (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-autostart (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-environment (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-veritysetup (100%) diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-bless-boot rename to apparmor.d/groups/systemd-generators/systemd-generator-bless-boot diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cloud-init rename to apparmor.d/groups/systemd-generators/systemd-generator-cloud-init diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cryptsetup rename to apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-debug rename to apparmor.d/groups/systemd-generators/systemd-generator-debug diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ds-identify rename to apparmor.d/groups/systemd-generators/systemd-generator-ds-identify diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-arch rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-arch diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-flatpak rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak diff --git a/apparmor.d/groups/systemd/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-friendly-recovery rename to apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-fstab rename to apparmor.d/groups/systemd-generators/systemd-generator-fstab diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-getty rename to apparmor.d/groups/systemd-generators/systemd-generator-getty diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-gpt-auto rename to apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-hibernate-resume rename to apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-integritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-integritysetup diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ostree rename to apparmor.d/groups/systemd-generators/systemd-generator-ostree diff --git a/apparmor.d/groups/systemd/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-rc-local rename to apparmor.d/groups/systemd-generators/systemd-generator-rc-local diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd-generators/systemd-generator-run similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-run rename to apparmor.d/groups/systemd-generators/systemd-generator-run diff --git a/apparmor.d/groups/systemd/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-snapd rename to apparmor.d/groups/systemd-generators/systemd-generator-snapd diff --git a/apparmor.d/groups/systemd/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-sshd-socket rename to apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-system-update rename to apparmor.d/groups/systemd-generators/systemd-generator-system-update diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-sysv rename to apparmor.d/groups/systemd-generators/systemd-generator-sysv diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-user-autostart rename to apparmor.d/groups/systemd-generators/systemd-generator-user-autostart diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-user-environment rename to apparmor.d/groups/systemd-generators/systemd-generator-user-environment diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-veritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-veritysetup From 3d76c98c4b65355203da9ffc4d1693b174d79163 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:05:34 +0200 Subject: [PATCH 0194/1736] feat(profile): add more systemd-generator profiles. --- .../systemd-generator-environment-snapd | 18 +++++++ .../systemd-generator-import | 31 ++++++++++++ .../systemd-generator-openvpn | 27 +++++++++++ .../systemd-generators/systemd-generator-ssh | 48 +++++++++++++++++++ .../systemd-generators/systemd-generator-tpm2 | 30 ++++++++++++ dists/flags/main.flags | 9 +++- 6 files changed, 161 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-import create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-openvpn create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-ssh create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-tpm2 diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd new file mode 100644 index 0000000000..b18bd6bd50 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator +profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import new file mode 100644 index 0000000000..36ff4e5ffc --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator +profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + / r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn new file mode 100644 index 0000000000..780c63d569 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator +profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/ls ix, + @{bin}/mkdir ix, + + /etc/default/openvpn r, + /etc/openvpn/ r, + + @{run}/systemd/generator/openvpn.service.wants/{,**} w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh new file mode 100644 index 0000000000..efb56468ef --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator +profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { + include + + capability net_admin, + + network vsock stream, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sbin}/sshd r, + + @{run}/ r, + @{run}/systemd/ r, + @{run}/systemd/generator/ r, + @{run}/systemd/generator/sockets.target.wants/ rw, + @{run}/systemd/generator/sockets.target.wants/*.socket w, + @{run}/systemd/generator/sshd-*.service w, + @{run}/systemd/generator/sshd-*.socket rw, + @{run}/systemd/system/ r, + @{run}/systemd/transient/ r, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + /dev/vsock r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 new file mode 100644 index 0000000000..4d601d0f93 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator +profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sys}/class/tpmrm/ r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2736540a80..6a030fe631 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -329,19 +329,24 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-environment-snapd attach_disconnected,complain systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain +systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain +systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain systemd-generator-snapd attach_disconnected,complain +systemd-generator-ssh attach_disconnected,complain systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain systemd-generator-sysv attach_disconnected,complain +systemd-generator-tpm2 attach_disconnected,complain systemd-generator-user-autostart attach_disconnected,complain systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain @@ -350,8 +355,8 @@ systemd-homework complain systemd-inhibit attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator complain -systemd-nsresourced complain +systemd-network-generator attach_disconnected,complain +systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain systemd-resolve complain From 89a17146103cadf12e83543d1f5cc3504fcca2b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:14:54 +0200 Subject: [PATCH 0195/1736] fix(profile): a few linting fixes. --- apparmor.d/groups/_full/sd | 4 ++-- apparmor.d/groups/_full/sd-mount | 2 +- apparmor.d/groups/_full/sdu | 2 +- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- tests/sbin.list | 1 - 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 974bc35445..106e368174 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -131,10 +131,10 @@ profile sd flags=(attach_disconnected,mediate_deleted) { @{bin}/true ix, # Required due to stacked profiles - @{bin}/grpck ix, + @{sbin}/grpck ix, @{bin}/gzip ix, @{bin}/install ix, - @{bin}/pwck ix, + @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount index 7f7dede600..1572a8f6de 100644 --- a/apparmor.d/groups/_full/sd-mount +++ b/apparmor.d/groups/_full/sd-mount @@ -36,7 +36,7 @@ profile sd-mount flags=(complain) { mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, - mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, mount options=(rw move) -> @{efi}, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 5ceb669f0c..411a8c3ad6 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -98,7 +98,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { profile shell flags=(attach_disconnected,mediate_deleted,complain) { include - + @{sh_path} mr, @{bin}/systemctl Px -> sdu//systemctl, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index ef278da63f..deee33dafb 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{bin}/ip ix, + @{sbin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index 3ad03eb054..dee094aa1c 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -19,7 +19,7 @@ profile update-notifier-crash @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 7aa812f79f..20575b2a89 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/wsdd +@{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 805ab8bf10..676bc4d56d 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1016,7 +1016,6 @@ wpa_supplicant wqlat-bpfcc writeback.bt wrmsr -wsdd xfs_admin xfs_bmap xfs_copy From e771ef77b8c9343f29a07c32c7d3955620a12169 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:18:39 +0200 Subject: [PATCH 0196/1736] tests(packer): update base images content. --- .../cloud-init/archlinux-gnome.user-data.yml | 35 +-------- tests/cloud-init/archlinux-kde.user-data.yml | 37 +--------- tests/cloud-init/archlinux.yml | 72 ++++++++++++++++--- tests/cloud-init/debian.yml | 32 +++++++++ tests/cloud-init/debian13-gnome.user-data.yml | 9 +++ tests/cloud-init/ubuntu.yml | 39 +++++++++- 6 files changed, 145 insertions(+), 79 deletions(-) create mode 100644 tests/cloud-init/debian13-gnome.user-data.yml diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index c292993c1e..d33f685b62 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,39 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - gnome - - gnome-extra - - seahorse - - alacarte +packages: *gnome-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index c89b3a25c8..cb4c4d3b0b 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -1,41 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular +packages: *kde-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index d860f1a1e9..5299efda02 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -1,37 +1,93 @@ #cloud-config -# Core packages for Archlinux core-packages: &core-packages - # Install core packages - apparmor - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 - qemu-guest-agent - rng-tools - spice-vdagent + - vim + - wget - # Install usefull core packages +gnome-packages: &gnome-packages + # Core packages for Archlinux + - apparmor + - base-devel - bash-completion + - docker - git - htop + - just - man - pass - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent - vim - wget -# Core desktop packages for Archlinux -desktop-packages: &desktop-packages - # Install basic services + # Desktop packages for Archlinux - networkmanager - cups - cups-pdf - system-config-printer - - # Install Applications + - chromium - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - alacarte + - gnome + - gnome-extra + - ptyxis + - seahorse + +kde-packages: &kde-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer - chromium + - firefox + - spice-vdagent - terminator + # Install Graphical Interface + - plasma-meta + - sddm + - ark + - dolphin + - konsole + - okular + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index cead162a4e..ea3012ad27 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -3,45 +3,77 @@ # Core packages for Debian core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim gnome-packages: &desktop-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Gnome packages for Debian - spice-vdagent - task-gnome-desktop - terminator + - loupe + - ptyxis kde-packages: &kubuntu-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # KDE packages for Debian diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml new file mode 100644 index 0000000000..0d5adfe17d --- /dev/null +++ b/tests/cloud-init/debian13-gnome.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *gnome-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index ba640e3afb..14db33251d 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -1,50 +1,81 @@ #cloud-config -# Core packages for Ubuntu core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim desktop-packages: &desktop-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu - spice-vdagent - terminator - ubuntu-desktop + - loupe + - ptyxis kubuntu-packages: &kubuntu-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu @@ -74,3 +105,9 @@ desktop-runcmd: &desktop-runcmd # Finally, remove things only installed as dependencies of other things # we have already removed. - apt-get -y autoremove + + # Ensure systemd-networkd is disabled + - systemctl disable systemd-networkd-wait-online.service + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket From d9e6e686e0186d94fab9a9fdecc7d2c48255d3d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 01:44:09 +0200 Subject: [PATCH 0197/1736] build: ignore all rule in abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76e..5fba837d5f 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` all`, ` # all`, }) ) From 2282128cbddc1017740071b8058c54bf7868e90c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:43:57 +0200 Subject: [PATCH 0198/1736] feat(fsp): setup RBAC mapping in auth enabled profiles. --- apparmor.d/groups/ssh/sshd | 15 ++++++++------- apparmor.d/groups/utils/chfn | 1 + apparmor.d/groups/utils/chsh | 1 + apparmor.d/groups/utils/login | 3 ++- apparmor.d/groups/utils/su | 5 +++-- apparmor.d/mappings/sudo/base | 30 ++++++++++++++++++++++++++++++ 6 files changed, 45 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/mappings/sudo/base diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 4b99aafd61..cc12a9eecf 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -25,6 +25,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -60,13 +61,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{sbin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/{openssh,ssh}/sftp-server rPx, - @{lib}/{openssh,ssh}/sshd-auth rPx, - @{lib}/{openssh,ssh}/sshd-session rix, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/false ix, + @{sbin}/nologin Px, + @{bin}/passwd Px, + @{lib}/{openssh,ssh}/sftp-server Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + @{lib}/{openssh,ssh}/sshd-session ix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 45b50c7adc..824d92bf46 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn @@ -15,6 +15,7 @@ profile chfn @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index e3581be31a..a630a77339 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,6 +15,7 @@ profile chsh @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6227f4fc51..c350014984 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -38,7 +39,7 @@ profile login @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{shells_path} rUx, + @{shells_path} Ux, #aa:exclude RBAC @{etc_ro}/environment r, @{etc_ro}/security/group.conf r, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 81e299d236..c4e83ddfa6 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,6 +12,7 @@ profile su @{exec_path} { include include include + include #aa:only RBAC capability chown, # pseudo-terminal @@ -21,8 +22,8 @@ profile su @{exec_path} { @{exec_path} mr, - @{bin}/@{shells} rUx, - @{sbin}/nologin rPx, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, @{etc_ro}/default/su r, /etc/default/locale r, diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base new file mode 100644 index 0000000000..95e3955015 --- /dev/null +++ b/apparmor.d/mappings/sudo/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by su/sudo to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor From 6c6e1c3456fce34164cf54189dc23080db02b54c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:49:16 +0200 Subject: [PATCH 0199/1736] feat(profile): minor fsp related improvment. --- apparmor.d/groups/freedesktop/colord | 5 +++-- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/network/tailscaled | 2 +- .../groups/systemd-service/snapd.system-shutdown.service | 6 +++--- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/profiles-g-l/ischroot | 2 +- 6 files changed, 10 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 031ba06051..ee2cdf42ea 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.ColorManager @{exec_path} mrix, + @{lib}/colord-sane ix, /etc/machine-id r, /etc/sane.d/{,**} r, @@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, - @{att}/@{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c4c24efc91..de86431002 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index fa6cd8ddda..bb877ec1a3 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -31,7 +31,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service index e8939006e9..ce819a7916 100644 --- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -13,9 +13,9 @@ include profile snapd.system-shutdown.service { include - audit @{bin}/cp ix, - audit @{bin}/mkdir ix, - audit @{bin}/mount ix, + @{bin}/cp ix, + @{bin}/mkdir ix, + @{bin}/mount ix, @{lib}/snapd/system-shutdown r, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index deee33dafb..ef278da63f 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index c5b848bab6..4e087343af 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ischroot -profile ischroot @{exec_path} { +profile ischroot @{exec_path} flags=(attach_disconnected) { include include From d76bc0b3be0cd9452083ed253d9cb46def7a5541 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:50:20 +0200 Subject: [PATCH 0200/1736] feat(profile): add initial profile for systemd-initctl. --- apparmor.d/groups/systemd/systemd-initctl | 27 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-initctl diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl new file mode 100644 index 0000000000..05f32a7f66 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-initctl @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-initctl +profile systemd-initctl @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + + unix type=stream addr=@@{udbus}/bus/systemd-initctl/, + + @{exec_path} mr, + + @{run}/initctl rw, + @{run}/systemd/notify rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6a030fe631..e73dd4cd5b 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -353,6 +353,7 @@ systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain +systemd-initctl attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator attach_disconnected,complain From af82a9caa6358a64d0037761a40e286d6018f283 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:52:42 +0200 Subject: [PATCH 0201/1736] feat(profile): add profiles for whoopsie. --- apparmor.d/profiles-s-z/whoopsie | 31 ++++++++++++++++++ apparmor.d/profiles-s-z/whoopsie-preferences | 34 ++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-s-z/whoopsie create mode 100644 apparmor.d/profiles-s-z/whoopsie-preferences diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie new file mode 100644 index 0000000000..16a0e5a5e3 --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie +profile whoopsie @{exec_path} { + include + include + + capability setgid, + capability setuid, + + @{exec_path} mr, + + /var/crash/ r, + + /var/lib/whoopsie/ rw, + /var/lib/whoopsie/whoopsie-id rw, + /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + + owner @{run}/lock/whoopsie/ rw, + owner @{run}/lock/whoopsie/lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences new file mode 100644 index 0000000000..3b720d0daf --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie-preferences +profile whoopsie-preferences @{exec_path} { + include + include + include + + #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /etc/whoopsie w, + /etc/whoopsie.@{rand6} rw, + + profile systemctl { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e73dd4cd5b..77ea8761fa 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -404,6 +404,8 @@ waybar attach_disconnected,complain wechat attach_disconnected,complain wechat-appimage attach_disconnected,complain wg-quick complain +whoopsie complain +whoopsie-preferences complain wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain From 8452eb44f18e96aa9de83c74e0902aabdcad336d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:48:38 +0200 Subject: [PATCH 0202/1736] feat(abs): minor improvement & cosmetic. --- apparmor.d/abstractions/app/kmod | 2 +- apparmor.d/abstractions/app/pager | 2 +- apparmor.d/abstractions/app/sudo | 4 +++- apparmor.d/abstractions/base.d/complete | 6 ++++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- apparmor.d/abstractions/consoles.d/complete | 7 +++++++ apparmor.d/abstractions/freedesktop.org.d/complete | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/vulkan.d/complete | 1 + apparmor.d/abstractions/webkit | 2 +- apparmor.d/abstractions/zsh | 1 + 11 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/consoles.d/complete diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 86bb7d78a8..6c889bd604 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,9 +7,9 @@ include + @{bin}/kmod mr, @{sbin}/depmod mr, @{sbin}/insmod mr, - @{bin}/kmod mr, @{sbin}/lsmod mr, @{sbin}/modinfo mr, @{sbin}/modprobe mr, diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 3be45b4dd6..1557b78efb 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -12,7 +12,7 @@ capability dac_override, capability dac_read_search, - signal (receive) set=(stop, cont, term, kill), + signal receive set=(stop, cont, term, kill), @{bin}/ r, @{pager_path} mrix, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 1286b15713..1c47490cd2 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. Interactive sudo need more rules. +# Minimal set of rules for sudo. abi , @@ -24,6 +24,8 @@ network netlink raw, # PAM + unix type=stream addr=@@{udbus}/bus/sudo/system, + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 06b4133424..ecfe09bb57 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -3,14 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(cont,term) peer=@{p_systemd_user}, - signal (receive) set=(cont,term) peer=@{p_systemd}, signal (receive) set=(hup term) peer=login, signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=gnome-shell, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 38e05f48c8..b002d6fa42 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -9,7 +9,7 @@ dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name=org.freedesktop.Avahi), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 0000000000..ce7bb73bac --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /dev/tty@{u8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 4724c694a3..220883c29f 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -16,7 +16,7 @@ /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 71e76f9dad..3dece8578e 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -6,7 +6,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 8e5b68c08b..67f83516e1 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index 9481d4fece..c9a2752503 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for webkit UI. +# Minimal set of rules for webkit GTK UI. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index ff90849c0c..02eacfb623 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -12,6 +12,7 @@ /usr/local/share/zsh/{,**} r, /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh-theme-*/{,**} r, /usr/share/zsh/{,**} r, /etc/zsh/* r, From 86202b0fbf9502671d5e053da7d55699127501c5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:53:37 +0200 Subject: [PATCH 0203/1736] feat(fsp): small fsp improvement. --- apparmor.d/groups/_full/sd | 21 ++++++++++++++++++++- apparmor.d/groups/_full/systemd | 1 + apparmor.d/groups/_full/systemd-user | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 106e368174..44b3a9b7d4 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -18,7 +18,7 @@ abi , include @{exec_path} = @{bin}/systemd-executor -profile sd flags=(attach_disconnected,mediate_deleted) { +profile sd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -42,6 +42,7 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability net_bind_service, capability net_raw, capability perfmon, capability setfcap, @@ -57,6 +58,8 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability sys_tty_config, capability syslog, + network alg seqpacket, + network bluetooth, network inet dgram, network inet stream, network inet6 dgram, @@ -84,6 +87,22 @@ profile sd flags=(attach_disconnected,mediate_deleted) { umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, + # mount tmpfs -> @{run}/lock/, + # mount tmpfs -> @{sys}/fs/cgroup/, + # mount cgroup -> @{sys}/fs/cgroup/systemd/, + # audit mount /dev/** -> /boot/{,efi/}, + # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, + # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, + + # audit remount @{run}/systemd/unit-root/{,**}, + # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, + # audit remount options=(ro nosuid nodev bind) /var/, + # audit remount options=(ro nosuid nodev noexec bind) /boot/, + + # audit umount @{PROC}/sys/fs/binfmt_misc/, + # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, + # audit umount @{run}/systemd/unit-root/{,**}, + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, change_profile, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index eec9b33d99..b7c12c6bdc 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /dev/autofs r, /dev/dri/card@{int} rw, + /dev/initctl w, /dev/input/ r, /dev/kmsg w, /dev/tty rw, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 3b0d01709e..ed531c58b8 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -91,6 +91,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index bb824c7cbc..a816e58b8e 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database, + @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, @{lib}/kf5/kioslave5 rPx, From eb84df319d1fb40226623307f423af8f553d9816 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:00:38 +0200 Subject: [PATCH 0204/1736] feat(profile): update gnome profiles. --- .../freedesktop/xdg-desktop-portal-gnome | 16 ++++++++-- .../groups/freedesktop/xdg-desktop-portal-gtk | 5 --- .../freedesktop/xdg-user-dirs-gtk-update | 4 +-- apparmor.d/groups/gnome/gjs-console | 7 +++-- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-control-center | 4 +++ .../groups/gnome/gnome-extension-gsconnect | 3 +- apparmor.d/groups/gnome/gnome-session-binary | 2 ++ apparmor.d/groups/gnome/gnome-shell | 31 ++++++++++--------- apparmor.d/groups/gnome/gsd-color | 4 +-- apparmor.d/groups/gnome/gsd-xsettings | 6 +++- apparmor.d/groups/gnome/loupe | 11 ++++++- apparmor.d/groups/gnome/nautilus | 10 +++++- apparmor.d/groups/gnome/ptyxis | 2 ++ apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 13 ++++---- apparmor.d/groups/gvfs/gvfsd-network | 12 ++----- 17 files changed, 83 insertions(+), 50 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ac321fd07b..1355aa22bb 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, / r, @@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b77ad03d7c..fc11b0700d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 224bc2337a..6418629650 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,9 +9,9 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include + include include - include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 012ca7ee0a..fdaa4e8255 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,12 +14,13 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include + include include include include @@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term hup) peer=gdm*, + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.Notifications #aa:dbus own bus=session name=org.gnome.ScreenSaver diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ee0f835eb..a43168866f 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1007d55e23..2f9077d191 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -39,8 +39,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.bluez.obex.Agent1 #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index ee9c147b6b..104d95fb39 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index dc9b6812e3..8b0ea63076 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6c781e2047..1099f254d7 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, + ptrace readby peer=pipewire, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), @@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /snap/*/@{uid}/**.png r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.mozilla/native-messaging-hosts/ r, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, + owner @{HOME}/.mozilla/native-messaging-hosts/ rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.{png,jpg,svg} r, + owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{image_ext} r, + owner @{user_music_dirs}/**.@{image_ext} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 2fe22305b0..56445aeac7 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4fece33663..abf30bc407 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} { include include include + include include include include @@ -33,16 +34,19 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/busctl rPx, @{bin}/pactl rPx, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6f783627e2..d89d4d6f92 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,14 +9,20 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include + unix type=stream peer=(label=loupe//bwrap), + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -37,7 +43,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -56,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include + unix type=stream peer=(label=loupe), + signal receive set=kill peer=loupe, @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 60bbfb344b..ebf9756735 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,13 +28,21 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 2f7dee368d..a6f7e5b631 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,6 +28,8 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + owner /tmp/#@{int} w, + /dev/ptmx rw, include if exists diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 239993f215..ce60a26c38 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -24,7 +24,7 @@ profile ptyxis-agent @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, /dev/ptmx rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index fd9b5a22d0..9af8be00ae 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -13,14 +13,10 @@ profile gvfsd-dnssd @{exec_path} { include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable @@ -32,6 +28,11 @@ profile gvfsd-dnssd @{exec_path} { member=Spawned peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index adda9b958c..cd64d81ada 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,6 +11,8 @@ include profile gvfsd-network @{exec_path} { include include + include + include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -30,16 +32,6 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gnome-control-center), - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, From 55e4b27c2b4b43488edb7b155fd3e5efd0733a18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:02:20 +0200 Subject: [PATCH 0205/1736] feat(tunable): add the archive_path variable. --- apparmor.d/profiles-a-f/atool | 6 +++--- apparmor.d/profiles-a-f/file-roller | 14 +------------- apparmor.d/profiles-s-z/unmkinitramfs | 6 +----- apparmor.d/profiles-s-z/xarchiver | 13 +------------ apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 6 files changed, 12 insertions(+), 33 deletions(-) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 99cb0fed61..2782aacc04 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -19,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, + @{bin}/bzip rix, @{bin}/bzip2 rix, @{bin}/bzip2 rix, - @{bin}/bzip rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -30,16 +30,15 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, + @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, - @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, - @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -48,6 +47,7 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, + @{lib}/p7zip/7z rix, /etc/atool.conf r, owner @{HOME}/.atoolrc r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 24610cd8c7..e7bfafaac5 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -26,19 +26,7 @@ profile file-roller @{exec_path} { @{bin}/rm rix, # Archivers - @{bin}/7z rix, - @{bin}/7zz rix, - @{bin}/ar rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/tar rix, - @{bin}/unrar-nonfree rix, - @{bin}/unzip rix, - @{bin}/xz rix, - @{bin}/zip rix, - @{bin}/zstd rix, - @{lib}/p7zip/7z rix, + @{archive_path} rix, # Full access to user's data @{MOUNTS}/** rw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 6b5607ed17..3ee5309700 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -18,22 +18,18 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, @{bin}/{,e}grep rix, - @{bin}/bzip2 rix, @{bin}/cat rix, - @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, - @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/xz rix, @{bin}/xzcat rix, - @{bin}/zstd rix, /boot/ r, owner /boot/initrd.img-* r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 0037700082..f38a692248 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -28,18 +28,7 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/zstd rix, - # For deb packages + @{archive_path} rix, @{bin}/{,@{multiarch}-}ar rix, @{open_path} rPx -> child-open, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 059f337fd8..cca5443706 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -72,4 +72,7 @@ # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor +# Archives +@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index cddb1a7d27..a7cbaf8310 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -96,4 +96,7 @@ # Backup @{backup_names} = deja-dup borg +# Archives +@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd + # vim:syntax=apparmor From 71a473712c15ee71fe39ce021577b052fea2528f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:58:02 +0200 Subject: [PATCH 0206/1736] tests: rewrite and expand the profile check to more files. Rewrite: Speed up the checking by not using grep anymore and only using bash, also make it parallel Revisit the way result are shown. Expand: Also scan for mapping files and abstaction completion. Adapt the scan accordingly. --- tests/check.sh | 382 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 261 insertions(+), 121 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 02ae718125..25c82e3d16 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Usage: make check @@ -8,101 +8,250 @@ set -eu -o pipefail -readonly APPARMORD="apparmor.d" -readonly HEADERS=( - "# apparmor.d - Full set of apparmor profiles" - "# Copyright (C) " - "# SPDX-License-Identifier: GPL-2.0-only" -) - -_die() { - echo -e "\033[1;31m ✗ Error: \033[0m$*" - exit 1 +RES=$(mktemp) +echo "false" >"$RES" +MAX_JOBS=$(nproc) +declare WITH_CHECK +readonly MAX_JOBS APPARMORD="apparmor.d" +readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" +_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } +_warn() { + local type="$1" file="$2" + shift 2 + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" +} +_err() { + local type="$1" file="$2" + shift 2 + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + echo "true" >"$RES" } -_ensure_header() { - local file="$1" - for header in "${HEADERS[@]}"; do - if ! grep -q "^$header" "$file"; then - _die "$file does not contain '$header'" +_in_array() { + local item needle="$1" + shift + for item in "$@"; do + if [[ "${item}" == "${needle}" ]]; then + return 0 fi done + return 1 +} + +_is_enabled() { + _in_array "$1" "${WITH_CHECK[@]}" } -_ensure_indentation() { +_wait() { + local -n job=$1 + job=$((job + 1)) + if ((job >= MAX_JOBS)); then + wait -n + job=$((job - 1)) + fi +} + +_check() { local file="$1" - local in_profile=false - local first_line_after_profile=true local line_number=0 while IFS= read -r line; do line_number=$((line_number + 1)) - if [[ "$line" =~ $'\t' ]]; then - _die "$file:$line_number: tabs are not allowed." + # Guidelines check + _check_abi + _check_include + _check_profile + _check_subprofiles + + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + + done <"$file" - if [[ "$line" =~ ^profile ]]; then - in_profile=true - first_line_after_profile=true + # Results + _res_abi + _res_include + _res_profile + _res_subprofiles + _res_header + _res_vim +} - elif [[ "$line" =~ [[:space:]]+$ ]]; then - _die "$file:$line_number: line has trailing whitespace." +# Guidelines check: https://apparmor.pujol.io/development/guidelines/ - elif $in_profile; then - if $first_line_after_profile; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _die "$file: profile must have a two-space indentation." - fi - first_line_after_profile=false - - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break - fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done - - if ! $ok; then - _die "$file:$line_number: invalid indentation." +RES_ABI=false +readonly ABI_SYNTAX='abi ,' +_check_abi() { + _is_enabled abi || return 0 + if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + RES_ABI=true + fi +} +_res_abi() { + _is_enabled abi || return 0 + if ! $RES_ABI; then + _err guideline "$file" "missing 'abi ,'" + fi +} + +RES_INCLUDE=false +_check_include() { + _is_enabled include || return 0 + if [[ "$line" =~ ^.*"${include}"$ ]]; then + RES_INCLUDE=true + fi +} +_res_include() { + _is_enabled include || return 0 + if ! $RES_INCLUDE; then + _err guideline "$file" "missing '$include'" + fi +} + +RES_PROFILE=false +_check_profile() { + _is_enabled profile || return 0 + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi +} +_res_profile() { + _is_enabled profile || return 0 + if ! $RES_PROFILE; then + _err guideline "$file" "missing profile name: 'profile $name'" + fi +} + +# Style check + +readonly HEADERS=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" +) +_RES_HEADER=(false false false) +_check_header() { + _is_enabled header || return 0 + for idx in "${!HEADERS[@]}"; do + if [[ "$line" == "${HEADERS[$idx]}"* ]]; then + _RES_HEADER[idx]=true + break + fi + done +} +_res_header() { + _is_enabled header || return 0 + for idx in "${!_RES_HEADER[@]}"; do + if ${_RES_HEADER[$idx]}; then + continue + fi + _err style "$file" "missing header: '${HEADERS[$idx]}'" + done +} + +_check_tabs() { + _is_enabled tabs || return 0 + if [[ "$line" =~ $'\t' ]]; then + _err style "$file:$line_number" "tabs are not allowed" + fi +} + +_check_trailing() { + _is_enabled trailing || return 0 + if [[ "$line" =~ [[:space:]]+$ ]]; then + _err style "$file:$line_number" "line has trailing whitespace" + fi +} + +_CHECK_IN_PROFILE=false +_CHECK_FIRST_LINE_AFTER_PROFILE=true +_check_indentation() { + _is_enabled indentation || return 0 + if [[ "$line" =~ ^profile ]]; then + _CHECK_IN_PROFILE=true + _CHECK_FIRST_LINE_AFTER_PROFILE=true + + elif $_CHECK_IN_PROFILE; then + if $_CHECK_FIRST_LINE_AFTER_PROFILE; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _err style "$file:$line_number" "profile must have a two-space indentation" + fi + _CHECK_FIRST_LINE_AFTER_PROFILE=false + + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break + fi + if ((num_spaces % 2 == 0)); then + ok=true + break fi + done + + if ! $ok; then + _err style "$file:$line_number" "invalid indentation" fi fi fi - done <"$file" + fi } -_ensure_include() { - local file="$1" - local include="$2" - if ! grep -q "^ *${include}$" "$file"; then - _die "$file does not contain '$include'" +_CHEK_IN_SUBPROFILE=false +declare -A _RES_SUBPROFILES +_check_subprofiles() { + _is_enabled subprofiles || return 0 + if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then + indentation="${BASH_REMATCH[1]}" + subprofile="${BASH_REMATCH[2]}" + subprofile="${subprofile%% *}" + include="${indentation}include if exists " + _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" + _CHEK_IN_SUBPROFILE=true + elif $_CHEK_IN_SUBPROFILE; then + if [[ "$line" == *"$include" ]]; then + _RES_SUBPROFILES["$subprofile"]=true + + fi fi } +_res_subprofiles() { + _is_enabled subprofiles || return 0 + for msg in "${_RES_SUBPROFILES[@]}"; do + if [[ $msg == true ]]; then + continue + fi + _err guideline "$file" "$msg" + done +} -_ensure_abi() { - local file="$1" - if ! grep -q "^ *abi ," "$file"; then - _die "$file does not contain 'abi ,'" +readonly VIM_SYNTAX="# vim:syntax=apparmor" +RES_VIM=false +_check_vim() { + _is_enabled vim || return 0 + if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then + RES_VIM=true fi } - -_ensure_vim() { - local file="$1" - if ! grep -q "^# vim:syntax=apparmor" "$file"; then - _die "$file does not contain '# vim:syntax=apparmor'" +_res_vim() { + _is_enabled vim || return 0 + if ! $RES_VIM; then + _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } @@ -117,69 +266,60 @@ check_sbin() { } check_profiles() { - echo -e "\033[1m ⋅ \033[0mChecking if all profiles contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'profile '" - echo " - 'include if exists '" - echo " - include if exists local for subprofiles" - echo " - vim:syntax=apparmor" - directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") - # shellcheck disable=SC2068 - for dir in ${directories[@]}; do - for file in $(find "$dir" -maxdepth 1 -type f); do - case "$file" in */README.md) continue ;; esac + _msg "Checking profiles" + mapfile -t files < <( + find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ + -prune -o -type f -print + ) + jobs=0 + WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - if ! grep -q "^profile $name" "$file"; then - _die "$name does not contain 'profile $name'" - fi - mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') - for subprofile in "${subrofiles[@]}"; do - include="include if exists " - if ! grep -q "^ *${include}$" "$file"; then - _die "$name: $name//$subprofile does not contain '$include'" - fi - done - done + _check "$file" + ) & + _wait jobs done + wait } check_abstractions() { - echo -e "\033[1m ⋅ \033[0mChecking if all abstractions contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'include if exists '" - echo " - vim:syntax=apparmor" - directories=( - "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" - "$APPARMORD/abstractions/attached/" - "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" - ) - for dir in "${directories[@]}"; do - for file in $(find "$dir" -maxdepth 1 -type f); do + _msg "Checking abstractions" + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + jobs=0 + WITH_CHECK=(abi include header tabs trailing indentation vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" - root="${dir/${APPARMORD}\/abstractions\//}" - include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - done + absdir="${file/${APPARMORD}\//}" + include="include if exists <${absdir}.d>" + _check "$file" + ) & + _wait jobs done + wait + + mapfile -t files < <( + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" + find "$APPARMORD/mappings" -type f + ) + # shellcheck disable=SC2034 + jobs=0 + WITH_CHECK=(header tabs trailing indentation vim) + for file in "${files[@]}"; do + _check "$file" & + _wait jobs + done + wait } check_sbin check_profiles check_abstractions + +FAIL=$(cat "$RES") +if [[ "$FAIL" == "true" ]]; then + exit 1 +fi From fff0df39ba61e862e7d62897b0126e0c2eb91835 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:59:14 +0200 Subject: [PATCH 0207/1736] tests: add more check for sbin path Also look for path that should not use sbin. --- tests/check.sh | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 25c82e3d16..09a2e105bb 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -256,13 +256,39 @@ _res_vim() { } check_sbin() { - echo -e "\033[1m ⋅ \033[0mEnsuring '@{sbin}' is used in all profiles:" - while IFS= read -r name; do - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) - for file in "${files[@]}"; do - _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" - done - done Date: Mon, 2 Jun 2025 20:41:20 +0200 Subject: [PATCH 0208/1736] test: add some security checks. --- tests/check.sh | 81 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 78 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 09a2e105bb..59463246ef 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,7 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK -readonly MAX_JOBS APPARMORD="apparmor.d" +readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -58,6 +58,12 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) + # Rules checks + _check_abstractions + _check_directory_mark + _check_equivalent + _check_too_wide + # Guidelines check _check_abi _check_include @@ -84,13 +90,82 @@ _check() { _res_vim } +# Rules checks: security, compatibility and rule issues + +readonly ABS="abstractions" +readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +declare -A ABS_DEPRECATED=( + ["nameservice"]="nameservice-strict" + ["bash"]="shell" + ["X"]="X-strict" + ["dbus-accessibility-strict"]="bus-accessibility" + ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-session-strict"]="bus-session" + ["dbus-system-strict"]="bus-system" +) +_check_abstractions() { + _is_enabled abstractions || return 0 + + local absname + for absname in "${ABS_DANGEROUS[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + fi + done + for absname in "${!ABS_DEPRECATED[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + fi + done +} + +readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') +_check_directory_mark() { + _is_enabled directory_mark || return 0 + for pattern in "${DIRECTORIES[@]}"; do + if [[ "$line" == *"$pattern"* ]]; then + [[ "$line" == *'='* ]] && continue + if [[ ! "$line" == *"$pattern/"* ]]; then + _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + fi + fi + done +} + +declare -A EQUIVALENTS=( + ["awk"]="{m,g,}awk" + ["grep"]="{,e}grep" + ["which"]="which{,.debianutils}" +) +_check_equivalent() { + _is_enabled equivalent || return 0 + local prgmname + for prgmname in "${!EQUIVALENTS[@]}"; do + if [[ "$line" == *"/$prgmname"* ]]; then + if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then + _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + fi + fi + done +} + +readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +_check_too_wide() { + _is_enabled too_wide || return 0 + for pattern in "${TOOWIDE[@]}"; do + if [[ "$line" == *" $pattern "* ]]; then + _err security "$file:$line_number" "rule too wide: '$pattern'" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false readonly ABI_SYNTAX='abi ,' _check_abi() { _is_enabled abi || return 0 - if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + if [[ "$line" == *"$ABI_SYNTAX" ]]; then RES_ABI=true fi } @@ -104,7 +179,7 @@ _res_abi() { RES_INCLUDE=false _check_include() { _is_enabled include || return 0 - if [[ "$line" =~ ^.*"${include}"$ ]]; then + if [[ "$line" == *"${include}"* ]]; then RES_INCLUDE=true fi } From c8f2a435f877367866fa811d4d897238c0d6108b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Jun 2025 23:59:41 +0200 Subject: [PATCH 0209/1736] tests: remove symbolic link from sbin. --- tests/sbin.list | 288 +++++------------------------------------------- 1 file changed, 30 insertions(+), 258 deletions(-) diff --git a/tests/sbin.list b/tests/sbin.list index 676bc4d56d..d2b5c44bc8 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -21,7 +21,6 @@ acpid acpidump add-shell addgnupghome -addgroup addpart adduser agetty @@ -31,24 +30,15 @@ alsa-info.sh alsa-init alsabat-test alsactl -alternatives anacron +apache2 apparmor_parser apparmor_status applygnupgdefaults aptd argdist-bpfcc -arp arpd -arptables -arptables-nft -arptables-nft-restore -arptables-nft-save -arptables-restore -arptables-save -arptables-translate aspell-autobuildhash -atd audisp-af_unix audisp-filter audisp-syslog @@ -90,26 +80,18 @@ blockdev blogctl blogd blogger -bluetoothd bpflist-bpfcc bpftool brctl bridge -brltty brltty-setup btrfs btrfs-convert +btrfs-find-root btrfs-image -btrfsck btrfsdist-bpfcc btrfsslower-bpfcc btrfstune -cache_check -cache_dump -cache_metadata_size -cache_repair -cache_restore -cache_writeback cachestat-bpfcc cachetop-bpfcc capable-bpfcc @@ -120,7 +102,6 @@ cgdisk chat chcpu check_mail_queue -check-bios-nx checkproc chgpasswd chkstat-polkit @@ -135,7 +116,6 @@ coldreboot compactsnoop-bpfcc complain config.postfix -cpgr cppw cpudist-bpfcc cpuunclaimed-bpfcc @@ -153,17 +133,13 @@ cryptdisks_start cryptdisks_stop cryptsetup ctrlaltdel -ctstat cups-browsed cups-genppd.5.3 cups-genppdupdate cupsaccept cupsctl cupsd -cupsdisable -cupsenable cupsfilter -cupsreject dbslower-bpfcc dbstat-bpfcc dcb @@ -173,14 +149,9 @@ dcstat-bpfcc ddns-confgen deadlock-bpfcc debugfs -debugfs.reiserfs -debugreiserfs decode -defrag.f2fs -delgroup delpart deluser -depmod devlink dhcpcd dirtop-bpfcc @@ -192,7 +163,6 @@ dmfilemapd dmidecode dmraid dmsetup -dmstats dnsmasq dosfsck dosfslabel @@ -213,34 +183,37 @@ e2undo e4crypt e4defrag eapol_test -ebtables -ebtables-nft -ebtables-nft-restore -ebtables-nft-save -ebtables-restore -ebtables-save -ebtables-translate ec_access efibootdump efibootmgr enforce -era_check -era_dump -era_invalidate -era_restore ethtool eventlogadm -exec execsnoop-bpfcc execsnoop.bt exfat2img exfatlabel +exicyclog +exigrep +exim_checkaccess +exim_convert4r4 +exim_dbmbuild +exim_dumpdb +exim_fixdb +exim_id_update +exim_lock +exim_msgdate +exim_tidydb +exim4 +eximstats +exinext +exipick +exiqgrep +exiqsumm exitsnoop-bpfcc +exiwhat ext4dist-bpfcc ext4slower-bpfcc -f2fs_io -f2fscrypt -f2fslabel f2fsslower-bpfcc faillock fanatic @@ -251,7 +224,6 @@ fatresize fbtest fdformat fdisk -fibmap.f2fs filefrag filegone-bpfcc filelife-bpfcc @@ -270,7 +242,6 @@ fsck.exfat fsck.ext2 fsck.ext3 fsck.ext4 -fsck.f2fs fsck.fat fsck.minix fsck.msdos @@ -295,7 +266,6 @@ gethostlatency-bpfcc gethostlatency.bt getpcaps getsysinfo -getty getweb gnome-menus-blacklist gpart @@ -308,7 +278,6 @@ groupmod grpck grpconv grpunconv -grub-bios-setup grub-install grub-macbless grub-mkconfig @@ -328,62 +297,30 @@ grub2-reboot grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg -halt hardirqs-bpfcc -hc-ifscan hdparm hwclock hwinfo iconvconfig -ifconfig ifrename ifstat import-openSUSE-build-key -init inject-bpfcc inputattach -insmod install_acx100_firmware install_intersil_firmware install-sgmlcatalog installkernel integritysetup invoke-rc.d -ip -ip6tables -ip6tables-apply -ip6tables-legacy ip6tables-legacy-batch -ip6tables-legacy-restore -ip6tables-legacy-save -ip6tables-nft -ip6tables-nft-restore -ip6tables-nft-save -ip6tables-restore -ip6tables-restore-translate -ip6tables-save -ip6tables-translate -ipmaddr ipp-usb ippevepcl ippeveprinter ippeveps ipset -ipset-translate -iptables iptables-apply -iptables-legacy iptables-legacy-batch -iptables-legacy-restore -iptables-legacy-save -iptables-nft -iptables-nft-restore -iptables-nft-save -iptables-restore -iptables-restore-translate -iptables-save -iptables-translate -iptunnel irqbalance irqbalance-ui isadump @@ -397,8 +334,6 @@ isosize ispell-autobuildhash isserial issue-generator -iucode_tool -iucode-tool iw iwconfig iwevent @@ -427,7 +362,6 @@ killsnoop.bt klockstat-bpfcc klogd kpartx -kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -449,29 +383,11 @@ lpadmin lpc lpinfo lpmove -lsmod -lspcmcia luksformat -lvchange -lvconvert -lvcreate -lvdisplay -lvextend lvm lvm_import_vdo -lvmconfig -lvmdevices -lvmdiskscan lvmdump lvmpolld -lvmsadc -lvmsar -lvreduce -lvremove -lvrename -lvresize -lvs -lvscan lwepgen lxc lxd @@ -484,7 +400,6 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc -mii-tool mk_isdnhwdb mkdict mkdosfs @@ -500,10 +415,6 @@ mkfs.ext4 mkfs.f2fs mkfs.fat mkfs.minix -mkfs.msdos -mkfs.ntfs -mkfs.reiserfs -mkfs.vfat mkfs.xfs mkhomedir_helper mkill @@ -515,8 +426,6 @@ mkreiserfs mksubvolume mkswap ModemManager -modinfo -modprobe mount.cifs mount.ddi mount.fuse @@ -533,12 +442,9 @@ mpathpersist multipath multipathc multipathd -mysqld mysqld_qslower-bpfcc -nameif naptime.bt needrestart -netplan netqtop-bpfcc NetworkManager newusers @@ -574,7 +480,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -packer pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -583,13 +488,11 @@ pam_timestamp_check pam-auth-update pam-config paperconfig -parse.f2fs parted partprobe partx pbl pccardctl -pcilmr pcscd pdata_tools perlcalls-bpfcc @@ -598,11 +501,9 @@ perlstat-bpfcc phpcalls-bpfcc phpflow-bpfcc phpstat-bpfcc -pidofproc pidpersec-bpfcc pidpersec.bt pivot_root -plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -618,7 +519,7 @@ postmap postmulti postqueue postsuper -poweroff +posttls-finger ppchcalls-bpfcc pppd pppdump @@ -627,15 +528,6 @@ pppstats pptp pptpsetup profile-bpfcc -pvchange -pvck -pvcreate -pvdisplay -pvmove -pvremove -pvresize -pvs -pvscan pwck pwconv pwhistory_helper @@ -647,108 +539,30 @@ pythongc-bpfcc pythonstat-bpfcc qemu-ga qmqp-source -rarp -rcapparmor -rcauditd -rcautofs -rcavahi-daemon -rcavahi-dnsconfd -rcblk-availability -rcbolt -rcbtrfsmaintenance-refresh -rcca-certificates -rcchrony-wait -rcchronyd -rccolord -rccron -rccups -rccups-browsed -rccups-lpd -rcdbus -rcdisplay-manager -rcdm-event -rcdnsmasq -rcfancontrol +qshape rcfirewalld -rcflatpak-system-helper -rcfstrim -rcfwupd -rcfwupd-offline-update -rcfwupd-refresh -rcgpm -rcirqbalance -rcissue-add-ssh-keys -rcissue-generator -rckexec-load -rclm_sensors -rclogrotate -rclvm2-lvmpolld -rclvm2-monitor -rcmariadb -rcmcelog -rcmdmonitor -rcModemManager -rcmultipathd -rcmysql -rcnetwork -rcnfs-client -rcnmb rcopenvpn -rcostree-prepare-root -rcostree-remount -rcpackagekit -rcpackagekit-offline-update rcpcscd -rcpkcs11_eventmgr -rcpostfix -rcrng-tools -rcrpcbind -rcrsyncd -rcrtkit-daemon -rcsddm -rcsmartd -rcsmb -rcsnmpd -rcsnmptrapd -rcspeech-dispatcherd -rcspice-vdagentd -rcsshd -rctuned -rcudisks2 -rcupower -rcusbmuxd -rcwpa_supplicant -rcwsdd rcxdm rcxvnc rdma rdmaucma-bpfcc -rdmsr readahead-bpfcc readprofile -reboot -refresh_initrd +realm regdbdump -reiserfsck -reiserfstune remove-default-ispell remove-default-wordlist remove-shell request-key reset-trace-bpfcc -resize_reiserfs -resize.f2fs resize2fs resizepart -resolvconf rfkill -rmmod -rmt rmt-tar rndc rndc-confgen rngd -route routel rpc.gssd rpc.idmapd @@ -757,7 +571,6 @@ rpc.svcgssd rpcbind rpcctl rpcdebug -rpcinfo rpmconfigcheck rsyncd rsyslogd @@ -765,14 +578,12 @@ rtacct rtcwake rtkitctl rtmon -rtstat rubycalls-bpfcc rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc runc -runlevel runqlat-bpfcc runqlat.bt runqlen-bpfcc @@ -792,8 +603,6 @@ sensors-detect service set_polkit_default_privs setcap -setconsole -setpci setuids.bt setup-nsssysinit.sh setvesablank @@ -805,12 +614,9 @@ shim-install shmsnoop-bpfcc showconsole showmount -shutdown skdump sktest slabratetop-bpfcc -slattach -sload.f2fs sm-notify smart_agetty smartctl @@ -828,12 +634,12 @@ spice-vdagentd ss sshd sshd-gen-keys-start +sshd.hmac ssllatency.bt sslsniff-bpfcc sslsnoop.bt sssd stackcount-bpfcc -start_daemon start-statd start-stop-daemon startproc @@ -855,6 +661,7 @@ sysconf_addword syscount-bpfcc syscount.bt sysctl +syslog2eximlog sysusers2shadow tarcat tc @@ -881,33 +688,20 @@ tcpsynbl-bpfcc tcpsynbl.bt tcptop-bpfcc tcptracer-bpfcc -tcptraceroute tcptraceroute.db -telinit thermald -thin_check -thin_delta -thin_dump -thin_ls -thin_metadata_size -thin_repair -thin_restore -thin_rmap -thin_trim threadsnoop-bpfcc threadsnoop.bt tipc tlp tplist-bpfcc trace-bpfcc -traceroute tsig-keygen ttysnoop-bpfcc tune.exfat tune2fs tuned tuned-adm -tunefs.reiserfs tunelp u-d-c-print-pci-ids ucalls @@ -923,21 +717,21 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-bootloader +update-alternatives update-ca-certificates update-catalog update-cracklib -update-default-aspell update-default-ispell update-default-wordlist update-dictcommon-aspell update-dictcommon-hunspell +update-exim4.conf +update-exim4.conf.template update-fonts-alias update-fonts-dir update-fonts-scale update-grub update-grub-gfxpayload -update-grub2 update-gsfontmap update-icon-caches update-ieee-data @@ -973,30 +767,10 @@ vfscount-bpfcc vfscount.bt vfsstat-bpfcc vfsstat.bt -vgcfgbackup -vgcfgrestore -vgchange -vgck -vgconvert -vgcreate -vgdisplay -vgexport -vgextend -vgimport -vgimportclone -vgimportdevices -vgmerge -vgmknodes -vgreduce -vgremove -vgrename -vgs -vgscan -vgsplit vhangup -vigr vipw virt-what +virt-what-cvm virtiostat-bpfcc virtlockd virtlogd @@ -1015,7 +789,6 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt -wrmsr xfs_admin xfs_bmap xfs_copy @@ -1032,6 +805,7 @@ xfs_metadump xfs_mkfile xfs_ncheck xfs_property +xfs_protofile xfs_quota xfs_repair xfs_rtcp @@ -1043,9 +817,7 @@ xfsdist.bt xfsslower-bpfcc xkbctrl xtables-legacy-multi -xtables-monitor xtables-nft-multi -yast yast2 zdump zerofree From 6ed873aad375bea4734ec5321049e597aec02c32 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:35:43 +0200 Subject: [PATCH 0210/1736] feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin). --- apparmor.d/abstractions/app/kmod | 6 ------ apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-apt | 4 ++-- apparmor.d/groups/cron/cron-exim4-base | 6 +++--- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/btrfs-find-root | 2 +- apparmor.d/groups/firewall/firewalld | 4 ++-- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/grub/update-grub | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/openvpn | 6 +++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/mkinitcpio | 5 +---- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 1 - apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 1 - apparmor.d/profiles-a-f/adduser | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 4 ++-- apparmor.d/profiles-a-f/check-bios-nx | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-a-f/deluser | 4 ++-- apparmor.d/profiles-a-f/dhclient-script | 2 +- apparmor.d/profiles-a-f/exim4 | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-g-l/ifup | 2 +- apparmor.d/profiles-g-l/inxi | 4 ++-- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/wpa-action | 2 +- tests/sbin.list | 16 ++++++++++++++++ 54 files changed, 75 insertions(+), 70 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 6c889bd604..b6beeb7f60 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -8,12 +8,6 @@ include @{bin}/kmod mr, - @{sbin}/depmod mr, - @{sbin}/insmod mr, - @{sbin}/lsmod mr, - @{sbin}/modinfo mr, - @{sbin}/modprobe mr, - @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 936d15d420..0ee42f5a4f 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} { @{pager_path} Cx -> pager, @{bin}/dpkg Px -> child-dpkg, - @{bin}/exim4 Px, # Send results using email + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index c9448c7fb9..c67b1dfb5e 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -27,7 +27,7 @@ profile debsecan @{exec_path} { @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index dbd02ff6c1..ab230a43bc 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -40,7 +40,7 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 1322108d4a..3756c1d032 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index eba78ac827..e91f9b4195 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/ionice rix, @{bin}/nice rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 81e5761d79..0d5d5a0818 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cron-apt +@{exec_path} = @{bin}/cron-apt profile cron-apt @{exec_path} { include include @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 2970f8d42a..784dfae193 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, @{sbin}/start-stop-daemon rix, @{sbin}/runuser rix, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 156d5e820c..d240454f5b 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/crontab +@{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 91dd32f512..6eeeaa414a 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{sbin}/ippfind rix, + @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root index eef4b68236..cec2bbb619 100644 --- a/apparmor.d/groups/filesystem/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 01f853c26c..57a0baa209 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/alts ix, @{bin}/false ix, @{bin}/kmod Cx -> kmod, - @{sbin}/ebtables-legacy ix, - @{sbin}/ebtables-legacy-restore ix, + @{bin}/ebtables-legacy ix, + @{bin}/ebtables-legacy-restore ix, @{sbin}/ipset ix, @{sbin}/xtables-legacy-multi ix, @{sbin}/xtables-nft-multi mix, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index 9ccd02275c..b0d606701a 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-bios-setup +@{exec_path} = @{bin}/grub-bios-setup profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index ff17c160a4..d4460a3cf3 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub profile update-grub @{exec_path} { include include diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 0ae174b09c..b5cceee955 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{sbin}/tcsh rix, + @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index eddcaedf7f..0b5bd090ec 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/iwctl +@{exec_path} = @{bin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ecd23ce535..6c4c41e6c9 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index f4fcfa50d1..6431ee98a4 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,7 +83,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/which rix, @{sbin}/xtables-nft-multi rix, @@ -110,7 +110,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 096fe276cf..4e5bba684d 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{sbin}/ip rPx, + @{bin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index bb877ec1a3..8162dff1e3 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,7 +35,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/resolvectl rPx, @{sbin}/xtables-nft-multi rix, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index e8ece5c884..c89a12a476 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,7 +21,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/mv rix, @{sbin}/nft rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 9eafb72a92..1f1fc66eb9 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -42,10 +42,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{sbin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96c..6cf3b824cc 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -97,7 +97,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, @{sbin}/update-grub rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index fe1bc5781b..ce41d6ae8e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,6 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 3ca55909df..9fd065db32 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -17,7 +17,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 575481de2c..916279378e 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 87ffb3f4ad..b6111750b1 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,7 +38,7 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index d71eb9ec1d..1de016aeaf 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 94fa568a37..4d730602da 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -116,7 +116,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/virtlogd rPx, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index bf7daf85e9..fd1d0af03a 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -17,7 +17,6 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index d971d22f39..039518b51d 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/adduser @{sbin}/group +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf9..c4741b09a4 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aa0a365fd3..aea3cbf011 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include @@ -28,7 +28,7 @@ profile atd @{exec_path} { @{sh_path} rix, @{sbin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 965e0dc3ac..c44b6eaa5e 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index cecb0e22d1..bb7dfd3b88 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -31,7 +31,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1f5d6f0a75..3505126ad7 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/deluser @{sbin}/delgroup +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include @@ -20,7 +20,7 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/crontab rPx, + @{bin}/crontab rPx, @{bin}/gpasswd rPx, @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index d5505ff861..9a7e77902a 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 9aaccaa16a..3af283014e 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/exim4 +@{exec_path} = @{sbin}/exim4 profile exim4 @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 21d2a1cf82..629208bc62 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -21,7 +21,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/xtables-nft-multi rix, - @{sbin}/iptables rix, + @{bin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 42169dd6d3..3c641f8e19 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,7 +19,7 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a28..e80875ca2f 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{sbin}/ip rCx -> ip, + @{bin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{sbin}/ip mr, + @{bin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 3495bcc80c..bcb521c014 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ip +@{exec_path} = @{bin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index 628728846c..c6dfa762a0 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ipcalc +@{exec_path} = @{bin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 2382ea0624..133cf8ae7d 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,7 +38,7 @@ profile kernel @{exec_path} { @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/dkms rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index b4f3ac2f41..aeb125ef27 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -18,7 +18,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{sbin}/blkid Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 85437017b4..485520ca07 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -20,7 +20,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 8b8968464c..cd2ddc0e68 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/modprobed-db +@{exec_path} = @{bin}/modprobed-db profile modprobed-db @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index b45dd3986b..019e89e23d 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/setpci +@{exec_path} = @{bin}/setpci profile setpci @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 8b66b652f2..6ff0fe7e94 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{sbin}/ip rix, + @{bin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa0..68ddb97a58 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index d0fc54b7c7..e23d4db43e 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 6f4c120a02..023644eb0b 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index b2cfe0091f..b6764ba0ee 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -24,7 +24,7 @@ profile wpa-action @{exec_path} { @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/tests/sbin.list b/tests/sbin.list index d2b5c44bc8..15373846cd 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -37,6 +37,7 @@ apparmor_status applygnupgdefaults aptd argdist-bpfcc +arp arpd aspell-autobuildhash audisp-af_unix @@ -64,6 +65,7 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode +biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -102,6 +104,7 @@ cgdisk chat chcpu check_mail_queue +check-bios-nx checkproc chgpasswd chkstat-polkit @@ -161,6 +164,7 @@ dmevent_tool dmeventd dmfilemapd dmidecode +dmidecode dmraid dmsetup dnsmasq @@ -236,6 +240,7 @@ flushb fonts-config fsadm fsck +fsck. fsck.btrfs fsck.cramfs fsck.exfat @@ -302,6 +307,7 @@ hdparm hwclock hwinfo iconvconfig +ifconfig ifrename ifstat import-openSUSE-build-key @@ -334,6 +340,7 @@ isosize ispell-autobuildhash isserial issue-generator +iucode_tool iw iwconfig iwevent @@ -362,6 +369,7 @@ killsnoop.bt klockstat-bpfcc klogd kpartx +kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -386,6 +394,7 @@ lpmove luksformat lvm lvm_import_vdo +lvmconfig lvmdump lvmpolld lwepgen @@ -405,6 +414,7 @@ mkdict mkdosfs mke2fs mkfs +mkfs. mkfs.bfs mkfs.btrfs mkfs.cramfs @@ -480,6 +490,7 @@ opensnoop.bt openvpn overlayroot-chroot ownership +ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -547,6 +558,7 @@ rcxdm rcxvnc rdma rdmaucma-bpfcc +rdmsr readahead-bpfcc readprofile realm @@ -558,11 +570,13 @@ request-key reset-trace-bpfcc resize2fs resizepart +resolvconf rfkill rmt-tar rndc rndc-confgen rngd +route routel rpc.gssd rpc.idmapd @@ -778,6 +792,7 @@ visudo vmcore-dmesg vncsession vpddecode +vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc @@ -789,6 +804,7 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt +wrmsr xfs_admin xfs_bmap xfs_copy From f0355f36b9fd74725e086790db305de6c25edafa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:36:30 +0200 Subject: [PATCH 0211/1736] tests: show error line in sbin check. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 59463246ef..add9b06853 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -338,7 +338,7 @@ check_sbin() { jobs=0 for name in "${sbin[@]}"; do ( - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done @@ -349,7 +349,7 @@ check_sbin() { local pattern='[[:alnum:]_.-]+' # Pattern for valid file names jobs=0 - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do ( while read -r match; do @@ -359,7 +359,7 @@ check_sbin() { _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi fi - done < <(grep --only-matching -E "@\{sbin\}/$pattern" "$file") + done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & _wait jobs done From edcbaa1b94f511e4b3db9642718887dc98f93511 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:01:24 +0200 Subject: [PATCH 0212/1736] fix: add gpartedbin back to sbin.list. --- tests/sbin.list | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/sbin.list b/tests/sbin.list index 15373846cd..a17f154489 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -275,6 +275,7 @@ getweb gnome-menus-blacklist gpart gparted +gpartedbin gpm groupadd groupdel From 65f96447530dccb2928b682d76c37cfb0164a76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:37:59 +0200 Subject: [PATCH 0213/1736] fix: linter check. --- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/steam/steam | 4 ++-- apparmor.d/profiles-g-l/hw-probe | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0064d682bf..209971ac28 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -34,7 +34,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{sbin}/wsdd rPx, + @{bin}/wsdd rPx, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 11e863972f..73c78f2ed1 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, - @{sbin}/lspci rCx -> lspci, + @{bin}/lspci rCx -> lspci, @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix receive type=stream, - @{sbin}/lspci mr, + @{bin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index fc6b8775b6..f518a18f02 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, From a4737546f76fe1f4aaa65d2ad7d5663c3a317c5d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:58:24 +0200 Subject: [PATCH 0214/1736] tests: update sbin.list --- apparmor.d/profiles-g-l/haveged | 2 +- tests/sbin.list | 43 ++++++++++++++++++++++++++++++--- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 910e9a2f09..5773a73fb6 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -9,7 +9,7 @@ abi , include -@{exec_path} = @{bin}/haveged +@{exec_path} = @{sbin}/haveged profile haveged @{exec_path} { include diff --git a/tests/sbin.list b/tests/sbin.list index a17f154489..1adc90ee8c 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1,3 +1,5 @@ +a2enmod +a2query aa-audit aa-autodep aa-cleanprof @@ -32,6 +34,7 @@ alsabat-test alsactl anacron apache2 +apache2ctl apparmor_parser apparmor_status applygnupgdefaults @@ -65,7 +68,6 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode -biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -103,6 +105,7 @@ cfdisk cgdisk chat chcpu +check_forensic check_mail_queue check-bios-nx checkproc @@ -164,7 +167,6 @@ dmevent_tool dmeventd dmfilemapd dmidecode -dmidecode dmraid dmsetup dnsmasq @@ -191,6 +193,8 @@ ec_access efibootdump efibootmgr enforce +ephemeral-disk-warning +escapesrc ethtool eventlogadm execsnoop-bpfcc @@ -264,8 +268,12 @@ g13-syshelp gdisk gdm gdm3 +genccode +gencmn genl +gennorm2 genprof +gensprep getcap gethostlatency-bpfcc gethostlatency.bt @@ -304,10 +312,19 @@ grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc +haveged hdparm +httxt2dbm +hv_fcopy_daemon +hv_get_dhcp_info +hv_get_dns_info +hv_kvp_daemon +hv_set_ifconfig +hv_vss_daemon hwclock hwinfo iconvconfig +icupkg ifconfig ifrename ifstat @@ -321,6 +338,7 @@ installkernel integritysetup invoke-rc.d ip6tables-legacy-batch +ipmaddr ipp-usb ippevepcl ippeveprinter @@ -328,6 +346,7 @@ ippeveps ipset iptables-apply iptables-legacy-batch +iptunnel irqbalance irqbalance-ui isadump @@ -392,6 +411,7 @@ lpadmin lpc lpinfo lpmove +lsvmbus luksformat lvm lvm_import_vdo @@ -410,6 +430,7 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc +mii-tool mk_isdnhwdb mkdict mkdosfs @@ -453,7 +474,9 @@ mpathpersist multipath multipathc multipathd +mysqld mysqld_qslower-bpfcc +nameif naptime.bt needrestart netqtop-bpfcc @@ -468,6 +491,7 @@ nfsiostat nfsslower-bpfcc nfsstat nft +nginx nmbd nodegc-bpfcc nodestat-bpfcc @@ -480,6 +504,7 @@ ntfscp ntfslabel ntfsresize ntfsundelete +nvme offcputime-bpfcc offwaketime-bpfcc on_ac_power @@ -491,7 +516,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -510,12 +534,17 @@ pdata_tools perlcalls-bpfcc perlflow-bpfcc perlstat-bpfcc +pg_updatedicts +php-fpm8.3 phpcalls-bpfcc +phpenmod phpflow-bpfcc +phpquery phpstat-bpfcc pidpersec-bpfcc pidpersec.bt pivot_root +plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -552,6 +581,7 @@ pythonstat-bpfcc qemu-ga qmqp-source qshape +rarp rcfirewalld rcopenvpn rcpcscd @@ -632,6 +662,7 @@ showmount skdump sktest slabratetop-bpfcc +slattach sm-notify smart_agetty smartctl @@ -646,6 +677,7 @@ sofdsnoop-bpfcc softirqs-bpfcc solisten-bpfcc spice-vdagentd +split-logfile ss sshd sshd-gen-keys-start @@ -754,6 +786,7 @@ update-inetd update-info-dir update-initramfs update-java-alternatives +update-language update-locale update-mime update-passwd @@ -762,6 +795,9 @@ update-rc.d update-secureboot-policy update-shells update-smart-drivedb +update-texmf +update-texmf-config +update-tl-stacked-conffile update-xmlcatalog upgrade-from-grub-legacy usb_modeswitch @@ -793,7 +829,6 @@ visudo vmcore-dmesg vncsession vpddecode -vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc From e3bd48bd758601e17cef0d6825268e4cad55ead8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:55:17 +0200 Subject: [PATCH 0215/1736] build: justfile: add group. --- Justfile | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 825097a1b6..4021b0e5a8 100644 --- a/Justfile +++ b/Justfile @@ -64,24 +64,34 @@ help: @just --list --unsorted @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." +[group('build')] [doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +[group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild +[group('build')] [doc('Prebuild the profiles in complain mode')] complain: build @./{{build}}/prebuild --complain +[group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build + @./{{build}}/prebuild --full + +[group('build')] +[doc('Prebuild the profiles in FSP mode (complain)')] +fsp-complain: build @./{{build}}/prebuild --complain --full -[doc('Install the profiles')] +[group('build')] +[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -108,26 +118,31 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +[group('packages')] [doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +[group('packages')] [doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +[group('packages')] [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +[group('tests')] [doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +[group('linter')] [doc('Run the linters')] lint: golangci-lint run @@ -138,18 +153,22 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +[group('linter')] [doc('Run style checks on the profiles')] check: @bash tests/check.sh +[group('docs')] [doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +[group('docs')] [doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +[group('docs')] [doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve @@ -160,6 +179,7 @@ clean: debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +[group('packages')] [doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash @@ -175,6 +195,7 @@ package dist: fi bash dists/docker.sh $dist $version +[group('vm')] [doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} @@ -192,6 +213,7 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +[group('vm')] [doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @@ -211,33 +233,40 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +[group('vm')] [doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +[group('vm')] [doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] [doc('List the machines')] list: @echo -e '\033[1m Id Distribution Flavor State\033[0m' @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +[group('vm')] [doc('List the VM images')] images: #!/usr/bin/env bash @@ -254,6 +283,7 @@ images: } ' +[group('vm')] [doc('List the VM images that can be created')] available: #!/usr/bin/env bash @@ -270,6 +300,8 @@ available: } ' + +[group('tests')] [doc('Run the integration tests on the machine')] integration dist flavor: @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ @@ -280,12 +312,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ - +[group('internal')] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' +[group('internal')] get_osinfo dist: #!/usr/bin/env python3 osinfo = { From 3291d9a370f5972f67ba5d524f90312f7fbd49eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:56:18 +0200 Subject: [PATCH 0216/1736] fix: use mappings/sudo in su. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index c4e83ddfa6..866da3d6a4 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,7 +12,7 @@ profile su @{exec_path} { include include include - include #aa:only RBAC + include #aa:only RBAC capability chown, # pseudo-terminal From cdd45bcd608545b4d84ca7826c5cf69e73883b39 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 11 Jun 2025 17:53:27 +0200 Subject: [PATCH 0217/1736] add xkeyboard-config-2 ressources --- apparmor.d/abstractions/desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e5339927..e44377ea39 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -77,6 +77,7 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/xkeyboard-config-2/{,**} r, include if exists From c947fe6c6cb2a9cf4102f9f951d875c0af33039c Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 10:48:53 +0200 Subject: [PATCH 0218/1736] complete xkeyboard-config-2 permissions --- apparmor.d/abstractions/X-strict | 1 + apparmor.d/abstractions/desktop | 1 - apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 1 + 4 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index d3e2cef4f3..9330d2223f 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -12,6 +12,7 @@ /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions + /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index e44377ea39..73e5339927 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -77,7 +77,6 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/xkeyboard-config-2/{,**} r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 3befcd92a9..75d382c408 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -23,6 +23,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/.#locale.conf@{hex16} rw, /etc/.#vconsole.conf* rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index d5762a84ea..64c83f5c88 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -45,6 +45,7 @@ profile software-properties-gtk @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, From 5216cbdcdefc716848bbf762ea5de92a41c52ce2 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 10:54:00 +0200 Subject: [PATCH 0219/1736] add more xkeyboard-config-2 ressources --- apparmor.d/abstractions/desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e5339927..f53627fcc1 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -27,6 +27,7 @@ /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, From 1f7e019500a87027fd03f89e148e52b71946e4c0 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 16:23:05 +0200 Subject: [PATCH 0220/1736] clean desktop abstraction --- apparmor.d/abstractions/desktop | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index f53627fcc1..73e5339927 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -27,7 +27,6 @@ /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, From 8118bf3d23052e3319c73c29f36e376212ccb8b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 21:48:07 +0200 Subject: [PATCH 0221/1736] fix: pinentry gtk need access to its cmdline. fix #768 --- apparmor.d/profiles-m-r/pinentry-gtk | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index a0244956d3..d07a64a5ae 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -11,16 +11,12 @@ include profile pinentry-gtk @{exec_path} { include include - include - include include - include + include @{exec_path} mr, - /usr/share/gtk-@{int}.@{int}/{,**} r, - - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + @{PROC}/@{pid}/cmdline r, owner /dev/tty@{int} r, From 4cb6de3d2d440f08766a0dc1aa23df220a913418 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 21:50:22 +0200 Subject: [PATCH 0222/1736] fix(profile): ufw: allow kmod. fix #765 --- apparmor.d/groups/firewall/ufw | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index b7f1336413..3b931fb2b5 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -32,11 +32,13 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{python_path} rix, @{bin}/ r, @{bin}/cat rix, + @{bin}/echo rix, @{bin}/env r, + @{bin}/kmod rCx -> kmod, + @{lib}/ufw/ufw-init rix, @{sbin}/sysctl rix, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, - @{lib}/ufw/ufw-init rix, /etc/default/ufw rw, /etc/ufw/ rw, @@ -56,6 +58,18 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/kernel/modprobe r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + include if exists } From d3aa4ae4a12c6a1be645282aacf829be39f8e564 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:01:08 +0200 Subject: [PATCH 0223/1736] fix(abs): ensure generic app can run widevine. fix #764 --- apparmor.d/abstractions/common/app | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 99da315908..efb3c838bc 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -54,7 +54,7 @@ @{MOUNTS}/** rwl, owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwlk -> @{HOME}/**, + owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, @@ -122,6 +122,7 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, From 110f4ea40e7d806790952b2a7451a14f1e70e734 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:01:40 +0200 Subject: [PATCH 0224/1736] feat(abs): mesa: add /var/cache as fallback location. --- apparmor.d/abstractions/mesa.d/complete | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index a191663674..1d718c0b19 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -2,6 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Fallback location when @{user_cache_dirs} is not available + /var/cache/mesa_shader_cache_db/ rw, + /var/cache/mesa_shader_cache_db/index rw, + /var/cache/mesa_shader_cache_db/marker rw, + /var/cache/mesa_shader_cache_db/part@{int}/ rw, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + /var/cache/mesa_shader_cache/ rw, + /var/cache/mesa_shader_cache/@{hex2}/ rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + /var/cache/mesa_shader_cache/index rw, + /var/cache/mesa_shader_cache/marker rw, + # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, From 2941334b7ccca275cd7dbd409709d452069bd19f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:04:55 +0200 Subject: [PATCH 0225/1736] fix(profile): brave flag & stacked helper. fix #763 --- apparmor.d/groups/browsers/brave | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index cc3d18b58e..0decb0d4b4 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,11 +14,13 @@ include @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} { +profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave-crashpad-handler), + unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + + signal receive peer=brave//&brave-crashpad-handler, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 From 07007f93c4a5a81de933485a931db7377440f949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:06:55 +0200 Subject: [PATCH 0226/1736] fix(fsp): ignore not yet used mappings. --- apparmor.d/groups/utils/chfn | 1 - apparmor.d/groups/utils/chsh | 1 - 2 files changed, 2 deletions(-) diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 824d92bf46..45b50c7adc 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn @@ -15,7 +15,6 @@ profile chfn @{exec_path} { include include include - include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index a630a77339..e3581be31a 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,7 +15,6 @@ profile chsh @{exec_path} { include include include - include #aa:only RBAC capability audit_write, capability chown, From 5ae1cc854da90f275ea6144d60a587e98bec461b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:20:13 +0200 Subject: [PATCH 0227/1736] fix(profile): pacman: add integration witn limine. fix #756 --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 14753416f5..e72c626671 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -81,6 +81,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/killall rix, @{sbin}/ldconfig rix, @{sbin}/locale-gen rPx, + @{bin}/limine-install rPUx, @{bin}/mkinitcpio rPx, @{sbin}/needrestart rPx, @{bin}/pacdiff rPx, From b88cf164ec5c3b8764068911f93cb240c7c19620 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:38:37 +0200 Subject: [PATCH 0228/1736] feat(profile): gnome-shell: allow some basic tools needed by some extensions. fix #705 --- apparmor.d/groups/gnome/gnome-shell | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1099f254d7..b97d6d5680 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -170,6 +170,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/gjs-console rPx, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, + @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @@ -386,8 +387,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} mr, - @{bin}/pmap rix, - @{bin}/grep rix, + @{bin}/cat rix, + @{bin}/grep rix, + @{bin}/kmod rPx -> gnome-shell//lsmod, + @{bin}/pmap rix, @{sys}/devices/system/node/ r, @@ -400,6 +403,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile lsmod flags=(attach_disconnected,mediate_deleted) { + include + include + + @{sys}/module/{,**} r, + + include if exists + } + profile pkexec { include include From 8fa7c49a6512c3e3a3b6171f64159273e894f9b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:42:11 +0200 Subject: [PATCH 0229/1736] feat(profile): add firefox crashhelper --- apparmor.d/abstractions/app/firefox | 1 + .../groups/browsers/firefox-crashhelper | 26 +++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 apparmor.d/groups/browsers/firefox-crashhelper diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 73cb820709..1ea0c3b862 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,6 +58,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, + @{lib_dirs}/crashhelper rPx, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper new file mode 100644 index 0000000000..55443a3303 --- /dev/null +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ + +@{exec_path} = @{lib_dirs}/crashhelper +profile firefox-crashhelper @{exec_path} { + include + + @{exec_path} mr, + + owner "@{config_dirs}/firefox/Crash Reports/" rw, + owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + + include if exists +} + +# vim:syntax=apparmor From 011de3c301600addf6cc9ab763f61b378302c0f8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:48:16 +0200 Subject: [PATCH 0230/1736] feat(profile): flatpak: ensure remote can be added/removed. see #690 --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-system-helper | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 52e9e32ef2..c34ae962f8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -96,6 +96,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{tmp}/#@{int} rw, owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, + owner @{tmp}/remote-summary-sig.@{rand6} rw, + owner @{tmp}/remote-summary.@{rand6} rw, owner /dev/shm/flatpak*/{,**} rw, @{run}/.userns r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index dfaa920aca..1381a1483d 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -40,7 +40,7 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/flatpak/remotes.d/ r, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, /usr/share/mime/mime.cache r, @@ -51,8 +51,8 @@ profile flatpak-system-helper @{exec_path} { owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - /tmp/remote-summary-sig.@{rand6} r, - /tmp/remote-summary.@{rand6} r, + @{tmp}/remote-summary-sig.@{rand6} r, + @{tmp}/remote-summary.@{rand6} r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, From 34f9a53a3bb8e4ab7a20127631765960ef012f29 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:53:36 +0200 Subject: [PATCH 0231/1736] ci: start dropping ci tests on ubuntu 22.04. --- .github/workflows/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4baa4a7761..cac8fce430 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,8 +23,6 @@ jobs: mode: default - os: ubuntu-24.04 mode: full-system-policy - - os: ubuntu-22.04 - mode: default steps: - name: Check out repository code uses: actions/checkout@v4 From eeebcf91f3b374d2ac83fd40b9c5e7d2bace1cdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:05:50 +0200 Subject: [PATCH 0232/1736] feat(abs): add base-strict. For now, it is only a restructuring of the base abstraction with awareness of the apparmor.d architecture. --- apparmor.d/abstractions/base-strict | 131 ++++++++++++++++++++++ apparmor.d/abstractions/crypto.d/complete | 8 ++ apparmor.d/abstractions/glibc | 41 +++++++ apparmor.d/abstractions/ld | 23 ++++ apparmor.d/abstractions/locale | 26 +++++ 5 files changed, 229 insertions(+) create mode 100644 apparmor.d/abstractions/base-strict create mode 100644 apparmor.d/abstractions/glibc create mode 100644 apparmor.d/abstractions/ld create mode 100644 apparmor.d/abstractions/locale diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict new file mode 100644 index 0000000000..0f4382bfed --- /dev/null +++ b/apparmor.d/abstractions/base-strict @@ -0,0 +1,131 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the base abstraction in + # profiles when the re-attached mode is enabled. + + # For now, it is only a restructuring of the base abstraction with awareness + # of the apparmor.d architecture. + + abi , + + include + include + include + include + + # Allow us to signal ourselves + signal peer=@{profile_name}, + + # Checking for PID existence is quite common so add it by default for now + signal (receive, send) set=exists, + + #aa:exclude RBAC + # Allow unconfined processes to send us signals by default + signal receive peer=unconfined, + + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + + # Htop like programs can send any signal to any process + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, + + # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd + signal receive peer=su, + signal receive peer=sudo, + signal receive set=(cont,term,kill,stop) peer=gnome-shell, + signal receive set=(cont,term,kill,stop) peer=login, + signal receive set=(cont,term,kill,stop) peer=openbox, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(cont,term,kill,stop) peer=xinit, + + # Allow other processes to read our /proc entries, futexes, perf tracing and + # kcmp for now (they will need 'read' in the first place). Administrators can + # override with: + # deny ptrace readby ... + ptrace readby, + + # Allow other processes to trace us by default (they will need 'trace' in + # the first place). Administrators can override with: + # deny ptrace tracedby ... + ptrace tracedby, + + # Allow us to ptrace read ourselves + ptrace read peer=@{profile_name}, + + # Allow us to create and use abstract and anonymous sockets + unix peer=(label=@{profile_name}), + + # Allow unconfined processes to us via unix sockets + unix receive peer=(label=unconfined), + + # Allow communication to children profiles + signal peer=@{profile_name}//*, + unix type=stream peer=(label=@{profile_name}//*), + + # Allow us to create abstract and anonymous sockets + unix create, + + # Allow us to getattr, getopt, setop and shutdown on unix sockets + unix (getattr, getopt, setopt, shutdown), + + # Allow all programs to use common libraries + @{lib}/** r, + @{lib}/**.so* m, + @{lib}/@{multiarch}/**.so* m, + @{lib}/@{multiarch}/** r, + + # Some applications will display license information + /usr/share/common-licenses/** r, + + # Allow access to the uuidd daemon (this daemon is a thin wrapper around + # time and getrandom()/{,u}random and, when available, runs under an + # unprivilged, dedicated user). + @{run}/uuidd/request r, + + # Transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + # Systemd's equivalent of /dev/log + @{run}/systemd/journal/dev-log w, + + # Systemd native journal API (see sd_journal_print(4)) + @{run}/systemd/journal/socket w, + + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. + @{run}/systemd/journal/stdout rw, + + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + + # Controls how core dump files are named + @{PROC}/sys/kernel/core_pattern r, + + # Sometimes used to determine kernel/user interfaces to use + @{PROC}/sys/kernel/version r, + + # Harmless and frequently used + /dev/null rw, + /dev/random r, + /dev/urandom r, + /dev/zero rw, + + # The __canary_death_handler function writes a time-stamped log + # message to /dev/log for logging by syslogd. So, /dev/log, timezones, + # and localisations of date should be available EVERYWHERE, so + # StackGuard, FormatGuard, etc., alerts can be properly logged. + /dev/log w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index a163af66d8..8fb84d2611 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,7 +4,15 @@ include + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + @{lib}/.lib*.so*.hmac r, + @{lib}/@{multiarch}/.lib*.so*.hmac r, + @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + # Used to determine if Linux is running in FIPS mode + @{PROC}/sys/crypto/fips_enabled r, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc new file mode 100644 index 0000000000..aa6e14416e --- /dev/null +++ b/apparmor.d/abstractions/glibc @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Used by Glibc when binding to ephemeral ports + @{etc_ro}/bindresvport.blacklist r, + + # Depending on which Glibc routine uses this file, base may not be the + # best place -- but many profiles require it, and it is quite harmless. + @{PROC}/sys/kernel/ngroups_max r, + + # Glibc's sysconf(3) routine to determine free memory, etc + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, + @{PROC}/cpuinfo r, + @{PROC}/meminfo r, + @{PROC}/stat r, + + # Glibc's *printf protections read the maps file + @{PROC}/@{pid}/auxv r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/status r, + + # Glibc statvfs + @{PROC}/filesystems r, + + # Glibc malloc (man 5 proc) + @{PROC}/sys/vm/overcommit_memory r, + + # Recent glibc uses /dev/full in preference to /dev/null for programs + # that don't have open fds at exec() + /dev/full rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld new file mode 100644 index 0000000000..21ac745e27 --- /dev/null +++ b/apparmor.d/abstractions/ld @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # ld.so.cache and ld are used to load shared libraries. + # As such, they can be used everywhere + + abi , + + /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, + + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/ r, + @{etc_ro}/ld.so.conf.d/*.conf r, + @{etc_ro}/ld.so.preload r, + @{etc_ro}/ld-musl-*.path r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale new file mode 100644 index 0000000000..873c303f50 --- /dev/null +++ b/apparmor.d/abstractions/locale @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{etc_ro}/locale.alias r, + @{etc_ro}/locale.conf r, + @{etc_ro}/locale/** r, + @{etc_ro}/localtime r, + @{etc_rw}/localtime r, + + /usr/share/**/locale/** r, + /usr/share/locale-bundle/** r, + /usr/share/locale-langpack/** r, + /usr/share/locale/ r, + /usr/share/locale/** r, + /usr/share/X11/locale/** r, + /usr/share/zoneinfo{,-icu}/ r, + /usr/share/zoneinfo{,-icu}/** r, + + include if exists + +# vim:syntax=apparmor From 7dd860f2770ea0f7668e891ac7c59e2dc4808cee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:15:07 +0200 Subject: [PATCH 0233/1736] feat(profile): minor update & cosmetic. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/abstractions/common/game | 4 ++-- apparmor.d/groups/apparmor/aa-log | 2 -- apparmor.d/groups/apparmor/aa-status | 4 ++-- apparmor.d/groups/bluetooth/bluetoothd | 3 ++- apparmor.d/groups/bluetooth/obexd | 2 ++ apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- .../groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/kde/ksmserver-logout-greeter | 1 - apparmor.d/groups/ssh/sshd | 8 +++++--- .../systemd-generators/systemd-generator-ssh | 4 ++++ .../systemd-generators/systemd-generator-tpm2 | 1 + apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/utils/lspci | 4 ---- apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-g-l/haveged | 7 +++---- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-m-r/mandb | 8 ++++---- apparmor.d/profiles-m-r/mimetype | 1 - apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 3 ++- apparmor.d/profiles-m-r/pcscd | 14 +++++++------- 25 files changed, 47 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1ea0c3b862..d988f608cd 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -26,7 +26,7 @@ include include include - include + include include include include @@ -126,6 +126,8 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 3b4a982f1e..6b97b014c5 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -6,9 +6,9 @@ # wine, proton, game launchers should use this abstraction. # This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) +# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) abi , diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 03352e8bfd..1a3e0aeffe 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,8 +21,6 @@ profile aa-log @{exec_path} { /var/log/audit/* r, /var/log/syslog* r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/tty@{int} rw, profile journalctl { diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index 17de744396..9badb78c11 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -22,8 +22,8 @@ profile aa-status @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/ r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 8ca699aaf0..aa84eebd94 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -45,7 +45,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 5c1a7633e6..efb5f42e4a 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -31,6 +31,8 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, + @{run}/systemd/users/@{uid} r, + include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 25f8ecc7f2..fba734ad4f 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -71,8 +71,8 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/tasks/system/ w, - owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, + owner @{user_share_dirs}/evolution/memos/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 4063fc4733..40b8bc9b5f 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 56445aeac7..1b12a68cda 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,7 +45,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index db440bf4cd..f084e7b126 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -39,6 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index de86431002..87c3d4104b 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 01fe51783e..67e56c3c64 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, - owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index cc12a9eecf..a514e7c99c 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -29,8 +29,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, - capability dac_read_search, capability dac_override, + capability dac_read_search, capability fowner, capability kill, capability net_bind_service, @@ -50,9 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(hup) peer=@{p_systemd}, + unix type=stream peer=(label=sshd-session), + + signal receive set=hup peer=@{p_systemd}, - ptrace (read,trace) peer=@{p_systemd}, + ptrace (read trace) peer=@{p_systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh index efb56468ef..0f6aa11d9e 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -30,8 +30,12 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/firmware/dmi/entries/*/raw r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 index 4d601d0f93..ee5d924cc0 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -15,6 +15,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sys}/class/tpmrm/ r, + @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 75d382c408..104a141ce8 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -21,6 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /usr/share/kbd/keymaps/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index b390346bb2..0ae22a03af 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,12 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include - capability sys_admin, - @{exec_path} mr, - /app/lib/libzypak-preload-host*.so rm, - /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, /usr/share/misc/pci.ids.gz r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 5fb948234b..961b55c970 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -52,6 +52,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, /usr/share/mime/mime.cache r, + /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, /etc/lsb-release r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 5773a73fb6..527629202b 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -20,10 +20,9 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, - owner @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 3f31344001..dd653bd615 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 4826337d0a..cd825471dd 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} flags=(complain) { +profile mandb @{exec_path} { include include include @@ -20,9 +20,6 @@ profile mandb @{exec_path} flags=(complain) { /etc/man_db.conf r, /etc/manpath.config r, - /var/cache/man/ r, - /var/cache/man/** rwk, - /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, @@ -32,6 +29,9 @@ profile mandb @{exec_path} flags=(complain) { /usr/share/**/man/man@{u8}/*.@{int}.gz r, + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + owner @{user_share_dirs}/man/** rwk, include if exists diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index d6823da9ba..cf8431c7a0 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -13,7 +13,6 @@ profile mimetype @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /usr/share/mime/**.xml r, /usr/share/mime/globs r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 41fa96c4c0..9b3525fa58 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -13,7 +13,7 @@ profile needrestart-notify @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace read peer=unconfined, + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 90cc6a4ba5..947fb2f4ee 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -14,8 +14,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { @{exec_path} mrix, - @{bin}/md5sum ix, @{bin}/cp ix, + @{bin}/md5sum ix, + @{bin}/stty ix, /usr/share/pam{,-configs}/{,*} r, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 67e0ee74ea..d5bcc42931 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -16,13 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=@{p_systemd_user}, - ptrace (read) peer=gsd-smartcard, - ptrace (read) peer=keepassxc, - ptrace (read) peer=pkcs11-register, - ptrace (read) peer=rngd, - ptrace (read) peer=scdaemon, - ptrace (read) peer=veracrypt, + ptrace read peer=@{p_systemd_user}, + ptrace read peer=gsd-smartcard, + ptrace read peer=keepassxc, + ptrace read peer=pkcs11-register, + ptrace read peer=rngd, + ptrace read peer=scdaemon, + ptrace read peer=veracrypt, @{exec_path} mr, From 1118d2ffc5bdde1def44447be76715d55f10bd5a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:17:45 +0200 Subject: [PATCH 0234/1736] build: use the base-strict abstraction automatically. --- apparmor.d/abstractions/attached/base | 6 +++--- pkg/prebuild/builder/attach.go | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 4c35d915df..e394c5b99a 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,14 +8,14 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/stdout rw, - deny /apparmor/.null rw, - deny @{att}/apparmor/.null rw, + /apparmor/.null rw, + @{att}/apparmor/.null rw, include if exists diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index f7f0c9bed8..aeafcbf7d8 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -49,6 +49,10 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) } return strings.Replace(profile, origin, insert+origin, 1), nil From 390a8b1b011dbb335c1054ea5124a02423925da2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:20:03 +0200 Subject: [PATCH 0235/1736] build: add the fsp-debug build command. --- Justfile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 4021b0e5a8..109cfed3bd 100644 --- a/Justfile +++ b/Justfile @@ -90,6 +90,11 @@ fsp: build fsp-complain: build @./{{build}}/prebuild --complain --full +[group('build')] +[doc('Prebuild the profiles in FSP mode (debug)')] +fsp-debug: build + @./{{build}}/prebuild --complain --full --debug + [group('build')] [doc('Install prebuild profiles')] install: @@ -312,13 +317,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ -[group('internal')] +[private] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' -[group('internal')] +[private] get_osinfo dist: #!/usr/bin/env python3 osinfo = { From d01b7ce7d6e0a701e59c9eb3adf780cefb7935b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:42:30 +0200 Subject: [PATCH 0236/1736] chore: cleanup linter issue. --- apparmor.d/abstractions/base-strict | 2 +- pkg/aa/apparmor_test.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 0f4382bfed..818a4937f0 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -8,7 +8,7 @@ # Do not use it manually, It automatically replaces the base abstraction in # profiles when the re-attached mode is enabled. - # For now, it is only a restructuring of the base abstraction with awareness + # For now, it is only a restructuring of the base abstraction with awareness # of the apparmor.d architecture. abi , diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 71be0ba0a2..172cfc2b5f 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -223,11 +223,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"}, &Capability{Names: []string{"dac_read_search"}}, &File{Path: "@{exec_path}", Access: []string{"m", "r"}}, - &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}}, &File{Path: "@{PROC}/", Access: []string{"r"}}, &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}}, &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}}, - &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/consoles"}, &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/base"}, From fc45e5ee66b7b9b2c3d0c15fd095991b591a2313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:18:39 +0200 Subject: [PATCH 0237/1736] feat(fsp): add initial sd-umount. --- apparmor.d/groups/_full/sd-umount | 34 +++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-umount diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount new file mode 100644 index 0000000000..e5d67f0a95 --- /dev/null +++ b/apparmor.d/groups/_full/sd-umount @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-umount is a subprofile of sd responsible to handle unmounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-umount.d directory + +abi , + +include + +@{exec_path} = @{bin}/umount +profile sd-umount flags=(complain) { + include + + capability sys_admin, + + umount @{efi}, + + @{exec_path} mr, + + @{PROC}/@{pid}/mountinfo r, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 0478e62f56d238d82e873b4174645597249ade77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:19:43 +0200 Subject: [PATCH 0238/1736] feat(fsp): sd/sdu: improve integration with stacked profiles. --- apparmor.d/groups/_full/sd | 5 +++-- apparmor.d/groups/_full/sdu | 16 ++++++++++++++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 44b3a9b7d4..48172638e4 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -165,6 +165,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{lib}/{,**} r, @{sbin}/{,*} r, /usr/share/** r, + /etc/*/ w, /etc/** rk, /home/ r, @@ -181,8 +182,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, - @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, @{att}/@{run}/systemd/notify rw, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 411a8c3ad6..c9338fd22e 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -24,6 +24,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include network netlink raw, @@ -71,16 +72,27 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, - owner @{user_state_dirs}/wireplumber/ r, + owner @{user_state_dirs}/wireplumber/ rw, owner @{user_state_dirs}/wireplumber/stream-properties rw, owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{int} r, - @{run}/udev/data/c116:@{int} r, # for ALSA + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, + @{sys}/bus/media/devices/ r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, + @{sys}/devices/**/device:*/{,**/}path r, + @{sys}/devices/**/sound/**/pcm_class r, + @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/sound/seq/uevent r, From e7f25571d0865cd08bceac7c4e5bba845a8805a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:22:34 +0200 Subject: [PATCH 0239/1736] chore(profile): rename netplan.script to netplan. --- apparmor.d/groups/network/{netplan.script => netplan} | 8 ++++---- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- dists/flags/main.flags | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/groups/network/{netplan.script => netplan} (81%) diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan similarity index 81% rename from apparmor.d/groups/network/netplan.script rename to apparmor.d/groups/network/netplan index 094726865a..5855131a8b 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/netplan/netplan.script -profile netplan.script @{exec_path} flags=(attach_disconnected) { +profile netplan @{exec_path} flags=(attach_disconnected) { include include include @@ -33,7 +33,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - include if exists + include if exists } profile systemctl { @@ -42,10 +42,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, - include if exists + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 916279378e..840e33cdda 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -38,7 +38,7 @@ profile subiquity-console-conf @{exec_path} { @{sbin}/sshd rPx, @{bin}/snap rPUx, /usr/lib/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPUx, # TODO: rPx, + /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 77ea8761fa..71670d4d71 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -240,7 +240,7 @@ multipathd complain needrestart-hook complain needrestart-notify complain needrestart-restart complain -netplan.script attach_disconnected,complain +netplan attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain From 0e4cc45a5b19e7503f51914cda745da46732b449 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 20:03:53 +0200 Subject: [PATCH 0240/1736] tests: simplify sbin check. --- tests/check.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index add9b06853..b1783bf8ed 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -353,11 +353,9 @@ check_sbin() { for file in "${files[@]}"; do ( while read -r match; do - if [[ $match =~ (@\{sbin\}/($pattern)) ]]; then - name="${BASH_REMATCH[2]}" - if ! _in_array "$name" "${sbin[@]}"; then - _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" - fi + name="${match/\@\{sbin\}\//}" + if ! _in_array "$name" "${sbin[@]}"; then + _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & From d2dbf771cc7fb08235b8305afb967053c25a38cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:07:17 +0200 Subject: [PATCH 0241/1736] feat(profiles): ensure we use {,e}grep instead of grep. --- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/dpkg-script-apparmor | 2 +- apparmor.d/groups/browsers/torbrowser-launcher | 2 +- apparmor.d/groups/browsers/torbrowser-start | 2 +- apparmor.d/groups/cron/cron-ntp | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/filesystem/lvmpolld | 2 +- apparmor.d/groups/freedesktop/plymouth-set-default-theme | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/startplasma | 2 +- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/pacman/pacman-key | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- .../groups/systemd-generators/systemd-generator-ds-identify | 2 +- apparmor.d/groups/systemd-service/grub-common.service | 2 +- apparmor.d/groups/systemd/systemd-sleep-grub | 2 +- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/ubuntu/ubuntu-fan-net | 2 +- apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 +- apparmor.d/groups/whonix/anondate | 2 +- apparmor.d/groups/whonix/pam-info | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/groups/whonix/systemcheck-canary | 2 +- apparmor.d/groups/whonix/torbrowser-wrapper | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-a-f/ddcutil | 2 +- apparmor.d/profiles-a-f/finalrd | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/install-catalog | 2 +- apparmor.d/profiles-g-l/kdump-config | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 2 +- apparmor.d/profiles-g-l/language-validate | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-g-l/logrotate | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-s-z/secure-time-sync | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/syncoid | 2 +- apparmor.d/profiles-s-z/sysstat-sa | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- apparmor.d/profiles-s-z/ucfr | 2 +- apparmor.d/profiles-s-z/update-cracklib | 2 +- apparmor.d/profiles-s-z/veracrypt | 2 +- apparmor.d/profiles-s-z/whatis | 2 +- apparmor.d/profiles-s-z/zed | 2 +- 55 files changed, 55 insertions(+), 55 deletions(-) diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 08e1400b2d..bd2f7fbb05 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index e9a03f2823..122e4541e8 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -13,7 +13,7 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mrix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher index 0f6273107d..4969a14c3d 100644 --- a/apparmor.d/groups/browsers/torbrowser-launcher +++ b/apparmor.d/groups/browsers/torbrowser-launcher @@ -32,7 +32,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/sed ix, @{bin}/tail ix, diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start index 58bb31ac80..ce6a3678c2 100644 --- a/apparmor.d/groups/browsers/torbrowser-start +++ b/apparmor.d/groups/browsers/torbrowser-start @@ -22,7 +22,7 @@ profile torbrowser-start @{exec_path} { @{bin}/expr ix, @{bin}/file ix, @{bin}/getconf ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/ln ix, @{bin}/mkdir ix, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index 17ab7f7457..7221cc6e1b 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 63a6640961..fa6e9874f8 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 6eeeaa414a..b3658b7386 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -50,7 +50,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 052180a99c..d110fb83bb 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -25,7 +25,7 @@ profile xdm-xsession @{exec_path} { @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld index 4168ad4fec..cce01b0d03 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -13,7 +13,7 @@ profile lvmpolld @{exec_path} { include @{exec_path} rm, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index b9b2cfd458..da13572e53 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/plymouth rPx, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 2f9077d191..85b3268dd4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -67,7 +67,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{bin}/gcm-viewer rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/sed rix, @{bin}/tecla rPx, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index e0ff334db7..1f29958d1b 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -20,7 +20,7 @@ profile gnome-session @{exec_path} { @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b97d6d5680..e977af95eb 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -388,7 +388,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} mr, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kmod rPx -> gnome-shell//lsmod, @{bin}/pmap rix, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index ebb150ed25..45c3828554 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -24,7 +24,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sh_path} rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, @{bin}/uname rPx, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index b69d7fdb95..004b89d57c 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -21,7 +21,7 @@ profile startplasma @{exec_path} { @{sh_path} rix, @{bin}/env rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 87207e2b73..87a418153b 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -42,7 +42,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chronyc rPUx, @{bin}/date rix, @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index a7a7bf225d..df9af9fefd 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -30,7 +30,7 @@ profile aurpublish @{exec_path} { @{bin}/gettext rix, @{bin}/git rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 287bc026ab..025d87b296 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -22,7 +22,7 @@ profile pacman-key @{exec_path} { @{bin}/chmod rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ngettext rix, @{bin}/pacman-conf rPx, @{bin}/touch rix, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index c9f0c63733..86bd0866f1 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -15,7 +15,7 @@ profile ssh-agent-launch @{exec_path} { @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify index ba6141d863..daa877efe4 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify @@ -17,7 +17,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index 4abd74fb10..f8cf34f25c 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -14,7 +14,7 @@ profile grub-common.service { include @{sh_path} rix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/grub-editenv rix, @{bin}/mkdir ix, @{bin}/rm ix, diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub b/apparmor.d/groups/systemd/systemd-sleep-grub index b2b42bf44f..38be5772ff 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -14,7 +14,7 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 9fd065db32..a80a4f7293 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -16,7 +16,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 840e33cdda..dc67817ed4 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -24,7 +24,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net index f9d7c01f53..74fe835513 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -14,7 +14,7 @@ profile ubuntu-fan-net @{exec_path} { @{sh_path} mr, @{bin}/{m,g,}awk ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/networkctl Px, @{sbin}/fanctl Px, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 0573f38bfc..c244f2902d 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -18,7 +18,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index 27e4eb594d..325535ccea 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -19,7 +19,7 @@ profile anondate @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, @{bin}/systemd-cat rix, diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 1cc3e7668f..23ab3aeb4a 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -15,7 +15,7 @@ profile pam-info @{exec_path} { @{sh_path} rix, @{sbin}/faillock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/str_replace rix, @{bin}/wc rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index e76570b34e..10f30b50b6 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -20,7 +20,7 @@ profile rads @{exec_path} { @{bin}/chvt rix, @{bin}/free rix, @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index d34f8087ca..dbe561ab61 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 4130d9cd9d..17bedc43bc 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -14,7 +14,7 @@ profile systemcheck-canary @{exec_path} { @{exec_path} mr, @{bin}/sleep rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/whoami rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index fc20ad0fba..c86d91099c 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -20,7 +20,7 @@ profile torbrowser-wrapper @{exec_path} { @{bin}/basename ix, @{bin}/cp ix, @{bin}/dirname ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index d567822676..83806e753f 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -16,7 +16,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{sh_path} rix, @{sbin}/dmsetup rPUx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, @{sbin}/lvm rPx, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index c752dcbb86..7c353bf65f 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -21,7 +21,7 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, / r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index d8f2f819e9..b22730a279 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -24,7 +24,7 @@ profile finalrd @{exec_path} { @{bin}/dirname ix, @{bin}/env ix, @{bin}/find ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/ln ix, @{bin}/mkdir ix, @{bin}/mount ix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 795c92f002..779dd8e67e 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -17,7 +17,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, /usr/lib/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index b1a56c41d6..6a26d4dea3 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2b35162021..f8b75f7427 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -25,7 +25,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{bin}/file ix, @{bin}/find ix, @{bin}/flock ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index aeac3e6a11..056b2d83c1 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -25,7 +25,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/landscape-sysinfo rPx, / r, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index bf999b79ee..80f914fabf 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -15,7 +15,7 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, /usr/share/locale-langpack/{,*} r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 191ac5782d..8cc8a65e14 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -43,7 +43,7 @@ profile libreoffice @{exec_path} { @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 8d3dc21718..0dee9ed6a0 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -30,7 +30,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{sbin}/invoke-rc.d rix, @{bin}/kill rix, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index cd2ddc0e68..0131431522 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -19,7 +19,7 @@ profile modprobed-db @{exec_path} { @{bin}/cut rix, @{bin}/gawk rix, @{bin}/getent rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logname rix, @{bin}/md5sum rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index e5ee2fd8f4..4474c1bfc8 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -15,7 +15,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{sh_path} rix, @{bin}/bzip2 rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/lzop rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 5ae5df7e61..d13099bc3a 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -24,7 +24,7 @@ profile pass @{exec_path} { @{bin}/env r, @{bin}/find ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/head ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 51016373d9..9c3f6d9df7 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 1a0bd0ea92..dfd488a484 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -28,7 +28,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 821a3fd638..e275fb764c 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa index 37f5e3ca12..9dcc199bcf 100644 --- a/apparmor.d/profiles-s-z/sysstat-sa +++ b/apparmor.d/profiles-s-z/sysstat-sa @@ -17,7 +17,7 @@ profile sysstat-sa @{exec_path} { @{sh_path} rix, @{bin}/date ix, @{bin}/find ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/rm ix, @{bin}/sar.sysstat ix, @{bin}/xargs ix, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index c01edd9ec7..9faea6e3e6 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -32,7 +32,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/cp rix, @{sbin}/ethtool rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{sbin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index b38f8aae42..add5c5b646 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -16,7 +16,7 @@ profile ucfr @{exec_path} { @{bin}/basename ix, @{bin}/{m,g,}awk ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/readlink ix, @{bin}/sed ix, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index b7f00b263c..8f848b0ada 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -21,7 +21,7 @@ profile update-cracklib @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 1e5417b15c..b9b92a7219 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -30,7 +30,7 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, @{sbin}/dmsetup rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kmod rix, @{sbin}/ldconfig rix, @{sbin}/losetup rCx -> losetup, diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index 43fa8ff095..3febd0b0bd 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -13,7 +13,7 @@ profile whatis @{exec_path} { include @{exec_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /usr/{,**/}man/{,**/}{,whatis} r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index bb160a5e55..b131897d49 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -23,7 +23,7 @@ profile zed @{exec_path} { @{bin}/diff rix, @{bin}/expr rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/hostname rix, @{bin}/logger rix, @{bin}/ls rix, From be62e5186f739b2316fc8ac2c22c3a5be37ad163 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:16:16 +0200 Subject: [PATCH 0242/1736] feat(profiles): ensure we use which{,.debianutils} instead of which. --- apparmor.d/abstractions/app/editor | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +- apparmor.d/groups/browsers/brave-wrapper | 2 +- apparmor.d/groups/browsers/chrome-wrapper | 2 +- apparmor.d/groups/browsers/msedge-wrapper | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 3 +-- apparmor.d/groups/cron/cron-aptitude | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/display-manager/x11-xsession | 2 +- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/openvpn | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/profiles-a-f/anyremote | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-g-l/ganyremote | 2 +- apparmor.d/profiles-g-l/gsmartcontrol-root | 2 +- apparmor.d/profiles-g-l/kanyremote | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/mumble-overlay | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pokemmo | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/update-pciids | 2 +- apparmor.d/profiles-s-z/uupdate | 2 +- apparmor.d/profiles-s-z/xinit | 2 +- 35 files changed, 35 insertions(+), 36 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index f62e363393..2bd14077b7 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -13,7 +13,7 @@ @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index bd2f7fbb05..4f0d4e36b2 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index 59f7a54f6a..a2f5e2050c 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index 7001da3fef..b4f70689c8 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -23,7 +23,7 @@ profile brave-wrapper @{exec_path} { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/brave rPx, diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 0a97d4052e..709eb79a13 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -22,7 +22,7 @@ profile chrome-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/chrome rPx, diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 3da31e332a..8268db2e1d 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -22,7 +22,7 @@ profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/msedge rPx, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 1778d4b7e6..fcf5e44309 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -22,7 +22,7 @@ profile cron-apt-compat @{exec_path} { @{bin}/dd rix, @{bin}/cksum rix, @{bin}/cut rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/sleep rix, include if exists diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 83eb224288..15f93efecc 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,9 +14,8 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, - @{bin}/nice rix, @{bin}/ionice rix, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index a471b28449..82b33e8ab6 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index ec96909388..f91956bcd0 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 0604eba3a4..7f52d1a14a 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index fa6e9874f8..44d3a546f7 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 4eb916aabf..361a30b268 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 9804ddcb02..03e77816c0 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -35,7 +35,7 @@ profile gdm-xsession @{exec_path} { @{bin}/tr rix, @{bin}/truncate rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee955..f27f3dc3c0 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -40,7 +40,7 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.*} rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 6431ee98a4..a6ff1a9398 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -84,7 +84,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, @{bin}/ip rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e72c626671..e9f3bf807a 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -101,7 +101,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{sbin}/update-grub rPx, @{bin}/update-mime-database rPx, @{bin}/vercmp rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index bb5cd329ca..5a4e130a0d 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -52,7 +52,7 @@ profile apport-gtk @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 6af2cd38d7..43ecdb0cd0 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 43edd32333..a10df83949 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -20,7 +20,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { @{bin}/gzip rix, @{bin}/precat rix, @{bin}/prezip-bin rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zcat rix, @{bin}/dpkg-trigger rPx, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index bb7dfd3b88..263bb5794e 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,7 +24,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index b2dc7b92d4..727bf8cdf8 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 515d2234c9..4fdb1084b3 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 10e0857993..91eb37c581 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 133cf8ae7d..6bc2c89619 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -33,7 +33,7 @@ profile kernel @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index c077f38369..86792860c8 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index e4e8a36e20..8992907929 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 162c0b7432..da853aa9a5 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -51,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index d13099bc3a..096f0316aa 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index 111b157c5a..324b08f17f 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -37,7 +37,7 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) { @{bin}/java ix, @{bin}/perl ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{lib}/jvm/java-@{int}-openjdk/bin/java ix, # Installer diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ee7adab753..45c6766e36 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -72,7 +72,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{bin}/tail rix, @{bin}/tree rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 0a7b992b62..3c3374d851 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -33,7 +33,7 @@ profile ucf @{exec_path} { @{bin}/seq rix, @{bin}/stat rix, @{bin}/tr rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dpkg-query rpx, @{bin}/dpkg-divert rPx, diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index bba603690c..901dae9a0a 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index eb26a49672..88a6cd4065 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 61151a7db3..9abc02350a 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -35,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, From 27907e5a17e3720e6b369ea62256eb7d36551b92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:27:34 +0200 Subject: [PATCH 0243/1736] feat(profiles): ensure we use {m,g,}awk instead of awk. --- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/profiles-g-l/kernel-postinst-kdump | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/tomb | 3 +-- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 87a418153b..029a5e39a0 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -41,7 +41,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chown rix, @{bin}/chronyc rPUx, @{bin}/date rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/{,e}grep rix, @{bin}/id rix, @{sbin}/invoke-rc.d rCx -> invoke-rc, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index 10f30b50b6..8bdeb2c138 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -19,7 +19,7 @@ profile rads @{exec_path} { @{bin}/cat rix, @{bin}/chvt rix, @{bin}/free rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 91af3a8421..e1358ec29a 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -14,7 +14,7 @@ profile kernel-postinst-kdump @{exec_path} { @{bin}/du rix, @{bin}/find rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sync rix, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 0131431522..90bf73cf34 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -17,7 +17,7 @@ profile modprobed-db @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/cut rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/getent rix, @{bin}/{,e}grep rix, @{bin}/logname rix, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 508ac6effd..93e29bcfa5 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -27,7 +27,7 @@ profile tomb @{exec_path} { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/awk rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chmod rix, @@ -41,7 +41,6 @@ profile tomb @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/findmnt rix, - @{bin}/gawk rix, @{bin}/getent rix, @{bin}/gettext rix, @{bin}/hostname rix, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index e23d4db43e..b7ad3a2e88 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -31,7 +31,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{lib_dirs}/crashpad_handler ix, @{bin}/mkdir ix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/lsblk rPx, @{bin}/ip rix, @{bin}/xdg-user-dir rix, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 023644eb0b..55155f2b88 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -36,7 +36,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/wechat-appimage.AppImage ix, /tmp/.mount_wechat??????/AppRun ix, @{bin}/mkdir ix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/lsblk rPx, @{bin}/ip rix, @{bin}/xdg-user-dir rix, From 033a7475e08db25afacdeca23f8aab1786d7d70a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:35:13 +0200 Subject: [PATCH 0244/1736] tests: enforce equivalent tests. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index b1783bf8ed..801e811149 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -134,6 +134,7 @@ _check_directory_mark() { declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" + ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" ["which"]="which{,.debianutils}" ) @@ -371,7 +372,10 @@ check_profiles() { -prune -o -type f -print ) jobs=0 - WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + WITH_CHECK=( + equivalent + abi include profile header tabs trailing indentation subprofiles vim + ) for file in "${files[@]}"; do ( name="$(basename "$file")" @@ -388,7 +392,10 @@ check_abstractions() { _msg "Checking abstractions" mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") jobs=0 - WITH_CHECK=(abi include header tabs trailing indentation vim) + WITH_CHECK=( + equivalent + abi include header tabs trailing indentation vim + ) for file in "${files[@]}"; do ( name="$(basename "$file")" @@ -406,7 +413,10 @@ check_abstractions() { ) # shellcheck disable=SC2034 jobs=0 - WITH_CHECK=(header tabs trailing indentation vim) + WITH_CHECK=( + equivalent + header tabs trailing indentation vim + ) for file in "${files[@]}"; do _check "$file" & _wait jobs From f29041576e234e3d4873da2434d4fd3298c2b01d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:55:20 +0200 Subject: [PATCH 0245/1736] feat(profile): move away from old or too wide abstractions. --- .../groups/browsers/opera-crashreporter | 2 +- apparmor.d/groups/filesystem/udiskie | 10 ++--- apparmor.d/groups/hyprland/hyprpm | 1 - apparmor.d/groups/network/nm-dhcp-helper | 2 +- apparmor.d/groups/usb/usbguard-applet-qt | 18 +++----- apparmor.d/groups/virt/libvirtd | 3 +- apparmor.d/profiles-a-f/atftpd | 8 +++- apparmor.d/profiles-a-f/dhclient-script | 8 +++- apparmor.d/profiles-a-f/dumpcap | 8 ++-- apparmor.d/profiles-a-f/ffplay | 3 +- apparmor.d/profiles-a-f/fritzing | 44 ++++++++----------- apparmor.d/profiles-g-l/light-locker | 12 ++--- apparmor.d/profiles-m-r/mkvtoolnix-gui | 10 ++--- apparmor.d/profiles-m-r/netstat | 8 +++- apparmor.d/profiles-m-r/pcb-gtk | 8 +--- apparmor.d/profiles-s-z/sing-box | 1 - apparmor.d/profiles-s-z/tftp | 8 +++- apparmor.d/profiles-s-z/vsftpd | 8 +++- apparmor.d/profiles-s-z/youtube-dl | 4 +- 19 files changed, 82 insertions(+), 84 deletions(-) diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 01661215a8..eb67ede59a 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/groups/filesystem/udiskie index a6a2e2ad38..53b726c23b 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -11,16 +11,12 @@ include profile udiskie @{exec_path} { include include - include - include + include include - include - include + include include - include include - include - include + include @{exec_path} r, @{python_path} r, diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 3a58788083..149128b1e9 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -11,7 +11,6 @@ profile hyprpm @{exec_path} { include include include - include network inet dgram, network inet stream, diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 5e93bdbf5e..3e232154e9 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/usb/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt index a76398dd93..558b9093c3 100644 --- a/apparmor.d/groups/usb/usbguard-applet-qt +++ b/apparmor.d/groups/usb/usbguard-applet-qt @@ -10,22 +10,21 @@ include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include - include + include + include include - include include - include - include - include include + include # Needed? ptrace (read), @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, @@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 4d730602da..844af4443d 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -17,8 +17,9 @@ include @{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include + include include - include include include include diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index dc7f2bf366..2444bd128d 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include @@ -18,6 +18,12 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 9a7e77902a..3967512b89 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -10,13 +10,19 @@ include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, @{sh_path} mrix, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index 634aebd02a..a1050aa947 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -10,16 +10,14 @@ include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include + include + include include - include - include # To capture packekts capability net_raw, capability net_admin, - signal (receive) peer=wireshark, - network inet dgram, network inet6 dgram, network netlink raw, @@ -27,6 +25,8 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, + signal (receive) peer=wireshark, + dbus (eavesdrop) bus=session, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index a4dec5d349..4152ed49aa 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -11,10 +11,9 @@ include profile ffplay @{exec_path} { include include - include + include include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index 18b990bbc6..c57323c6a9 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -10,16 +10,13 @@ include @{exec_path} = @{bin}/fritzing{,.real} profile fritzing @{exec_path} { include - include - include - include + include + include include - include - include include - include - include + include include + include network inet dgram, network inet6 dgram, @@ -30,26 +27,25 @@ profile fritzing @{exec_path} { @{exec_path} mrix, + /usr/share/fritzing/{,**} r, + /usr/share/hwdata/pnp.ids r, + + /etc/debian_version r, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, - /usr/share/fritzing/{,**} r, - - /usr/share/hwdata/pnp.ids r, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - /etc/debian_version r, + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* @{sys}/bus/ r, @{sys}/class/ r, @@ -57,15 +53,13 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/ttyS@{int} rw, /dev/ttyACM@{int} rw, - owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - include if exists } diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 8d2fcdcc87..60189d9118 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -11,19 +11,12 @@ include profile light-locker @{exec_path} { include include - include - include - include + include include - include include - include @{exec_path} mr, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -33,6 +26,9 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 835e1a3913..4e0ace19ad 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -10,19 +10,15 @@ include @{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include include include + include include include - include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index e19884997e..a23a095e9e 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -13,12 +13,18 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index e736299fae..2f057f2a75 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -10,13 +10,9 @@ include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include - include - include + include include - include - include - include + include include include diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 9f395735ef..1890510ae6 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -12,7 +12,6 @@ include profile sing-box @{exec_path} { include include - include capability net_bind_service, diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 33f6fe6dc9..bb0a1c37b3 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -10,9 +10,15 @@ include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 2b6af35615..8fe33af50e 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 @@ -41,6 +41,12 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 381e878fad..d0b1c19887 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} { include include include - include - include + include include include include include - include network inet dgram, network inet6 dgram, From 3ffff07f3fb386e980d9bb7bc763824bef2e6c5e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Jun 2025 00:00:48 +0200 Subject: [PATCH 0246/1736] tests: enforce abstractions test. --- apparmor.d/profiles-m-r/rsyslogd | 14 +++++--------- tests/check.sh | 10 +++++----- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 599fac88f3..80d75a928b 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -7,15 +7,10 @@ abi , include -# Debugging the syslogger can be difficult if it can't write to the file -# that the kernel is logging denials to. In these cases, you can do the -# following: -# watch -n 1 'dmesg | tail -5' - @{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include - include + include capability chown, # For creating new log files and changing their owner/group capability net_admin, # For remote logs @@ -24,18 +19,19 @@ profile rsyslogd @{exec_path} { capability sys_nice, capability syslog, + network inet dgram, + network inet6 dgram, + signal receive set=hup peer=@{p_systemd}, @{exec_path} mr, + @{sh_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /etc/CA/*.crt r, - /etc/CA/*.key r, - /var/log/** rw, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, diff --git a/tests/check.sh b/tests/check.sh index 801e811149..28adc7710d 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -93,7 +93,7 @@ _check() { # Rules checks: security, compatibility and rule issues readonly ABS="abstractions" -readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) declare -A ABS_DEPRECATED=( ["nameservice"]="nameservice-strict" ["bash"]="shell" @@ -142,7 +142,7 @@ _check_equivalent() { _is_enabled equivalent || return 0 local prgmname for prgmname in "${!EQUIVALENTS[@]}"; do - if [[ "$line" == *"/$prgmname"* ]]; then + if [[ "$line" == *"/$prgmname "* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" fi @@ -373,7 +373,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -393,7 +393,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -414,7 +414,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent header tabs trailing indentation vim ) for file in "${files[@]}"; do From bb6ca01718dad6cd91055c8d2c825143d00ca2f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:36:23 +0200 Subject: [PATCH 0247/1736] feat(profile): ufw: integrate ufw-init in ufw, use sysctl in subprofile. --- apparmor.d/groups/firewall/ufw | 22 ++++++++++++++++++---- apparmor.d/groups/firewall/ufw-init | 21 +++++++++++++++++++-- 2 files changed, 37 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index 3b931fb2b5..39517ee6c8 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -30,13 +30,12 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{python_path} rix, - @{bin}/ r, + @{sbin}/ r, @{bin}/cat rix, - @{bin}/echo rix, @{bin}/env r, @{bin}/kmod rCx -> kmod, - @{lib}/ufw/ufw-init rix, - @{sbin}/sysctl rix, + @{lib}/ufw/ufw-init rPx, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, @@ -70,6 +69,21 @@ profile ufw @{exec_path} flags=(attach_disconnected) { include if exists } + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 5c0521790c..aae80b87d9 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,6 +11,7 @@ profile ufw-init @{exec_path} { include include + capability dac_read_search, capability net_admin, network inet dgram, @@ -22,7 +23,8 @@ profile ufw-init @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/sysctl rix, + @{bin}/echo rix, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, @@ -30,7 +32,22 @@ profile ufw-init @{exec_path} { /etc/ufw/* r, @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/sys/net/ipv{4,6}/** rw, + # @{PROC}/sys/net/ipv{4,6}/** rw, + + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } include if exists } From ea45cec24d5cbf9c66feb859740b802cf46ececf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:43:02 +0200 Subject: [PATCH 0248/1736] feat(fsp): improve fsp profiles. --- apparmor.d/groups/_full/sd | 24 ++++++------------------ apparmor.d/groups/_full/sdu | 2 ++ apparmor.d/groups/_full/systemd | 5 ++++- apparmor.d/groups/_full/systemd-user | 2 +- 4 files changed, 13 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 48172638e4..da14cabf33 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -86,22 +86,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { umount /, umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, - - # mount tmpfs -> @{run}/lock/, - # mount tmpfs -> @{sys}/fs/cgroup/, - # mount cgroup -> @{sys}/fs/cgroup/systemd/, - # audit mount /dev/** -> /boot/{,efi/}, - # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - - # audit remount @{run}/systemd/unit-root/{,**}, - # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, - # audit remount options=(ro nosuid nodev bind) /var/, - # audit remount options=(ro nosuid nodev noexec bind) /boot/, - - # audit umount @{PROC}/sys/fs/binfmt_misc/, - # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, - # audit umount @{run}/systemd/unit-root/{,**}, + umount @{run}/systemd/namespace-@{rand6}/{,**}, pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, @@ -150,20 +135,22 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{bin}/true ix, # Required due to stacked profiles - @{sbin}/grpck ix, + @{bin}/find ix, @{bin}/gzip ix, @{bin}/install ix, - @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, @{lib}/systemd/systemd-userwork ix, + @{sbin}/grpck ix, + @{sbin}/pwck ix, / r, @{att}/ r, @{bin}/{,**} r, @{lib}/{,**} r, @{sbin}/{,*} r, + /usr/local/{,**} r, /usr/share/** r, /etc/*/ w, /etc/** rk, @@ -179,6 +166,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/lib/*/ rw, /var/lib/*/** rwk, /var/lib/systemd/*/ r, + /var/log/ r, /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index c9338fd22e..80d8c1fb97 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -108,6 +108,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny capability net_admin, + profile shell flags=(attach_disconnected,mediate_deleted,complain) { include diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index b7c12c6bdc..184084fed4 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -50,7 +50,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd flags=(attach_disconnected,mediate_deleted) { +profile systemd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -129,9 +129,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, + /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/default/{,**} r, + /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, @@ -186,6 +188,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index ed531c58b8..a5bb4d926b 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -16,7 +16,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected,mediate_deleted) { +profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { include include include From cd619d280a5ba23537114e74ed8fa4c294e00559 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:44:43 +0200 Subject: [PATCH 0249/1736] feat(profile): update apt profiles. --- apparmor.d/groups/apt/apt-methods-http | 3 ++- apparmor.d/groups/apt/dpkg-script-systemd | 5 +++++ apparmor.d/groups/apt/dpkg-scripts | 11 +++++++++++ apparmor.d/groups/apt/dpkg-statoverride | 1 + apparmor.d/groups/apt/unattended-upgrade | 2 +- 5 files changed, 20 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7fb3a2cc41..61be160dc6 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -71,7 +71,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, + @{run}/ubuntu-advantage/aptnews.json rw, + owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 8ca92515ce..722e72c53e 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -42,8 +42,13 @@ profile dpkg-script-systemd @{exec_path} { include include + capability dac_read_search, + @{bin}/dpkg mr, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 3102b23bb4..e16d25bf2d 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -58,7 +58,12 @@ profile dpkg-scripts @{exec_path} { / r, /*/ r, @{bin}/ r, + @{bin}/* w, @{lib}/ r, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + /etc/ r, /etc/** rw, /usr/share/*/{,**} rw, @@ -71,6 +76,8 @@ profile dpkg-scripts @{exec_path} { /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + @{PROC}/@{pid}/fd/ r, + profile bus { include include @@ -104,6 +111,10 @@ profile dpkg-scripts @{exec_path} { @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, + /etc/machine-id r, + + /var/lib/systemd/catalog/database r, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index 34d6412c11..d2e02f613f 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dpkg-statoverride profile dpkg-statoverride @{exec_path} flags=(complain) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index c2d94e25a1..fa6929f35a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -101,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, - /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, From 5eb08f8de57803664d700b7d05fa7023f6b499b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:47:49 +0200 Subject: [PATCH 0250/1736] feat(profile): improve pacman profiles. --- apparmor.d/groups/pacman/pacman-hook-code | 6 +++--- apparmor.d/groups/pacman/pacman-key | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 2496d7a9b4..ee23781f44 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/code-{features,marketplace}/patch.py +@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py profile pacman-hook-code @{exec_path} { include include @@ -20,8 +20,8 @@ profile pacman-hook-code @{exec_path} { @{lib}/code/product.json rw, - /usr/share/code-{features,marketplace}/{,*} r, - /usr/share/code-{features,marketplace}/cache.json rw, + /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, + /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 025d87b296..a5cee6fa90 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -21,10 +21,10 @@ profile pacman-key @{exec_path} { @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rCx -> &gpg, @{bin}/{,e}grep rix, @{bin}/ngettext rix, - @{bin}/pacman-conf rPx, + @{bin}/pacman-conf rPx -> &pacman-conf, @{bin}/touch rix, @{bin}/tput rix, @{bin}/vercmp rix, From 03d7ef55896e0d5b7bf5348000fbdcab26737490 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:52:22 +0200 Subject: [PATCH 0251/1736] feat(profile): add profile for sshd session. It is only a first draft as recent update in sshd, split sshd in multiple binaries, it will allow us to also split the confinement in multiple profile. --- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshd-session | 85 ++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/ssh/sshd-session diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a514e7c99c..75438c9576 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,7 +69,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/passwd Px, @{lib}/{openssh,ssh}/sftp-server Px, @{lib}/{openssh,ssh}/sshd-auth Px, - @{lib}/{openssh,ssh}/sshd-session ix, + @{lib}/{openssh,ssh}/sshd-session Px, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session new file mode 100644 index 0000000000..e74696334e --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-session @@ -0,0 +1,85 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-session +profile sshd-session @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include #aa:only RBAC + + capability audit_write, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + + # sshd doesn't require net_admin. libpam-systemd tries to + # use it if available to set the send/receive buffers size, + # but will fall back to a non-privileged version if it fails. + deny capability net_admin, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + unix type=stream peer=(label=sshd), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + @{exec_path} mr, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{lib}/{openssh,ssh}/sshd-auth Px, + + @{etc_rw}/motd r, + @{etc_rw}/motd.d/{,**} r, + /etc/machine-id r, + /etc/motd r, + + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + + /var/lib/wtmpdb/ w, + + owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + + owner @{user_cache_dirs}/{,motd*} rw, + + @{att}/@{run}/systemd/sessions/@{int}.ref w, + + @{run}/motd.d/{,*} r, + @{run}/motd.dynamic rw, + @{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor From 226cb23073efb628f344c5c1985a543564671ee0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:53:26 +0200 Subject: [PATCH 0252/1736] feat(profile): small improvement to steam. --- apparmor.d/groups/steam/steam | 4 ++++ apparmor.d/groups/steam/steamerrorreporter | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 73c78f2ed1..151a3e1613 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -109,6 +109,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/run{,.sh} rix, @@ -370,6 +371,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/hidraw@{int} rw, /dev/tty rw, + @{att}/dev/dri/renderD128 rw, + include if exists } @@ -380,6 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, + capability sys_ptrace, unix receive type=stream, diff --git a/apparmor.d/groups/steam/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter index b4d5f3e686..d438c604d8 100644 --- a/apparmor.d/groups/steam/steamerrorreporter +++ b/apparmor.d/groups/steam/steamerrorreporter @@ -34,8 +34,6 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dumps/ r, owner @{tmp}/dumps/*_log.txt rw, - owner @{PROC}/@{pid}/status r, - include if exists } From 6735b8e5f8ffa64a43297a3ff1318ef49376d388 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:55:22 +0200 Subject: [PATCH 0253/1736] feat(profile): zram: move kmod to its own subprofile. --- apparmor.d/groups/systemd/zram-generator | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index d156d88a4a..473848ef3b 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -11,16 +11,13 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, - @{exec_path} mr, - @{bin}/kmod rix, + @{bin}/kmod rCx, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, - /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, @@ -29,12 +26,18 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{sys}/block/zram@{int}/* rw, @{sys}/devices/virtual/block/zram@{int}/* rw, - @{sys}/module/compression r, @{PROC}/crypto r, owner /dev/pts/@{int} rw, + profile kmod { + include + include + + include if exists + } + include if exists } From 0483f476ed72c35993313a7edd4a9f3d2ddb9239 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:56:54 +0200 Subject: [PATCH 0254/1736] fix(profile): aa-enforce: ensure looking path in sbin is allowed. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index fcf7dc7248..1743fd9d0b 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -16,7 +16,7 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, - @{bin}/ r, + @{sbin}/ r, @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, From 24a9da865f9daddc28e73793c9a8a724f9105592 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:05:47 +0200 Subject: [PATCH 0255/1736] chore: update sbin.list --- apparmor.d/profiles-a-f/atd | 2 +- tests/sbin.list | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aea3cbf011..783d210fb1 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 1adc90ee8c..1d0eb5b970 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -43,6 +43,7 @@ argdist-bpfcc arp arpd aspell-autobuildhash +atd audisp-af_unix audisp-filter audisp-syslog @@ -313,6 +314,7 @@ grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc haveged +hc-ifscan hdparm httxt2dbm hv_fcopy_daemon From e222816d32d5103399dac03651ac2ef222d72647 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:08:44 +0200 Subject: [PATCH 0256/1736] feat(profile): virt: move privileged actions to subprofle. --- apparmor.d/groups/virt/containerd | 6 ++-- apparmor.d/groups/virt/dockerd | 42 +++++++++++++++++++++++++-- apparmor.d/groups/virt/libvirtd | 9 +++++- apparmor.d/groups/virt/virt-aa-helper | 1 - 4 files changed, 49 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 598ec7ca9d..95d332a45b 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -87,10 +87,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/nri/nri.sock rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d@{int} rwl, - /tmp/ctd-volume@{int}/{,**} rw, - owner @{tmp}/** rwkl, - owner /var/tmp/** rwkl, + /tmp/cri-containerd.apparmor.d@{int} rwl, + /tmp/ctd-volume@{int}/{,**} rw, @{sys}/fs/cgroup/kubepods/** r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c4b39ff8c6..abd6c90ecb 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -70,11 +70,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, @{bin}/git rCx -> git, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, @{bin}/unpigz rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rCx -> nft, + @{sbin}/xtables-legacy-multi rCx -> nft, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. @@ -128,13 +129,48 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, owner @{PROC}/@{pid}/uid_map r, /dev/ r, /dev/**/ r, + profile nft flags=(attach_disconnected) { + include + + capability net_admin, + capability net_raw, + + network inet raw, + network inet6 raw, + network netlink raw, + + @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-legacy-multi rix, + @{bin}/kmod rPx -> dockerd//kmod, + + @{PROC}/@{pid}/net/ip{,6}_tables_names r, + @{PROC}/sys/kernel/modprobe r, + + @{run}/xtables.lock rwk, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + profile init flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 844af4443d..a0d636883f 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -106,7 +106,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/dmidecode rPx, @{sbin}/dnsmasq rPx, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @@ -245,6 +245,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { audit deny @{sys}/kernel/security/apparmor/matching rwxl, audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile kmod { + include + include + + include if exists + } + profile qemu_bridge_helper { include diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 81ec217b90..53afe60122 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -45,7 +45,6 @@ profile virt-aa-helper @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/psched r, deny @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, # For gl enabled graphics /dev/dri/{,*} r, From f8250f7e0cc8e70fe679fac2374bad8690e24e09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:22:25 +0200 Subject: [PATCH 0257/1736] feat(profile): move kmod in subprofile. --- apparmor.d/profiles-g-l/hw-probe | 18 +++++++++++++----- apparmor.d/profiles-g-l/kernel | 13 ++++++++----- apparmor.d/profiles-g-l/kmod | 9 +-------- 3 files changed, 22 insertions(+), 18 deletions(-) diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index f518a18f02..3fbb9b0fd7 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -61,7 +61,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @@ -98,19 +98,27 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, - @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + + profile pacman flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 6bc2c89619..d375a1bdda 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -13,8 +13,6 @@ profile kernel @{exec_path} { include include - capability sys_module, - @{exec_path} mr, @{sh_path} rix, @@ -24,7 +22,7 @@ profile kernel @{exec_path} { @{bin}/chmod rix, @{bin}/cut rix, @{bin}/dirname rix, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/mv rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -56,8 +54,6 @@ profile kernel @{exec_path} { /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, @{run}/reboot-required w, @{run}/reboot-required.pkgs rw, @@ -65,6 +61,13 @@ profile kernel @{exec_path} { @{PROC}/devices r, @{PROC}/cmdline r, + profile kmod { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index ccc8d69138..a793bf7076 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, @@ -31,14 +31,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, - @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /etc/modprobe.d/{,*.conf} r, - /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -66,9 +62,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, - @{PROC}/cmdline r, - @{PROC}/modules r, - /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 0572688c592a181b4b35b7e29573302d3b3718b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:27:06 +0200 Subject: [PATCH 0258/1736] feat(profile): small general upgrade. --- .../groups/systemd-service/dmesg.service | 1 + .../groups/systemd-service/man-db.service | 2 ++ apparmor.d/groups/ubuntu/esm_cache | 19 +++++++++++++++++++ apparmor.d/groups/ubuntu/update-manager | 6 +++--- apparmor.d/groups/usb/lsusb | 2 ++ apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 1 + apparmor.d/profiles-g-l/gitstatusd | 5 +++++ apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hddtemp | 18 +++--------------- apparmor.d/profiles-g-l/ischroot | 2 ++ apparmor.d/profiles-g-l/landscape-sysinfo | 6 +++--- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pycompile | 9 +++------ apparmor.d/profiles-m-r/rsyslogd | 7 ++++--- apparmor.d/profiles-s-z/update-initramfs | 3 +++ apparmor.d/profiles-s-z/whiptail | 2 ++ 18 files changed, 57 insertions(+), 34 deletions(-) create mode 100644 apparmor.d/groups/ubuntu/esm_cache diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service index 4c67f680a8..0a46f6ed92 100644 --- a/apparmor.d/groups/systemd-service/dmesg.service +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -17,6 +17,7 @@ profile dmesg.service flags=(attach_disconnected) { capability chown, capability fsetid, + capability sys_admin, ptrace read peer=@{p_systemd}, diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service index 24b34fc258..c3bfa7c32f 100644 --- a/apparmor.d/groups/systemd-service/man-db.service +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete # ExecStart=/usr/bin/mandb --quiet abi , @@ -13,6 +14,7 @@ profile man-db.service flags=(attach_disconnected) { include include + @{bin}/find ix, @{bin}/install ix, @{bin}/mandb r, diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache new file mode 100644 index 0000000000..2596d6c12e --- /dev/null +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +profile esm_cache @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index e1636c6d5c..0e0dcdb0b4 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index f824343d67..b5a24940d0 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -21,6 +21,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + /dev/bus/usb/@{int}/@{int} w, + include if exists } diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index dbe561ab61..1e4850e7ad 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/{,e}grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 0079053e02..e5d13f1de9 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -12,6 +12,7 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include + capability setuid, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index a62ce7fded..8901ade9cc 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -9,6 +9,9 @@ include @{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include + include + + signal receive set=term peer=*//shell, @{exec_path} mr, @@ -18,6 +21,8 @@ profile gitstatusd @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r, + # Silencer deny capability dac_read_search, deny capability dac_override, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 779dd8e67e..719625dbd7 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -16,7 +16,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e96a45237f..55d2abb5dd 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp @@ -10,32 +10,20 @@ include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include + include + include - # To remove the following errors: - # /dev/sda: Permission denied + capability sys_admin, capability sys_rawio, - # There's the following error in strace: - # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) - # This should be covered by CAP_SYS_RAWIO instead. - # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) - # It looks like hddtemp works just fine without it. - deny capability sys_admin, - network inet stream, network inet6 stream, @{exec_path} mr, - # Monitored hard drives - /dev/sd[a-z]* r, - # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, - # Needed when the hddtemp daemon is started in the TCP/IP mode - /etc/gai.conf r, - include if exists } diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index 4e087343af..8c18782f99 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -13,6 +13,8 @@ profile ischroot @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /var/lib/update-notifier/tmp.@{rand10} w, + @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 1c3c98d522..5eb5dac060 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -27,9 +27,9 @@ profile landscape-sysinfo @{exec_path} { @{bin}/who rix, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/ w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc.@{u64} w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /var/log/landscape/{,**} rw, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 8cc8a65e14..b21642cf88 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -13,6 +13,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -109,7 +110,6 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 9b3525fa58..82465ceb2d 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include + include capability dac_read_search, capability sys_ptrace, @@ -27,7 +28,6 @@ profile needrestart-notify @{exec_path} { /etc/needrestart/notify.conf r, @{PROC}/@{pid}/environ r, - @{PROC}/filesystems r, include if exists } diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 984fcf03cf..b684c3094e 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -21,12 +21,9 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - @{lib}/@{python_name}/dist-packages/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, /usr/share/python3/{,**} r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 80d75a928b..ede981f580 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,11 +12,12 @@ profile rsyslogd @{exec_path} { include include - capability chown, # For creating new log files and changing their owner/group - capability net_admin, # For remote logs - capability setgid, # For downgrading privileges + capability dac_override, + capability dac_read_search, + capability setgid, capability setuid, capability sys_nice, + capability sys_tty_config, capability syslog, network inet dgram, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index f9e47cb527..472de33438 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -28,12 +28,15 @@ profile update-initramfs @{exec_path} { @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, + @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, + /etc/initramfs/post-update.d/* rPUx, + /var/lib/initramfs-tools/* w, # For shell pwd diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index f0efad77b7..a42a63312e 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -18,6 +18,8 @@ profile whiptail @{exec_path} { /usr/share/terminfo/** r, + /etc/newt/palette.* r, + include if exists } From 4d201ea417f3b32bc7e276ef4548f1c128a68301 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:35:38 +0200 Subject: [PATCH 0259/1736] feat(profile): add lsb-release Use it instead of lsb_release. --- apparmor.d/abstractions/app/chromium | 5 ++- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/groups/apt/apt-listbugs | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debconf-frontend | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-probe | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/drkonqi | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- .../groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- .../groups/ubuntu/software-properties-dbus | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- .../ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- .../profiles-a-f/check-support-status-hook | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hw-probe | 2 +- apparmor.d/profiles-g-l/kodi | 2 +- apparmor.d/profiles-g-l/lsb-release | 40 +++++++++++++++++++ apparmor.d/profiles-m-r/mumble | 2 +- apparmor.d/profiles-m-r/murmurd | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- 36 files changed, 77 insertions(+), 36 deletions(-) create mode 100644 apparmor.d/profiles-g-l/lsb-release diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 666387d0ae..e555d34753 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -37,7 +37,7 @@ include include include - include + include include include include @@ -78,7 +78,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, @@ -202,6 +202,7 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index d988f608cd..5e3bc15cbe 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -65,7 +65,7 @@ @{lib_dirs}/plugin-container rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index 7ce8961b99..a60457ec85 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 35f8940eea..b42649d7cb 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -22,7 +22,7 @@ profile command-not-found @{exec_path} { @{exec_path} r, @{python_path} r, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/snap rPx, @{lib}/ r, diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index a8f7057e7d..4660755d6f 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -21,7 +21,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{exec_path} r, @{bin}/hostname ix, - @{bin}/lsb_release Px -> lsb_release, + @{bin}/lsb_release Px, @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ab230a43bc..e58c9d8b3c 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -47,7 +47,7 @@ profile reportbug @{exec_path} { @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 651fac1bae..36e299a0ce 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -47,7 +47,7 @@ profile synaptic @{exec_path} { @{bin}/dpkg rPx, @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index fa6929f35a..0d4d2ee33c 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -58,7 +58,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-divert Px, @{bin}/etckeeper Px, @{bin}/ischroot Px, - @{bin}/lsb_release Px -> lsb_release, + @{bin}/lsb_release Px, @{sbin}/dpkg-preconfigure Px, @{sbin}/on_ac_power Px, @{sbin}/sendmail Px, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index f044b0f445..6c45cac399 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -21,7 +21,7 @@ profile grub-install @{exec_path} flags=(complain) { @{sh_path} rix, @{sbin}/efibootmgr rix, @{bin}/kmod rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/udevadm rPx, /usr/share/grub/{,**} r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 87c3d4104b..1b5d261259 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -39,7 +39,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/head rix, @{bin}/id rPx, @{bin}/ls rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 6d0ec6a72f..e1037c6b7f 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -19,7 +19,7 @@ profile grub-probe @{exec_path} { @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{sbin}/lvm rPx, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 802ba0a96c..eebade917c 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -33,7 +33,7 @@ profile dolphin @{exec_path} { @{lib}/libheif/*.so* mr, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index fbadf053be..e04180ff44 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -24,7 +24,7 @@ profile drkonqi @{exec_path} { @{exec_path} mr, @{bin}/plasmashell r, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/drkonqi/{,**} r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 5a4e130a0d..4940653a31 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -46,7 +46,7 @@ profile apport-gtk @{exec_path} { @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index bdd2a0f54e..65a19e0e04 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -30,7 +30,7 @@ profile check-new-release-gtk @{exec_path} { @{bin}/dpkg rPx, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index e7d6687d22..2d3eebbc2f 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -27,7 +27,7 @@ profile do-release-upgrade @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 3b4280e33c..d5ad6e06cf 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -15,7 +15,7 @@ profile hwe-support-status @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index c4c7956496..8d55ec0b78 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -30,7 +30,7 @@ profile software-properties-dbus @{exec_path} { @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 64c83f5c88..bb31d88670 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -33,7 +33,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 0e0dcdb0b4..d69e7a4c4d 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -45,7 +45,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index e6a3e71528..88967baf85 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -27,7 +27,7 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ea6318156e..6c4dc4d77e 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -35,7 +35,7 @@ profile update-notifier @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index c4741b09a4..b7a62fc82b 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -90,7 +90,7 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index a10df83949..e8a83892a8 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -62,7 +62,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 39f30c5fe2..8101b30083 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -84,7 +84,7 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 53038a6d75..ddcd99adde 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -31,7 +31,7 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index b4baf1d0c7..15f86bcf59 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -39,7 +39,7 @@ profile dropbox @{exec_path} { @{bin}/{,@{multiarch}-}objdump rix, @{open_path} rPx -> child-open-strict, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, owner @{HOME}/ r, owner @{config_dirs}/ rw, diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 4463ac5817..366c2aed65 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -38,7 +38,7 @@ profile filezilla @{exec_path} { @{bin}/fzsftp rPx, # When using SFTP protocol @{bin}/fzputtygen rPUx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 97fad1f139..b63a9e5ed7 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -46,7 +46,7 @@ profile hardinfo @{exec_path} { @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 3fbb9b0fd7..802cb85ae1 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -62,7 +62,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 016dceae05..5b90dd3eff 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -34,7 +34,7 @@ profile kodi @{exec_path} { @{bin}/mv rix, @{bin}/uname rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/kodi/{,**} r, /usr/share/publicsuffix/* r, diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release new file mode 100644 index 0000000000..23bada3ecc --- /dev/null +++ b/apparmor.d/profiles-g-l/lsb-release @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that +# does attach @{bin}/lsb_release. + +abi , + +include + +@{exec_path} = @{bin}/lsb_release +profile lsb-release @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/head rix, + @{bin}/sed rix, + @{bin}/tr rix, + + #aa:only apt + @{bin}/dpkg-query px, + + /etc/ r, + /etc/*-release r, + /etc/lsb-release r, + /etc/lsb-release.d/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 48ed42d84b..a85eb6790e 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -30,7 +30,7 @@ profile mumble @{exec_path} { @{exec_path} mrix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{browsers_path} rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 9d7663ebbe..2065dd8141 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -29,7 +29,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/mumble-server.ini r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 24e0c61dd2..02bf3bc567 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -34,7 +34,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 1d3850ba5b..a455df0e97 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -34,7 +34,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, From 43278aeda277619b5fe24252db8a9eea7dd8b02c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:36:52 +0200 Subject: [PATCH 0260/1736] feat(profile): rewrite the profile for hw-probe. --- apparmor.d/groups/utils/lsscsi | 24 ++++++++++++++ apparmor.d/profiles-g-l/hw-probe | 56 ++++++++++---------------------- 2 files changed, 41 insertions(+), 39 deletions(-) create mode 100644 apparmor.d/groups/utils/lsscsi diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi new file mode 100644 index 0000000000..f0e7b4df29 --- /dev/null +++ b/apparmor.d/groups/utils/lsscsi @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsscsi +profile lsscsi @{exec_path} { + include + include + + @{exec_path} mr, + + / r, + + /dev/ r, + /dev/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 802cb85ae1..2b91fc612e 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -11,7 +11,6 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - include capability sys_admin, @@ -37,28 +36,18 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{sbin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{sbin}/dkms rPx, @{bin}/dmesg rPx, - @{sbin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{sbin}/ethtool rCx -> netconfig, - @{sbin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{sbin}/hdparm rPx, - @{sbin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{sbin}/iw rCx -> netconfig, - @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, @@ -66,14 +55,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, + @{bin}/lsscsi rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{sbin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{sbin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -83,12 +71,20 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, + @{sbin}/biosdecode rPx, + @{sbin}/dkms rPx, + @{sbin}/dmidecode rPx, + @{sbin}/fdisk rPx, + @{sbin}/hdparm rPx, + @{sbin}/hwinfo rPx, + @{sbin}/rfkill rPx, + @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, owner @{HOME}/HW_PROBE/{,**} rw, - audit owner @{tmp}/*/ rw, + owner @{tmp}/@{rand10}/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @@ -118,6 +114,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } + profile curl flags=(attach_disconnected) { + include + + @{bin}/curl mr, + + include if exists + } profile pacman flags=(attach_disconnected) { include @@ -199,31 +202,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } - profile netconfig flags=(attach_disconnected) { - include - - # Not needed - deny capability net_admin, - deny capability net_raw, - - network inet dgram, - network inet6 dgram, - network ipx dgram, - network ax25 dgram, - network appletalk dgram, - network netlink raw, - - @{sbin}/iw mr, - @{sbin}/ifconfig mr, - @{sbin}/iwconfig mr, - @{sbin}/ethtool mr, - - owner @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/net/dev r, - - include if exists - } - profile systemctl flags=(attach_disconnected) { include include From f443c71c7bb2db3f66440d9d230d994dacc3df4e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:05:53 +0200 Subject: [PATCH 0261/1736] tests: allow empty abstractions directory. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 28adc7710d..8b847db6ff 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -390,7 +390,7 @@ check_profiles() { check_abstractions() { _msg "Checking abstractions" - mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( abstractions equivalent @@ -408,8 +408,8 @@ check_abstractions() { wait mapfile -t files < <( - find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" - find "$APPARMORD/mappings" -type f + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true + find "$APPARMORD/mappings" -type f 2>/dev/null || true ) # shellcheck disable=SC2034 jobs=0 From 1aee62f52cb02cbdb054c233a350f4f07d828e48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:07:02 +0200 Subject: [PATCH 0262/1736] feat(abs): mappings: add support for role from the sshd-session profile. --- apparmor.d/abstractions/mapping/sshd | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index 97f0b077eb..0f75127101 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -15,6 +15,8 @@ capability audit_write, capability chown, capability dac_read_search, + capability fowner, + capability fsetid, capability kill, capability setgid, capability setuid, @@ -25,12 +27,14 @@ # but will fall back to a non-privileged version if it fails. deny capability net_admin, + network inet stream, network inet6 stream, network netlink raw, signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, + unix bind type=stream addr=@@{udbus}/bus/sshd-session/system, unix bind type=stream addr=@@{udbus}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 From 0366543c39cb495e7129aee373055133b2324823 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:09:37 +0200 Subject: [PATCH 0263/1736] feat(profile): add console-setup profiles. --- apparmor.d/profiles-a-f/console-setup-cached | 36 +++++++++++++++++++ .../profiles-a-f/console-setup-keyboard | 31 ++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-a-f/console-setup-cached create mode 100644 apparmor.d/profiles-a-f/console-setup-keyboard diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached new file mode 100644 index 0000000000..332f05341f --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-cached @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh +profile console-setup-cached @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/ls ix, + @{bin}/mkdir ix, + @{bin}/setfont ix, + + /usr/share/consolefonts/{,**} r, + + @{run}/console-setup/ w, + @{run}/console-setup/font-loaded w, + + /dev/ r, + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard new file mode 100644 index 0000000000..1f4045e2e8 --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-keyboard @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh +profile console-setup-keyboard @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/kbd_mode rix, + @{bin}/loadkeys rix, + + /etc/console-setup/{,**} r, + + /dev/tty@{int} rw, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 9cb74ff384fd8bcdeade0e7eb016fabf79321651 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Jul 2025 23:22:12 +0200 Subject: [PATCH 0264/1736] feat(abs): general update --- apparmor.d/abstractions/app-open | 2 +- apparmor.d/abstractions/app/firefox | 3 ++- apparmor.d/abstractions/bus-session | 2 +- apparmor.d/abstractions/bus/org.freedesktop.NetworkManager | 7 ++++++- apparmor.d/abstractions/disks-read | 6 ++++++ 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index c7d2a86c8f..59724f0191 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -39,7 +39,7 @@ @{bin}/extension-manager Px, @{bin}/filezilla Px, @{bin}/flameshot Px, - @{bin}/gimp{,3} Px, + @{bin}/gimp{,-3.0} Px, @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 5e3bc15cbe..1dd15f9d8a 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -99,7 +99,8 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, - owner @{tmp}/remote-settings-startup-bundle- w, + owner @{tmp}/remote-settings-startup-bundle- rw, + owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 38d39a4891..a1226d8e78 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -6,7 +6,7 @@ unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/{dbus,DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 0f188e05a1..78f0de9de2 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -8,7 +8,7 @@ dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects + member={GetManagedObjects,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager @@ -51,6 +51,11 @@ member=Updated peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=@{busname}, label=NetworkManager), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 62e24b70df..e1bf312984 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -44,6 +44,12 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, + # Xen PVH devices + @{sys}/devices/vbd-@{int}/block/** r, + + # Channel subsystem for IBM Z + @{sys}/devices/css@{int}/** r, + # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, From f47babab8492b9b273da5e985f41cf2a1cddbba2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 15:21:01 +0200 Subject: [PATCH 0265/1736] fix(profile): pci slot adress. --- apparmor.d/abstractions/common/app | 1 + apparmor.d/groups/filesystem/udisksd | 1 + apparmor.d/profiles-s-z/zed | 1 + apparmor.d/profiles-s-z/zpool | 1 + 4 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index efb3c838bc..a3fb2c5ef0 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -78,6 +78,7 @@ @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 1ff219bbef..ab3813973b 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -121,6 +121,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index b131897d49..893cead5b6 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -46,6 +46,7 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 2cb997fd74..e6033d9d28 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -31,6 +31,7 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, From e5b6d5dd19e03cb488f748c84b5acb22c7e191ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 15:21:50 +0200 Subject: [PATCH 0266/1736] feat(profile): update nvidia tools. --- apparmor.d/profiles-m-r/nvidia-settings | 18 +++++++++++++++--- apparmor.d/profiles-m-r/nvidia-smi | 1 + 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 9e5944bfff..771bbb3b64 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} { +profile nvidia-settings @{exec_path} flags=(attach_disconnected) { include include include @@ -21,8 +21,20 @@ profile nvidia-settings @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - - @{PROC}/devices r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, + + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 143808f76c..9ea391400d 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -21,6 +21,7 @@ profile nvidia-smi @{exec_path} { @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, From 223f611dfcb92f9cae02e9965491f8580b01a0ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:53:15 +0200 Subject: [PATCH 0267/1736] feat(abs): nvidia: ensure cuda is supported, cleanup common local path. --- apparmor.d/abstractions/nvidia-strict | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index ebaced47ff..6fe8157738 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,18 +6,21 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, /etc/vdpau_wrapper.cfg r, - owner @{HOME}/.cache/nvidia/ w, - owner @{HOME}/.cache/nvidia/GLCache/ rw, - owner @{HOME}/.cache/nvidia/GLCache/** rwk, + owner @{HOME}/.nv/ w, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + owner @{user_cache_dirs}/nvidia/ w, + owner @{user_cache_dirs}/nvidia/GLCache/ rw, + owner @{user_cache_dirs}/nvidia/GLCache/** rwk, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, From 13680be0a6a0421bdc2a59ec03284b55debd57ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:53:53 +0200 Subject: [PATCH 0268/1736] feat(fsp): sdu: add consoles --- apparmor.d/groups/_full/sdu | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 80d8c1fb97..f9c50b65f0 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -23,6 +23,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -108,6 +109,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/kmsg w, + deny capability net_admin, profile shell flags=(attach_disconnected,mediate_deleted,complain) { @@ -123,10 +126,10 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include - audit capability net_admin, - owner @{run}/user/@{uid}/systemd/private rw, + deny capability net_admin, + include if exists include if exists } From 3b040aa5ca46513bd7058882c6bcde4b3f5d85dc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:54:49 +0200 Subject: [PATCH 0269/1736] feat(profile): improve dpkg-scripts. --- apparmor.d/groups/apt/dpkg-scripts | 4 +++- apparmor.d/groups/apt/unattended-upgrade-shutdown | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e16d25bf2d..d3994d0ec9 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -11,6 +11,7 @@ profile dpkg-scripts @{exec_path} { include include include + include capability chown, capability dac_read_search, @@ -24,6 +25,7 @@ profile dpkg-scripts @{exec_path} { # Common program found in maintainer scripts @{sh_path} rix, @{coreutils_path} rix, + @{python_path} rix, @{bin}/run-parts rix, @{bin}/envsubst ix, @@ -51,8 +53,8 @@ profile dpkg-scripts @{exec_path} { @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, + /etc/** PUx, /usr/share/** PUx, - /etc/init.d/* PUx, # Maintainer's scripts can update a lot of files / r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index f36505e7a8..1fb667fae3 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -20,6 +20,10 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{bin}/ischroot Px, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + /usr/share/unattended-upgrades/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, From f56163afb184d93df751f2ce571d90cd9b08ecbc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:56:24 +0200 Subject: [PATCH 0270/1736] feat(profile): ensure xdg portal can start any sandboxing tool. --- apparmor.d/groups/freedesktop/xdg-document-portal | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 91a203d3a9..93cac619e4 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -39,8 +39,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPUx, + @{bin}/flatpak rPx, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/snap rPx, / r, owner @{att}/ r, @@ -64,6 +65,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile fusermount flags=(attach_disconnected) { include + include include capability dac_read_search, From 4f2abda92f0cfd1c2b412a23582c4ac253954d73 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:58:20 +0200 Subject: [PATCH 0271/1736] feat(profile): improve gnome programs. --- apparmor.d/groups/gnome/epiphany-search-provider | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 3 +++ apparmor.d/groups/gnome/gnome-shell | 12 +++++++++--- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/tracker-extract | 1 + 5 files changed, 15 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index e66450d09c..2168382e0b 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -29,6 +29,7 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, + owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, owner @{tmp}/ContentRuleList-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 104d95fb39..7cb982ca70 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -16,6 +16,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include @@ -29,6 +30,8 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index e977af95eb..acae2d6013 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -173,6 +173,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, + @{bin}/nvidia-smi rPx, # FIXME; for extension only + @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper @@ -227,6 +229,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, + owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, + owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, @@ -234,11 +238,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_config_dirs}/pulse/ rw, owner @{gdm_config_dirs}/pulse/client.conf r, owner @{gdm_config_dirs}/pulse/cookie rwk, + owner @{gdm_local_dirs}/ w, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/applications/{,**} r, owner @{gdm_share_dirs}/gnome-shell/{,**} rw, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, @@ -263,7 +269,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/dbus-1/services/ r, - owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, + owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -271,7 +277,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, - owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 22823753b1..c399eadc75 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -15,6 +15,7 @@ profile gnome-text-editor @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.TextEditor #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 83bf18b9b9..e8612f7b6c 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -70,6 +70,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} r, From 705eb11510c0d692173368609b1a10f419337800 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:04:18 +0200 Subject: [PATCH 0272/1736] feat(profile): improve some dbus rules. --- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++ apparmor.d/groups/gvfs/gvfsd-http | 4 ++++ apparmor.d/groups/gvfs/gvfsd-trash | 6 +----- apparmor.d/groups/network/mullvad-gui | 3 +++ apparmor.d/groups/ssh/sshd | 5 +++++ apparmor.d/groups/virt/cockpit-wsinstance-factory | 3 +++ apparmor.d/profiles-s-z/virt-manager | 6 ++++++ 8 files changed, 28 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index aa84eebd94..e5443f5056 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved + member={InterfacesRemoved,InterfacesAdded} peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 9af8be00ae..6c61dbba4b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -33,6 +33,11 @@ profile gvfsd-dnssd @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2fe0a1e2bc..92d6fbf644 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -24,6 +24,10 @@ profile gvfsd-http @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 9acfd6c86d..e13f870c72 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,7 @@ include profile gvfsd-trash @{exec_path} { include include + include include include include @@ -21,11 +22,6 @@ profile gvfsd-trash @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label="{gnome-shell,nautilus}"), - dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 6075f14b2a..c36d34e3f2 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -14,6 +14,9 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include + include + include + include include network inet stream, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 75438c9576..2494dc2c24 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -61,6 +61,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mrix, @{bin}/@{shells} Ux, #aa:exclude RBAC diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index b14a1e36fc..99db4d614f 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -9,6 +9,9 @@ include @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory profile cockpit-wsinstance-factory @{exec_path} { include + include + + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, capability net_admin, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 7c0443daee..fa17f5b1bb 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,6 +12,10 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include include include include @@ -28,6 +32,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.virt-manager.virt-manager + @{exec_path} rix, @{sh_path} rix, From bfc6c51821b87fdca893c54555bf5ca5a060528b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:08:28 +0200 Subject: [PATCH 0273/1736] feat(profile): update some core system profiles. --- apparmor.d/profiles-a-f/dkms | 4 ++-- apparmor.d/profiles-a-f/fprintd | 3 +-- apparmor.d/profiles-a-f/fwupd | 11 +++++++---- apparmor.d/profiles-g-l/hw-probe | 16 +++++++++++----- apparmor.d/profiles-g-l/hwinfo | 6 +++++- apparmor.d/profiles-g-l/i2cdetect | 5 +++++ apparmor.d/profiles-g-l/kernel | 6 ++++-- apparmor.d/profiles-g-l/kernel-install | 3 +++ apparmor.d/profiles-m-r/pycompile | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 4 +++- 10 files changed, 42 insertions(+), 18 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 0a01e5db50..a0d5b08f95 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -30,13 +30,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/bc rix, @{bin}/clang-@{version} rix, @{bin}/gcc rix, + @{bin}/g++ rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, @{bin}/ld.lld rix, @{bin}/llvm-objcopy rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @@ -101,7 +102,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/sh-thd.* rw, owner @{tmp}/tmp.* rw, - @{PROC}/cpuinfo r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 182d9013d4..1d00dce883 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -32,8 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, - @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 961b55c970..cf5989227c 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -62,12 +62,15 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /boot/{,**} r, - /boot/EFI/*/.goutputstream-@{rand6} rw, - /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, - /boot/EFI/*/fwupdx@{int}.efi rw, + @{efi}/{,**} r, + @{efi}/EFI/*/.goutputstream-@{rand6} rw, + @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, + @{efi}/EFI/*/fwupdx@{int}.efi rw, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + @{MOUNTDIRS}/*/{,@{efi}/} r, + @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, + /var/lib/flatpak/exports/share/mime/mime.cache r, /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 2b91fc612e..7390732019 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -33,6 +33,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, + @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, @@ -55,7 +56,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, - @{bin}/lsscsi rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, @@ -76,12 +76,15 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sbin}/dmidecode rPx, @{sbin}/fdisk rPx, @{sbin}/hdparm rPx, + @{bin}/boltctl rPUx, @{sbin}/hwinfo rPx, @{sbin}/rfkill rPx, @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, + @{efi}/EFI/{,**} r, + owner @{HOME}/HW_PROBE/{,**} rw, owner @{tmp}/@{rand10}/ rw, @@ -107,9 +110,9 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, + capability syslog, - @{sys}/module/compression r, + @{sys}/module/{,**} r, include if exists } @@ -169,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 4919d2fb21..3149752083 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -28,6 +28,7 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, @{sbin}/acpidump rPUx, + @{bin}/lsscsi rPx, @{sbin}/dmraid rPUx, @@ -39,7 +40,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/{,**} r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @@ -70,9 +71,12 @@ profile hwinfo @{exec_path} { include include + capability sys_module, + owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index 5ce4da0bb3..f101c56e66 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, + @{sys}/class/i2c-dev/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + owner @{PROC}/@{pid}/mounts r, + /dev/i2c-@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index d375a1bdda..c3155ce751 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -34,13 +34,15 @@ profile kernel @{exec_path} { @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, + @{bin}/bootctl rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/kernel-install rPx, @{bin}/systemd-detect-virt rPx, - @{sbin}/update-alternatives rPx, + @{lib}/dkms/dkms_autoinstaller rPx, @{sbin}/dkms rPx, + @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, @{lib}/modules/*/updates/ w, @{lib}/modules/*/updates/dkms/ w, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 614b81aeb9..96d0974171 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -41,6 +41,8 @@ profile kernel-install @{exec_path} { @{lib}/modules/*/modules.* w, + @{efi}/@{hex32}/** rw, + owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, owner /boot/[a-f0-9]*/*/{linux,initrd} w, @@ -52,6 +54,7 @@ profile kernel-install @{exec_path} { owner @{tmp}/sh-thd.* rw, + @{PROC}/@{pid}/mountinfo r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index b684c3094e..c308dcd915 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -11,7 +11,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include include include - # include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index 9a4b5cebe4..dfdd005242 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,8 +24,10 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-*/name r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r, @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/i2c-*/name r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, @{sys}/devices/virtual/net/*/duplex r, From af8c66e9bf456a5770584bf03019548ee67d5020 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:14:25 +0200 Subject: [PATCH 0274/1736] feat(profile): upgrade cockpit profiles. --- apparmor.d/groups/virt/cockpit-certificate-helper | 1 + apparmor.d/groups/virt/cockpit-desktop | 2 ++ apparmor.d/groups/virt/cockpit-tls | 3 +++ apparmor.d/groups/virt/cockpit-ws | 4 +++- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index ac9dd5f6f6..303fd074c7 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -21,6 +21,7 @@ profile cockpit-certificate-helper @{exec_path} { @{bin}/openssl rix, @{bin}/rm rix, @{bin}/sscg rix, + @{bin}/sync rix, @{bin}/tr rix, /etc/machine-id r, diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index c2a7455ce7..bb1ba03bfe 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -10,6 +10,8 @@ include profile cockpit-desktop @{exec_path} { include + userns, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 0037b132cc..7bf43ed4ae 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 7b07791195..8e3478072c 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} { +profile cockpit-ws @{exec_path} flags=(attach_disconnected) { include include include @@ -21,6 +21,8 @@ profile cockpit-ws @{exec_path} { /usr/share/pixmaps/{,**} r, /etc/cockpit/ws-certs.d/ r, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, From c2740ffe241a13c85c53d7a8d99d4946b5509414 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:15:04 +0200 Subject: [PATCH 0275/1736] feat(profile): xwayland: add integration with desktop local paths. --- apparmor.d/groups/freedesktop/xwayland | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 03b418684e..9b329e06a4 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -29,6 +29,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, + / r, + + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, From 8042dd4a348fc3778c107d94a9ef1e70c11ec181 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:09:34 +0200 Subject: [PATCH 0276/1736] chore: replace make full by make fsp. --- Makefile | 8 ++++++-- docs/full-system-policy.md | 17 ++++++++--------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/Makefile b/Makefile index 8bc8757bca..854d39f164 100644 --- a/Makefile +++ b/Makefile @@ -22,8 +22,12 @@ build: enforce: build @./${BUILD}/prebuild -.PHONY: full -full: build +.PHONY: fsp +fsp: build + @./${BUILD}/prebuild --full + +.PHONY: fsp-complain +fsp-complain: build @./${BUILD}/prebuild --complain --full .PHONY: install diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index c747cb7397..016ed8ada7 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -27,7 +27,6 @@ Particularly: - Every system application will be **blocked** if they do not have a profile. - Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. -- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. - PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. @@ -47,11 +46,11 @@ Optimize=compress-fast === ":material-arch: Archlinux" - In `PKGBUILD`, replace `make` by `make full`: + In `PKGBUILD`, replace `make` by `make fsp`: ```diff - make - + make full + + make fsp ``` Then, build the package with: `make pkg` @@ -62,7 +61,7 @@ Optimize=compress-fast ```make override_dh_auto_build: - make full + make fsp ``` Then, build the package with: `make dpkg` @@ -73,25 +72,25 @@ Optimize=compress-fast ```make override_dh_auto_build: - make full + make fsp ``` Then, build the package with: `make dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build full` + In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp` ```diff - %make_build - + %make_build full + + %make_build fsp ``` Then, build the package with: `make rpm` === ":material-home: Partial Install" - Use the `make full` command to build instead of `make` + Use the `make fsp` command to build instead of `make` ## Structure @@ -149,7 +148,7 @@ In addition to the `systemd` profiles, a full system policy needs to ensure that The main fallback profile (`default`) is not intended to be used by privileged program or service. Such programs **must** have they dedicated profile and would break otherwise. -Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). +Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full From 6b5fad404bc8d979371d9efc7812c4e50d82bd25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:19:35 +0200 Subject: [PATCH 0277/1736] feat(profile): add free --- apparmor.d/groups/procps/free | 19 +++++++++++++++++++ tests/integration/procps/free.bats | 18 ++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/groups/procps/free create mode 100644 tests/integration/procps/free.bats diff --git a/apparmor.d/groups/procps/free b/apparmor.d/groups/procps/free new file mode 100644 index 0000000000..56075ae1c6 --- /dev/null +++ b/apparmor.d/groups/procps/free @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/free +profile free @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats new file mode 100644 index 0000000000..dcc216bfa8 --- /dev/null +++ b/tests/integration/procps/free.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "free: Display system memory" { + free +} + +@test "free: Display memory in GB" { + free -g +} + +@test "free: Display memory in human-readable units" { + free -h +} From 771dd9b589e15c66038a28e1d469391f25a962bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:22:26 +0200 Subject: [PATCH 0278/1736] feat(profile): add pidof --- apparmor.d/groups/procps/pidof | 18 ++++++++++++++++++ tests/integration/procps/pidof.bats | 19 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/groups/procps/pidof create mode 100644 tests/integration/procps/pidof.bats diff --git a/apparmor.d/groups/procps/pidof b/apparmor.d/groups/procps/pidof new file mode 100644 index 0000000000..3413eb6c3b --- /dev/null +++ b/apparmor.d/groups/procps/pidof @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pidof +profile pidof @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats new file mode 100644 index 0000000000..ec20cbe86a --- /dev/null +++ b/tests/integration/procps/pidof.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pidof: List all process IDs with given name" { + pidof systemd + pidof bash +} + +@test "pidof: List a single process ID with given name" { + pidof -s bash +} + +@test "pidof: List process IDs including scripts with given name" { + pidof -x bash +} From c85ed58fa98935d9d475496f02347a2319ce4992 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:30:21 +0200 Subject: [PATCH 0279/1736] feat(profile): add vmstat --- apparmor.d/groups/procps/vmstat | 27 +++++++++++++++++++++++++++ tests/integration/procps/vmstat.bats | 25 +++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 apparmor.d/groups/procps/vmstat create mode 100644 tests/integration/procps/vmstat.bats diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat new file mode 100644 index 0000000000..1276222a23 --- /dev/null +++ b/apparmor.d/groups/procps/vmstat @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/vmstat +profile vmstat @{exec_path} { + include + include + + @{exec_path} mr, + + @{sys}/block/ r, + @{sys}/devices/system/node/ r, + + @{PROC}/diskstats r, + @{PROC}/slabinfo r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats new file mode 100644 index 0000000000..e5900a3240 --- /dev/null +++ b/tests/integration/procps/vmstat.bats @@ -0,0 +1,25 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "vmstat: Display virtual memory statistics" { + vmstat + vmstat --active + vmstat --forks +} + +@test "vmstat: Display disk statistics" { + vmstat --disk + vmstat --disk-sum +} + +@test "vmstat: Display slabinfo" { + sudo vmstat --slabs +} + +@test "vmstat: Display reports every second for 3 times" { + vmstat 1 3 +} From e6939f4968d50bff639882e5bc34d81ea462ff4e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:37:07 +0200 Subject: [PATCH 0280/1736] feat(profile): add pgrep. --- apparmor.d/groups/procps/pgrep | 22 ++++++++++++++++++++++ tests/integration/procps/pgrep.bats | 19 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 apparmor.d/groups/procps/pgrep create mode 100644 tests/integration/procps/pgrep.bats diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep new file mode 100644 index 0000000000..950aeb99e7 --- /dev/null +++ b/apparmor.d/groups/procps/pgrep @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pgrep +profile pgrep @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{PROC}/tty/drivers r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats new file mode 100644 index 0000000000..9fd6b92f80 --- /dev/null +++ b/tests/integration/procps/pgrep.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pgrep: Return PIDs of any running processes with a matching command string" { + pgrep systemd +} + +@test "pgrep: Search for processes including their command-line options" { + pgrep --full 'systemd' +} + +@test "pgrep: Search for processes run by a specific user" { + pgrep --euid root systemd-udevd +} + From e30372b729467fdb4aeafd6be6c206354b4077d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:52:29 +0200 Subject: [PATCH 0281/1736] ci: use fsp instead of full command. --- .github/workflows/main.yml | 2 +- .gitlab-ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cac8fce430..973287e72f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -38,7 +38,7 @@ jobs: - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules fi if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then # Test with Re-attach disconnected path diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f697637faf..8adab16ab1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -117,7 +117,7 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + - echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules opensuse: stage: build From 277bd7f46aa43ad90ca8242cfb823e4ef3f68044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:53:37 +0200 Subject: [PATCH 0282/1736] feat(profile): ensure gtk-query-immodule is not version dependent. --- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/profiles-g-l/gtk-query-immodules | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e9f3bf807a..ff43e2196f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -71,7 +71,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{sbin}/groupadd rPx, - @{bin}/gtk-query-immodules-{2,3}.0 rPx, + @{bin}/gtk-query-immodules-* rPx, @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 5097696988..e6d37db446 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* +@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include include From e6b044376f7ef7f2a6850bf0461927b5432eeb0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:14:24 +0200 Subject: [PATCH 0283/1736] fix(profile): update archlinux-keyring requirements. fix #784 --- apparmor.d/groups/gpg/gpg | 5 ++--- apparmor.d/groups/pacman/pacman-key | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 247c6e4ac6..f05f6492e5 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -33,9 +33,8 @@ profile gpg @{exec_path} { /etc/inputrc r, #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index a5cee6fa90..9e3bde1881 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -34,7 +34,8 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/* rw, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, /dev/tty rw, From 51cb732ecaeb6e2c7cf7c9f936c4c26c9b9bf561 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:17:13 +0200 Subject: [PATCH 0284/1736] fix(profile): ensure hyprland can integrate with wine/proton fix #783 --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index c06671b34e..9f2e7583d9 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -14,6 +14,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, From b754c1134c8be44034893bb4accee769dcc4ea63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:37:49 +0200 Subject: [PATCH 0285/1736] fix(profile) wechat profile permissions fix #772 --- apparmor.d/profiles-s-z/wechat | 0 apparmor.d/profiles-s-z/wechat-appimage | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 apparmor.d/profiles-s-z/wechat mode change 100755 => 100644 apparmor.d/profiles-s-z/wechat-appimage diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat old mode 100755 new mode 100644 diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage old mode 100755 new mode 100644 From d6f4ff57b65bc641c96775c38aa7bbce55f4aff6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:47:39 +0200 Subject: [PATCH 0286/1736] fix: linter check. --- apparmor.d/groups/gpg/gpg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index f05f6492e5..1a3f7f4d97 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -34,7 +34,7 @@ profile gpg @{exec_path} { #aa:only pacman /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, From 1b1a4c11ac22ab1aba9fd4bbff3619593a2454b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:51:18 +0200 Subject: [PATCH 0287/1736] feat(profile): gpg: improve integration with access to gpg-agent. --- apparmor.d/groups/gpg/gpg | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 1a3f7f4d97..7ebb9e3a4e 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -68,6 +68,7 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, From e9fbc3503636273f0d36697a38f4f061049a38d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:52:26 +0200 Subject: [PATCH 0288/1736] feat(profile): minor sshd improvement. --- apparmor.d/groups/ssh/sshd-auth | 2 ++ apparmor.d/groups/ssh/sshd-session | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth index cb4defc0f1..c1601b8134 100644 --- a/apparmor.d/groups/ssh/sshd-auth +++ b/apparmor.d/groups/ssh/sshd-auth @@ -24,6 +24,8 @@ profile sshd-auth @{exec_path} { @{exec_path} mr, @{sbin}/sshd.hmac r, + /etc/gss/mech.d/{,*} r, + include if exists } diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index e74696334e..5f09af5cc3 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -47,6 +47,11 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mr, @{bin}/@{shells} Ux, #aa:exclude RBAC From 51560bbbf562a7e47ffe4776a1092e3aa78709ec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:53:29 +0200 Subject: [PATCH 0289/1736] feat(profile): update mullvad. --- apparmor.d/groups/network/mullvad-daemon | 13 +++++++++---- apparmor.d/groups/network/mullvad-gui | 2 ++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 6c4c41e6c9..9573d7044d 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -10,6 +10,7 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability dac_override, @@ -39,7 +40,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/ rw, + /etc/mullvad-vpn/* r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -49,16 +51,19 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, - owner @{tmp}/@{uuid} rw, - owner @{tmp}/talpid-openvpn-@{uuid} rw, - + @{PROC}/@{pid}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index c36d34e3f2..ae9b4cb7f8 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -37,6 +37,8 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/mullvad-vpn rw, + /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 35ae596fd98800f52057f338f214f736aad094e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:56:31 +0200 Subject: [PATCH 0290/1736] feat(profile): general update on some core profiles. --- apparmor.d/profiles-a-f/dkms | 5 +++-- apparmor.d/profiles-g-l/gimp | 4 ++++ apparmor.d/profiles-g-l/libreoffice | 3 ++- apparmor.d/profiles-m-r/initramfs-hooks | 6 +++--- apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/nvidia-smi | 2 +- apparmor.d/profiles-m-r/ollama | 7 +++++++ apparmor.d/profiles-m-r/power-profiles-daemon | 3 +++ apparmor.d/profiles-s-z/speech-dispatcher | 6 +++++- apparmor.d/profiles-s-z/terminator | 1 + apparmor.d/profiles-s-z/update-shells | 4 +++- apparmor.d/profiles-s-z/virt-manager | 1 + apparmor.d/profiles-s-z/whoopsie | 2 ++ 13 files changed, 36 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index a0d5b08f95..5a08851435 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -29,8 +29,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/as rix, @{bin}/bc rix, @{bin}/clang-@{version} rix, - @{bin}/gcc rix, @{bin}/g++ rix, + @{bin}/gcc rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @@ -44,8 +44,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{sbin}/update-secureboot-policy rPUx, + @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/update-secureboot-policy rPUx, @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index b335650d88..67b625d620 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -28,6 +28,7 @@ profile gimp @{exec_path} { @{python_path} rix, @{bin}/env rix, + @{bin}/gimp-debug-tool-3.0 rix, @{bin}/gimp-script-fu-interpreter-* rix, @{bin}/gjs-console rix, @{bin}/lua rix, @@ -41,6 +42,7 @@ profile gimp @{exec_path} { /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, + /usr/share/poppler/{,**} r, /usr/share/xml/iso-codes/{,**} r, /etc/fstab r, @@ -68,6 +70,8 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + @{run}/mount/utab r, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index b21642cf88..4bed50f13e 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -81,6 +81,7 @@ profile libreoffice @{exec_path} { /etc/papersize r, /etc/xdg/* r, + /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, @@ -93,7 +94,7 @@ profile libreoffice @{exec_path} { owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, - owner @{tmp}/ r, + @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index aeb125ef27..5896df049e 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -25,10 +25,10 @@ profile initramfs-hooks @{exec_path} { @{lib}/klibc/bin/fstype ix, /usr/share/mdadm/mkconf Px, - @{bin}/* r, - @{sbin}/* r, + @{bin}/* mr, + @{sbin}/* mr, @{lib}/ r, - @{lib}/** r, + @{lib}/** mr, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index 8139ac68ef..c922942ec5 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -19,6 +19,7 @@ profile mdadm-mkconf @{exec_path} { @{sbin}/mdadm Px, /etc/default/mdadm r, + /etc/mdadm/mdadm.conf r, / r, diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 9ea391400d..1d6d62e2bd 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -25,7 +25,7 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-caps/nvidia-cap@{int} rw, /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools r, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 7b55218025..73447e33e8 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner @{tmp}/ollama@{int}/{,**} rw, owner @{tmp}/ollama@{int}/runners/{,**} mr, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/devices/@{pci}/drm/card@{int}/*/ r, + @{sys}/devices/@{pci}/mem_info_vram_total r, + @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 43f27b2fcf..636f417540 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -30,10 +30,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, @{sys}/class/ r, + @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher index 652a7d9ed5..0267d68897 100644 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ b/apparmor.d/profiles-s-z/speech-dispatcher @@ -20,16 +20,20 @@ profile speech-dispatcher @{exec_path} { @{exec_path} mr, @{sh_path} ix, + @{lib}/speech-dispatcher-modules/* ix, @{lib}/speech-dispatcher/** r, @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, /etc/machine-id r, /etc/speech-dispatcher/{,**} r, + owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner @{run}/user/@{uid}/speech-dispatcher/ rw, owner @{run}/user/@{uid}/speech-dispatcher/** rwk, - owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner /dev/shm/sem.@{rand6} rw, + owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6}, include if exists } diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 679a0fd32a..5c79d0efe1 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells index 46b6699c87..5922c1a147 100644 --- a/apparmor.d/profiles-s-z/update-shells +++ b/apparmor.d/profiles-s-z/update-shells @@ -17,12 +17,14 @@ profile update-shells @{exec_path} { @{bin}/chmod ix, @{bin}/chown ix, @{bin}/dirname ix, - @{bin}/dpkg-realpath ix, + @{bin}/dpkg-realpath rix, @{bin}/mv ix, @{bin}/sync ix, + @{bin}/readlink ix, /usr/share/debianutils/shells r, /usr/share/debianutils/shells.d/{,**} r, + /usr/share/dpkg/sh/dpkg-error.sh r, /etc/shells r, /etc/shells.tmp w, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index fa17f5b1bb..aed85abe31 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -84,6 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie index 16a0e5a5e3..0c03f4a768 100644 --- a/apparmor.d/profiles-s-z/whoopsie +++ b/apparmor.d/profiles-s-z/whoopsie @@ -25,6 +25,8 @@ profile whoopsie @{exec_path} { owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/lock rwk, + @{sys}/devices/virtual/dmi/id/product_uuid r, + include if exists } From 06d23ac72cc646cee3ea0e5417f0b50e3092b1ef Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 2 Jul 2025 05:29:55 +0200 Subject: [PATCH 0291/1736] Fix strawberry profile --- apparmor.d/profiles-s-z/strawberry | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 84bbcf1f26..611c8462d6 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -69,8 +69,8 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, owner @{tmp}/etilqs_@{sqlhex} rw, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, + owner @{tmp}/kdsingleapp-*-strawberry w, + owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, From e92f2fb453ea53d4a6da31bc61f95466e2be47a4 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 29 Jun 2025 19:35:08 +0200 Subject: [PATCH 0292/1736] ouch: allow listing archive contents --- apparmor.d/profiles-m-r/ouch | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index a5b62ca93f..d0bb4a1ed3 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -17,11 +17,16 @@ profile ouch @{exec_path} { owner @{HOME}/.tmp@{rand6}/{,**} rw, owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, + owner /tmp/ w, + owner /tmp/.tmp@{rand6}/{,**} rw, + owner /tmp/.tmp-ouch@{rand6}/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } From 2e9d450fde3d0499762d5961f4f881e81decb105 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Mon, 23 Jun 2025 17:58:52 +0800 Subject: [PATCH 0293/1736] Fix tlp start issue --- apparmor.d/profiles-s-z/tlp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 9faea6e3e6..7c0a3d2c8d 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -16,6 +16,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability sys_nice, @@ -48,6 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, @{bin}/uname rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, @@ -104,7 +106,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include - @{run}/tlp/lock_tlp rw, + @{run}/tlp/lock_tlp rw, # file_inherit include if exists } From d855eeccd746b8ecaeaf3cc7f144715909d5136f Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Mon, 23 Jun 2025 18:01:31 +0800 Subject: [PATCH 0294/1736] Not use tabs --- apparmor.d/profiles-s-z/tlp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 7c0a3d2c8d..3eb0800f93 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -49,7 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, @{bin}/uname rix, - @{bin}/timeout rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, From 97d5fe3f6865217f16d05876235ce68b4572312d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 11 Jul 2025 19:37:40 +0200 Subject: [PATCH 0295/1736] feat(abs): user-read/write: allow files directly on the home directory. --- apparmor.d/abstractions/user-read-strict | 1 + apparmor.d/abstractions/user-write-strict | 1 + 2 files changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index f7eb186b50..9626bb0bcc 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* rk, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 026825b27a..88d52203e7 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* wl, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl, From a79e46acdd3768be0ab4f58ac026057a41274ad7 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 18 Jun 2025 22:27:18 +0200 Subject: [PATCH 0296/1736] add profile for whois --- apparmor.d/profiles-s-z/whois | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 apparmor.d/profiles-s-z/whois diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois new file mode 100644 index 0000000000..8353f81d0f --- /dev/null +++ b/apparmor.d/profiles-s-z/whois @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whois +profile whois @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /etc/whois.conf r, + + include if exists +} + +# vim:syntax=apparmor From 8fc70859aaef7cc20181ac6d115a6ff8ca5a9162 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 18 Jun 2025 22:35:59 +0200 Subject: [PATCH 0297/1736] fix include --- apparmor.d/profiles-s-z/whois | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois index 8353f81d0f..a1549db033 100644 --- a/apparmor.d/profiles-s-z/whois +++ b/apparmor.d/profiles-s-z/whois @@ -21,7 +21,7 @@ profile whois @{exec_path} { /etc/whois.conf r, - include if exists + include if exists } # vim:syntax=apparmor From 2c1d235ef02b11750dd5cc812e24dfc188b173f7 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:27:14 +0200 Subject: [PATCH 0298/1736] Hardening kioworker with reagrd to ps See #711 --- apparmor.d/groups/kde/kioworker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 1d091fd093..61e910c88d 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -38,7 +38,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rPUx, + @{bin}/gs rix, #aa:exec kio_http_cache_cleaner From cdb64e14bab522751c7cec2b51cdbdb1ebadf05e Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 16 Jul 2025 18:37:52 +0200 Subject: [PATCH 0299/1736] add texstudio --- apparmor.d/profiles-s-z/texstudio | 48 +++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 apparmor.d/profiles-s-z/texstudio diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio new file mode 100644 index 0000000000..836a9a6ab5 --- /dev/null +++ b/apparmor.d/profiles-s-z/texstudio @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/texstudio +profile texstudio @{exec_path} { + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/pdflatex ix, + @{bin}/pdftex ix, + @{bin}/kpsewhich ix, + @{bin}/gsettings ix, + @{bin}/which ix, + + /usr/share/texmf-dist/{,**} r, + /usr/share/doc/texstudio/{,**} r, + /usr/share/hunspell/{,**} r, + /usr/share/texstudio/{,**} r, + /usr/share/poppler/{,**} r, + + /etc/texmf/{,**} r, + /etc/machine-id r, + + /var/lib/texmf/{,**} r, + + owner @{user_config_dirs}/texstudio/{,**} rwlk, + owner /tmp/qtsingleapp-TeXstu-** rw, + owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk, + + ## silencer + deny owner /usr/share/hunspell/en_US-large.ign w, + + include if exists +} + +# vim:syntax=apparmor From d120792297b4902b1bc4fb640833c2c619f77796 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 18 Jul 2025 11:27:21 +0200 Subject: [PATCH 0300/1736] fix ci --- apparmor.d/profiles-s-z/texstudio | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 836a9a6ab5..4a42a8eff1 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -15,14 +15,14 @@ profile texstudio @{exec_path} { include include include - + @{exec_path} mr, @{bin}/pdflatex ix, @{bin}/pdftex ix, @{bin}/kpsewhich ix, @{bin}/gsettings ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, /usr/share/texmf-dist/{,**} r, /usr/share/doc/texstudio/{,**} r, From 7b6f2353fdbf4f7fce1ef27c1e25d4aa9f3b6bb3 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 18 Jul 2025 11:29:42 +0200 Subject: [PATCH 0301/1736] remove white space --- apparmor.d/profiles-s-z/texstudio | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 4a42a8eff1..52e9e53e68 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -41,7 +41,7 @@ profile texstudio @{exec_path} { ## silencer deny owner /usr/share/hunspell/en_US-large.ign w, - + include if exists } From 7a47914542ce3e45e85e759f1e38a9cdee244a00 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:07:33 +0200 Subject: [PATCH 0302/1736] tests: add test file for whois. --- tests/integration/whois.bats | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 tests/integration/whois.bats diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats new file mode 100644 index 0000000000..fd1cba5fac --- /dev/null +++ b/tests/integration/whois.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "whois: Get information about a domain name" { + whois google.fr +} + +@test "whois: Get information about an IP address" { + whois 8.8.8.8 +} + +@test "whois: Get abuse contact for an IP address" { + whois -b 8.8.8.8 +} + From 8020c2c63d0c578e147b8ee9230010dc4aca44a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:09:41 +0200 Subject: [PATCH 0303/1736] feat(profile): update pacman profiles. --- apparmor.d/groups/pacman/makepkg | 5 +++-- apparmor.d/groups/pacman/paccache | 1 + apparmor.d/groups/pacman/pacman | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 30650d80c0..583d0b9c08 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -11,6 +11,7 @@ profile makepkg @{exec_path} { include include include + include include include include @@ -72,8 +73,8 @@ profile makepkg @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index f537afdb35..8bf1aed6a2 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -36,6 +36,7 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/{,**} r, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ff43e2196f..01543d63f5 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -187,7 +187,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include if exists } - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include From 03b174a2d42c6d36e3f979a92e35f06f1f6b1f5c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:11:18 +0200 Subject: [PATCH 0304/1736] feat(profile): simplify modprobe-nvidia. --- apparmor.d/groups/children/child-modprobe-nvidia | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 9b331a8ce3..61191fe9d2 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -20,7 +20,6 @@ include profile child-modprobe-nvidia flags=(attach_disconnected) { include include - include capability chown, capability fsetid, @@ -35,8 +34,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{PROC}/sys/kernel/modprobe r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, From 881402dc2166b735712e40134558568512059ee8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:17:26 +0200 Subject: [PATCH 0305/1736] feat(profile): improve some systemd profiles. --- apparmor.d/groups/systemd/systemd-coredump | 2 +- apparmor.d/groups/systemd/systemd-machined | 22 ++++++++++++++++++- .../systemd/systemd-tty-ask-password-agent | 3 ++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 52efea3dba..2f6d81fdbb 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -39,7 +39,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, - owner @{HOME}/**.so r, + owner @{HOME}/**.so* r, /var/lib/systemd/coredump/{,**} rwl, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index b37f2300bf..b9244ece6e 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -10,6 +10,7 @@ include profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability setgid, + capability setuid, capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -31,26 +33,44 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + signal send set=rtmin+6 peer=systemd-nspawn, + + ptrace read peer=systemd-nspawn, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, - /var/lib/machines/{,**} rw, /etc/machine-id r, + / r, + @{att}/ r, + + owner /var/lib/machines/ rw, + owner /var/lib/machines/** rwk, + + owner @{run}/systemd/nspawn/ w, + owner @{run}/systemd/nspawn/locks/ w, + owner @{run}/systemd/nspawn/locks/** rwk, + @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, /dev/ptmx rw, /dev/pts/@{int} rw, + /dev/pts/ptmx rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 30d30b295b..b318bf3dd5 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, + signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=@{p_logrotate}, + signal receive set=(term cont winch) peer=machinectl, signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, From c6030de00ae7566cd0267d2a10bfa6d00858a41a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:49:34 +0200 Subject: [PATCH 0306/1736] build: add just command for local and dev install. --- Justfile | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 109cfed3bd..7753ad2d1a 100644 --- a/Justfile +++ b/Justfile @@ -95,7 +95,7 @@ fsp-complain: build fsp-debug: build @./{{build}}/prebuild --complain --full --debug -[group('build')] +[group('install')] [doc('Install prebuild profiles')] install: #!/usr/bin/env bash @@ -123,6 +123,35 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +[group('install')] +[doc('Locally install prebuild profiles')] +local +args: + #!/usr/bin/env bash + set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") + for file in "${abs[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" + done; + mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") + for file in "${tunables[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" + done; + echo "Warning: profile dependencies fallback to unconfined." + for file in {{args}}; do + grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true + sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" + install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done; + systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +[group('install')] +[doc('Prebuild, install, and load a dev profile')] +dev name: + go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` + sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} + sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service + [group('packages')] [doc('Build & install apparmor.d on Arch based systems')] pkg: From 72b136578dd1e5db2efa5b60790fcafd679dd72a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:12:46 +0200 Subject: [PATCH 0307/1736] fix(profile): ensure wc is in pacman-hook-perl fix #786 --- apparmor.d/groups/pacman/pacman-hook-perl | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 07539ae958..aa2be8b09f 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -20,6 +20,7 @@ profile pacman-hook-perl @{exec_path} { @{bin}/find rix, @{bin}/pacman rPx, @{bin}/sed rix, + @{bin}/wc rix, /dev/tty rw, /dev/tty@{int} rw, From 38b165ff319da0177f2fc983921fd6c80bbe360e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:13:50 +0200 Subject: [PATCH 0308/1736] feat(profile): minor apt improvement. --- apparmor.d/groups/apt/apt | 1 + apparmor.d/groups/apt/apt-methods-sqv | 1 + apparmor.d/groups/apt/dpkg-scripts | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5be4284f94..9bdabb1c2e 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -64,6 +64,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/cat rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv index 416328cd4c..0dcd7da0d7 100644 --- a/apparmor.d/groups/apt/apt-methods-sqv +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -18,6 +18,7 @@ profile apt-methods-sqv @{exec_path} { capability setuid, signal receive set=int peer=apt, + signal receive set=int peer=packagekitd, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index d3994d0ec9..44e4790c4c 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -65,6 +65,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/@{python_name}/**/__pycache__/ w, @{lib}/@{python_name}/**/__pycache__/**.pyc w, @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + @{lib}/modules/*/.fresh-install w, /etc/ r, /etc/** rw, From d9d762aaaa939e29048ea75715a71f6f96f675af Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:16:29 +0200 Subject: [PATCH 0309/1736] fix(profile): systemd-coredump: also allow sbin --- apparmor.d/groups/systemd/systemd-coredump | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2f6d81fdbb..2bd25ec168 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -33,6 +33,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{lib}/** r, / r, @{bin}/* r, + @{sbin}/* r, /opt/** r, @{user_lib_dirs}/** r, From 2f1022dc8de00f29472a0fe1c5c8ed8bd7ed8c78 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:19:29 +0200 Subject: [PATCH 0310/1736] feat(profile): general minor update to profiles. --- apparmor.d/profiles-a-f/alacarte | 7 ++++++- apparmor.d/profiles-a-f/birdtray | 2 +- apparmor.d/profiles-a-f/code-extension-git-askpass | 4 ++-- apparmor.d/profiles-a-f/dkms | 1 + apparmor.d/profiles-g-l/git | 3 ++- apparmor.d/profiles-m-r/needrestart-restart | 1 + apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 3 ++- apparmor.d/profiles-s-z/wechat-universal | 4 ++-- 10 files changed, 19 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index eed67619de..700c6d517e 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/alacarte -profile alacarte @{exec_path} { +profile alacarte @{exec_path} flags=(attach_disconnected) { include include include @@ -30,6 +30,11 @@ profile alacarte @{exec_path} { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index c63a8de7ce..771560c6b7 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -40,7 +40,7 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*, owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 5a31889b9d..674432b2ef 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh profile code-extension-git-askpass @{exec_path} { include @@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} { /usr/share/terminfo/** r, - owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 5a08851435..7c594c9004 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -32,6 +32,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, + @{bin}/hostname rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 457e79d2aa..a0ea6393eb 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -133,7 +133,8 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, @{bin}/ksshaskpass ix, - + @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index b9e648602e..964ff1a746 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -13,6 +13,7 @@ profile needrestart-restart @{exec_path} { @{exec_path} mr, @{bin}/systemctl Cx -> systemctl, + @{sh_path} r, /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 096f0316aa..7e432a8388 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index b7ad3a2e88..cb554fc6b8 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -14,9 +14,9 @@ include @{exec_path} = @{lib_dirs}/wechat profile wechat @{exec_path} flags=(attach_disconnected) { include - include include include + include include network netlink raw, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 55155f2b88..9f8c203380 100644 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -14,10 +14,11 @@ include @{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 21e1eee10b..cd8958e8ee 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -14,10 +14,10 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { include - include include - include include + include + include include network netlink raw, From f183ae709f4ffeea0443145cfcaf45d34d1dac62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:23:37 +0200 Subject: [PATCH 0311/1736] chore: fix linter issue. --- apparmor.d/profiles-g-l/git | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index a0ea6393eb..c9373c7ae6 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -134,7 +134,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, @{bin}/ksshaskpass ix, @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, - + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, From 033354314f0e98b9f9e00ce240a634b42d731b9c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Jul 2025 17:54:02 +0200 Subject: [PATCH 0312/1736] doc: minor documentation update. --- docs/configuration.md | 2 +- docs/development/roadmap.md | 8 ++++---- docs/development/vm.md | 31 +++++++++++++++++++++++-------- docs/full-system-policy.md | 10 ++++++++++ 4 files changed, 38 insertions(+), 13 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index fd8a5d38c0..5e1c7992f3 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a **Example** -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: 1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 75cbcdd106..b42467e3dd 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -22,13 +22,13 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [ ] The apt/dpkg profiles needs to be reworked + - [x] The apt/dpkg profiles needs to be reworked - [ ] Build system - [ ] Continuous release on the main branch, ~2 releases per week - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - - [ ] Add a `just` target to install the profiles in the right place + - [x] Add a `just` target to install the profiles in the right place - [ ] Fully drop the Makefile in favor of `just` ## Next features @@ -41,9 +41,9 @@ This is the current list of features that must be implemented to get to a stable - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone. - [ ] Add a prompt listener to handle the user data access. -- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** +- [x] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - - [ ] Remove the `default` profile + - [x] Remove the `default` profile ## Done diff --git a/docs/development/vm.md b/docs/development/vm.md index 66630022ef..1edddba76b 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -14,22 +14,42 @@ $ just ``` Available recipes: help # Show this help message + clean # Remove all build artifacts + + [build] build # Build the go programs enforce # Prebuild the profiles in enforced mode complain # Prebuild the profiles in complain mode fsp # Prebuild the profiles in FSP mode - install # Install the profiles + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) + + [install] + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile + + [packages] pkg # Build & install apparmor.d on Arch based systems dpkg # Build & install apparmor.d on Debian based systems rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container + + [tests] tests # Run the unit tests + init dist flavor # Install dependencies for the bats integration tests + integration dist flavor # Run the integration tests on the machine + + [linter] lint # Run the linters check # Run style checks on the profiles + + [docs] man # Generate the man pages docs # Build the documentation serve # Serve the documentation - clean # Remove all build artifacts - package dist # Build the package in a clean OCI container + + [vm] img dist flavor # Build the VM image create dist flavor # Create the machine up dist flavor # Start a machine @@ -40,13 +60,8 @@ Available recipes: list # List the machines images # List the VM images available # List the VM images that can be created - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine - get_ip dist flavor - get_osinfo dist See https://apparmor.pujol.io/development/ for more information. - ``` ## Requirements diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 016ed8ada7..b523a1c384 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -137,6 +137,16 @@ To work as intended, userland services started by `systemd --user` **should** ha @{lib}/foo rPx -> systemd//&foo, ``` +### Role Based Access Control (RBAC) + +In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: + +- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. + +- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. + +- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory. + ### Fallback In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles: From ee328ecea8e2b7f071ee25380cb28dd62ca50c98 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Jul 2025 17:58:06 +0200 Subject: [PATCH 0313/1736] fix(profile): ensure gpg has access to pacman public keyring. #788 --- apparmor.d/groups/gpg/gpg | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 7ebb9e3a4e..6a01796ff4 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,6 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, From bba6f253adda95e072e9b92095f2913738d2abcf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 13:22:29 +0200 Subject: [PATCH 0314/1736] doc: add link to the last talk. --- README.md | 4 ++++ docs/overview.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index ddb1e79b35..c1c7726c5d 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) diff --git a/docs/overview.md b/docs/overview.md index fb6712a14c..20a5a454f7 100644 --- a/docs/overview.md +++ b/docs/overview.md @@ -43,6 +43,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ### Chat A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org From cf76e2e71411238a48de625334fc8092fc5f9492 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 13:35:53 +0200 Subject: [PATCH 0315/1736] build(arch): sync pkgbuild with the with aur version. --- PKGBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index b48e551532..dfbb46735a 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -8,9 +8,9 @@ pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') -url="https://github.com/roddhjav/$pkgname" +url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') -depends=('apparmor') +depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') conflicts=("$pkgname-git") From 101248b37e235d9176918fc99b23fe370b773ffb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:06:58 +0200 Subject: [PATCH 0316/1736] feat(profile): minor profile update. --- apparmor.d/abstractions/bus/org.freedesktop.systemd1 | 5 +++++ apparmor.d/groups/freedesktop/wireplumber | 2 +- apparmor.d/groups/gnome/gnome-session-check | 5 +++++ apparmor.d/groups/network/dhcpcd | 2 ++ apparmor.d/groups/snap/snapd | 1 + apparmor.d/groups/ssh/sshd | 1 + .../groups/systemd-generators/systemd-generator-import | 4 ++-- apparmor.d/groups/ubuntu/apport | 6 ++++-- apparmor.d/groups/ubuntu/package-system-locked | 2 +- apparmor.d/groups/utils/who | 2 ++ apparmor.d/groups/virt/libvirtd | 1 + 11 files changed, 25 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 46297b4844..341cf58cec 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -11,6 +11,11 @@ member={GetUnit,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=ListUnitsByPatterns + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,StartUnit,StartTransientUnit} diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 0925bad91b..debf19f25f 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -52,7 +52,7 @@ profile wireplumber @{exec_path} { owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - /dev/shm/lttng-ust-wait-@{int} r, + /dev/shm/lttng-ust-wait-@{int} rw, owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check index 2a0b4965f4..44755aef20 100644 --- a/apparmor.d/groups/gnome/gnome-session-check +++ b/apparmor.d/groups/gnome/gnome-session-check @@ -10,12 +10,17 @@ include profile gnome-session-check @{exec_path} { include include + include @{exec_path} mr, @{lib}/gnome-session-check-accelerated-gl-helper ix, @{lib}/gnome-session-check-accelerated-gles-helper ix, + /usr/share/gnome-session/hardware-compatibility r, + + @{PROC}/cmdline r, + include if exists } diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 7f47b9975e..51cf215f94 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -40,6 +40,8 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, + /usr/share/dhcpcd/{,**} r, + /etc/dhcpcd.conf r, /etc/resolv.conf rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 1add6c1c42..5f08856934 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -110,6 +110,7 @@ profile snapd @{exec_path} { /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, + /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2494dc2c24..63f2c13706 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -32,6 +32,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, capability fowner, + capability fsetid, capability kill, capability net_bind_service, capability setgid, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import index 36ff4e5ffc..de3753aaf5 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-import +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -16,13 +16,13 @@ profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - / r, - /dev/kmsg w, include if exists diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 8219ef1853..9f3fd29993 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -28,8 +28,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> &child-dpkg, + @{bin}/dpkg-divert rPx -> &child-dpkg-divert, @{bin}/gdbus rix, @{bin}/md5sum rix, @@ -37,6 +37,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,**} r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 7398fc4044..8cf3ed885a 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - mqueue r type=posix /, + mqueue (read,getattr) type=posix /, ptrace (read), diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index 3da07f89d5..fd49b2becd 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -18,6 +18,8 @@ profile who @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/* r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index a0d636883f..c90e80af97 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -86,6 +86,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), + unix (send, receive) type=stream addr=none peer=(label=virt-manager), # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, From f364ab5e48296838ce76e2d6368435caf5a6ea5e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:13:40 +0200 Subject: [PATCH 0317/1736] feat(profile): firefox: improve crashreporter. --- apparmor.d/groups/browsers/firefox-crashhelper | 2 +- apparmor.d/groups/browsers/firefox-crashreporter | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 55443a3303..55af7c2e28 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/crashhelper -profile firefox-crashhelper @{exec_path} { +profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 1c418eef4b..8feccaa938 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -28,22 +28,23 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{bin}/curl rix, @{bin}/mv rix, @{lib_dirs}/minidump-analyzer rPx, - @{bin}/mv rix, - owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, + owner @{config_dirs}/firefox/*.*/prefs.js r, + owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, + owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -54,10 +55,14 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, + /dev/nvidia@{int} r, + /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From cba7355142b9bc0a20adae21f129a47e100baa92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:14:30 +0200 Subject: [PATCH 0318/1736] feat(abs): update nvidia GLCache. --- apparmor.d/abstractions/nvidia-strict | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6fe8157738..c3aa8e8056 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -18,6 +18,8 @@ owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + + @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw, owner @{user_cache_dirs}/nvidia/ w, owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, From e490a11c1a2ecfadd2cbc0759d77f4706bc2ee61 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:25:41 +0200 Subject: [PATCH 0319/1736] feat(profile): add hwclock. --- apparmor.d/groups/utils/hwclock | 30 ++++++++++++++++++++++++++++ tests/integration/utils/hwclock.bats | 6 +++--- tests/requirements.sh | 3 ++- 3 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/groups/utils/hwclock diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock new file mode 100644 index 0000000000..d1433a605c --- /dev/null +++ b/apparmor.d/groups/utils/hwclock @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/hwclock +profile hwclock @{exec_path} { + include + include + + capability audit_write, + capability sys_time, + + network netlink raw, + + @{exec_path} mr, + + /etc/adjtime rw, + + @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r, + + /dev/rtc@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats index 88c981c315..4a1bc0f83d 100644 --- a/tests/integration/utils/hwclock.bats +++ b/tests/integration/utils/hwclock.bats @@ -6,14 +6,14 @@ load ../common @test "hwclock: Display the current time as reported by the hardware clock" { - hwclock + sudo hwclock } @test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - hwclock --systohc + sudo hwclock --systohc } @test "hwclock: Write the current hardware clock time to the software clock" { - hwclock --hctosys + sudo hwclock --hctosys } diff --git a/tests/requirements.sh b/tests/requirements.sh index 52d7cb36bc..085ad8c7c7 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -21,7 +21,8 @@ debian | ubuntu | whonix) sudo apt update -y sudo apt install -y \ bats bats-support \ - cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak + cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak \ + util-linux-extra ;; opensuse*) ;; From d4d4f3ae4b4ad994ea633dbebd4b879f8a69621a Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 27 Jul 2025 17:13:11 +0200 Subject: [PATCH 0320/1736] add xournalpp --- apparmor.d/profiles-s-z/xournalpp | 44 +++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-s-z/xournalpp diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp new file mode 100644 index 0000000000..7d74ce7da6 --- /dev/null +++ b/apparmor.d/profiles-s-z/xournalpp @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xournalpp +profile xournalpp @{exec_path} { + include + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + /usr/share/xournalpp/** r, + + /etc/machine-id r, + /etc/pipewire/jack.conf.d/ r, + + owner @{user_config_dirs}/xournalpp/** rw, + owner @{user_cache_dirs}/xournalpp/** rw, + + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists +} + +# vim:syntax=apparmor From fc421183a024cb3abb4c3343ed7a1954f53e4511 Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 29 Jul 2025 14:19:17 +0200 Subject: [PATCH 0321/1736] xournalpp improvements --- apparmor.d/profiles-s-z/xournalpp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 7d74ce7da6..6442fe8b91 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -8,11 +8,10 @@ include @{exec_path} = @{bin}/xournalpp profile xournalpp @{exec_path} { - include include + include include include - include include include include @@ -20,16 +19,15 @@ profile xournalpp @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-browsers, + /usr/share/xournalpp/** r, /etc/machine-id r, /etc/pipewire/jack.conf.d/ r, - owner @{user_config_dirs}/xournalpp/** rw, - owner @{user_cache_dirs}/xournalpp/** rw, - - /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + owner @{user_config_dirs}/xournalpp/{,**} rw, + owner @{user_cache_dirs}/xournalpp/{,**} rw, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @@ -38,6 +36,9 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + include if exists } From 9e4db4373e89361b65c2009245b3242087eb830d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 31 Jul 2025 09:22:28 -0600 Subject: [PATCH 0322/1736] Add support for MD RAID devices to the disk-read/write abstractions (#796) --- apparmor.d/abstractions/disks-read | 6 ++++++ apparmor.d/abstractions/disks-write | 3 +++ 2 files changed, 9 insertions(+) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index e1bf312984..872b0c5520 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -81,6 +81,11 @@ # CD-ROM /dev/sr@{int} rk, + # MD RAID devices + /dev/md@{int} rk, + @{sys}/devices/virtual/block/md@{int}/ r, + @{sys}/devices/virtual/block/md@{int}/** r, + # Lookup block device by major:minor numbers # See: https://apparmor.pujol.io/development/internal/#udev-rules @@ -91,6 +96,7 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index ce0a05dd53..a525180422 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -41,6 +41,9 @@ # CD-ROM /dev/sr@{int} w, + # MD RAID devices + /dev/md@{int} w, + include if exists # vim:syntax=apparmor From 8b280b5ef02803eaaf1aeb82173170f0dfe861fd Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 31 Jul 2025 09:00:05 -0600 Subject: [PATCH 0323/1736] Allow sbctl to parse DMI data This path is hard coded in "dmi/dmi.go" --- apparmor.d/profiles-s-z/sbctl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 9dbbf0933e..ef007a32ce 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -26,6 +26,8 @@ profile sbctl @{exec_path} { @{lib}/fwupd/efi/{,**} rw, @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/firmware/efi/efivars/PK-@{uuid} rw, From ed06dac70239aa8f4eca700ae79c87fe9aa6ef49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:45:44 +0200 Subject: [PATCH 0324/1736] feat(profile): add lsipc --- apparmor.d/groups/utils/lsipc | 33 ++++++++++++++++++++++++++++++ tests/integration/utils/lsipc.bats | 16 +++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/groups/utils/lsipc create mode 100644 tests/integration/utils/lsipc.bats diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc new file mode 100644 index 0000000000..12c8d333c8 --- /dev/null +++ b/apparmor.d/groups/utils/lsipc @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsipc +profile lsipc @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/sys/fs/mqueue/msg_max r, + @{PROC}/sys/fs/mqueue/msgsize_max r, + @{PROC}/sys/fs/mqueue/queues_max r, + @{PROC}/sys/kernel/msgmax r, + @{PROC}/sys/kernel/msgmnb r, + @{PROC}/sys/kernel/msgmni r, + @{PROC}/sys/kernel/sem r, + @{PROC}/sys/kernel/shmall r, + @{PROC}/sys/kernel/shmmax r, + @{PROC}/sys/kernel/shmmni r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats new file mode 100644 index 0000000000..a18126982b --- /dev/null +++ b/tests/integration/utils/lsipc.bats @@ -0,0 +1,16 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsipc: Show information about all active IPC facilities" { + lsipc +} + +@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" { + lsipc --shmems + lsipc --queues + lsipc --semaphores +} From f516e1140a200f13506be2f8720640ef45f1f9cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:46:22 +0200 Subject: [PATCH 0325/1736] feat(profile): add lsfd --- apparmor.d/groups/utils/lsfd | 59 +++++++++++++++++++++++++++++++ tests/integration/utils/lsfd.bats | 19 ++++++++++ 2 files changed, 78 insertions(+) create mode 100644 apparmor.d/groups/utils/lsfd create mode 100644 tests/integration/utils/lsfd.bats diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd new file mode 100644 index 0000000000..6b30f63a94 --- /dev/null +++ b/apparmor.d/groups/utils/lsfd @@ -0,0 +1,59 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsfd +profile lsfd @{exec_path} flags=(attach_disconnected) { + include + include + + capability checkpoint_restore, + capability dac_read_search, + capability sys_admin, + capability sys_ptrace, + capability sys_resource, + capability syslog, + + network netlink dgram, + network netlink raw, + + ptrace read, + ptrace trace, + + mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int}, + + @{exec_path} mr, + + / r, + @{att}/ r, + + owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw, + + @{run}/ r, + @{run}/netns/ r, + + @{sys}/kernel/cpu_byteorder r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, + owner @{PROC}/@{pid}/syscall r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats new file mode 100644 index 0000000000..bf0c4de0c7 --- /dev/null +++ b/tests/integration/utils/lsfd.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsfd: List all open file descriptors" { + lsfd +} + +@test "lsfd: List all files kept open by a specific program" { + sudo lsfd --filter 'PID == 1' +} + +@test "lsfd: List open IPv4 or IPv6 sockets" { + sudo lsfd -i4 + sudo lsfd -i6 +} From 926a6fdcb9047ff8e8c1d9e7b1b309ee09fee1a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:55:36 +0200 Subject: [PATCH 0326/1736] feat(profile): add lslocks --- apparmor.d/groups/utils/lslocks | 33 ++++++++++++++++++++++++++++ tests/integration/utils/lslocks.bats | 22 +++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/groups/utils/lslocks create mode 100644 tests/integration/utils/lslocks.bats diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks new file mode 100644 index 0000000000..5fbcdbc8f8 --- /dev/null +++ b/apparmor.d/groups/utils/lslocks @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslocks +profile lslocks @{exec_path} flags=(attach_disconnected) { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/locks r, + owner @{PROC}/@{pid}/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats new file mode 100644 index 0000000000..042834cae5 --- /dev/null +++ b/tests/integration/utils/lslocks.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslocks: List all local system locks" { + sudo lslocks +} + +@test "lslocks: List locks producing a raw output (no columns), and without column headers" { + sudo lslocks --raw --noheadings +} + +@test "lslocks: List locks by PID input" { + sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)" +} + +@test "lslocks: List locks with JSON output to stdout" { + lslocks --json +} From 8b03cff0cfc824a0c1ecd0f8df1b8c715bb2f969 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:58:57 +0200 Subject: [PATCH 0327/1736] feat(profile): add lslogins. --- apparmor.d/groups/utils/lslogins | 33 +++++++++++++++++++++++++++ tests/integration/utils/lslogins.bats | 27 ++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 apparmor.d/groups/utils/lslogins create mode 100644 tests/integration/utils/lslogins.bats diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins new file mode 100644 index 0000000000..7393b47c00 --- /dev/null +++ b/apparmor.d/groups/utils/lslogins @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslogins +profile lslogins @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/.pwd.lock w, + /etc/.pwd.lock wk, + /etc/login.defs r, + /etc/shadow r, + + /var/log/lastlog r, + /var/log/wtmp rk, + + @{run}/systemd/userdb/ r, + + @{PROC}/ r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats new file mode 100644 index 0000000000..aa2df69b4a --- /dev/null +++ b/tests/integration/utils/lslogins.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslogins: Display users in the system" { + lslogins + sudo lslogins +} + +@test "lslogins: Display user accounts" { + lslogins --user-accs +} + +@test "lslogins: Display last logins" { + lslogins --last +} + +@test "lslogins: Display system accounts" { + lslogins --system-accs +} + +@test "lslogins: Display supplementary groups" { + lslogins --supp-groups +} From 4f265c6d58a21c8dc98f2f65403d189cc24dddbe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 15:04:37 +0200 Subject: [PATCH 0328/1736] feat(profile): add lsns. --- apparmor.d/groups/utils/lsns | 42 +++++++++++++++++++++++++++++++ tests/integration/utils/lsns.bats | 31 +++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 apparmor.d/groups/utils/lsns create mode 100644 tests/integration/utils/lsns.bats diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns new file mode 100644 index 0000000000..3d4d42efc7 --- /dev/null +++ b/apparmor.d/groups/utils/lsns @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsns +profile lsns @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + capability sys_ptrace, + capability dac_read_search, + + network, + + ptrace read, + ptrace trace, + + @{exec_path} mr, + + @{att}/ r, + + @{run}/*/netns/** r, + @{run}/*/ns/** r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats new file mode 100644 index 0000000000..c7e6563e2e --- /dev/null +++ b/tests/integration/utils/lsns.bats @@ -0,0 +1,31 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsns: List all namespaces" { + lsns + sudo lsns +} + +@test "lsns: List namespaces in JSON format" { + sudo lsns --json +} + +@test "lsns: List namespaces associated with the specified process" { + sudo lsns --task 1 +} + +@test "lsns: List the specified type of namespaces only" { + sudo lsns --type mnt + sudo lsns --type net + sudo lsns --type ipc + sudo lsns --type user + sudo lsns --type pid + sudo lsns --type uts + sudo lsns --type cgroup + sudo lsns --type time +} + From fd0092d431103e5be29ac9060e1400204d57ece3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 16:34:49 +0200 Subject: [PATCH 0329/1736] fix(profile): fix issues raised in tests. --- apparmor.d/groups/utils/lslocks | 2 ++ apparmor.d/groups/utils/lsns | 2 ++ apparmor.d/profiles-m-r/initramfs-hooks | 2 ++ apparmor.d/profiles-m-r/initramfs-scripts | 1 + apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/mkinitramfs | 2 ++ 6 files changed, 10 insertions(+) diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks index 5fbcdbc8f8..44d2e1d019 100644 --- a/apparmor.d/groups/utils/lslocks +++ b/apparmor.d/groups/utils/lslocks @@ -17,6 +17,8 @@ profile lslocks @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sys}/devices/**/block/** r, + @{PROC}/ r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns index 3d4d42efc7..7fbf568967 100644 --- a/apparmor.d/groups/utils/lsns +++ b/apparmor.d/groups/utils/lsns @@ -28,6 +28,8 @@ profile lsns @{exec_path} flags=(attach_disconnected) { @{run}/*/netns/** r, @{run}/*/ns/** r, + @{sys}/devices/**/block/** r, + @{PROC}/ r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 5896df049e..15f8f66d6f 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** profile initramfs-hooks @{exec_path} { include + include include @{exec_path} mr, @@ -70,6 +71,7 @@ profile initramfs-hooks @{exec_path} { profile ldd { include + include include @{bin}/ldd mr, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 485520ca07..4d38ab9c15 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** profile initramfs-scripts @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index c922942ec5..489068ec8d 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/mdadm/mkconf profile mdadm-mkconf @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index f37029627c..e67bb55fe6 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -88,6 +88,7 @@ profile mkinitramfs @{exec_path} { owner /boot/initrd.img-*.new rw, /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, /var/tmp/modules_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6}/ rw, @@ -98,6 +99,7 @@ profile mkinitramfs @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, From c09b5d85a46b391ad8ee9768f43839cb9a1c584a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:21:49 +0200 Subject: [PATCH 0330/1736] feat(profile): update systemd profiles. --- Justfile | 71 +++++++++++++------ apparmor.d/groups/systemd/bootctl | 7 +- apparmor.d/groups/systemd/busctl | 7 ++ apparmor.d/groups/systemd/journalctl | 3 + apparmor.d/groups/systemd/networkctl | 3 + apparmor.d/groups/systemd/systemd-localed | 4 +- apparmor.d/groups/systemd/systemd-machined | 3 + apparmor.d/groups/systemd/systemd-networkd | 4 ++ .../groups/systemd/systemd-nsresourcework | 2 + apparmor.d/groups/systemd/systemd-userwork | 1 + apparmor.d/groups/systemd/userdbctl | 3 +- 11 files changed, 80 insertions(+), 28 deletions(-) diff --git a/Justfile b/Justfile index 7753ad2d1a..f9ce13c36b 100644 --- a/Justfile +++ b/Justfile @@ -2,18 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: -# just -# just img ubuntu24 server -# just vm ubuntu24 server -# just up ubuntu24 server -# just ssh ubuntu24 server -# just halt ubuntu24 server -# just destroy ubuntu24 server -# just list -# just images -# just available -# just clean +# Usage: `just` +# See https://apparmor.pujol.io/development/ for more information. # Build setings destdir := "/" @@ -125,7 +115,7 @@ install: [group('install')] [doc('Locally install prebuild profiles')] -local +args: +local +names: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log @@ -138,7 +128,7 @@ local +args: install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" done; echo "Warning: profile dependencies fallback to unconfined." - for file in {{args}}; do + for file in {{names}}; do grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" @@ -336,15 +326,52 @@ available: [group('tests')] -[doc('Run the integration tests on the machine')] -integration dist flavor: - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - cp -rf /home/user/Projects/apparmor.d/tests/integration/ /home/user/Projects - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - sudo umount /home/user/Projects/apparmor.d - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - @bats --recursive --timing --print-output-on-failure Projects/integration/ +[doc('Install dependencies for the integration tests')] +init: + @bash tests/requirements.sh +[group('tests')] +[doc('Run the integration tests')] +integration: + bats --recursive --pretty --timing --print-output-on-failure tests/integration + +[group('tests')] +[doc('Install dependencies for the integration tests (machine)')] +tests-init dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init + +[group('tests')] +[doc('Synchronize the integration tests (machine)')] +tests-sync dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ + +[group('tests')] +[doc('Re-synchronize the integration tests (machine)')] +tests-resync dist flavor: (tests-mount dist flavor) \ + (tests-sync dist flavor) \ + (tests-umount dist flavor) + +[group('tests')] +[doc('Unmout the integration tests (machine)')] +tests-umount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sudo umount /home/{{username}}/Projects/apparmor.d + +[group('tests')] +[doc('Run the integration tests (machine)')] +tests-run dist flavor name="": + ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + TERM=xterm \ + bats --recursive --pretty --timing --print-output-on-failure \ + /home/{{username}}/Projects/tests/integration/{{name}} + +[group('tests')] +[doc('Mount integration tests (machine)')] +tests-mount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4 [private] get_ip dist flavor: diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index f7d001c703..47e8737fe2 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -13,6 +13,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability linux_immutable, capability mknod, capability net_admin, capability sys_resource, @@ -47,8 +48,8 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, @@ -59,7 +60,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index c31b288365..04ed76e721 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -48,6 +48,13 @@ profile busctl @{exec_path} flags=(attach_disconnected) { member={GetConnectionCredentials,ListNames,ListActivatableNames} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + dbus send bus=system + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index ef62e37cde..c852b37566 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -30,6 +30,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, + @{bin}/* r, + @{sbin}/* r, + /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 5b4b3e6b5d..0fd89c199c 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -11,6 +11,7 @@ include profile networkctl @{exec_path} flags=(attach_disconnected) { include include + include capability net_admin, capability sys_module, @@ -52,6 +53,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/netif/io.systemd.Network rw, + @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @@ -63,6 +65,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, @{PROC}/cmdline r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 104a141ce8..c15eaf5b20 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -33,8 +33,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/default/locale rw, /etc/locale.conf rw, /etc/vconsole.conf rw, - /etc/X11/xorg.conf.d/ r, - /etc/X11/xorg.conf.d/.#*.confd* rw, + /etc/X11/xorg.conf.d/ rw, + /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, /etc/X11/xorg.conf.d/*.conf rw, @{att}/@{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index b9244ece6e..520080082b 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -37,6 +37,8 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { ptrace read peer=systemd-nspawn, + unix type=stream addr=@@{udbus}/bus/systemd-machine/system, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -71,6 +73,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, /dev/pts/@{int} rw, /dev/pts/ptmx rw, + /dev/vsock r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index df1e740483..5105c69b83 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -60,9 +60,13 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/notify rw, @{run}/mount/utab r, + @{run}/systemd/resolve/resolv.conf r, owner @{att}/var/lib/systemd/network/ r, + owner /var/lib/systemd/network/ rw, + owner /var/lib/systemd/network/** rwk, + @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, owner @{run}/systemd/netif/** rw, diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework index 734717c44a..5b8d53398f 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourcework +++ b/apparmor.d/groups/systemd/systemd-nsresourcework @@ -16,6 +16,8 @@ profile systemd-nsresourcework @{exec_path} { @{exec_path} mr, + @{run}/systemd/nsresource/registry/ r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 29641fd748..2521c655ee 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/gshadow r, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 97625db38d..fa7c132973 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/userdbctl -profile userdbctl @{exec_path} { +profile userdbctl @{exec_path} flags=(attach_disconnected) { include include include @@ -29,6 +29,7 @@ profile userdbctl @{exec_path} { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map r, + owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/uid_map r, include if exists From a731badeff2b0723aad5b5dba309a2cc2018ca35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:24:15 +0200 Subject: [PATCH 0331/1736] feat(profile): improvement raised by unit tests. --- apparmor.d/groups/ubuntu/apport | 10 +++++++ apparmor.d/groups/utils/fstrim | 2 ++ apparmor.d/groups/utils/uuidd | 6 +++- apparmor.d/groups/utils/zramctl | 4 ++- apparmor.d/profiles-g-l/kdump-config | 15 +++++++--- apparmor.d/profiles-g-l/kernel-postinst-kdump | 28 +++++++++++++++++-- apparmor.d/profiles-m-r/initramfs-hooks | 5 ++-- apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/mkinitramfs | 24 ++++++++-------- apparmor.d/profiles-m-r/needrestart | 1 + apparmor.d/profiles-s-z/tlp | 3 ++ 11 files changed, 77 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 9f3fd29993..fbc433c05b 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -49,7 +49,17 @@ profile apport @{exec_path} flags=(attach_disconnected) { owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/log/apport.log rw, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/apport.lock rwk, + @{run}/log/journal/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/environ r, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index a6ada04d54..250794671f 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -26,6 +26,8 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { /boot/efi/ r, /var/ r, + @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 7879145372..52f52b4a29 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -11,6 +11,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + network inet dgram, @{exec_path} mr, @@ -18,9 +20,11 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, owner /var/lib/libuuid/clock-cont.txt rwk, - @{run}/uuidd/request rw, @{att}/@{run}/uuidd/request rw, + @{run}/uuidd/request rw, + @{run}/uuidd/uuidd.pid rwk, + include if exists } diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index 91697be736..a5fa2eb750 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -13,8 +13,10 @@ profile zramctl @{exec_path} { @{exec_path} mr, + @{sys}/devices/virtual/block/zram{int}/disksize w, + @{sys}/devices/virtual/block/zram{int}/reset w, @{sys}/devices/virtual/block/zram@{int}/ r, - @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r, + @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index f8b75f7427..b6f9150243 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -17,6 +17,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/{,e}grep ix, @{bin}/basename ix, @{bin}/cat ix, @{bin}/cmp ix, @@ -25,13 +26,13 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{bin}/file ix, @{bin}/find ix, @{bin}/flock ix, - @{bin}/{,e}grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, @{bin}/plymouth Px, @{bin}/readlink ix, @{bin}/rev ix, + @{bin}/rm ix, @{bin}/run-parts ix, @{bin}/sed ix, @{bin}/systemctl Cx -> systemctl, @@ -48,9 +49,15 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { / r, @{efi}/ r, - /var/crash/kdump_lock wk, - /var/crash/kexec_cmd w, - owner /var/lib/kdump/{,**} rw, + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, + /var/lib/kdump/{,**} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index e1358ec29a..4790c5cb78 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -12,15 +12,32 @@ profile kernel-postinst-kdump @{exec_path} { @{exec_path} mr, + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cp rix, @{bin}/du rix, @{bin}/find rix, - @{bin}/{m,g,}awk rix, + @{bin}/kmod rCx -> kmod, + @{bin}/ischroot rPx, + @{bin}/linux-version rPx, + @{bin}/mkdir rix, + @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sync rix, + @{bin}/cut rix, @{sbin}/mkinitramfs rPx, - owner /var/lib/kdump/* w, + / r, + + /etc/initramfs-tools/conf.d/{,**} r, + /etc/initramfs-tools/initramfs.conf r, + + owner /var/lib/kdump/** rw, + + owner /tmp/tmp.@{rand10}/ rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, @@ -28,6 +45,13 @@ profile kernel-postinst-kdump @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + profile kmod { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 15f8f66d6f..14a83ffbb7 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -16,14 +16,15 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, - @{sbin}/blkid Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, + @{sbin}/blkid Px, /usr/share/mdadm/mkconf Px, @{bin}/* mr, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index 489068ec8d..1201389052 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -25,6 +25,7 @@ profile mdadm-mkconf @{exec_path} { / r, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index e67bb55fe6..df76eb4add 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -47,13 +47,16 @@ profile mkinitramfs @{exec_path} { @{bin}/rmdir rix, @{bin}/sed rix, @{bin}/sort rix, + @{bin}/stat rix, @{bin}/touch rix, @{bin}/tr rix, @{bin}/tsort rix, + @{bin}/uname rix, @{bin}/uniq rix, @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, @{bin}/find rCx -> find, @@ -87,6 +90,9 @@ profile mkinitramfs @{exec_path} { owner /boot/config-* r, owner /boot/initrd.img-*.new rw, + owner /var/lib/kdump/initramfs-tools/** rw, + owner /var/lib/kdump/initrd.* rw, + /var/tmp/ r, /var/tmp/mkinitramfs_@{rand6}/** w, /var/tmp/modules_@{rand6} rw, @@ -102,13 +108,17 @@ profile mkinitramfs @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + @{sys}/bus/ r, + @{sys}/bus/*/drivers/ r, @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, + @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/modules r, owner @{PROC}/@{pid}/fd/ r, @@ -143,18 +153,8 @@ profile mkinitramfs @{exec_path} { @{sh_path} rix, @{sbin}/ldconfig.real rix, - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, - - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw, - - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw, - - owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index f9e2c6ebc3..ceac5436b4 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -23,6 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, + @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 3eb0800f93..0dccf1a238 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -71,6 +71,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{sys}/bus/pci/devices/ r, + @{sys}/bus/pci/drivers/*/ r, + @{sys}/bus/platform/devices/ r, @{sys}/class/drm/ r, @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @@ -80,6 +82,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/class r, @{sys}/devices/**/net/**/uevent r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/net/**/uevent r, @{sys}/firmware/acpi/platform_profile* rw, From 0c2385fef902c6838a69a83953b70bd5b5beaf64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:25:28 +0200 Subject: [PATCH 0332/1736] tests: update tests dependencies. --- tests/requirements.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/requirements.sh b/tests/requirements.sh index 085ad8c7c7..efc357ad47 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -16,13 +16,16 @@ DISTRIBUTION="$(_lsb_release)" case "$DISTRIBUTION" in arch) + sudo pacman -Syu --noconfirm \ + bats bats-support \ + pacman-contrib tlp flatpak networkmanager ;; debian | ubuntu | whonix) sudo apt update -y sudo apt install -y \ bats bats-support \ - cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak \ - util-linux-extra + cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ + network-manager systemd-container flatpak util-linux-extra ;; opensuse*) ;; From d579b330117b5e11d42b11a87f9e342e1b0b609a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:32:27 +0200 Subject: [PATCH 0333/1736] tests: add a few integration tests. --- tests/integration/apt/apt.bats | 18 +++++++++-- tests/integration/apt/dpkg-query.bats | 27 ++++++++++++++++ tests/integration/apt/dpkg-reconfigure.bats | 12 ++++++++ tests/integration/pacman/paccache.bats | 22 +++++++++++++ tests/integration/pacman/pacman-key.bats | 34 +++++++++++++++++++++ tests/integration/pacman/pacman.bats | 34 +++++++++++++++++++++ tests/integration/procps/sysctl.bats | 4 +-- tests/integration/procps/uptime.bats | 18 +++++++++++ tests/integration/systemd/bootctl.bats | 22 +++++++++++++ tests/integration/systemd/busctl.bats | 27 ++++++++++++++++ tests/integration/systemd/homectl.bats | 2 +- tests/integration/systemd/journalctl.bats | 30 ++++++++++++++++++ tests/integration/systemd/localectl.bats | 23 ++++++++++++++ tests/integration/systemd/machinectl.bats | 26 ++++++++++++++++ tests/integration/systemd/networkctl.bats | 18 +++++++++++ tests/integration/utils/fstrim.bats | 14 +++++++++ 16 files changed, 325 insertions(+), 6 deletions(-) create mode 100644 tests/integration/apt/dpkg-query.bats create mode 100644 tests/integration/apt/dpkg-reconfigure.bats create mode 100644 tests/integration/pacman/paccache.bats create mode 100644 tests/integration/pacman/pacman-key.bats create mode 100644 tests/integration/pacman/pacman.bats create mode 100644 tests/integration/procps/uptime.bats create mode 100644 tests/integration/systemd/bootctl.bats create mode 100644 tests/integration/systemd/busctl.bats create mode 100644 tests/integration/systemd/journalctl.bats create mode 100644 tests/integration/systemd/localectl.bats create mode 100644 tests/integration/systemd/machinectl.bats create mode 100644 tests/integration/systemd/networkctl.bats create mode 100644 tests/integration/utils/fstrim.bats diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats index a436f6e9f2..4be0edd8d4 100644 --- a/tests/integration/apt/apt.bats +++ b/tests/integration/apt/apt.bats @@ -25,14 +25,26 @@ setup_file() { sudo apt install -y pass } -@test "apt: Remove a package (using 'purge' instead also removes its configuration files)" { - sudo apt remove -y pass +@test "apt: Remove a package and its configuration files" { + sudo apt purge -y pass } @test "apt: Upgrade all installed packages to their newest available versions" { sudo apt upgrade -y } +@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" { + sudo apt dist-upgrade -y +} + +@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { + sudo apt autoclean +} + +@test "apt: Remove all packages that are no longer needed" { + sudo apt autoremove +} + @test "apt: List all packages" { apt list } @@ -41,6 +53,6 @@ setup_file() { apt list --installed } -@test "apt-moo: Print a cow easter egg" { +@test "apt: Print a cow easter egg" { apt moo } diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats new file mode 100644 index 0000000000..39259e0a09 --- /dev/null +++ b/tests/integration/apt/dpkg-query.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-query: List all installed packages" { + dpkg-query --list +} + +@test "dpkg-query: List installed packages matching a pattern" { + dpkg-query --list 'libc6*' +} + +@test "dpkg-query: List all files installed by a package" { + dpkg-query --listfiles libc6 +} + +@test "dpkg-query: Show information about a package" { + dpkg-query --status libc6 +} + +@test "dpkg-query: Search for packages that own files matching a pattern" { + dpkg-query --search /etc/ld.so.conf.d +} + diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats new file mode 100644 index 0000000000..f6aec98ea4 --- /dev/null +++ b/tests/integration/apt/dpkg-reconfigure.bats @@ -0,0 +1,12 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-reconfigure: Reconfigure one or more packages" { + sudo apt install -y pass + sudo dpkg-reconfigure pass +} + diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats new file mode 100644 index 0000000000..b2e1369e2e --- /dev/null +++ b/tests/integration/pacman/paccache.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" { + sudo paccache -d +} + +@test "paccache: Move candidate packages to a directory instead of deleting them" { + sudo paccache -m "$USER_BUILD_DIRS" +} + +@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" { + sudo paccache -r +} + +@test "paccache: Set the number of package versions to keep" { + sudo paccache -rk 3 +} diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats new file mode 100644 index 0000000000..82e34a3791 --- /dev/null +++ b/tests/integration/pacman/pacman-key.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman-key: Initialize the 'pacman' keyring" { + sudo pacman-key --init +} + +@test "pacman-key: Add the default Arch Linux keys" { + sudo pacman-key --populate +} + +@test "pacman-key: List keys from the public keyring" { + pacman-key --list-keys +} + +@test "pacman-key: Receive a key from a key server" { + sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Print the fingerprint of a specific key" { + pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Sign an imported key locally" { + sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Remove a specific key" { + sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC +} diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats new file mode 100644 index 0000000000..575a65bc16 --- /dev/null +++ b/tests/integration/pacman/pacman.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman: Synchronize and update all packages" { + sudo pacman -Syu --noconfirm +} + +@test "pacman: Install a new package" { + sudo pacman -S --noconfirm pass pass-otp +} + +@test "pacman: Remove a package and its dependencies" { + sudo pacman -Rs --noconfirm pass-otp +} + +@test "pacman: List installed packages and versions" { + pacman -Q +} + +@test "pacman: List only the explicitly installed packages and versions" { + pacman -Qe +} + +@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" { + pacman -Qtdq +} + +@test "pacman: Empty the entire 'pacman' cache" { + sudo pacman -Scc --noconfirm +} diff --git a/tests/integration/procps/sysctl.bats b/tests/integration/procps/sysctl.bats index 2f284070ab..66720c4340 100644 --- a/tests/integration/procps/sysctl.bats +++ b/tests/integration/procps/sysctl.bats @@ -21,6 +21,6 @@ load ../common sysctl fs.file-max } -@test "sysctl: Apply changes from `/etc/sysctl.conf`" { - sysctl -p +@test "sysctl: Apply changes from '/etc/sysctl.conf'" { + sudo sysctl -p } diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats new file mode 100644 index 0000000000..7d9361d5a6 --- /dev/null +++ b/tests/integration/procps/uptime.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "uptime: Print current time, uptime, number of logged-in users and other information" { + uptime +} + +@test "uptime: Show only the amount of time the system has been booted for" { + uptime --pretty +} + +@test "uptime: Print the date and time the system booted up at" { + uptime --since +} diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats new file mode 100644 index 0000000000..2dfb39a7f5 --- /dev/null +++ b/tests/integration/systemd/bootctl.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "bootctl: Show information about the system firmware and the bootloaders" { + sudo bootctl status +} + +@test "bootctl: Show all available bootloader entries" { + sudo bootctl list +} + +@test "bootctl: Install 'systemd-boot' into the EFI system partition" { + sudo bootctl install +} + +@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" { + sudo bootctl remove +} diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats new file mode 100644 index 0000000000..ef3e973e92 --- /dev/null +++ b/tests/integration/systemd/busctl.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "busctl: Show all peers on the bus, by their service names" { + busctl list +} + +@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" { + busctl status 1 + busctl status org.freedesktop.DBus +} + +@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" { + busctl tree org.freedesktop.DBus +} + +@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" { + busctl introspect org.freedesktop.login1 /org/freedesktop/login1 +} + +@test "busctl: Retrieve the current value of one or more object properties" { + busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked +} diff --git a/tests/integration/systemd/homectl.bats b/tests/integration/systemd/homectl.bats index 0bdd625c4c..bb3b382270 100644 --- a/tests/integration/systemd/homectl.bats +++ b/tests/integration/systemd/homectl.bats @@ -16,7 +16,7 @@ setup_file() { } @test "homectl: Create a user account and their associated home directory" { - sudo homectl create user2 + printf "user2\nuser2" | sudo homectl create user2 } @test "homectl: List user accounts and their associated home directories" { diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats new file mode 100644 index 0000000000..9eeb7c9fe0 --- /dev/null +++ b/tests/integration/systemd/journalctl.bats @@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "journalctl: Show all messages with priority level 3 (errors) from this boot" { + sudo journalctl -b --priority=3 +} + +@test "journalctl: Show only the last N lines of the journal" { + sudo journalctl --lines 100 +} + +@test "journalctl: Show all messages by a specific [u]nit" { + sudo journalctl --unit apparmor.service +} + +@test "journalctl: Show all messages by a specific process" { + sudo journalctl _PID=1 +} + +@test "journalctl: Show all messages by a specific executable" { + sudo journalctl /usr/bin/bootctl +} + +@test "journalctl: Delete journal logs which are older than 10 seconds" { + sudo journalctl --vacuum-time=10s +} diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats new file mode 100644 index 0000000000..5d82683a27 --- /dev/null +++ b/tests/integration/systemd/localectl.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "localectl: Show the current settings of the system locale and keyboard mapping" { + localectl +} + +@test "localectl: List available locales" { + localectl list-locales +} + +@test "localectl: Set a system locale variable" { + sudo localectl set-locale LANG=en_US.UTF-8 +} + +@test "localectl: Set the system keyboard mapping for the console and X11" { + sudo localectl set-keymap uk +} + diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats new file mode 100644 index 0000000000..d9ba384449 --- /dev/null +++ b/tests/integration/systemd/machinectl.bats @@ -0,0 +1,26 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "importctl: Import an image as a machine" { + sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble +} + +@test "machinectl: Display a list of available images" { + sudo machinectl list-images +} + +@test "machinectl: Start a machine as a service using systemd-nspawn" { + sudo machinectl start noble +} + +@test "machinectl: Display a list of running machines" { + sudo machinectl list +} + +@test "machinectl: Stop a running machine" { + sudo machinectl stop noble +} diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats new file mode 100644 index 0000000000..81418ba01f --- /dev/null +++ b/tests/integration/systemd/networkctl.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "networkctl: List existing links with their status" { + sudo networkctl list +} + +@test "networkctl: Show an overall network status" { + sudo networkctl status +} + +@test "networkctl: Reload configuration files (.netdev and .network)" { + sudo networkctl reload +} diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats new file mode 100644 index 0000000000..dff1083e2c --- /dev/null +++ b/tests/integration/utils/fstrim.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "fstrim: Trim unused blocks on all mounted partitions that support it" { + sudo fstrim --all +} + +@test "fstrim: Trim unused blocks on a specified partition" { + sudo fstrim --verbose / +} From ac3e0fea59923648b75f46684702632d5d29bf80 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:34:31 +0200 Subject: [PATCH 0334/1736] fix: profile compilation issue. --- apparmor.d/groups/utils/zramctl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index a5fa2eb750..29428a96f5 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -13,13 +13,13 @@ profile zramctl @{exec_path} { @{exec_path} mr, - @{sys}/devices/virtual/block/zram{int}/disksize w, - @{sys}/devices/virtual/block/zram{int}/reset w, @{sys}/devices/virtual/block/zram@{int}/ r, @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, + @{sys}/devices/virtual/block/zram@{int}/disksize w, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, + @{sys}/devices/virtual/block/zram@{int}/reset w, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, From b878ce1ea23b6287ea6875e7aced36d13a10104c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 01:04:37 +0200 Subject: [PATCH 0335/1736] chore: fix linter issues. --- apparmor.d/profiles-g-l/kernel-postinst-kdump | 4 ++-- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/needrestart | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 4790c5cb78..50606695ab 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -18,7 +18,7 @@ profile kernel-postinst-kdump @{exec_path} { @{bin}/cp rix, @{bin}/du rix, @{bin}/find rix, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rCx -> kmod, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{bin}/mkdir rix, @@ -49,7 +49,7 @@ profile kernel-postinst-kdump @{exec_path} { include include - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 14a83ffbb7..18610de279 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -20,7 +20,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index ceac5436b4..5a65b40a9c 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -23,7 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/stty rix, + @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, From f6914a87302f9026215234ea36d6dfcf10d6607e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 22:17:03 +0200 Subject: [PATCH 0336/1736] fix(profile): various fixes from issue raised by the CI. --- apparmor.d/groups/apt/dpkg-script-systemd | 7 ++++++- apparmor.d/groups/systemd/bootctl | 1 + apparmor.d/groups/systemd/localectl | 4 ++++ apparmor.d/groups/systemd/systemd-localed | 4 ++++ apparmor.d/groups/systemd/systemd-userdbd | 1 + apparmor.d/groups/virt/dockerd | 1 + apparmor.d/profiles-g-l/kernel-install | 1 + 7 files changed, 18 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 722e72c53e..6c76e6f707 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -11,6 +11,8 @@ profile dpkg-script-systemd @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{coreutils_path} rix, @@ -21,7 +23,7 @@ profile dpkg-script-systemd @{exec_path} { @{bin}/dpkg-divert Px, @{bin}/dpkg-maintscript-helper Px, @{bin}/journalctl Px, - @{bin}/kernel-install Px, + @{bin}/kernel-install mrPx, @{bin}/systemctl Cx -> systemctl, @{bin}/systemd-machine-id-setup Px, @{bin}/systemd-sysusers Px, @@ -35,11 +37,14 @@ profile dpkg-script-systemd @{exec_path} { /etc/pam.d/sed@{rand6} rw, /etc/pam.d/common-password rw, + @{efi}/ r, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, profile dpkg { include + include include capability dac_read_search, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 47e8737fe2..70a91197fd 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -16,6 +16,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability sys_rawio, capability sys_resource, signal send peer=child-pager, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index f9a3625ef7..0d46dbfed9 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -17,6 +17,10 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c15eaf5b20..e98bef0095 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -17,6 +17,10 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Reload + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 20e940b1db..f9fad36937 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -33,6 +33,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index abd6c90ecb..c21fa27886 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -73,6 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, + @{bin}/runc rUx, #aa:lint ignore @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 96d0974171..be5d877a98 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -14,6 +14,7 @@ profile kernel-install @{exec_path} { include include + capability sys_rawio, capability sys_resource, ptrace read peer=@{p_systemd}, From b2910ae59329af14143c384c307cbe7f42a47665 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 22:22:13 +0200 Subject: [PATCH 0337/1736] tests(check): add support for '#aa:lint ignore' inline directive to disable linting. --- pkg/prebuild/directive/core.go | 3 +++ tests/check.sh | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index 6138eec0cd..cde9470dc3 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -106,6 +106,9 @@ func Run(file *paths.Path, profile string) (string, error) { opt := NewOption(file, match) drtv, ok := Directives[opt.Name] if !ok { + if opt.Name == "lint" { + continue + } return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) } profile, err = drtv.Apply(opt, profile) diff --git a/tests/check.sh b/tests/check.sh index 8b847db6ff..39d7f8158c 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -51,12 +51,24 @@ _wait() { fi } +readonly _IGNORE_LINT="#aa:lint ignore" +_ignore_lint() { + local line="$1" + if [[ "$line" == *"$_IGNORE_LINT"* ]]; then + return 0 + fi + return 1 +} + _check() { local file="$1" local line_number=0 while IFS= read -r line; do line_number=$((line_number + 1)) + if _ignore_lint "$line"; then + continue + fi # Rules checks _check_abstractions @@ -339,7 +351,10 @@ check_sbin() { jobs=0 for name in "${sbin[@]}"; do ( - mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2) + mapfile -t files < <( + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d | + cut -d: -f1,2 + ) for file in "${files[@]}"; do _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done From ef9b93b866109751be1f00d308190dd923e06698 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:00:48 +0200 Subject: [PATCH 0338/1736] tests(check): enable more linter rule. --- tests/check.sh | 58 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 39d7f8158c..708b2fe997 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -75,6 +75,8 @@ _check() { _check_directory_mark _check_equivalent _check_too_wide + _check_transition + _check_useless # Guidelines check _check_abi @@ -137,6 +139,7 @@ _check_directory_mark() { for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue + [[ "$line" =~ ^[[:space:]]*# ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi @@ -172,6 +175,55 @@ _check_too_wide() { done } +readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' + chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir + sed shred stat tail tee test timeout touch truncate unlink +) +readonly TRANSITION_MUST_PC=( # Must transition to 'Px' + ischroot +) +readonly TRANSITION_MUST_C=( # Must transition to 'Cx' + sysctl kmod pgrep pkexec sudo systemctl udevadm + fusermount fusermount3 fusermount{,3} + nvim vim sensible-editor +) +_check_transition() { + _is_enabled transition || return 0 + for prgmname in "${!TRANSITION_MUST_CI[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + _err security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_PC[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + _err security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_C[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + _warn security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" + fi + done +} + +readonly USELESS=( + '@{PROC}/filesystems' '@{PROC}/sys/kernel/cap_last_cap' + '@{PROC}/meminfo' '@{PROC}/stat' '@{PROC}/cpuinfo' + '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible' + '/usr/share/locale/' +) +_check_useless() { + _is_enabled useless || return 0 + for rule in "${!USELESS[@]}"; do + if [[ "$line" == *"${USELESS[$rule]}"* ]]; then + _err issue "$file:$line_number" "rule already included in the base abstraction, remove it" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false @@ -388,7 +440,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent useless transition abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -408,7 +460,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent too_wide abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -429,7 +481,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent too_wide header tabs trailing indentation vim ) for file in "${files[@]}"; do From 85383ed361d80027f1527891dda1463a4e112cfc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:08:55 +0200 Subject: [PATCH 0339/1736] fix: newly detected linter issues. --- apparmor.d/abstractions/common/app | 6 +++--- apparmor.d/groups/browsers/epiphany | 1 - apparmor.d/groups/gpg/scdaemon | 2 +- apparmor.d/profiles-a-f/adequate | 2 -- apparmor.d/profiles-g-l/kernel-install | 3 +++ 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a3fb2c5ef0..15b730fb20 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,11 +56,11 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore owner @{user_games_dirs}/** rmix, - owner @{tmp}/** rmwk, - owner /dev/shm/** rwlk -> /dev/shm/**, + owner @{tmp}/** rmwk, #aa:lint ignore + owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/tmp/etilqs_@{sqlhex} rw, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 636bbf9d3d..86b293e8d0 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -51,7 +51,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { owner @{tmp}/WebKit-Media-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 5d2cafd950..729455f7f9 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -25,7 +25,7 @@ profile scdaemon @{exec_path} { owner /etc/pacman.d/gnupg/S.scdaemon rw, owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}common.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index b7a62fc82b..da8f64bc22 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -54,14 +54,12 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, - @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, - @{lib}{,x}32/ld-*.so rix, include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index be5d877a98..bd1438f960 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -42,7 +42,10 @@ profile kernel-install @{exec_path} { @{lib}/modules/*/modules.* w, + / r, + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, From f1a96db3172334c50303024aeb07fbd6f821ce18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:11:20 +0200 Subject: [PATCH 0340/1736] feat(profile): add missing update-alternatives & mdadm profiles. --- apparmor.d/profiles-a-f/dracut-install | 26 +++++++++++++++++ apparmor.d/profiles-m-r/mdadm | 39 ++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-a-f/dracut-install create mode 100644 apparmor.d/profiles-m-r/mdadm diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install new file mode 100644 index 0000000000..2000635d36 --- /dev/null +++ b/apparmor.d/profiles-a-f/dracut-install @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dracut/dracut-install +profile dracut-install @{exec_path} { + include + + @{exec_path} mr, + + /etc/modprobe.d/{,**} r, + + @{sys}/devices/platform/{,**/} r, + @{sys}/devices/platform/**/modalias r, + @{sys}/module/compression r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm new file mode 100644 index 0000000000..7601f16df2 --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/mdadm +profile mdadm @{exec_path} { + include + include + + capability sys_admin, + + mqueue (read getattr) type=posix /, + + @{exec_path} mr, + + @{run}/initctl r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + @{sys}/bus/pci/drivers/*/ r, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/device r, + @{sys}/devices/@{pci}/vendor r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/cmdline r, + @{PROC}/kcore r, + @{PROC}/partitions r, + + /dev/**/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 71670d4d71..3aeab3192c 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -90,6 +90,7 @@ dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain dpkg-scripts complain +dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain @@ -232,6 +233,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain +mdadm complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain From 8f7e373f6270b172ffdd09b325c4228952cdcb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:21:53 +0200 Subject: [PATCH 0341/1736] fix: update-alternatives is **not** installed in sbin. --- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- tests/sbin.list | 1 - 6 files changed, 5 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index da8f64bc22..7025f97877 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{sbin}/update-alternatives rPx, + @{bin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index c3155ce751..b718f7d18b 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,9 +38,9 @@ profile kernel @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/kernel-install rPx, @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, @{lib}/dkms/dkms_autoinstaller rPx, @{sbin}/dkms rPx, - @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 18610de279..14a83ffbb7 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -20,7 +20,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 4d38ab9c15..d280c145ab 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -21,7 +21,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 68ddb97a58..8f08b74fa0 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-alternatives +@{exec_path} = @{bin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 1d0eb5b970..a8b4394783 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -766,7 +766,6 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-alternatives update-ca-certificates update-catalog update-cracklib From 18212c9ff7a0fe96d3ae6299d76503ca3a32dad2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:03:06 +0200 Subject: [PATCH 0342/1736] tests: re-enable apt tests. --- tests/integration/apt/apt.bats | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats index 4be0edd8d4..3f13d4ea46 100644 --- a/tests/integration/apt/apt.bats +++ b/tests/integration/apt/apt.bats @@ -5,10 +5,6 @@ load ../common -setup_file() { - skip -} - @test "apt: Update the list of available packages and versions" { sudo apt update } @@ -38,11 +34,11 @@ setup_file() { } @test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { - sudo apt autoclean + sudo apt autoclean -y } @test "apt: Remove all packages that are no longer needed" { - sudo apt autoremove + sudo apt autoremove -y } @test "apt: List all packages" { From 5a08ffc9ba485878eba448366459f2ef55625274 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:19:35 +0200 Subject: [PATCH 0343/1736] fix(profile): apply fixes raised by tests --- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- apparmor.d/abstractions/common/electron | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 7 ++++++- .../groups/systemd/systemd-machine-id-setup | 1 + apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/groups/ubuntu/update-notifier-crash | 15 +++++++++++++-- apparmor.d/profiles-a-f/dracut-install | 1 + apparmor.d/profiles-m-r/mdadm | 1 + 9 files changed, 29 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b002d6fa42..b683cf128f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -26,6 +26,11 @@ member={ItemNew,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 341cf58cec..4fb1764bc4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -8,7 +8,7 @@ dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member={GetUnit,StartUnit,StartTransientUnit} + member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), dbus send bus=system path=/org/freedesktop/systemd1 diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8134f86811..6216ec9399 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -75,6 +75,7 @@ @{PROC}/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, @@ -88,7 +89,6 @@ owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 6418629650..b2ae65450b 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -12,14 +12,19 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include + include + include @{exec_path} mr, + @{bin}/xdg-user-dirs-update Px, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{tmp}/dirs-@{rand6} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index f3f27b5236..c791e63751 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -31,6 +31,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { /etc/machine-id rw, /var/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 6c4dc4d77e..361290980f 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -85,7 +85,6 @@ profile update-notifier @{exec_path} { profile systemctl { include include - include dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index dee094aa1c..d65c77a08b 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -9,17 +9,28 @@ include @{exec_path} = @{lib}/update-notifier/update-notifier-crash profile update-notifier-crash @{exec_path} { include + include @{exec_path} mr, - @{bin}/systemctl Cx -> systemctl, - + @{bin}/{,e}grep ix, + @{bin}/groups Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/which{,.debianutils} ix, + @{sh_path} mr, /usr/share/apport/apport-checkreports Px, + owner @{HOME}/ r, + profile systemctl { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + include if exists } diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 2000635d36..6deb06eb65 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/dracut/dracut-install profile dracut-install @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 7601f16df2..15adcb9e68 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -9,6 +9,7 @@ include @{exec_path} = @{sbin}/mdadm profile mdadm @{exec_path} { include + include include capability sys_admin, From 4a3a98c77d3fefb403a1bb775bca51a088006451 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 18:46:17 +0200 Subject: [PATCH 0344/1736] fix(profile): fixes for issues raised by newly enabled tests. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/apt/dpkg-script-linux | 12 +++++++++++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/network/netplan-generate | 1 + apparmor.d/profiles-s-z/ucf | 12 ++---------- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 716cd1dc85..66131c6e7b 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -36,6 +36,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/stty ix, @{bin}/tr ix, @{bin}/uniq ix, + @{bin}/which{,.debianutils} ix, @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index d6a8db4732..24c6c74df3 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -19,11 +19,14 @@ profile dpkg-script-linux @{exec_path} { @{bin}/run-parts ix, @{bin}/stty ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-maintscript-helper Px, @{bin}/dpkg-trigger Px, @{bin}/kmod Px, @{bin}/linux-check-removal Px, @{bin}/linux-update-symlinks Px, - @{bin}/dpkg-maintscript-helper Px, + @{bin}/systemctl Cx -> systemctl, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, /etc/kernel/{,header_}postinst.d/* Px, @@ -36,6 +39,13 @@ profile dpkg-script-linux @{exec_path} { @{lib}/linux/triggers/* w, @{lib}/modules/*/.fresh-install w, + profile systemctl { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 44e4790c4c..5743ab9048 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -80,6 +80,7 @@ profile dpkg-scripts @{exec_path} { /tmp/tmp.@{rand10} rw, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, profile bus { include diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 64f8399e1b..74ed20aafb 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/netplan/generate profile netplan-generate @{exec_path} flags=(attach_disconnected) { include + include include capability chown, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 3c3374d851..9e459f2611 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/ucf profile ucf @{exec_path} { include + include include include @@ -17,11 +18,11 @@ profile ucf @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cp rix, @{bin}/dirname rix, - @{bin}/{m,g,}awk rix, @{bin}/getopt rix, @{bin}/id rix, @{bin}/md5sum rix, @@ -39,8 +40,6 @@ profile ucf @{exec_path} { @{bin}/dpkg-divert rPx, @{pager_path} rCx -> child-pager, - /usr/share/debconf/frontend Cx -> debconf, - # For md5sum /usr/share/** r, @@ -57,13 +56,6 @@ profile ucf @{exec_path} { deny capability sys_admin, # optional: no audit - profile debconf { - include - include - - include if exists - } - include if exists } From 7d2229cd05134f491a671f4f2e61b9216dc07420 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:18:00 +0200 Subject: [PATCH 0345/1736] build: fully replace make by just. --- .github/workflows/main.yml | 17 +-- .gitlab-ci.yml | 11 +- Justfile | 6 +- Makefile | 100 ------------------ debian/apparmor.d.hide | 2 +- debian/control | 1 + debian/rules | 8 +- dists/apparmor.d.spec | 5 +- dists/build.sh | 2 +- dists/ignore/main.ignore | 2 +- docs/development/build.md | 2 +- docs/development/roadmap.md | 2 +- docs/development/tests.md | 6 +- docs/development/workflow.md | 14 +-- docs/enforce.md | 44 ++++---- docs/full-system-policy.md | 42 ++++---- docs/install.md | 19 ++-- tests/check.sh | 2 +- .../cloud-init/archlinux-cosmic.user-data.yml | 1 + tests/cloud-init/archlinux-xfce.user-data.yml | 1 + tests/cloud-init/opensuse.yml | 2 +- tests/packer/src/aa-update | 6 +- 22 files changed, 113 insertions(+), 182 deletions(-) delete mode 100644 Makefile diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 973287e72f..a3d7b3266d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,9 +9,14 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 + - name: Install linter dependencies + run: | + sudo apt-get update -q + sudo apt-get install -y just + - name: Run basic profile linter check run: | - make check + just check build: runs-on: ${{ matrix.os }} @@ -32,13 +37,13 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ - auditd apparmor-profiles apparmor-utils + auditd apparmor-profiles apparmor-utils just sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules + sed -e "s/just complain/just fsp-complain/" -i debian/rules fi if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then # Test with Re-attach disconnected path @@ -95,7 +100,7 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ apparmor-profiles apparmor-utils \ - bats bats-support + bats bats-support just - name: Install apparmor.d run: | @@ -127,12 +132,12 @@ jobs: - name: Install integration dependencies run: | - bash tests/requirements.sh + just init find /usr/sbin/ -type f - name: Run the integration tests run: | - make integration + just integration - name: Show final AppArmor logs if: always() diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8adab16ab1..7b4c135191 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -66,7 +66,7 @@ check: stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: - - make check + - just check # Package Build # ------------- @@ -84,13 +84,12 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian:12 + image: registry.gitlab.com/roddhjav/builders/debian:trixie script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev lsb-release - - sudo apt-get install -y -t bookworm-backports golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -105,7 +104,7 @@ ubuntu: script: - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -117,7 +116,7 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules + - sed -e "s/just complain/just fsp-complain/" -i debian/rules opensuse: stage: build diff --git a/Justfile b/Justfile index f9ce13c36b..7a84af1be8 100644 --- a/Justfile +++ b/Justfile @@ -157,7 +157,7 @@ dpkg: [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm - @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm + @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm [group('tests')] [doc('Run the unit tests')] @@ -213,8 +213,8 @@ package dist: if [[ $dist =~ ubuntu([0-9]+) ]]; then version="${BASH_REMATCH[1]}.04" dist="ubuntu" - elif [[ $dist =~ debian([0-9]+) ]]; then - version="${BASH_REMATCH[1]}" + elif [[ $dist == debian ]]; then + version="trixie" dist="debian" fi bash dists/docker.sh $dist $version diff --git a/Makefile b/Makefile deleted file mode 100644 index 854d39f164..0000000000 --- a/Makefile +++ /dev/null @@ -1,100 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -DESTDIR ?= / -BUILD ?= .build -PKGDEST ?= ${PWD}/.pkg -PKGNAME := apparmor.d -PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) - -.PHONY: all -all: build - @./${BUILD}/prebuild --complain - -.PHONY: build -build: - @go build -o ${BUILD}/ ./cmd/aa-log - @go build -o ${BUILD}/ ./cmd/prebuild - -.PHONY: enforce -enforce: build - @./${BUILD}/prebuild - -.PHONY: fsp -fsp: build - @./${BUILD}/prebuild --full - -.PHONY: fsp-complain -fsp-complain: build - @./${BUILD}/prebuild --complain --full - -.PHONY: install -install: - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \ - mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ - cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in ${BUILD}/systemd/system/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ - done; - @for file in ${BUILD}/systemd/user/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ - done - - -.PHONY: $(PROFILES) -$(PROFILES): - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ - done; - @for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ - done; - @echo "Warning: profile dependencies fallback to unconfined." - @for file in ${@}; do \ - grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ - sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ - install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: dev -name ?= -dev: - @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) - @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} - @sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: pkg -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -.PHONY: dpkg -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb - -.PHONY: rpm -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm - -.PHONY: check -check: - @bash tests/check.sh - -.PHONY: integration -integration: - @bats --recursive --timing --print-output-on-failure tests/integration/ diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 20725a1338..8fc1d019d1 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "make", all edit will be lost. +# This file is generated by "just", all edit will be lost. diff --git a/debian/control b/debian/control index 7f2028b0ee..56ad928ba2 100644 --- a/debian/control +++ b/debian/control @@ -6,6 +6,7 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, + just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git diff --git a/debian/rules b/debian/rules index a30a693df4..d78e652ca0 100755 --- a/debian/rules +++ b/debian/rules @@ -9,5 +9,9 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: -# do not run 'make check' by default as it can be long for dev package -override_dh_auto_test: +override_dh_auto_build: + just complain + +override_dh_auto_install: + just destdir="${CURDIR}/debian/apparmor.d" install + diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 339d880366..bf97705a60 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,6 +15,7 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release +BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles @@ -25,10 +26,10 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -%make_build +just complain %install -%make_install +just destdir="%{buildroot}" install %posttrans rm -f /var/cache/apparmor/* 2>/dev/null diff --git a/dists/build.sh b/dists/build.sh index 1f2e204c24..9b9f9e765d 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make [ dpkg | pkg | rpm ] +# Usage: just [ dpkg | pkg | rpm ] set -eu -o pipefail diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 3cccf4c056..0665edf85f 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -2,7 +2,7 @@ # File format: one ignore by line, it can be a profile name or a directory to ignore # Contains profiles and configuration for full system confinement, only included -# when built with 'make full' +# when built with 'just fsp' apparmor.d/groups/_full # Provided by other packages diff --git a/docs/development/build.md b/docs/development/build.md index 5145a84168..eaa2487a24 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -2,7 +2,7 @@ title: Building the profiles --- -The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. +The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `just complain`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. The build system is fully configurable, general usage can be seen with: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index b42467e3dd..2585208e51 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -29,7 +29,7 @@ This is the current list of features that must be implemented to get to a stable - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - [x] Add a `just` target to install the profiles in the right place - - [ ] Fully drop the Makefile in favor of `just` + - [x] Fully drop the Makefile in favor of `just` ## Next features diff --git a/docs/development/tests.md b/docs/development/tests.md index df614b4fe0..4bf421d926 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md @@ -6,12 +6,12 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo **Current** -- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `make` +- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain` - Build the profiles for all supported distributions. - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. - Ensure the profile entry point (`@{exec_path}`) is defined. -- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `make check` checks basic style of profiles: +- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles: - Ensure apparmor.d header & licence - Ensure 2 spaces indentation - Ensure local include for profile and subprofiles @@ -19,7 +19,7 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo - Ensure modern profile naming - Ensure `vim:syntax=apparmor` -- [x] **[Integration Tests:](integration.md)** `just integration ` +- [x] **[Integration Tests:](integration.md)** `just test-run ` - Run simple CLI commands to ensure no logs are raised. - Uses the [bats](https://github.com/bats-core/bats-core) test system. - Run in the Github Action as well as in all local [test VM](vm.md). diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 7737e3775e..786d77c938 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -57,7 +57,7 @@ profile foo @{exec_path} { ## Development Install -It is not recommended installing the full project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). +It is not recommended installing the full project *"manually"* (with `just complain`, `sudo just install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). Instead, install an individual profile or the development package, the following way. @@ -66,25 +66,25 @@ Instead, install an individual profile or the development package, the following === ":material-arch: Archlinux" ```sh - make pkg + just pkg ``` === ":material-ubuntu: Ubuntu" ```sh - make dpkg + just dpkg ``` === ":material-debian: Debian" ```sh - make dpkg + just dpkg ``` === ":simple-suse: openSUSE" ```sh - make rpm + just rpm ``` === ":material-docker: Docker" @@ -102,7 +102,7 @@ Instead, install an individual profile or the development package, the following **Format** ```sh -make dev name= +just dev ``` **Exampe** @@ -110,7 +110,7 @@ make dev name= : Testing the profile `pass` ``` - make dev name=pass + just dev pass ``` This: diff --git a/docs/enforce.md b/docs/enforce.md index 692cbd1e36..51eec0980f 100644 --- a/docs/enforce.md +++ b/docs/enforce.md @@ -13,50 +13,56 @@ The default package configuration installs all profiles in *complain* mode. This === ":material-arch: Archlinux" - In the `PKGBUILD`, replace `make` by `make enforce`: + In the `PKGBUILD`, replace `just complain` by `just enforce`: ```diff - - make DISTRIBUTION=arch - + make enforce DISTRIBUTION=arch + - just complain + + just enforce ``` - Then, build the package with: `make pkg` + Then, build the package with: `just pkg` === ":material-ubuntu: Ubuntu" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just enforce`: - ```make - override_dh_auto_build: - make enforce + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":material-debian: Debian" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just enforce`: - ```make - override_dh_auto_build: - make enforce + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce` + In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`: ```diff - - %make_build - + %make_build enforce + %build + - just complain + %build + + just enforce ``` - Then, build the package with: `make rpm` + Then, build the package with: `just rpm` === ":material-home: Partial Install" - Use the `make enforce` command to build instead of `make` + Use the `just enforce` command to build instead of `just complain` [aur]: https://aur.archlinux.org/packages/apparmor.d-git diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index b523a1c384..a5ac57f11d 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -35,7 +35,7 @@ Particularly: ## Installation -This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. +This feature is only enabled when the project is built with `just fsp`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. In `/etc/apparmor/parser.conf` ensure you have: ``` @@ -46,51 +46,57 @@ Optimize=compress-fast === ":material-arch: Archlinux" - In `PKGBUILD`, replace `make` by `make fsp`: + In `PKGBUILD`, replace `just complain` by `just fsp-complain`: ```diff - - make - + make fsp + - just complain + + just fsp-complain ``` - Then, build the package with: `make pkg` + Then, build the package with: `just pkg` === ":material-ubuntu: Ubuntu" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just fsp-complain`: ```make - override_dh_auto_build: - make fsp + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":material-debian: Debian" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just fsp-complain`: ```make - override_dh_auto_build: - make fsp + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp` + In `dists/apparmor.d.spec`, replace `just complain` by `just fsp-complain`: ```diff - - %make_build - + %make_build fsp + %build + - just complain + %build + + just fsp-complain ``` - Then, build the package with: `make rpm` + Then, build the package with: `just rpm` === ":material-home: Partial Install" - Use the `make fsp` command to build instead of `make` + Use the `just fsp-complain` command to build instead of `just complain` ## Structure diff --git a/docs/install.md b/docs/install.md index a18185fbf2..416ad0f152 100644 --- a/docs/install.md +++ b/docs/install.md @@ -84,7 +84,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! warning @@ -110,19 +110,26 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! note - You may need golang from the backports repository to build: + **Debian 12 user will need to:** + 1. Install Golang from the backports repository: ```sh echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list sudo apt update sudo apt install -t bookworm-backports golang-go ``` + 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: + ```sh + pipx install rust-just + sed '/just/d' -i debian/control + ``` + !!! warning **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. @@ -144,15 +151,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh - make - sudo make profile-names... + just complain + sudo just local profile-names... ``` !!! warning Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - For instance, `sudo make pass` gives: + For instance, `sudo just local pass` gives: ```sh Warning: profile dependencies fallback to unconfined. @{bin}/wl-{copy,paste} rPx, diff --git a/tests/check.sh b/tests/check.sh index 708b2fe997..f00d8aec14 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -3,7 +3,7 @@ # Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make check +# Usage: just check # shellcheck disable=SC2044 set -eu -o pipefail diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index be623e625e..9ed6c1d926 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -10,6 +10,7 @@ packages: # Install usefull core packages - bash-completion + - just - git - htop - man diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 54329bfb8d..5bab9bf081 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -11,6 +11,7 @@ packages: # Install usefull core packages - bash-completion - git + - just - htop - man - pass diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml index 1adf2b6eb1..57c6336785 100644 --- a/tests/cloud-init/opensuse.yml +++ b/tests/cloud-init/opensuse.yml @@ -9,7 +9,7 @@ core-packages: &core-packages - go - golang-packaging - htop - - make + - just - rpmbuild - rsync - vim diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 48267d2f09..bdbd6ed00e 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -13,15 +13,15 @@ DISTRIBUTION="$(_lsb_release)" cd "$HOME/Projects/apparmor.d" case "$DISTRIBUTION" in arch) - make pkg + just pkg ;; debian | ubuntu | whonix) sudo rm -rf debian/.debhelper/ - make dpkg + just dpkg sudo rm -rf debian/.debhelper/ ;; opensuse*) - make rpm + just rpm ;; *) ;; esac From 94bae18c2cabb0bfc88fb13fd3db794032e817ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:31:14 +0200 Subject: [PATCH 0346/1736] build: justfile: simplify test orchestration. --- Justfile | 31 +++++++------- docs/development/integration.md | 36 +++++++++++++++-- docs/development/vm.md | 72 ++++++++++++++++++--------------- docs/install.md | 1 + 4 files changed, 87 insertions(+), 53 deletions(-) diff --git a/Justfile b/Justfile index 7a84af1be8..13a4a2d9e8 100644 --- a/Justfile +++ b/Justfile @@ -284,6 +284,18 @@ destroy dist flavor: ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] +[doc('Mount the shared directory on the machine')] +mount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' + +[group('vm')] +[doc('Unmout the shared directory on the machine')] +umount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' + [group('vm')] [doc('List the machines')] list: @@ -324,7 +336,6 @@ available: } ' - [group('tests')] [doc('Install dependencies for the integration tests')] init: @@ -349,30 +360,18 @@ tests-sync dist flavor: [group('tests')] [doc('Re-synchronize the integration tests (machine)')] -tests-resync dist flavor: (tests-mount dist flavor) \ +tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ - (tests-umount dist flavor) - -[group('tests')] -[doc('Unmout the integration tests (machine)')] -tests-umount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - sudo umount /home/{{username}}/Projects/apparmor.d + (umount dist flavor) [group('tests')] [doc('Run the integration tests (machine)')] -tests-run dist flavor name="": +tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ TERM=xterm \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} -[group('tests')] -[doc('Mount integration tests (machine)')] -tests-mount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4 - [private] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ diff --git a/docs/development/integration.md b/docs/development/integration.md index de60c8c475..b5c740f78f 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -14,15 +14,43 @@ Although the integration test suite is intended to be run in a [Development VM]( ## Getting started -Prepare the test environment: +**Prepare the test environment:** ```sh just img -just vm +just create ``` -Run the integration tests on the test VM: +Example: ```sh -just integration +just img ubuntu25 desktop +just create ubuntu25 desktop +``` + +**Install dependencies for the integration tests** +```sh +just tests-init +``` + +Example: +```sh +just tests-init ubuntu25 desktop +``` + +**Run the integration tests** + +It: synchronizes the tests, unmount the shared directory, then run the tests. +```sh +just tests-run +``` + +Example: +```sh +just tests-run ubuntu25 desktop +``` + +Partial tests can also be run. For example the following command will only run the tests in the `tests/integration/apt` directory on the `ubuntu25` `desktop` machine: +```sh +just tests-run ubuntu25 desktop apt ``` ## Create integration tests diff --git a/docs/development/vm.md b/docs/development/vm.md index 1edddba76b..1091f7d5e6 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -13,53 +13,59 @@ $ just ``` Available recipes: - help # Show this help message - clean # Remove all build artifacts + help # Show this help message + clean # Remove all build artifacts [build] - build # Build the go programs - enforce # Prebuild the profiles in enforced mode - complain # Prebuild the profiles in complain mode - fsp # Prebuild the profiles in FSP mode - fsp-complain # Prebuild the profiles in FSP mode (complain) - fsp-debug # Prebuild the profiles in FSP mode (debug) + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + complain # Prebuild the profiles in complain mode + fsp # Prebuild the profiles in FSP mode + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) [install] - install # Install prebuild profiles - local +names # Locally install prebuild profiles - dev name # Prebuild, install, and load a dev profile + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile [packages] - pkg # Build & install apparmor.d on Arch based systems - dpkg # Build & install apparmor.d on Debian based systems - rpm # Build & install apparmor.d on OpenSUSE based systems - package dist # Build the package in a clean OCI container + pkg # Build & install apparmor.d on Arch based systems + dpkg # Build & install apparmor.d on Debian based systems + rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container [tests] - tests # Run the unit tests - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine + tests # Run the unit tests + init # Install dependencies for the integration tests + integration # Run the integration tests + tests-init dist flavor # Install dependencies for the integration tests (machine) + tests-sync dist flavor # Synchronize the integration tests (machine) + tests-resync dist flavor # Re-synchronize the integration tests (machine) + tests-run dist flavor name="" # Run the integration tests (machine) [linter] - lint # Run the linters - check # Run style checks on the profiles + lint # Run the linters + check # Run style checks on the profiles [docs] - man # Generate the man pages - docs # Build the documentation - serve # Serve the documentation + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation [vm] - img dist flavor # Build the VM image - create dist flavor # Create the machine - up dist flavor # Start a machine - halt dist flavor # Stops the machine - reboot dist flavor # Reboot the machine - destroy dist flavor # Destroy the machine - ssh dist flavor # Connect to the machine - list # List the machines - images # List the VM images - available # List the VM images that can be created + img dist flavor # Build the VM image + create dist flavor # Create the machine + up dist flavor # Start a machine + halt dist flavor # Stops the machine + reboot dist flavor # Reboot the machine + destroy dist flavor # Destroy the machine + ssh dist flavor # Connect to the machine + mount dist flavor # Mount the shared directory on the machine + umount dist flavor # Unmout the shared directory on the machine + list # List the machines + images # List the VM images + available # List the VM images that can be created See https://apparmor.pujol.io/development/ for more information. ``` diff --git a/docs/install.md b/docs/install.md index 416ad0f152..ee18e7819d 100644 --- a/docs/install.md +++ b/docs/install.md @@ -37,6 +37,7 @@ The following desktop environments are supported: **Build dependency** * Go >= 1.23 +* [just](https://github.com/casey/just) ## Configure AppArmor From 5adc29087031c8f63930434d5e50a1fca5670089 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:54:40 +0200 Subject: [PATCH 0347/1736] fix(profile): fixes some issues raised by tests. --- apparmor.d/abstractions/base.d/complete | 1 + apparmor.d/groups/utils/lsfd | 38 ++++++++++++++++--------- apparmor.d/groups/utils/lsipc | 2 ++ apparmor.d/profiles-m-r/mkinitramfs | 16 +++++------ 4 files changed, 35 insertions(+), 22 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ecfe09bb57..ad3945eb94 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -10,6 +10,7 @@ # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, + signal (receive) peer=pkill, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd index 6b30f63a94..96e497ea65 100644 --- a/apparmor.d/groups/utils/lsfd +++ b/apparmor.d/groups/utils/lsfd @@ -11,15 +11,25 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability checkpoint_restore, capability dac_read_search, + capability net_admin, capability sys_admin, + capability sys_chroot, capability sys_ptrace, capability sys_resource, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network inet6 stream, network netlink dgram, network netlink raw, + network packet dgram, ptrace read, ptrace trace, @@ -38,20 +48,20 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/cpu_byteorder r, - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/devices r, - @{PROC}/misc r, - @{PROC}/partitions r, - @{PROC}/tty/drivers r, - owner @{PROC}/@{pid}/syscall r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/syscall r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, include if exists } diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc index 12c8d333c8..7677a8a03e 100644 --- a/apparmor.d/groups/utils/lsipc +++ b/apparmor.d/groups/utils/lsipc @@ -27,6 +27,8 @@ profile lsipc @{exec_path} { @{PROC}/sysvipc/sem r, @{PROC}/sysvipc/shm r, + /dev/mqueue/ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index df76eb4add..a7f046c553 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -93,14 +93,14 @@ profile mkinitramfs @{exec_path} { owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, - /var/tmp/ r, - /var/tmp/mkinitramfs_@{rand6}/** w, - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /var/tmp/mkinitramfs-@{rand6} rw, - owner /var/tmp/mkinitramfs-*_@{rand6} rw, + /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, + /var/tmp/modules_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6}/ rw, + /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + /var/tmp/mkinitramfs-@{rand6} rw, + /var/tmp/mkinitramfs-*_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, From cd15178c81789c4bd65cc2c370d9a3ed893186a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:55:46 +0200 Subject: [PATCH 0348/1736] tests(check): globally ignore check in commented lines. --- tests/check.sh | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index f00d8aec14..977846e620 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -70,6 +70,18 @@ _check() { continue fi + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header + fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + + # The following checks do not apply to comment lines + [[ "$line" =~ ^[[:space:]]*# ]] && continue + # Rules checks _check_abstractions _check_directory_mark @@ -84,15 +96,6 @@ _check() { _check_profile _check_subprofiles - # Style check - if [[ $line_number -lt 10 ]]; then - _check_header - fi - _check_tabs - _check_trailing - _check_indentation - _check_vim - done <"$file" # Results @@ -139,7 +142,6 @@ _check_directory_mark() { for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue - [[ "$line" =~ ^[[:space:]]*# ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi From 2721cf6253dda72a37ab644ac78ca338496f3636 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Jul 2025 00:59:12 +0200 Subject: [PATCH 0349/1736] build: ensure just compatibility with ubuntu 24.04 --- .github/workflows/main.yml | 12 ++++++++---- .gitlab-ci.yml | 2 +- docs/install.md | 11 ++++++++++- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a3d7b3266d..bcb8173383 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -11,8 +11,8 @@ jobs: - name: Install linter dependencies run: | - sudo apt-get update -q - sudo apt-get install -y just + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Run basic profile linter check run: | @@ -37,7 +37,9 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ - auditd apparmor-profiles apparmor-utils just + auditd apparmor-profiles apparmor-utils + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package @@ -100,7 +102,9 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ apparmor-profiles apparmor-utils \ - bats bats-support just + bats bats-support + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install apparmor.d run: | diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7b4c135191..c07695b255 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -146,7 +146,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian + image: debian:trixie dependencies: - debian script: diff --git a/docs/install.md b/docs/install.md index ee18e7819d..a56599c221 100644 --- a/docs/install.md +++ b/docs/install.md @@ -37,7 +37,7 @@ The following desktop environments are supported: **Build dependency** * Go >= 1.23 -* [just](https://github.com/casey/just) +* [just](https://github.com/casey/just) >= 1.40.0 ## Configure AppArmor @@ -88,6 +88,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf just dpkg ``` + !!! note + + **Ubuntu 24.04 user will need to:** + + Install [just](https://github.com/casey/just). E.g: + ```sh + pipx install rust-just + ``` + !!! warning **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. From 3db6d073599294d278b3b21c4a7304e5e754a6cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Jul 2025 01:03:40 +0200 Subject: [PATCH 0350/1736] fix(test): running integration tests in ci. --- Justfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 13a4a2d9e8..db23ad5872 100644 --- a/Justfile +++ b/Justfile @@ -344,7 +344,7 @@ init: [group('tests')] [doc('Run the integration tests')] integration: - bats --recursive --pretty --timing --print-output-on-failure tests/integration + TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration [group('tests')] [doc('Install dependencies for the integration tests (machine)')] @@ -368,7 +368,6 @@ tests-resync dist flavor: (mount dist flavor) \ [doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - TERM=xterm \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} From 9c55d62b85c4d806b33813993d5831c8c3d3b72b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 25 Jul 2025 00:56:31 +0200 Subject: [PATCH 0351/1736] fix: small ci fixes. --- Justfile | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/apt/dpkg-script-linux | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 6 ++---- apparmor.d/profiles-g-l/gtk-update-icon-cache | 2 ++ apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/ucfr | 7 ++++--- 7 files changed, 13 insertions(+), 10 deletions(-) diff --git a/Justfile b/Justfile index db23ad5872..e640a5a985 100644 --- a/Justfile +++ b/Justfile @@ -344,7 +344,7 @@ init: [group('tests')] [doc('Run the integration tests')] integration: - TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration + bats --recursive --timing --print-output-on-failure tests/integration [group('tests')] [doc('Install dependencies for the integration tests (machine)')] diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 66131c6e7b..2e32af9795 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -36,7 +36,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/stty ix, @{bin}/tr ix, @{bin}/uniq ix, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 24c6c74df3..b294b928be 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -43,6 +43,8 @@ profile dpkg-script-linux @{exec_path} { include include + capability net_admin, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 5743ab9048..b262040f72 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -62,10 +62,8 @@ profile dpkg-scripts @{exec_path} { @{bin}/ r, @{bin}/* w, @{lib}/ r, - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/**.pyc w, - @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, - @{lib}/modules/*/.fresh-install w, + @{lib}/** w, + /opt/*/** rw, /etc/ r, /etc/** rw, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b1a6779aeb..b709511e27 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -12,6 +12,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include + capability fowner, + @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 9e459f2611..59f2d40aad 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -14,7 +14,7 @@ profile ucf @{exec_path} { include include - @{exec_path} r, + @{exec_path} rix, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index add5c5b646..4cc149a28d 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -9,18 +9,19 @@ include @{exec_path} = @{bin}/ucfr profile ucfr @{exec_path} { include + include @{exec_path} mr, @{sh_path} r, - @{bin}/basename ix, + @{bin}/{,e}grep ix, @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/dirname ix, @{bin}/getopt ix, - @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/readlink ix, @{bin}/sed ix, - @{bin}/dirname ix, /usr/share/ucf/{,**} r, From 031e1b2b0764c5a81d67f10295405a454a7e641f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 16:54:02 +0200 Subject: [PATCH 0352/1736] feat: apply new linter recommendations. --- apparmor.d/abstractions/app/open | 2 +- apparmor.d/abstractions/ibus.d/complete | 4 ++-- apparmor.d/groups/cron/cron-debtags | 4 ++-- apparmor.d/groups/filesystem/udiskie-info | 3 ++- apparmor.d/groups/filesystem/udiskie-mount | 3 ++- apparmor.d/groups/filesystem/udiskie-umount | 3 ++- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gpg/gpgsm | 4 ++-- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/pacman/archlinux-java | 2 +- apparmor.d/groups/pacman/paccache | 2 +- apparmor.d/groups/pacman/pacman-hook-dconf | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 4 ++-- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 +- apparmor.d/groups/pacman/pacman-hook-gio | 4 ++-- apparmor.d/groups/pacman/pacman-hook-gtk | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 2 +- apparmor.d/groups/pacman/pacman-key | 4 ++-- apparmor.d/groups/procps/sysctl | 2 +- apparmor.d/groups/systemd/systemd-binfmt | 3 ++- apparmor.d/groups/systemd/systemd-sysctl | 2 +- apparmor.d/groups/systemd/systemd-sysusers | 2 +- apparmor.d/groups/systemd/systemd-tmpfiles | 4 ++-- apparmor.d/groups/ubuntu/apt_news | 2 +- apparmor.d/groups/ubuntu/esm_cache | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 4 ++-- apparmor.d/groups/virt/dockerd | 4 ++-- apparmor.d/profiles-a-f/aspell | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 4 ++-- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hardinfo | 7 +++---- apparmor.d/profiles-g-l/hwinfo | 4 ++-- apparmor.d/profiles-g-l/ip | 4 ++-- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 5 +++-- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 6 +++--- apparmor.d/profiles-m-r/pcb-gtk | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- 43 files changed, 67 insertions(+), 63 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 2a43affcff..9d0da21999 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -36,7 +36,7 @@ /etc/xdg/menus/ r, - owner @{run}/user//@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 5c53b9fa17..8132d38a9c 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -15,11 +15,11 @@ # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-????????"), + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-????????", + addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index 3e6c182a7a..ea90869487 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - /usr/bin/debtags rPx, + @{sh_path} rix, + @{bin}/debtags rPx, include if exists } diff --git a/apparmor.d/groups/filesystem/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info index 0b39fd3dcf..b59b914722 100644 --- a/apparmor.d/groups/filesystem/udiskie-info +++ b/apparmor.d/groups/filesystem/udiskie-info @@ -15,7 +15,8 @@ profile udiskie-info @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount index 0513a8c359..3ec9e422a0 100644 --- a/apparmor.d/groups/filesystem/udiskie-mount +++ b/apparmor.d/groups/filesystem/udiskie-mount @@ -15,7 +15,8 @@ profile udiskie-mount @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount index cf147b875c..01271bdc65 100644 --- a/apparmor.d/groups/filesystem/udiskie-umount +++ b/apparmor.d/groups/filesystem/udiskie-umount @@ -15,7 +15,8 @@ profile udiskie-umount @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index a5dac16fa1..2e4a44c4e9 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -100,9 +100,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner /.fscrypt/protectors/@{hex16} r, /home/ r, - /home/.fscrypt/policies/ r, - owner /home/.fscrypt/policies/@{hex32} r, - owner /home/.fscrypt/protectors/@{hex16}.link r, + /home/.fscrypt/policies/ r, #aa:lint ignore + owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore + owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore owner @{HOME}/.pam_environment r, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index bfa71cf534..2ef1a9d4a0 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -23,11 +23,11 @@ profile gpgsm @{exec_path} { /etc/gcrypt/hwf.deny r, - deny /usr/bin/.gnupg/ w, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + deny @{bin}/.gnupg/ w, include if exists } diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index ba79564388..e671d32fb2 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -26,7 +26,7 @@ profile grub-multi-install @{exec_path} { @{bin}/udevadm rPx, /usr/share/debconf/frontend rix, - /usr/lib/terminfo/x/xterm-256color r, + @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, /boot/grub/grub.cfg rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 396f256cc8..143df5c9e6 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -114,7 +114,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/sddm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx, - /usr/etc/X11/xdm/Xsetup rix, + @{etc_ro}/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsetup rix, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 9573d7044d..735154b7e3 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -30,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, @{exec_path} mr, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index fe83e168d3..38cd95d0a6 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/dirname rix, @{bin}/find rix, @{bin}/id rix, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8bf1aed6a2..8331951e72 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index b5a330d75e..c49eb08e94 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/dconf rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index ce41d6ae8e..0dae143513 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -14,13 +14,13 @@ profile pacman-hook-depmod @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, - /usr/lib/modules/*/{,**} rw, + @{lib}/modules/*/{,**} rw, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index de0d33e162..3b29e01eac 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/ln rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 5aa612a3c8..17218158e1 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rmdir rix, @{bin}/gio-querymodules rPx, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gtk-{3,4}.0/**/*/ rw, - /usr/lib/gio/modules/ rw, + @{lib}/gio/modules/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index ce7b931ca6..e6aa28627e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index a9bf40360a..68c958f4b2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/compgen rix, @{bin}/env rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 7c00061532..d30cf13423 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 9e3bde1881..1e1204c27b 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -16,9 +16,9 @@ profile pacman-key @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> &gpg, @@ -60,7 +60,7 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, - @{HOME}/.gnupg/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/groups/procps/sysctl index 3131befeb3..9275c70541 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/groups/procps/sysctl @@ -22,7 +22,7 @@ profile sysctl @{exec_path} { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, /etc/ufw/sysctl.conf r, # Add support for ufw diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index d34bbe4cb0..5e3406ea9b 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, + @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - /usr/lib/binfmt.d/{,*.conf} r, + @{lib}/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 4541050113..87e0ede5c8 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, /etc/sysctl.d/{,*.conf} r, - /usr/lib/sysctl.d/{,*.conf} r, + @{lib}/sysctl.d/{,*.conf} r, @{PROC}/sys/** rw, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 254faeca0a..2d250f63c2 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -25,7 +25,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r, - /usr/lib/sysusers.d/{,*.conf} r, + @{lib}/sysusers.d/{,*.conf} r, # Where the users can be created, /home/{,*} rw, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index e37073f470..0e1e404ab4 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - /usr/lib/tmpfiles.d/{,*.conf} r, + @{lib}/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - /run/{,**} rw, + @{run}/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index faf15dfbe4..7f4e8fbe21 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py +@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache index 2596d6c12e..53238564aa 100644 --- a/apparmor.d/groups/ubuntu/esm_cache +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py profile esm_cache @{exec_path} { include include diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index dc67817ed4..a5b65f5b3f 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -37,7 +37,7 @@ profile subiquity-console-conf @{exec_path} { @{bin}/ssh-keygen rPx, @{sbin}/sshd rPx, @{bin}/snap rPUx, - /usr/lib/snapd/snap-recovery-chooser rPUx, + @{lib}/snapd/snap-recovery-chooser rPUx, /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 61898a3e47..04b355a481 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -25,8 +25,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { signal (send) set=kill peer=cri-containerd.apparmor.d, signal (receive) set=kill peer=containerd, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c21fa27886..c57f7a9f82 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -38,7 +38,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { mount /tmp/containerd-mount@{int}/, mount /var/lib/docker/**/, - mount options=(rw bind) -> /run/docker/netns/*, + mount options=(rw bind) -> @{run}/docker/netns/*, mount options=(rw rprivate) -> /.pivot_root@{int}/, mount options=(rw rslave) -> /, @@ -46,7 +46,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { remount /var/lib/docker/**/, umount /.pivot_root@{int}/, - umount /run/docker/netns/*, + umount @{run}/docker/netns/*, umount /tmp/containerd-mount@{int}/, umount /var/lib/docker/**/, diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 16b5b6f6d7..629caca108 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, + @{lib}/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index e8a83892a8..14feb75df1 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -32,8 +32,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, - /usr/lib/aspell/*.rws rw, + @{lib}/aspell/{,*} r, + @{lib}/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 1dcdf8042b..561e1af611 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 719625dbd7..0ad848c500 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -20,7 +20,7 @@ profile gpu-manager @{exec_path} { @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, - /usr/lib/modprobe.d/{,**} r, + @{lib}/modprobe.d/{,**} r, /var/lib/ubuntu-drivers-common/* rw, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index b63a9e5ed7..5d78a90e33 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -58,7 +58,7 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, @@ -132,9 +132,8 @@ profile hardinfo @{exec_path} { include include - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - - @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, /etc/java-[0-9]*-openjdk/** r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 3149752083..04a1d8f57f 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -13,9 +13,9 @@ profile hwinfo @{exec_path} { include capability net_raw, # Needed for network related options - capability sys_admin, # Needed for /proc/ioports + capability sys_admin, # Needed for @{PROC}/ioports capability sys_rawio, # Needed for disk related options - capability syslog, # Needed for /proc/kmsg + capability syslog, # Needed for @{PROC}/kmsg network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index bcb521c014..0a27c4b593 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,7 +20,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount fstype=sysfs -> /sys/, + mount fstype=sysfs -> @{sys}, mount options=(rw bind) / -> @{run}/netns/*, mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, @@ -29,7 +29,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> /, umount @{run}/netns/*, - umount /sys/, + umount @{sys}, @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index a793bf7076..5099c53f35 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -74,7 +74,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index a7f046c553..7d1394e2a3 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -69,10 +69,11 @@ profile mkinitramfs @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - /usr/share/initramfs-tools/hooks/** rPx, - /usr/share/initramfs-tools/scripts/** rPx, + @{lib}/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/scripts/** rPx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index d75301fc6c..a8189694ec 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -19,14 +19,14 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd64-microcode* r, + /usr/share/misc/amd-microcode* r /usr/share/misc/intel-microcode* r, - /etc/default/amd64-microcode r, + /etc/default/amd-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/amd64-ucode.img r, + /boot/amd-ucode.img r, /boot/intel-ucode.img r, /boot/early_ucode.cpio r, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 2f057f2a75..2923f70cdf 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -20,7 +20,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{bin}/dash rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index a83c867fa4..8e39c7620b 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -26,7 +26,7 @@ profile resolvconf @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, - /usr/lib/resolvconf/{,**} r, + @{lib}/resolvconf/{,**} r, @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, From 41fc182860e760ca0f64781568f94a21973cfec3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:00:15 +0200 Subject: [PATCH 0353/1736] fix(test): minor integration tests fixes. --- apparmor.d/groups/apt/dpkg-statoverride | 3 +++ tests/integration/systemd/localectl.bats | 6 +++++- tests/integration/systemd/machinectl.bats | 6 +++--- tests/integration/utils/lspci.bats | 1 + 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index d2e02f613f..804e1675b5 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -9,10 +9,13 @@ include @{exec_path} = @{bin}/dpkg-statoverride profile dpkg-statoverride @{exec_path} flags=(complain) { include + include include @{exec_path} mr, + /var/lib/dpkg/statoverride r, + include if exists } diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats index 5d82683a27..71dfd2e069 100644 --- a/tests/integration/systemd/localectl.bats +++ b/tests/integration/systemd/localectl.bats @@ -17,7 +17,11 @@ load ../common sudo localectl set-locale LANG=en_US.UTF-8 } +@test "localectl: List available keymaps" { + localectl list-keymaps || true +} + @test "localectl: Set the system keyboard mapping for the console and X11" { - sudo localectl set-keymap uk + sudo localectl set-keymap uk || true } diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats index d9ba384449..18771ae729 100644 --- a/tests/integration/systemd/machinectl.bats +++ b/tests/integration/systemd/machinectl.bats @@ -6,7 +6,7 @@ load ../common @test "importctl: Import an image as a machine" { - sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble + sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true } @test "machinectl: Display a list of available images" { @@ -14,7 +14,7 @@ load ../common } @test "machinectl: Start a machine as a service using systemd-nspawn" { - sudo machinectl start noble + sudo machinectl start noble || true } @test "machinectl: Display a list of running machines" { @@ -22,5 +22,5 @@ load ../common } @test "machinectl: Stop a running machine" { - sudo machinectl stop noble + sudo machinectl stop noble || true } diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats index 1b86dd41f6..848b7ef618 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -7,6 +7,7 @@ load ../common @test "lspci: Show a brief list of devices" { lspci + sudo lspci } @test "lspci: Display additional info" { From 78c41305fa99e21e2fc05c0fd5880248ca830967 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:03:28 +0200 Subject: [PATCH 0354/1736] tests(check): look for missing tunables. --- tests/check.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 977846e620..e345bb14cf 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -89,6 +89,7 @@ _check() { _check_too_wide _check_transition _check_useless + _check_variables # Guidelines check _check_abi @@ -107,7 +108,7 @@ _check() { _res_vim } -# Rules checks: security, compatibility and rule issues +# Rules checks: security, compatibility, and rule issues readonly ABS="abstractions" readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) @@ -226,6 +227,51 @@ _check_useless() { done } +declare -A VARIABLES_MISSING=( + # User variables + ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" + ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" + ["/home/[^/]+/"]="@{HOME}/" + + # System variables + ["/usr/lib(|32|64|exec)"]='@{lib}' + ["/usr/sbin"]='@{sbin}' + ["/usr/bin"]='@{bin}' + ["(x86_64|amd64|i386|i686)"]='@{arch}' + ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' + ["/usr/etc/"]='@{etc_ro}/' + ["/var/run/"]='@{run}/' + ["/run/"]='@{run}/' + ["user/[0-9]*/"]='user/@{uid}/' + ["/tmp/user/[^/]+/"]='@{tmp}/' + ["/sys/"]='@{sys}/' + ["/proc/"]='@{PROC}/' + ["1000"]="@{uid}" + + # Some system glob + [":not.active.yet"]="@{busname}" + [":1.[0-9]*"]="@{busname}" + ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" + ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" +) +_check_variables() { + _is_enabled variables || return 0 + for pattern in "${!VARIABLES_MISSING[@]}"; do + rpattern="$pattern" + [[ "$rpattern" == /* ]] && rpattern=" $rpattern" + if [[ "$line" =~ $rpattern ]]; then + match="${BASH_REMATCH[0]}" + _err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false @@ -442,7 +488,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition + abstractions directory_mark equivalent useless transition variables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -462,7 +508,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide + abstractions directory_mark equivalent too_wide variables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -483,7 +529,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide + abstractions directory_mark equivalent too_wide variables header tabs trailing indentation vim ) for file in "${files[@]}"; do From dfb07626255518d6f539ef5b13fabdce8ff7faa9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:47:02 +0200 Subject: [PATCH 0355/1736] fix(profile): parer issue. --- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index a8189694ec..3c1c320939 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -19,7 +19,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd-microcode* r + /usr/share/misc/amd-microcode* r, /usr/share/misc/intel-microcode* r, /etc/default/amd-microcode r, From c0b43c86b6573b5f3e510f1548585e3a2c94af2e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 22:28:54 +0200 Subject: [PATCH 0356/1736] tests(check): add support for blocl ignore, handle inline comments. --- apparmor.d/abstractions/common/app | 7 ++- apparmor.d/abstractions/ibus.d/complete | 6 +- apparmor.d/groups/gnome/gdm-session-worker | 7 ++- apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/profiles-g-l/hwinfo | 4 +- tests/check.sh | 69 ++++++++++++++++------ 6 files changed, 65 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 15b730fb20..14106ad81f 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,11 +56,12 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide owner @{user_games_dirs}/** rmix, - owner @{tmp}/** rmwk, #aa:lint ignore - owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore + #aa:lint ignore=too_wide + owner @{tmp}/** rmwk, + owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/tmp/etilqs_@{sqlhex} rw, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 8132d38a9c..3ecd8c36d6 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -8,6 +8,7 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), + #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) @@ -15,11 +16,10 @@ # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore - + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore + addr="@/home/*/.cache/ibus/dbus-????????", dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 2e4a44c4e9..3bab1b134b 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -99,10 +99,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /.fscrypt/protectors/ r, owner /.fscrypt/protectors/@{hex16} r, + #aa:lint ignore=tunables /home/ r, - /home/.fscrypt/policies/ r, #aa:lint ignore - owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore - owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore + /home/.fscrypt/policies/ r, + owner /home/.fscrypt/policies/@{hex32} r, + owner /home/.fscrypt/protectors/@{hex16}.link r, owner @{HOME}/.pam_environment r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c57f7a9f82..44d9f64a0f 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -73,7 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, - @{bin}/runc rUx, #aa:lint ignore + @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 04a1d8f57f..3149752083 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -13,9 +13,9 @@ profile hwinfo @{exec_path} { include capability net_raw, # Needed for network related options - capability sys_admin, # Needed for @{PROC}/ioports + capability sys_admin, # Needed for /proc/ioports capability sys_rawio, # Needed for disk related options - capability syslog, # Needed for @{PROC}/kmsg + capability syslog, # Needed for /proc/kmsg network inet dgram, network inet6 dgram, diff --git a/tests/check.sh b/tests/check.sh index e345bb14cf..e593b352ac 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,6 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK +declare _check_is_disabled readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } @@ -39,7 +40,17 @@ _in_array() { } _is_enabled() { - _in_array "$1" "${WITH_CHECK[@]}" + local check="$1" + if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then + return 0 + fi + if _in_array "$check" "${_check_is_disabled[@]}"; then + return 1 + fi + return 0 + fi + return 1 } _wait() { @@ -51,13 +62,34 @@ _wait() { fi } +_IGNORE_LINT_BLOCK=false readonly _IGNORE_LINT="#aa:lint ignore" _ignore_lint() { - local line="$1" - if [[ "$line" == *"$_IGNORE_LINT"* ]]; then + local checks line="$1" + + if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then + # Start of an ignore block + _IGNORE_LINT_BLOCK=true + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then + # New paragraph, end of block + _IGNORE_LINT_BLOCK=false + _check_is_disabled=() + + elif [[ $_IGNORE_LINT_BLOCK == true ]]; then + # Nothing to do, we are in a block return 0 + + elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then + # Inline ignore + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + else + _check_is_disabled=() fi - return 1 } _check() { @@ -66,9 +98,7 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) - if _ignore_lint "$line"; then - continue - fi + _ignore_lint "$line" # Style check if [[ $line_number -lt 10 ]]; then @@ -79,8 +109,11 @@ _check() { _check_indentation _check_vim - # The following checks do not apply to comment lines + # The following checks do not apply to commented lines [[ "$line" =~ ^[[:space:]]*# ]] && continue + if [[ "$line" =~ ,[[:space:]]*# ]]; then + line="${line%%#*}" + fi # Rules checks _check_abstractions @@ -89,7 +122,7 @@ _check() { _check_too_wide _check_transition _check_useless - _check_variables + _check_tunables # Guidelines check _check_abi @@ -227,7 +260,7 @@ _check_useless() { done } -declare -A VARIABLES_MISSING=( +declare -A TUNABLES=( # User variables ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" @@ -260,14 +293,14 @@ declare -A VARIABLES_MISSING=( ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" ) -_check_variables() { - _is_enabled variables || return 0 - for pattern in "${!VARIABLES_MISSING[@]}"; do +_check_tunables() { + _is_enabled tunables || return 0 + for pattern in "${!TUNABLES[@]}"; do rpattern="$pattern" [[ "$rpattern" == /* ]] && rpattern=" $rpattern" if [[ "$line" =~ $rpattern ]]; then match="${BASH_REMATCH[0]}" - _err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" + _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" fi done } @@ -452,7 +485,7 @@ check_sbin() { for name in "${sbin[@]}"; do ( mapfile -t files < <( - grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d | + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" apparmor.d | cut -d: -f1,2 ) for file in "${files[@]}"; do @@ -488,7 +521,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition variables + abstractions directory_mark equivalent useless transition tunables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -508,7 +541,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide variables + abstractions directory_mark equivalent too_wide tunables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -529,7 +562,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide variables + abstractions directory_mark equivalent too_wide tunables header tabs trailing indentation vim ) for file in "${files[@]}"; do From da4f5f8a2c569714011c3996a60e814dbd21e001 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 22:31:57 +0200 Subject: [PATCH 0357/1736] fix(profile): lspci as root needs sys_admin. Raised by CI. --- apparmor.d/groups/utils/lspci | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 0ae22a03af..63a2d50abb 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,6 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability sys_admin, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, From 1d3b58f15ca1bdc7d107fda7950ff32c29d1dc07 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:15:52 +0200 Subject: [PATCH 0358/1736] tests(check): enable and enfore more checks. --- apparmor.d/abstractions/common/app | 4 +- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- apparmor.d/groups/apt/debsums | 2 +- apparmor.d/groups/apt/dpkg | 3 +- apparmor.d/groups/apt/dpkg-divert | 1 + apparmor.d/groups/apt/dpkg-scripts | 2 + apparmor.d/groups/filesystem/btrfs | 4 +- apparmor.d/groups/filesystem/udisksd | 4 +- apparmor.d/groups/gnome/gdm-generate-config | 13 +++- apparmor.d/groups/gnome/nautilus | 3 +- apparmor.d/groups/grub/grub-editenv | 2 +- apparmor.d/groups/grub/grub-install | 12 ++-- apparmor.d/groups/grub/grub-mkconfig | 4 +- apparmor.d/groups/grub/grub-mkrelpath | 4 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/grub/grub-probe | 6 +- apparmor.d/groups/grub/grub-script-check | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/pacman/mkinitcpio | 6 +- apparmor.d/groups/pacman/pacdiff | 2 +- apparmor.d/groups/pacman/pacman | 3 +- .../groups/pacman/pacman-hook-mkinitcpio | 10 +-- .../pacman/pacman-hook-mkinitcpio-remove | 6 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 +- .../systemd-generator-gpt-auto | 3 +- .../systemd-service/grub-common.service | 4 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/utils/fsck | 2 +- apparmor.d/groups/utils/fstrim | 3 +- apparmor.d/groups/xfce/thunar | 2 +- apparmor.d/profiles-a-f/baobab | 2 +- apparmor.d/profiles-a-f/deluser | 1 + apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/dlocate | 2 +- apparmor.d/profiles-a-f/etckeeper | 1 + apparmor.d/profiles-g-l/gpartedbin | 4 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 +- apparmor.d/profiles-g-l/ioping | 2 +- .../profiles-g-l/kconfig-hardened-check | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-g-l/kernel-install | 15 ++--- apparmor.d/profiles-g-l/kexec | 2 +- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/linux-version | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 6 +- .../needrestart-iucode-scan-versions | 6 +- .../needrestart-vmlinuz-get-version | 5 +- apparmor.d/profiles-m-r/os-prober | 6 +- apparmor.d/profiles-m-r/packagekitd | 3 +- .../profiles-s-z/spectre-meltdown-checker | 6 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/unmkinitramfs | 4 +- apparmor.d/profiles-s-z/update-initramfs | 6 +- apparmor.d/profiles-s-z/updatedb-mlocate | 6 +- tests/check.sh | 64 ++++++++++--------- 57 files changed, 148 insertions(+), 130 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 14106ad81f..74c82f92a1 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,10 +56,10 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide owner @{user_games_dirs}/** rmix, - #aa:lint ignore=too_wide + #aa:lint ignore=too-wide owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 0994006dae..d2e9e92606 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -20,7 +20,7 @@ profile deb-systemd-invoke @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/systemctl rix, + @{bin}/systemctl rix, #aa:lint ignore=transition @{bin}/systemd-tty-ask-password-agent Px, include if exists diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 6f66426eca..8c00877705 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -37,7 +37,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - /boot/{,**} r, + @{efi}/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 53bebdccf5..2c1ac1ce53 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -43,10 +43,11 @@ profile dpkg @{exec_path} { # For shell pwd /root/ r, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index 6712b8b7c7..e2d386804f 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index b262040f72..da5da33a1d 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -56,6 +56,7 @@ profile dpkg-scripts @{exec_path} { /etc/** PUx, /usr/share/** PUx, + #aa:lint ignore=too-wide # Maintainer's scripts can update a lot of files / r, /*/ r, @@ -65,6 +66,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/** w, /opt/*/** rw, + #aa:lint ignore=too-wide /etc/ r, /etc/** rw, /usr/share/*/{,**} rw, diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index 82742fd4a7..40149588d0 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { / r, /.snapshots/ r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, /opt/ r, /root/ r, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index ab3813973b..2ff82f5e41 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -49,7 +49,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, - mount fstype=vfat -> /boot/efi/, + mount fstype=vfat -> @{efi}/, # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, @@ -59,7 +59,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, - umount /boot/efi/, + umount @{efi}/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 359eeb75fd..7240ffaef1 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rix, - @{bin}/pkill rix, + @{bin}/pgrep rCx -> pgrep, + @{bin}/pkill rCx -> pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -48,6 +48,15 @@ profile gdm-generate-config @{exec_path} { @{PROC}/tty/drivers r, @{PROC}/uptime r, + profile pgrep { + include + include + + @{bin}/pkill mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index ebf9756735..fc9b923d87 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -81,6 +81,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -97,7 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{tmp}/** rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 6bdc7362a0..29f9bf8f73 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - /boot/grub/grubenv rw, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 6c45cac399..e3ed753345 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -30,12 +30,12 @@ profile grub-install @{exec_path} flags=(complain) { /etc/default/grub.d/{,**} r, /etc/default/grub r, - /boot/efi/ r, - /boot/EFI/*/grubx*.efi rw, - /boot/efi/EFI/ r, - /boot/efi/EFI/BOOT/{,**} rw, - /boot/efi/EFI/ubuntu/* w, - /boot/grub/{,**} rw, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/*/grubx*.efi rw, + @{efi}/EFI/BOOT/{,**} rw, + @{efi}/EFI/ubuntu/* w, + @{efi}/grub/{,**} rw, @{sys}/devices/**/hid r, @{sys}/devices/**/path r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 1b5d261259..c081d53c39 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -81,8 +81,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/machine-id r, - /boot/{,**} r, - /boot/grub/{,**} rw, + @{efi}/{,**} r, + @{efi}/grub/{,**} rw, /tmp/grub-*.@{rand10}/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index a60a6aaba7..789f68287a 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -21,8 +21,8 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, - /boot/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index e671d32fb2..d900ec2f6f 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -29,7 +29,7 @@ profile grub-multi-install @{exec_path} { @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, - /boot/grub/grub.cfg rw, + @{efi}/grub/grub.cfg rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index e1037c6b7f..017083eaf6 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -26,9 +26,9 @@ profile grub-probe @{exec_path} { /usr/share/grub/* r, / r, - /boot/ r, - /boot/grub/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/ r, + @{efi}/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, @{PROC}/devices r, diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 93b344cf82..9961a778eb 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} { @{exec_path} mr, - /boot/grub/grub* rw, + @{efi}/grub/grub* rw, include if exists } diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index eebade917c..2ed232f856 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -68,7 +68,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 61e910c88d..a5f867378e 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -67,7 +67,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 1f1fc66eb9..165b42c029 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -82,10 +82,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, @{efi}/ r, - @{efi}/EFI/{,**} rw, @{efi}/@{hex32}/{,**} rw, - /boot/initramfs-*.img* rw, - /boot/vmlinuz-* r, + @{efi}/EFI/{,**} rw, + @{efi}/initramfs-*.img* rw, + @{efi}/vmlinuz-* r, /usr/share/systemd/bootctl/** r, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 64a813bf47..4973861254 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -38,7 +38,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { # packages files / r, - /boot/{,**} r, + @{efi}/{,**} r, /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 01543d63f5..427ac01412 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -116,9 +116,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /**/ r, # Install/update packages + #aa:lint ignore=too-wide / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 68c958f4b2..48ce25ab28 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.d/*.preset{,.pacsave} rw, / r, - /boot/ r, - /{boot,efi}/EFI/boot/boot*.efi rw, - /boot/initramfs-*-fallback.img rw, - /boot/initramfs-*.img rw, - /boot/vmlinuz-* rw, + @{efi}/ r, + @{efi}/EFI/boot/boot*.efi rw, + @{efi}/initramfs-*-fallback.img rw, + @{efi}/initramfs-*.img rw, + @{efi}/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index d30cf13423..6378ca9918 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /usr/share/mkinitcpio/*.preset r, /etc/mkinitcpio.d/*.preset rw, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, - /boot/initramfs-*-fallback.img rw, + @{efi}/vmlinuz-* rw, + @{efi}/initramfs-*.img rw, + @{efi}/initramfs-*-fallback.img rw, /dev/tty rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 8628aa7169..5d7c18d595 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -18,7 +18,7 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> /boot/, + mount -> @{efi}/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 5f08856934..0f975b3b0a 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -133,8 +133,8 @@ profile snapd @{exec_path} { /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - /boot/ r, - /boot/grub/grubenv r, + @{efi}/ r, + @{efi}/grub/grubenv r, / r, /home/ r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 0d6c09c6b2..4bf0092d07 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, / r, - /boot/ r, - /efi/ r, + @{efi}/ r, /etc/fstab r, /usr/ r, diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index f8cf34f25c..fc4de5edc5 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -19,8 +19,8 @@ profile grub-common.service { @{bin}/mkdir ix, @{bin}/rm ix, - /boot/grub/ w, - /boot/grub/grubenv rw, + @{efi}/grub/ w, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d69e7a4c4d..bcdcf108d1 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -63,7 +63,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - /boot/ r, + @{efi}/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/groups/utils/fsck index 40694aff99..e2537b21c8 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/groups/utils/fsck @@ -26,7 +26,7 @@ profile fsck @{exec_path} flags=(attach_disconnected) { # When a mount dir is passed to fsck as an argument. @{HOME}/ r, @{MOUNTS}/ r, - /boot/ r, + @{efi}/ r, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index 250794671f..87bd7fad58 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -22,8 +22,7 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, / r, - /boot/ r, - /boot/efi/ r, + @{efi}/ r, /var/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index bab16bca77..2fcd83048e 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -58,7 +58,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 1f9f14dc1d..cd1e7563f4 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -23,7 +23,7 @@ profile baobab @{exec_path} { / r, /** r, - deny /boot/{,**} r, + deny @{efi}/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 3505126ad7..3f749a24b8 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -31,6 +31,7 @@ profile deluser @{exec_path} { owner /etc/shadow r, + #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 7c594c9004..4a21783228 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -117,7 +117,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/tmp.@{rand10} r, diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index 9f78af639f..f7d1e915e2 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -55,7 +55,7 @@ profile dlocate @{exec_path} { @{bin}/md5sum mr, # For the md5 check - /boot/** r, + @{efi}/** r, /usr/** r, include if exists diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 023d13b470..5c4108094c 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -48,6 +48,7 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, + #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 235d0cadca..35dc03584c 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -92,7 +92,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*@{int} -> /boot/, + mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @@ -108,7 +108,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { umount /tmp/gparted-*/, - umount /boot/, + umount @{efi}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index b5bf58ff22..522d003f3f 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner /boot/grub/{grub.cfg,grubenv} r, + owner @{efi}/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 1ff3615f1a..0cb507e364 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - /boot/** r, + @{efi}/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 264e49ebcd..947cfabd12 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -19,7 +19,7 @@ profile kconfig-hardened-check @{exec_path} { # The usual kernel config locations - /boot/config-* r, + @{efi}/config-* r, @{PROC}/config.gz r, # This is for kernels, which are built manually diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index b718f7d18b..41098ab4b8 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -52,7 +52,7 @@ profile kernel @{exec_path} { # For shell pwd / r, - /boot/ r, + @{efi}/ r, /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index bd1438f960..dede5da41c 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -44,15 +44,12 @@ profile kernel-install @{exec_path} { / r, - @{efi}/@{hex32}/** rw, - @{efi}/loader/entries.srel r, - - owner /boot/{vmlinuz,initrd.img}-* r, - owner /boot/[a-f0-9]*/*/ rw, - owner /boot/[a-f0-9]*/*/{linux,initrd} w, - owner /boot/loader/ rw, - owner /boot/loader/entries/ rw, - owner /boot/loader/entries/*.conf w, + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, + owner @{efi}/{vmlinuz,initrd.img}-* r, + owner @{efi}/loader/ rw, + owner @{efi}/loader/entries/ rw, + owner @{efi}/loader/entries/*.conf w, owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index d1e142a137..09c414430e 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner /boot/{initrd.img,vmlinuz}-* r, + owner @{efi}/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 5099c53f35..1d67b56780 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -44,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index a956477127..c718b6495d 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version @@ -15,7 +15,7 @@ profile linux-version @{exec_path} { @{exec_path} r, - /boot/ r, + @{efi}/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 7d1394e2a3..42489117e8 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -87,9 +87,9 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, - /boot/ r, - owner /boot/config-* r, - owner /boot/initrd.img-*.new rw, + @{efi}/ r, + owner @{efi}/config-* r, + owner @{efi}/initrd.img-*.new rw, owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3c1c320939..3c826cd746 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -26,9 +26,9 @@ profile needrestart-iucode-scan-versions @{exec_path} { /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/amd-ucode.img r, - /boot/intel-ucode.img r, - /boot/early_ucode.cpio r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/early_ucode.cpio r, @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 4474c1bfc8..3828f92287 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -26,8 +26,9 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/which{,.debianutils} rPx, @{bin}/xz rix, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/vmlinuz* r, owner @{tmp}/tmp.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index da853aa9a5..f9e5b2058e 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -63,9 +63,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - /boot/{efi/,} r, - /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/**/ r, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 873b4ef7d0..9de9cadf98 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -74,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 5277dcc1e0..6e5af12885 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -89,8 +89,10 @@ profile spectre-meltdown-checker @{exec_path} { owner /dev/cpu/@{int}/msr rw, owner /dev/kmsg r, - /boot/ r, - /boot/{config,vmlinuz,System.map}-* r, + @{efi}/ r, + @{efi}/config r, + @{efi}/System.map-* r, + @{efi}/vmlinuz-* r, @{sys}/devices/system/cpu/vulnerabilities/* r, @{sys}/module/kvm_intel/parameters/ept r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 59f2d40aad..47826d3367 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -44,7 +44,7 @@ profile ucf @{exec_path} { /usr/share/** r, # For writing new config files - /etc/** rw, + /etc/** rw, #aa:lint ignore=too-wide # For shell pwd / r, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 3ee5309700..2d641f994f 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -31,8 +31,8 @@ profile unmkinitramfs @{exec_path} { @{bin}/rm rix, @{bin}/xzcat rix, - /boot/ r, - owner /boot/initrd.img-* r, + @{efi}/ r, + owner @{efi}/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 472de33438..50f11caea5 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -50,9 +50,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /boot/ r, - owner /boot/initrd.img-* rw, - owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, + owner @{efi}/ r, + owner @{efi}/initrd.img-* rw, + owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, include if exists } diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index a9c77b5c28..518a8d7df4 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -24,8 +24,8 @@ profile updatedb-mlocate @{exec_path} { # For shell pwd / r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny /efi/ r, + deny @{efi}/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, diff --git a/tests/check.sh b/tests/check.sh index e593b352ac..c2e954834e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -17,14 +17,14 @@ readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { - local type="$1" file="$2" + local name="$1" file="$2" shift 2 - printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" } _err() { - local type="$1" file="$2" + local name="$1" file="$2" shift 2 - printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" echo "true" >"$RES" } @@ -160,24 +160,24 @@ _check_abstractions() { local absname for absname in "${ABS_DANGEROUS[@]}"; do if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" fi done for absname in "${!ABS_DEPRECATED[@]}"; do if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done } readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') _check_directory_mark() { - _is_enabled directory_mark || return 0 + _is_enabled directory-mark || return 0 for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then - _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi fi done @@ -195,7 +195,7 @@ _check_equivalent() { for prgmname in "${!EQUIVALENTS[@]}"; do if [[ "$line" == *"/$prgmname "* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then - _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" fi fi done @@ -203,10 +203,10 @@ _check_equivalent() { readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') _check_too_wide() { - _is_enabled too_wide || return 0 + _is_enabled too-wide || return 0 for pattern in "${TOOWIDE[@]}"; do if [[ "$line" == *" $pattern "* ]]; then - _err security "$file:$line_number" "rule too wide: '$pattern'" + _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" fi done } @@ -227,19 +227,19 @@ _check_transition() { _is_enabled transition || return 0 for prgmname in "${!TRANSITION_MUST_CI[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then - _err security "$file:$line_number" \ + _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_PC[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then - _err security "$file:$line_number" \ + _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_C[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then - _warn security "$file:$line_number" \ + _warn transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" fi done @@ -255,7 +255,7 @@ _check_useless() { _is_enabled useless || return 0 for rule in "${!USELESS[@]}"; do if [[ "$line" == *"${USELESS[$rule]}"* ]]; then - _err issue "$file:$line_number" "rule already included in the base abstraction, remove it" + _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" fi done } @@ -279,6 +279,8 @@ declare -A TUNABLES=( ["(x86_64|amd64|i386|i686)"]='@{arch}' ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' ["/usr/etc/"]='@{etc_ro}/' + ["/boot/(|efi/)"]="@{efi}/" + ["/efi/"]="@{efi}/" ["/var/run/"]='@{run}/' ["/run/"]='@{run}/' ["user/[0-9]*/"]='user/@{uid}/' @@ -300,7 +302,7 @@ _check_tunables() { [[ "$rpattern" == /* ]] && rpattern=" $rpattern" if [[ "$line" =~ $rpattern ]]; then match="${BASH_REMATCH[0]}" - _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" + _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" fi done } @@ -318,7 +320,7 @@ _check_abi() { _res_abi() { _is_enabled abi || return 0 if ! $RES_ABI; then - _err guideline "$file" "missing 'abi ,'" + _err abi "$file" "missing 'abi ,'" fi } @@ -332,7 +334,7 @@ _check_include() { _res_include() { _is_enabled include || return 0 if ! $RES_INCLUDE; then - _err guideline "$file" "missing '$include'" + _err include "$file" "missing '$include'" fi } @@ -346,7 +348,7 @@ _check_profile() { _res_profile() { _is_enabled profile || return 0 if ! $RES_PROFILE; then - _err guideline "$file" "missing profile name: 'profile $name'" + _err profile "$file" "missing profile name: 'profile $name'" fi } @@ -373,21 +375,21 @@ _res_header() { if ${_RES_HEADER[$idx]}; then continue fi - _err style "$file" "missing header: '${HEADERS[$idx]}'" + _err header "$file" "missing header: '${HEADERS[$idx]}'" done } _check_tabs() { _is_enabled tabs || return 0 if [[ "$line" =~ $'\t' ]]; then - _err style "$file:$line_number" "tabs are not allowed" + _err tabs "$file:$line_number" "tabs are not allowed" fi } _check_trailing() { _is_enabled trailing || return 0 if [[ "$line" =~ [[:space:]]+$ ]]; then - _err style "$file:$line_number" "line has trailing whitespace" + _err trailing "$file:$line_number" "line has trailing whitespace" fi } @@ -404,7 +406,7 @@ _check_indentation() { local leading_spaces="${line%%[! ]*}" local num_spaces=${#leading_spaces} if ((num_spaces != 2)); then - _err style "$file:$line_number" "profile must have a two-space indentation" + _err indentation "$file:$line_number" "profile must have a two-space indentation" fi _CHECK_FIRST_LINE_AFTER_PROFILE=false @@ -426,7 +428,7 @@ _check_indentation() { done if ! $ok; then - _err style "$file:$line_number" "invalid indentation" + _err indentation "$file:$line_number" "invalid indentation" fi fi fi @@ -457,7 +459,7 @@ _res_subprofiles() { if [[ $msg == true ]]; then continue fi - _err guideline "$file" "$msg" + _err subprofiles "$file" "$msg" done } @@ -472,7 +474,7 @@ _check_vim() { _res_vim() { _is_enabled vim || return 0 if ! $RES_VIM; then - _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" + _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } @@ -489,7 +491,7 @@ check_sbin() { cut -d: -f1,2 ) for file in "${files[@]}"; do - _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" + _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done ) & _wait jobs @@ -504,7 +506,7 @@ check_sbin() { while read -r match; do name="${match/\@\{sbin\}\//}" if ! _in_array "$name" "${sbin[@]}"; then - _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" + _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & @@ -521,7 +523,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition tunables + abstractions directory-mark equivalent too-wide useless transition tunables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -541,7 +543,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide tunables + abstractions directory-mark equivalent too-wide tunables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -562,7 +564,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide tunables + abstractions directory-mark equivalent too-wide tunables header tabs trailing indentation vim ) for file in "${files[@]}"; do From 540cbc1ae9640b19663a3868dad1ec9e23d75108 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:18:59 +0200 Subject: [PATCH 0359/1736] fix(tests): ignore some failed command. --- tests/integration/utils/chsh.bats | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats index ccdadc6e3c..a23799def0 100644 --- a/tests/integration/utils/chsh.bats +++ b/tests/integration/utils/chsh.bats @@ -10,10 +10,10 @@ load ../common } @test "chsh: Set a specific login shell for the current user" { - echo "$PASSWORD" | chsh --shell /usr/bin/bash + echo "$PASSWORD" | chsh --shell /usr/bin/bash || true } # bats test_tags=chsh @test "chsh: Set a login shell for a specific user" { - sudo chsh --shell /usr/bin/sh root + sudo chsh --shell /usr/bin/sh root || true } From 7e7fd83ed6cd3a6f142ccbccf91a45717fde4281 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:40:28 +0200 Subject: [PATCH 0360/1736] chore: Justfile costemic --- Justfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Justfile b/Justfile index e640a5a985..ffed74ef56 100644 --- a/Justfile +++ b/Justfile @@ -52,7 +52,7 @@ prefix := "aa-" [doc('Show this help message')] help: @just --list --unsorted - @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." + @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." [group('build')] [doc('Build the go programs')] @@ -213,7 +213,7 @@ package dist: if [[ $dist =~ ubuntu([0-9]+) ]]; then version="${BASH_REMATCH[1]}.04" dist="ubuntu" - elif [[ $dist == debian ]]; then + elif [[ $dist == debian* ]]; then version="trixie" dist="debian" fi @@ -299,7 +299,7 @@ umount dist flavor: [group('vm')] [doc('List the machines')] list: - @echo -e '\033[1m Id Distribution Flavor State\033[0m' + @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' [group('vm')] @@ -309,7 +309,7 @@ images: set -eu -o pipefail ls -lh {{base_dir}} | awk ' BEGIN { - printf("\033[1m%-18s %-10s %-5s %s\033[0m\n", "Distribution", "Flavor", "Size", "Date") + printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") } { if ($9 ~ /^{{prefix}}.*\.qcow2$/) { @@ -326,7 +326,7 @@ available: set -eu -o pipefail ls -lh tests/cloud-init | awk ' BEGIN { - printf("\033[1m%-18s %s\033[0m\n", "Distribution", "Flavor") + printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") } { if ($9 ~ /^.*\.user-data.yml$/) { From af1904118dedfe86991336dbd6996e3db7b80472 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:40:59 +0200 Subject: [PATCH 0361/1736] fix(tests): ignore some failed command. --- tests/integration/utils/hwclock.bats | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats index 4a1bc0f83d..a3dcdc31a3 100644 --- a/tests/integration/utils/hwclock.bats +++ b/tests/integration/utils/hwclock.bats @@ -6,14 +6,14 @@ load ../common @test "hwclock: Display the current time as reported by the hardware clock" { - sudo hwclock + sudo hwclock || true } @test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - sudo hwclock --systohc + sudo hwclock --systohc || true } @test "hwclock: Write the current hardware clock time to the software clock" { - sudo hwclock --hctosys + sudo hwclock --hctosys || true } From 68c537698110b7481ec9dec6380d08c029d3af4a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Wed, 18 Jun 2025 18:15:31 +0200 Subject: [PATCH 0362/1736] Stacking firefox-crashhelper DENIED firefox exec @{lib}/firefox/crashhelper -> firefox-crashhelper info="no new privs" comm=firefox requested_mask=x denied_mask=x error=-1 --- apparmor.d/abstractions/app/firefox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1dd15f9d8a..8e25bceb05 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,7 +58,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, - @{lib_dirs}/crashhelper rPx, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, From aa72fa1ececf1163ee85ecffeb261de4348de95c Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:15:02 +0200 Subject: [PATCH 0363/1736] removing firefox-crashhelper from abtraction --- apparmor.d/abstractions/app/firefox | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 8e25bceb05..e63ebf6126 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,7 +58,6 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, - @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, From 50a12756f8d80422b88c5560b9cf7cc55290d816 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:16:25 +0200 Subject: [PATCH 0364/1736] Update firefox: stacking firefox-crashhelper --- apparmor.d/groups/browsers/firefox | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index a561954a31..fe85072199 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -26,8 +26,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, From 2a249cfe3494976e6f6bfd3c81ecd41056af1296 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Jul 2025 13:24:57 +0200 Subject: [PATCH 0365/1736] tests(check): more linting. --- apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/lxqt/startlxqt | 2 -- apparmor.d/groups/snap/snap | 1 - apparmor.d/profiles-g-l/kdump-config | 2 -- apparmor.d/profiles-m-r/needrestart | 1 - tests/check.sh | 12 +++++++++--- 6 files changed, 9 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index acae2d6013..25ce44f147 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -57,7 +57,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network unix stream, ptrace read, - ptrace readby peer=pipewire, signal receive set=(term, hup) peer=gdm*, signal send, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 06967e6948..a708e2336b 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -54,8 +54,6 @@ profile startlxqt @{exec_path} { owner @{run}/user/@{uid}/ r, - owner @{PROC}/@{pid}/maps r, - /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 562f49dca9..425d5cd660 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -86,7 +86,6 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index b6f9150243..2bd8ef6b94 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -12,8 +12,6 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability sys_admin, - ptrace readby peer=@{p_systemd_journald}, - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 5a65b40a9c..8c908ddb40 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,7 +59,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, diff --git a/tests/check.sh b/tests/check.sh index c2e954834e..815f7f07e0 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -246,10 +246,16 @@ _check_transition() { } readonly USELESS=( - '@{PROC}/filesystems' '@{PROC}/sys/kernel/cap_last_cap' - '@{PROC}/meminfo' '@{PROC}/stat' '@{PROC}/cpuinfo' - '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible' + 'ptrace readby' '/usr/share/locale/' + '@{sys}/devices/system/cpu/online' + '@{sys}/devices/system/cpu/possible' + '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' + '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' + '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' + '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' + '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' + '/dev/full' '/dev/zero' ) _check_useless() { _is_enabled useless || return 0 From 1b939eaa6f7f4830f587fad42cb4a81aac22332e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Jul 2025 21:28:54 +0200 Subject: [PATCH 0366/1736] feat(profile): add more test for lspci. --- apparmor.d/groups/utils/lspci | 4 ++++ tests/integration/utils/lspci.bats | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 63a2d50abb..e8ba892985 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,8 +13,12 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats index 848b7ef618..facf379a98 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -22,6 +22,10 @@ load ../common lspci -s 00:00.0 } +@test "lspci: Query the PCI ID database for unknown ID's via DNS" { + sudo lspci -q +} + @test "lspci: Dump info in a readable form" { lspci -vm } From 06ce77717471ddcfd6e1b3c9527b16cf3ee7f579 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:08:10 +0200 Subject: [PATCH 0367/1736] fix(ci): ignore whonix pkg while debian13 is not out. --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c07695b255..80dc69c7b5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -166,7 +166,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -preprocess-whonix: +.preprocess-whonix: extends: preprocess-debian dependencies: - whonix From 95ed9d3729ca1603aec5defa297a7e3ebb7fe7bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:50:42 +0200 Subject: [PATCH 0368/1736] fix: linter issue. --- apparmor.d/profiles-a-f/dkms | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 4a21783228..8d5ff99b6e 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -105,7 +105,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/tmp.* rw, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, /dev/pts/@{int} rw, From 1e16b1763a3b79a7c7d764af54c5f98f9407b486 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:52:17 +0200 Subject: [PATCH 0369/1736] feat(abs): update browser abs. --- apparmor.d/abstractions/app/chromium | 6 ++++-- apparmor.d/abstractions/app/firefox | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index e555d34753..c089d89e5d 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -129,9 +129,10 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -141,7 +142,7 @@ owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + owner @{user_config_dirs}/menus/applications-merged/*.menu rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -159,6 +160,7 @@ owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index e63ebf6126..85922664b8 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,6 +21,8 @@ include include include + include + include include include include From 62959e7542426d615725d416f3f5498335f962e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:57:08 +0200 Subject: [PATCH 0370/1736] feat(profile): some dbus improvement. --- apparmor.d/groups/freedesktop/wireplumber | 3 ++- apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++++- apparmor.d/groups/gnome/gio-launch-desktop | 2 ++ .../groups/gnome/gnome-control-center-search-provider | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gsd-disk-utility-notify | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/localsearch | 9 +++++++++ apparmor.d/profiles-a-f/fwupd | 5 +++++ apparmor.d/profiles-s-z/terminator | 1 + 10 files changed, 28 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index debf19f25f..25569cd689 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -9,10 +9,11 @@ include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include - include include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 59a24a3b33..bc975e4ea8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -40,7 +40,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=:*), + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=@{busname}), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 5e013012ed..84e8546e2a 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,8 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 201abe4b43..51c8f51075 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,6 +10,7 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7cb982ca70..96dd215403 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -32,6 +32,7 @@ profile gnome-extension-gsconnect @{exec_path} { #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + dbus eavesdrop bus=session, @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 6e8ae0d90b..00ca93f197 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -14,6 +14,7 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 435d0049e8..9fdd96e1a1 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -31,7 +31,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 1503ba7475..88e2bf3275 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -29,6 +29,15 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=nautilus), + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=@{busname}, label=nautilus), + @{exec_path} mr, @{lib}/localsearch-extractor-3 ix, # nnp diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index cf5989227c..7d28b3ec3c 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -40,6 +40,11 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=bluetoothd), + @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 5c79d0efe1..d71ccf8020 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -13,6 +13,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include + include include include include From d57b86769653ae2651533dbc2a1ffe25b119b801 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 19:10:05 +0200 Subject: [PATCH 0371/1736] chore: cleanup unused alias --- apparmor.d/tunables/multiarch.d/system | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index f1be21e49d..eac40a028f 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -72,7 +72,4 @@ alias // -> /, -#aa:only apt -alias /usr/bin/which.debianutils -> /usr/bin/which, - # vim:syntax=apparmor From a2f735ebb5cb8de752a6cdfecd6c8665ce2364fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 23:33:47 +0200 Subject: [PATCH 0372/1736] feat(profile): update gvfs profiles. --- apparmor.d/groups/gvfs/gvfsd | 12 ++++++++++++ apparmor.d/groups/gvfs/gvfsd-admin | 18 ++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-http | 2 ++ 3 files changed, 32 insertions(+) diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c5c4dc3c1f..c124c5855a 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -37,6 +37,7 @@ profile gvfsd @{exec_path} { @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, + @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -45,6 +46,17 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=gvfsd, + + @{lib}/{,gvfs/}gvfsd-admin rPx, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 7a1584d487..4f845f316b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,9 +10,27 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setuid, @{exec_path} mr, + /usr/share/mime/mime.cache r, + + @{MOUNTS}/{,**} rw, + + @{run}/mount/utab r, + @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 92d6fbf644..5812c8a6e7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -23,6 +23,8 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From e0174ac95e30f56b68e47b1ab0e9b5ad2caa2e95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 6 Aug 2025 17:37:03 +0200 Subject: [PATCH 0373/1736] feat(profile): merge resolvectl and systemd-resolve. --- apparmor.d/groups/systemd/resolvectl | 10 +++++++-- apparmor.d/groups/systemd/systemd-resolve | 27 ----------------------- dists/flags/main.flags | 1 - 3 files changed, 8 insertions(+), 30 deletions(-) delete mode 100644 apparmor.d/groups/systemd/systemd-resolve diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 1ef3404d9c..142d0c9d8c 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -7,11 +7,17 @@ abi , include @{exec_path} = @{bin}/resolvectl -profile resolvectl @{exec_path} { +profile resolvectl @{exec_path} flags=(attach_disconnected) { include - include include include + include + + capability net_admin, + + network inet raw, + network inet6 raw, + network netlink raw, signal send set=cont peer=child-pager, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve deleted file mode 100644 index f716aa3afe..0000000000 --- a/apparmor.d/groups/systemd/systemd-resolve +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -@{exec_path} += @{bin}/systemd-resolve -profile systemd-resolve @{exec_path} { - include - - capability mknod, - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - - @{PROC}/ r, - owner @{PROC}/@{pids}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3aeab3192c..22e9a1447d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -362,7 +362,6 @@ systemd-network-generator attach_disconnected,complain systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain -systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain From 3f37b6466860a73c1e006b5ed120fc521e612010 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 6 Aug 2025 17:38:41 +0200 Subject: [PATCH 0374/1736] feat(profile): cleanup wechat profiles. --- apparmor.d/profiles-s-z/wechat | 16 ++++++------ apparmor.d/profiles-s-z/wechat-appimage | 33 ++++++++++-------------- apparmor.d/profiles-s-z/wechat-universal | 22 ++++++++-------- 3 files changed, 33 insertions(+), 38 deletions(-) mode change 100644 => 100755 apparmor.d/profiles-s-z/wechat-appimage diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index cb554fc6b8..5764deb77b 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -28,14 +28,14 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{lib_dirs}/crashpad_handler ix, - @{bin}/mkdir ix, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk rPx, - @{bin}/ip rix, - @{bin}/xdg-user-dir rix, - @{open_path} rpx -> child-open-strict, + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/ip rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} Px -> child-open-strict, owner @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage old mode 100644 new mode 100755 index 9f8c203380..e7eabe6ec8 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -33,33 +33,28 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} rix, - @{lib_dirs}/wechat-appimage.AppImage ix, - /tmp/.mount_wechat??????/AppRun ix, - @{bin}/mkdir ix, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk rPx, - @{bin}/ip rix, - @{bin}/xdg-user-dir rix, - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, - @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, - @{open_path} rpx -> child-open-strict, + @{sh_path} rix, + @{bin}/dirname rix, + @{bin}/fusermount{,3} Cx -> fusermount, + @{bin}/{m,g,}awk rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/xdg-user-dir rix, + @{bin}/ip rix, + @{lib_dirs}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, @{bin}/fusermount{,3} Cx -> fusermount, @{bin}/dirname rix, @{bin}/readlink rix, - @{bin}/ r, - @{bin}/*/ r, - /usr/local/bin/ r, - /usr/local/sbin/ r, + @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, + @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, + @{tmp}/.mount_wechat@{word6}/AppRun ix, /etc/machine-id r, - @{tmp}/.mount_wechat@{word6}/AppRun r, - @{tmp}/.mount_wechat@{word6}/ rw, - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, - @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index cd8958e8ee..3824f9526e 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -29,21 +29,21 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{lib}/wechat-universal/common.sh ix, - @{bin}/sed ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/lsblk Px, - @{bin}/bwrap rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{bin}/bwrap rix, + @{bin}/ln ix, + @{bin}/lsblk Px, + @{bin}/mkdir ix, + @{bin}/sed ix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{lib}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, /etc/lsb-release r, /etc/machine-id r, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, + owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, From c26d3e9755bbf38c4e8913feee23d1bd8465f87d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 8 Aug 2025 12:35:52 -0600 Subject: [PATCH 0375/1736] Host: allow netlink raw Querying a DNS server using it's hostname results in an apparmor denial: `host google.com dns.google.com` `apparmor="DENIED" operation="create" class="net" profile="host" pid=00000 comm="host" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"` --- apparmor.d/profiles-g-l/host | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index cb9f8d2d91..aca2c5d612 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -18,6 +18,7 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, From b852681cc8c11f9abf287e41823f0d70e59ace06 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Sat, 9 Aug 2025 14:55:43 +0200 Subject: [PATCH 0376/1736] Fix hyprpicker --- apparmor.d/groups/hyprland/hyprpicker | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 78375c8b2b..a46d53f4c2 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -17,6 +17,7 @@ profile hyprpicker @{exec_path} { owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, + owner /dev/shm/@{uuid} r, owner /dev/tty@{int} rw, From 9790ca7ebccfe9c27f5899eefcfe64234743ca85 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:21:56 +0200 Subject: [PATCH 0377/1736] fix(profile): minor linter fix. --- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 142d0c9d8c..dd5bdb3d4d 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -17,7 +17,7 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { network inet raw, network inet6 raw, - network netlink raw, + network netlink raw, signal send set=cont peer=child-pager, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 5eb5dac060..2370271ec4 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -25,7 +25,7 @@ profile landscape-sysinfo @{exec_path} { @{exec_path} mr, - @{bin}/who rix, + @{bin}/who rPx, @{lib}/@{python_name}/**/__pycache__/ w, @{lib}/@{python_name}/**/__pycache__/**.pyc w, From a724af9dedaa86a5a7dccb191c0a54bd0aade9b3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:24:29 +0200 Subject: [PATCH 0378/1736] tests: improve check.sh --- tests/check.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 815f7f07e0..e30f21e19f 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -153,6 +153,8 @@ declare -A ABS_DEPRECATED=( ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" ["dbus-session-strict"]="bus-session" ["dbus-system-strict"]="bus-system" + ["gnome"]="gnome-strict" + ["kde"]="kde-strict" ) _check_abstractions() { _is_enabled abstractions || return 0 @@ -216,7 +218,7 @@ readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' sed shred stat tail tee test timeout touch truncate unlink ) readonly TRANSITION_MUST_PC=( # Must transition to 'Px' - ischroot + ischroot who ) readonly TRANSITION_MUST_C=( # Must transition to 'Cx' sysctl kmod pgrep pkexec sudo systemctl udevadm @@ -226,19 +228,19 @@ readonly TRANSITION_MUST_C=( # Must transition to 'Cx' _check_transition() { _is_enabled transition || return 0 for prgmname in "${!TRANSITION_MUST_CI[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_PC[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_C[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then _warn transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" fi @@ -455,7 +457,6 @@ _check_subprofiles() { elif $_CHEK_IN_SUBPROFILE; then if [[ "$line" == *"$include" ]]; then _RES_SUBPROFILES["$subprofile"]=true - fi fi } From 4210db4faade72baba69434134bd75b7f0a9e0bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:53:47 +0200 Subject: [PATCH 0379/1736] feat(profile): add more dbus interface base abs & improve dbus integration. --- apparmor.d/abstractions/bus/org.a11y | 5 +++ apparmor.d/abstractions/bus/org.bluez | 2 +- .../abstractions/bus/org.freedesktop.Avahi | 10 ++++++ .../bus/org.freedesktop.NetworkManager | 2 +- .../abstractions/bus/org.freedesktop.UPower | 2 +- ...rg.freedesktop.impl.portal.PermissionStore | 5 +++ .../bus/org.freedesktop.portal.Desktop | 11 ++++--- .../bus/org.gnome.Shell.SearchProvider | 0 .../abstractions/bus/org.gtk.Notifications | 16 ++++++++++ .../bus/org.mpris.MediaPlayer2.Player | 31 +++++++++++++++++++ apparmor.d/groups/cups/cups-browsed | 5 +++ apparmor.d/groups/cups/cups-notifier-dbus | 2 ++ apparmor.d/groups/cups/cupsd | 9 ++++++ .../freedesktop/xdg-desktop-portal-gnome | 6 ++++ .../groups/gnome/evolution-source-registry | 1 + apparmor.d/groups/gnome/gio-launch-desktop | 1 + apparmor.d/groups/gnome/gnome-characters | 2 +- .../groups/gnome/gnome-extension-gsconnect | 6 ++++ apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + .../groups/gnome/gsd-print-notifications | 5 +++ apparmor.d/groups/network/NetworkManager | 4 +-- apparmor.d/profiles-a-f/fwupd | 4 +-- apparmor.d/profiles-s-z/spotify | 11 +++++++ 23 files changed, 128 insertions(+), 13 deletions(-) create mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider create mode 100644 apparmor.d/abstractions/bus/org.gtk.Notifications create mode 100644 apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index ef0e157076..2677d2f61d 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -33,6 +33,11 @@ # Session bus + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=Get diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 201d3998cb..461ad9f94a 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -8,7 +8,7 @@ dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b683cf128f..aa48e69b18 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -31,6 +31,16 @@ member=StateChanged peer=(name=@{busname}, label="@{p_avahi_daemon}"), + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 78f0de9de2..a22a235fb0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -28,7 +28,7 @@ dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 69218b619c..d82fbdef09 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -18,7 +18,7 @@ dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower - member=DeviceAdded + member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 8461bb0478..22886c8a55 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -11,6 +11,11 @@ member=Lookup peer=(name="@{busname}", label=xdg-permission-store), + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 7b19a675a0..5e5967a1ad 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -4,11 +4,7 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.portal.Desktop label=xdg-desktop-portal - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=xdg-desktop-portal), + #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties @@ -35,6 +31,11 @@ member={Read,ReadAll} peer=(name="@{busname}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider new file mode 100644 index 0000000000..e69de29bb2 diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications new file mode 100644 index 0000000000..b9229f204c --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell + + dbus send bus=session path=/org/gtk/Notifications + interface=org.gtk.Notifications + member=RemoveNotification + peer=(name=org.gtk.Notifications, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player new file mode 100644 index 0000000000..d8581be079 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}), + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member=Seeked + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 78e7883cbb..745337a8dd 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -36,6 +36,11 @@ profile cups-browsed @{exec_path} { member=CheckPermissions peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=PrinterDeleted + peer=(name=@{busname}, label=cups-notifier-dbus), + @{exec_path} mr, /usr/share/cups/locale/{,**} r, diff --git a/apparmor.d/groups/cups/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus index 6e3b384905..fa31b726d7 100644 --- a/apparmor.d/groups/cups/cups-notifier-dbus +++ b/apparmor.d/groups/cups/cups-notifier-dbus @@ -16,6 +16,8 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, + #aa:dbus own bus=system name=org.cups.cupsd.Notifier + @{exec_path} mr, owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index b3658b7386..f9b70ae4d8 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -44,6 +44,15 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=DeleteDevice + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceById + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 1355aa22bb..6ee4cab6d6 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -34,6 +34,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell dbus send bus=session path=/org/freedesktop/portal/desktop @@ -46,6 +47,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, / r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 379ea5befe..a5a1bd414f 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,6 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 84e8546e2a..a3d285e943 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,7 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index a43168866f..9af2b7d5f5 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -17,7 +17,7 @@ profile gnome-characters @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Characters - #aa-dbus own bus=session name=org.gnome.Characters.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 96dd215403..3cf92d6139 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,12 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include + include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 37b3b78928..6752f54d4e 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -24,6 +24,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 9fdd96e1a1..f8d4280a02 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -28,6 +28,11 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=ServerStarted + peer=(name=@{busname}, label=cups-notifier-dbus), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 85257c89df..fc5c39ea7d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -69,8 +69,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=org.freedesktop.DBus, label=nm-online), + member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7d28b3ec3c..019aec5a9d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -14,8 +14,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include - include - include include include include @@ -38,7 +36,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ + #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index dfd488a484..b619a87207 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -16,6 +16,14 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include + include + include + include include include @@ -25,6 +33,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + @{exec_path} mrix, @{sh_path} mr, From 526a7e704cf2e9eb608691fe9e9d74ead7159a2e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:55:08 +0200 Subject: [PATCH 0380/1736] feat(tunable): improve the definition of some tunables. --- apparmor.d/tunables/multiarch.d/system | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index eac40a028f..359d1b878d 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -38,7 +38,7 @@ @{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} # Universally unique identifier -@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12} # Username & group valid characters @{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} @@ -47,8 +47,9 @@ # Semantic version @{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},} +#aa:only opensuse # OpenSUSE does not have the same multiarch structure -@{multiarch}+=*-suse-linux* #aa:only opensuse +@{multiarch}+=*-suse-linux* # System Internal @@ -58,11 +59,12 @@ @{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} # Shortcut for PCI device -@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} -@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} +@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} +@{pci_bus}=pci@{hex4}:@{hex2} @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges +# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 From 67c9e86d832c144d70e4d1e1d49d79ac007a8472 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:00:42 +0200 Subject: [PATCH 0381/1736] feat(profile): improve integration with ubuntu. --- apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++ apparmor.d/groups/cups/cups-browsed | 6 ++++-- apparmor.d/groups/cups/cupsd | 3 +++ apparmor.d/groups/gnome/gdm-generate-config | 4 ++-- apparmor.d/groups/gnome/gnome-terminal-server | 2 ++ apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/systemd/systemd-coredump | 1 + apparmor.d/groups/systemd/systemd-logind | 10 +++++----- apparmor.d/groups/systemd/systemd-sleep-hdparm | 1 + apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders | 6 ++++-- apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer | 2 ++ apparmor.d/profiles-g-l/git | 5 ++++- apparmor.d/profiles-g-l/gitstatusd | 4 +++- apparmor.d/profiles-g-l/host | 5 +++-- apparmor.d/profiles-g-l/language-validate | 1 - apparmor.d/profiles-m-r/on-ac-power | 1 + apparmor.d/profiles-m-r/pass | 1 + apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 5 ++--- apparmor.d/profiles-s-z/thermald | 3 +-- 20 files changed, 48 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 122e4541e8..38a068ac0d 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -11,6 +11,8 @@ profile dpkg-script-apparmor @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{bin}/{,e}grep ix, @@ -43,11 +45,16 @@ profile dpkg-script-apparmor @{exec_path} { capability net_admin, capability sys_resource, + capability dac_override, + capability dac_read_search, signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent rix, + @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, + owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password-block/{,*} rw, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 745337a8dd..9498f245a5 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -16,9 +16,9 @@ profile cups-browsed @{exec_path} { include include - capability net_admin, +# capability net_admin, capability net_bind_service, - capability sys_nice, +# capability sys_nice, network inet dgram, network inet6 dgram, @@ -43,6 +43,8 @@ profile cups-browsed @{exec_path} { @{exec_path} mr, + @{bin}/ippfind rPx, + /usr/share/cups/locale/{,**} r, /etc/cups/{,**} r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index f9b70ae4d8..acae9b7a13 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network appletalk dgram, @@ -99,6 +101,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, + @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 7240ffaef1..d48b9eff66 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> pgrep, - @{bin}/pkill rCx -> pgrep, + @{bin}/pgrep rCx -> &pgrep, + @{bin}/pkill rCx -> &pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 837f00f686..cda4568c1d 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -38,6 +38,8 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{lib}/gnome-terminal-preferences ix, + # The shell is not confined on purpose. @{bin}/@{shells} Ux, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 87820376cc..27000b93a8 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -26,6 +26,7 @@ profile papers @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, owner @{tmp}/gtkprint@{rand6} rw, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2bd25ec168..54f366c2f3 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -35,6 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{bin}/* r, @{sbin}/* r, /opt/** r, + /usr/share/*/** r, @{user_lib_dirs}/** r, /etc/systemd/coredump.conf r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 7bd5c88de3..1fb3f6cb3a 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -136,11 +136,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - owner /dev/shm/{,**/} rw, + /dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 71008c96d4..4cbe617553 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -11,6 +11,7 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index b64c34a4b2..04c9a33f24 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, - @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w, + @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw, /usr/share/gvfs/remote-volume-monitors/{,**} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer index 6ec661d316..d3df6f5f33 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -10,6 +10,8 @@ include profile gdk-pixbuf-thumbnailer @{exec_path} { include + @{exec_path} mr, + include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index c9373c7ae6..425fe2f147 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} r, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists @@ -138,13 +140,14 @@ profile git @{exec_path} flags=(attach_disconnected) { @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, - owner @{HOME}/@{XDG_SSH_DIR}/* r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 8901ade9cc..579536674d 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -6,12 +6,14 @@ abi , include -@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} +@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*} +@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include include signal receive set=term peer=*//shell, + signal receive set=term peer=vscode, @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index aca2c5d612..ab0cf0cbad 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -22,10 +22,11 @@ profile host @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, + @{PROC}/version_signature r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 80f914fabf..3d7383aefc 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -18,7 +18,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/locale rix, - /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index ffe3d4119b..16ccfd9da3 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -18,6 +18,7 @@ profile on-ac-power @{exec_path} { @{bin}/cat rix, @{sys}/class/power_supply/ r, + @{sys}/class/typec/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @{PROC}/pmu/info r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 7e432a8388..30f92c9643 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -146,6 +146,7 @@ profile pass @{exec_path} { owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b619a87207..1ec4eeea36 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,7 +8,7 @@ abi , include @{name} = spotify -@{lib_dirs} = /opt/spotify/ +@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index dfdd005242..7d91439383 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,10 +24,9 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r, @{sys}/devices/@{pci}/net/*/duplex r, - @{sys}/devices/**/i2c-*/name r, + @{sys}/devices/**/hwmon@{int}/ r, + @{sys}/devices/**/name r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, @{sys}/devices/virtual/net/*/duplex r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 101310df17..b663865e86 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/thd_preference.conf rw, - owner @{run}/thermald/thd_preference.conf.save w, + owner @{run}/thermald/** rw, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, From 90e962dabbbb57be3ff927c02320dda8002cf0de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:02:15 +0200 Subject: [PATCH 0382/1736] feat(profile): chromium: cleanup shell exe. Needed to installing/remove extensions, applications, and stacked xdg menus --- apparmor.d/abstractions/app/chromium | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index c089d89e5d..a971ca5a0d 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -86,16 +86,11 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions & applications - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, + # Installing/removing extensions, applications, and stacked xdg menus + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{coreutils_path} ix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 From 82c6f554b37b559d31427a195751869ba77d19cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:03:16 +0200 Subject: [PATCH 0383/1736] feat(abs): update list of app allowed to be openned. --- apparmor.d/abstractions/app-open | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 59724f0191..e0c8d3d59f 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -35,6 +35,7 @@ @{bin}/discord{,-ptb} Px, @{bin}/draw.io PUx, @{bin}/dropbox Px, + @{bin}/ebook-edit PUx, @{bin}/element-desktop Px, @{bin}/extension-manager Px, @{bin}/filezilla Px, @@ -46,6 +47,7 @@ @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, + @{bin}/keepassxc Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, From 1da6e15cda25ec3ff7eeff0401546aedd70d8ef5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:04:26 +0200 Subject: [PATCH 0384/1736] cosmetic: cleanup usage of bash abs. --- apparmor.d/abstractions/bash-strict | 2 +- apparmor.d/abstractions/fish | 2 +- apparmor.d/abstractions/zsh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 9ea35f8c28..cd4a7c8a7a 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 2ae6ab93d3..65f97f9f22 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 02eacfb623..7c734a45bb 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , From ece81aa6cbe0d0660db978b81cb20d140e408188 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:05:15 +0200 Subject: [PATCH 0385/1736] feat(abs): audio: add jack.conf.d --- apparmor.d/abstractions/audio-client | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 166229a09f..8261913095 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -21,6 +21,7 @@ /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, /etc/pipewire/client{,-rt}.conf.d/{,**} r, + /etc/pipewire/jack.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, From eb642993d88ad2ca8204e0640a7c69bfa35a7ab4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 10:56:20 +0200 Subject: [PATCH 0386/1736] feat(profile): revisit the monitorix profile. --- apparmor.d/profiles-m-r/monitorix | 97 +++++++++++++++---------------- 1 file changed, 47 insertions(+), 50 deletions(-) diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index c708b587c6..6cbef400ba 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -10,10 +10,11 @@ include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include + include include + include + include + include capability net_admin, capability chown, @@ -28,80 +29,76 @@ profile monitorix @{exec_path} { network inet stream, network inet6 stream, - ptrace (read), + ptrace read, - signal (receive) set=(hup) peer=logroate, + signal receive set=(hup) peer=logroate, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/df rix, - @{bin}/cat rix, - @{bin}/tail rix, - @{bin}/{m,g,}awk rix, - @{bin}/free rix, - @{sbin}/ss rix, - @{bin}/who rix, - @{sbin}/lvm rix, - @{sbin}/xtables-nft-multi rix, - @{bin}/sensors rix, - @{bin}/getconf rix, - @{bin}/ps rix, - - /etc/monitorix/monitorix.conf r, - /etc/monitorix/conf.d/ r, - /etc/monitorix/conf.d/@{int2}-*.conf r, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/df ix, + @{bin}/free ix, + @{bin}/getconf ix, + @{bin}/ps Px, + @{bin}/sensors Px, + @{bin}/tail ix, + @{bin}/who Px, + @{sbin}/lvm Px, + @{sbin}/ss Px, + @{sbin}/xtables-nft-multi ix, + + /var/lib/monitorix/www/cgi/monitorix.cgi ix, + + /etc/monitorix/{,**} r, + + /var/lib/monitorix/ rw, + /var/lib/monitorix/** rwk, /var/log/monitorix w, /var/log/monitorix-* w, - owner @{run}/monitorix.pid w, - - /var/lib/monitorix/*.rrd* rwk, - /var/lib/monitorix/www/** rw, - /var/lib/monitorix/www/cgi/monitorix.cgi rwix, + /srv/http/monitorix/ rw, + /srv/http/monitorix/** rwk, / r, /tmp/ r, - /etc/shadow r, - /dev/tty r, + owner @{run}/monitorix.pid w, @{run}/utmp rk, + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/class/hwmon/ r, + @{sys}/devices/**/thermal*/{,**} r, + @{sys}/devices/**/hwmon*/{,**} r, + @{PROC}/ r, - @{PROC}/swaps r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, @{PROC}/interrupts r, + @{PROC}/loadavg r, + @{PROC}/swaps r, @{PROC}/sys/fs/dentry-state r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inode-nr r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/net/ip6_tables_names r, - @{PROC}/@{pid}/net/udp{,6} r, - @{PROC}/@{pid}/net/tcp{,6} r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/io r, - - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/class/hwmon/ r, - @{sys}/devices/**/thermal*/{,**} r, - @{sys}/devices/**/hwmon*/{,**} r, - - /etc/sensors3.conf r, - /etc/sensors.d/ r, include if exists } From caee95ff9edc4e8f970a41c4a289af9d83ee714f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 11:18:21 +0200 Subject: [PATCH 0387/1736] fix(test): checks.sh: allow empty disabled array. --- tests/check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/check.sh b/tests/check.sh index e30f21e19f..9ecd809bf3 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -42,7 +42,7 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then - if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then + if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi if _in_array "$check" "${_check_is_disabled[@]}"; then From 73afa5835eb4e8ea5a201a8f44bb194f01c09dc2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 11:23:05 +0200 Subject: [PATCH 0388/1736] fix(abs): dbus: SearchProvider -> SearchProvider2 --- .../abstractions/bus/org.gnome.Shell.SearchProvider | 0 .../abstractions/bus/org.gnome.Shell.SearchProvider2 | 12 ++++++++++++ 2 files changed, 12 insertions(+) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider create mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 new file mode 100644 index 0000000000..baa96cc78a --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + + include if exists + +# vim:syntax=apparmor + From 175e2c3dc3ff1dc8bce2ed312141cec5f2065dfd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:16:35 +0200 Subject: [PATCH 0389/1736] feat(profile): ensure all access to udev/data is documented. Cleanup some rule to wide in udev/data --- apparmor.d/abstractions/devices-usb-read | 6 ++--- apparmor.d/abstractions/disks-read | 6 ++--- apparmor.d/abstractions/gstreamer | 2 +- apparmor.d/groups/_full/systemd | 5 ++-- apparmor.d/groups/_full/systemd-user | 5 ++-- apparmor.d/groups/bluetooth/bluetoothd | 2 +- .../groups/browsers/firefox-kmozillahelper | 2 +- apparmor.d/groups/filesystem/udisksd | 8 +++--- apparmor.d/groups/freedesktop/boltd | 2 +- .../groups/freedesktop/iio-sensor-proxy | 2 +- apparmor.d/groups/freedesktop/upowerd | 12 ++++----- apparmor.d/groups/freedesktop/xorg | 10 +++---- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++----- apparmor.d/groups/gnome/gsd-power | 4 +-- apparmor.d/groups/hyprland/hyprland | 8 +++--- apparmor.d/groups/kde/baloo | 4 +-- apparmor.d/groups/kde/baloorunner | 4 +-- apparmor.d/groups/kde/dolphin | 4 +-- apparmor.d/groups/kde/kwin_wayland | 8 +++--- apparmor.d/groups/lxqt/lxqt-panel | 3 ++- apparmor.d/groups/network/ModemManager | 14 +++++----- apparmor.d/groups/network/NetworkManager | 6 ++--- apparmor.d/groups/network/dhcpcd | 2 +- apparmor.d/groups/network/nmcli | 2 +- apparmor.d/groups/steam/steam | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/systemd-backlight | 4 +-- apparmor.d/groups/systemd/systemd-journald | 26 +++++++++---------- apparmor.d/groups/systemd/systemd-logind | 12 ++++----- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- .../groups/ubuntu/subiquity-console-conf | 8 +++--- apparmor.d/groups/virt/libvirtd | 6 ++--- apparmor.d/groups/virt/virtnodedevd | 16 ++++++------ apparmor.d/profiles-a-f/cheese | 3 ++- apparmor.d/profiles-a-f/fwupd | 4 ++- apparmor.d/profiles-g-l/kodi | 3 ++- apparmor.d/profiles-g-l/labwc | 7 +++-- apparmor.d/profiles-m-r/power-profiles-daemon | 4 +-- apparmor.d/profiles-s-z/tlp | 2 +- 41 files changed, 120 insertions(+), 118 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 6bd0c80150..836a5f3c74 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -20,9 +20,9 @@ @{sys}/devices/**/usb@{int}/{,**} r, # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 872b0c5520..e33ec2c3fa 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -101,13 +101,13 @@ @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 + @{run}/udev/data/b25[0-4]:@{int} r, # to 254 @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for disk over usb hub + @{run}/udev/data/+usb:* r, # Identifies all USB devices include if exists diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 7fc20c2935..5a14b6f7a8 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -36,7 +36,7 @@ #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c189:@{int} r, # For USB serial converters diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 184084fed4..d1ee8fd1f0 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -168,14 +168,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/**/uevent r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index a5bb4d926b..b3d751be13 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -59,14 +59,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{run}/systemd/notify w, @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index e5443f5056..2800a4124d 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -46,7 +46,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index efcad72f8f..8e86ee126c 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -44,7 +44,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 2ff82f5e41..91d4a8569d 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -112,11 +112,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 8f55bb3758..5b72f8427b 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -27,7 +27,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/notify w, - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{sys}/bus/ r, @{sys}/bus/thunderbolt/devices/ r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index d7122bdbbc..1201e12773 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4061af4c8b..d583858314 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -28,15 +28,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/ r, # Lists all udev data files + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 12c82aea30..c14af6d6e5 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -92,17 +92,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 85b3268dd4..41b62df09b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -159,7 +159,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 25ce44f147..d4c8b1ba21 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -315,19 +315,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a330b76ce5..2fa0b0b1f0 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -58,9 +58,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 9f2e7583d9..8c8c32da08 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -42,15 +42,15 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index e53bf4039e..29447e22a6 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -44,8 +44,8 @@ profile baloo @{exec_path} { @{run}/mount/utab r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 8410408b38..702288a1f2 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -28,8 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2ed232f856..5d51f8c4d6 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -105,8 +105,8 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 101affd8c4..afaac3bd03 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -110,15 +110,15 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # for ACPI + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID subsystem + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 650a7e4024..f817be69db 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -63,7 +63,8 @@ profile lxqt-panel @{exec_path} { owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pulse/{,**} rwk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/class/i2c-adapter/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 59efc3201a..8220516bf1 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -25,18 +25,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+pnp:* r, - @{run}/udev/data/+serial*:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) + @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fc5c39ea7d..f7c0dd0844 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -125,9 +125,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/nscd/db* rwl, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 51cf215f94..7bcd9efbac 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -49,7 +49,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/** rwk, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 43a9d0dca3..6065a12daf 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -25,7 +25,7 @@ profile nmcli @{exec_path} { owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 151a3e1613..5009b970d8 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -190,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0fd89c199c..a0d1471f95 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -59,7 +59,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/**/net/**/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 374e9c4ae0..b5a966f37d 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index b0a646f668..ad3d969901 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+ieee80211:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+mdio_bus:* r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+sdio:* r, - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. + @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 1fb3f6cb3a..2713546333 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -68,15 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drivers:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+drivers:* r, # For drivers loaded in the system @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+wakeup:* r, + @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 5105c69b83..ccb6d96299 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -71,7 +71,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/*.network r, owner @{run}/systemd/netif/** rw, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 552bd9996a..bf983ea7ab 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -22,7 +22,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index a5b65f5b3f..8f673e2617 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/devices/ r, @{sys}/*/*/ r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index c90e80af97..fa3005a653 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -164,9 +164,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 957164e857..fb593068e6 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -44,18 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+dmi:* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @@ -71,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/ r, @{sys}/devices/@{pci}/net/{,**} r, diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index cadd1beab6..b308439c31 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -36,10 +36,11 @@ profile cheese @{exec_path} { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, - @{run}/udev/data/c@{dynamic}:@{int} r, owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 019aec5a9d..ff9af895d6 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -109,7 +109,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/udev/data/* r, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 5b90dd3eff..9d6c9d1c2c 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -50,7 +50,8 @@ profile kodi @{exec_path} { owner @{HOME}/core w, owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/**/ r, @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 93234bf520..ab624f0992 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -38,12 +38,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+acpi:* r, # for ? + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 636f417540..b8f50ff7c3 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -28,8 +28,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 0dccf1a238..1592d3aee1 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -68,7 +68,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/drivers/*/ r, From 616486d5bad36719f8096ec9a4d540f199a603ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:18:58 +0200 Subject: [PATCH 0390/1736] tests(check): add a check to ensure all udev/data access are documented. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 9ecd809bf3..9bafd51045 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -108,6 +108,7 @@ _check() { _check_trailing _check_indentation _check_vim + _check_udev # The following checks do not apply to commented lines [[ "$line" =~ ^[[:space:]]*# ]] && continue @@ -485,6 +486,15 @@ _res_vim() { fi } +_check_udev() { + _is_enabled udev || return 0 + if [[ "$line" == *"@{run}/udev/data/"* ]]; then + if [[ "$line" != *"#"* ]]; then + _err udev "$file:$line_number" "udev data path without a description comment" + fi + fi +} + check_sbin() { local file name jobs mapfile -t sbin Date: Mon, 11 Aug 2025 19:38:24 +0200 Subject: [PATCH 0391/1736] feat(profile): fwupd: allow access to dbx --- apparmor.d/profiles-a-f/fwupd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index ff9af895d6..7a00455a60 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -83,7 +83,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, - # In order to get to this file, the attach_disconnected flag has to be set + @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @@ -97,6 +97,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, From f35b64bcaec3dd23c11ab55c1b0fd3f0a21d849b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 22:27:08 +0200 Subject: [PATCH 0392/1736] fix(profile): missing documented udev/data --- apparmor.d/abstractions/app/udevadm | 3 ++- apparmor.d/groups/_full/sd | 3 ++- apparmor.d/groups/systemd/systemd-analyze | 3 ++- apparmor.d/profiles-a-f/ddcutil | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index e8414d0266..d659143d6c 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -11,7 +11,8 @@ /etc/udev/udev.conf r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index da14cabf33..13864f2dd9 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -187,7 +187,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { owner @{run}/*/** rw, @{run}/udev/**/ r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, @{sys}/fs/bpf/systemd/{,**} w, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 7310586e87..3ae0a7143f 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -47,7 +47,8 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index 7c353bf65f..d8cb23a5c1 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -28,7 +28,8 @@ profile ddcutil @{exec_path} { owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/ r, @{sys}/bus/ r, From 8b64d7dd46364e84e435564f7e9d474d1c7c9154 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 09:27:12 +0200 Subject: [PATCH 0393/1736] feat(abs): electron: add cgroup memory data. --- apparmor.d/abstractions/common/electron | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 6216ec9399..cd7e9e8f1f 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -73,6 +73,13 @@ @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/tty@{int}/active r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{PROC}/ r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, From aab12e6948e27fcb9351ae3f5beb5ff49e4db619 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 11:07:08 +0200 Subject: [PATCH 0394/1736] fix(profile): dockerd can be installed in both bin or sbin depending of the package source. --- apparmor.d/groups/virt/dockerd | 2 +- tests/sbin.list | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 44d9f64a0f..aa0a9ed58e 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dockerd +@{exec_path} = @{bin}/dockerd @{sbin}/dockerd #aa:lint ignore=sbin profile dockerd @{exec_path} flags=(attach_disconnected) { include include diff --git a/tests/sbin.list b/tests/sbin.list index a8b4394783..8ee14fd217 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -171,6 +171,7 @@ dmidecode dmraid dmsetup dnsmasq +dockerd dosfsck dosfslabel dpkg-preconfigure From 2aa0d89f84ac2ad51b021568ce52243c9fc595a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 12:45:55 +0200 Subject: [PATCH 0395/1736] feat(profile): update firefox stack. --- apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/torbrowser-glxtest | 4 +++- apparmor.d/profiles-s-z/thunderbird | 6 +++--- apparmor.d/profiles-s-z/thunderbird-glxtest | 4 +++- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 97e5645b90..30281f2f4f 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -16,8 +16,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index 4939edfbf3..2d86972598 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest @@ -17,11 +17,13 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, + / r, + owner @{PROC}/@{pid}/cmdline r, deny @{config_dirs}/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 02046580ca..da163c2ae2 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile thunderbird @{exec_path} { +profile thunderbird @{exec_path} flags=(attach_disconnected) { include include include @@ -23,8 +23,8 @@ profile thunderbird @{exec_path} { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/vaapitest rPx, + @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, + @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 626896a09c..4f25e08626 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -15,11 +15,13 @@ profile thunderbird-glxtest @{exec_path} { include include include - include include + include @{exec_path} mr, + / r, + owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, From a5aa13923b657c9dee16d11c378d80215b14d949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 16:11:10 +0200 Subject: [PATCH 0396/1736] build: add support for building multiple version of the package. --- Justfile | 10 +++++----- pkg/prebuild/cli/cli.go | 28 +++++++++++++++++++++------- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/Justfile b/Justfile index ffed74ef56..3e16a75e8d 100644 --- a/Justfile +++ b/Justfile @@ -63,27 +63,27 @@ build: [group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build - @./{{build}}/prebuild + @./{{build}}/prebuild --buildir {{build}} [group('build')] [doc('Prebuild the profiles in complain mode')] complain: build - @./{{build}}/prebuild --complain + ./{{build}}/prebuild --buildir {{build}} --complain [group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build - @./{{build}}/prebuild --full + @./{{build}}/prebuild --buildir {{build}} --full [group('build')] [doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build - @./{{build}}/prebuild --complain --full + @./{{build}}/prebuild --buildir {{build}} --complain --full [group('build')] [doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build - @./{{build}}/prebuild --complain --full --debug + @./{{build}}/prebuild --buildir {{build}} --complain --full --debug [group('install')] [doc('Install prebuild profiles')] diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 51636f8488..000aa65f97 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -26,13 +26,15 @@ const ( internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. ` ) @@ -41,9 +43,11 @@ var ( complain bool enforce bool full bool + debug bool abi int version float64 file string + buildir string ) func init() { @@ -61,6 +65,9 @@ func init() { flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") flag.StringVar(&file, "F", "", "Only prebuild a given file.") flag.StringVar(&file, "file", "", "Only prebuild a given file.") + flag.StringVar(&buildir, "b", "", "Root build directory.") + flag.StringVar(&buildir, "buildir", "", "Root build directory.") + flag.BoolVar(&debug, "debug", false, "Enable debug mode.") } func Configure() { @@ -87,6 +94,9 @@ func Configure() { if complain { builder.Register("complain") + if debug { + builder.Register("debug") + } } else if enforce { builder.Register("enforce") } @@ -106,6 +116,10 @@ func Configure() { if version != nilVer { prebuild.Version = version } + if buildir != "" { + prebuild.Root = paths.New(buildir) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") + } if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) sync.Paths = []string{file} From 5c8c5029e085cc2ba88a28eb5df3c26229f4b49f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 18:12:51 +0200 Subject: [PATCH 0397/1736] tests(packer): add lxqt test image, update xfce. --- tests/cloud-init/archlinux-lxqt.user-data.yml | 28 ++++++++ tests/cloud-init/archlinux-xfce.user-data.yml | 36 +--------- tests/cloud-init/archlinux.yml | 67 +++++++++++++++++++ 3 files changed, 96 insertions(+), 35 deletions(-) create mode 100644 tests/cloud-init/archlinux-lxqt.user-data.yml diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml new file mode 100644 index 0000000000..208f7dab57 --- /dev/null +++ b/tests/cloud-init/archlinux-lxqt.user-data.yml @@ -0,0 +1,28 @@ +#cloud-config + +packages: *lxqt-packages + +# lxqt-wayland-session kwin + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable sddm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 5bab9bf081..afba57519e 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -1,40 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - just - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - xfce4 - - xfce4-goodies - - lightdm - - lightdm-gtk-greeter +packages: *xfce-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index 5299efda02..629de7d028 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -88,6 +88,73 @@ kde-packages: &kde-packages - konsole - okular +lxqt-packages: &lxqt-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - lxqt + - breeze-icons + - sddm + +xfce-packages: &xfce-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - xfce4 + - xfce4-goodies + - lightdm + - lightdm-gtk-greeter + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub From d8875ab8260f500175d5030c90142a94a4e324e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 18:51:39 +0200 Subject: [PATCH 0398/1736] build: minor build system improvement. --- Justfile | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/Justfile b/Justfile index 3e16a75e8d..e434586c4d 100644 --- a/Justfile +++ b/Justfile @@ -5,7 +5,7 @@ # Usage: `just` # See https://apparmor.pujol.io/development/ for more information. -# Build setings +# Build settings destdir := "/" build := ".build" pkgdest := `pwd` / ".pkg" @@ -251,7 +251,7 @@ create dist flavor: --memorybacking source.type=memfd,access.mode=shared \ --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ - --os-variant "`just get_osinfo {{dist}}`" \ + --os-variant "`just _get_osinfo {{dist}}`" \ --graphics spice \ --audio id=1,type=spice \ --sound model=ich9 \ @@ -282,18 +282,18 @@ destroy dist flavor: [group('vm')] [doc('Connect to the machine')] ssh dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` [group('vm')] [doc('Mount the shared directory on the machine')] mount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' [group('vm')] [doc('Unmout the shared directory on the machine')] umount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' [group('vm')] @@ -307,6 +307,7 @@ list: images: #!/usr/bin/env bash set -eu -o pipefail + mkdir -p {{base_dir}} ls -lh {{base_dir}} | awk ' BEGIN { printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") @@ -343,19 +344,19 @@ init: [group('tests')] [doc('Run the integration tests')] -integration: - bats --recursive --timing --print-output-on-failure tests/integration +integration name="": + bats --recursive --timing --print-output-on-failure tests/integration/{{name}} [group('tests')] [doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init [group('tests')] [doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ [group('tests')] @@ -367,18 +368,16 @@ tests-resync dist flavor: (mount dist flavor) \ [group('tests')] [doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) - ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} -[private] -get_ip dist flavor: +_get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' -[private] -get_osinfo dist: +_get_osinfo dist: #!/usr/bin/env python3 osinfo = { "archlinux": "archlinux", From 38ac0f580d10b6e0950e9505095e669bd69529d1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 15:40:52 +0200 Subject: [PATCH 0399/1736] feat(profile): revisit electron based profiles. - cleanup and enforce signal - fix discord fix #773 #777 --- apparmor.d/abstractions/common/electron | 1 + apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/network/mullvad-gui | 4 ++-- apparmor.d/profiles-a-f/discord | 7 +++++-- apparmor.d/profiles-a-f/element-desktop | 4 +--- apparmor.d/profiles-a-f/freetube | 3 +-- apparmor.d/profiles-g-l/linuxqq | 1 - apparmor.d/profiles-m-r/protonmail | 10 +++++----- apparmor.d/profiles-s-z/signal-desktop | 23 +++++----------------- apparmor.d/profiles-s-z/wechat | 1 - apparmor.d/profiles-s-z/wechat-appimage | 1 - apparmor.d/profiles-s-z/wechat-universal | 1 - dists/flags/main.flags | 4 +--- 13 files changed, 22 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index cd7e9e8f1f..175fa8b2dc 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -16,6 +16,7 @@ include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 870d4cfe4a..cb7edf8229 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} { @{exec_path} r, - @{sh_path} rix, + @{sh_path} r, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index ae9b4cb7f8..e4d2e9a2c3 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -26,9 +26,9 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/gsettings rix, + @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, owner @{user_cache_dirs}/dconf/user rw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index ddcd99adde..8765084ff4 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} -profile discord @{exec_path} { +profile discord @{exec_path} flags=(attach_disconnected) { include include include @@ -31,13 +31,15 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, + @{bin}/lsb_release rPx, + @{bin}/xdg-mime rPx, @{open_path} rPx -> child-open-strict, + /etc/ r, /etc/lsb-release r, owner @{user_videos_dirs}/{,**} rwl, @@ -52,6 +54,7 @@ profile discord @{exec_path} { owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, include if exists diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 05a900889e..91de37e583 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -30,11 +30,9 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, + @{open_path} Px -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 8250cf8aa1..f4284873d5 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -34,10 +34,9 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> freetube//&xdg-settings, + @{open_path} rPx -> child-open-strict, deny @{sys}/devices/@{pci}/usb@{int}/** r, deny /dev/ r, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index dd653bd615..08b8cf7a1d 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -17,7 +17,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c6d309a943..c2c81d4dad 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* -profile protonmail @{exec_path} flags=(complain) { +profile protonmail @{exec_path} flags=(attach_disconnected) { include include include @@ -24,12 +24,13 @@ profile protonmail @{exec_path} flags=(complain) { network inet6 dgram, network netlink raw, - ptrace read peer=xdg-settings, + ptrace read peer=protonmail//&xdg-settings, @{exec_path} mrix, - @{bin}/xdg-settings Px, - @{open_path} Px -> child-open, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> protonmail//&xdg-settings, + @{open_path} Px -> child-open, owner @{user_config_dirs}/ibus/bus/ r, @@ -38,7 +39,6 @@ profile protonmail @{exec_path} flags=(complain) { owner @{tmp}/gtkprint_ppd_@{rand6} rw, include if exists - } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index b6a4777075..0bedb90e13 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,7 +21,6 @@ profile signal-desktop @{exec_path} { include include include - include include include @@ -31,31 +30,19 @@ profile signal-desktop @{exec_path} { network inet6 stream, network netlink raw, + ptrace read peer=signal-desktop//&xdg-settings, + @{exec_path} mrix, - @{bin}/getconf rix, - @{open_path} rPx -> child-open-strict, + @{lib_dirs}/chrome_crashpad_handler rix, + @{lib_dirs}/chrome-sandbox rPx, #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, - - audit @{lib_dirs}/chrome-sandbox rPx, - @{lib_dirs}/chrome_crashpad_handler rix, + @{open_path} rPx -> child-open-strict, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/vmstat r, - - /dev/tty rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index 5764deb77b..ccff2f95fe 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -17,7 +17,6 @@ profile wechat @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index e7eabe6ec8..07f67fb59c 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -17,7 +17,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include - include include network netlink raw, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 3824f9526e..b1c8aded25 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -18,7 +18,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 22e9a1447d..a62a6847dc 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -75,7 +75,7 @@ deb-systemd-invoke complain debconf-escape complain decibels complain dino attach_disconnected,complain -discord complain +discord attach_disconnected,complain discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain @@ -281,8 +281,6 @@ sddm attach_disconnected,mediate_deleted,complain sddm-greeter complain secure-time-sync attach_disconnected,complain sftp-server complain -signal-desktop attach_disconnected,complain -signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain snap complain From ba35a7933c9f5acceb37066d11be61eef4bf433b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 15:41:53 +0200 Subject: [PATCH 0400/1736] fix(profile): comment problematic rule Fix #769 --- apparmor.d/groups/browsers/brave | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 0decb0d4b4..4c38e0ce5d 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -18,7 +18,7 @@ profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), signal receive peer=brave//&brave-crashpad-handler, From eda29668ae75d8b42412f35e3737230c6a626c09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 18:23:30 +0200 Subject: [PATCH 0401/1736] fix(profile): ensure signal-desktop has the attach_disconnected flag. Fix 812 --- apparmor.d/profiles-s-z/signal-desktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 0bedb90e13..dc0bc381ed 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} { +profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include From 10e57f01a64eb821dcecc03a7298cf049454253e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:27:44 +0200 Subject: [PATCH 0402/1736] feat(abs): add /etc/xdg/menus and session files to kde-strict. See #811 --- apparmor.d/abstractions/desktop | 7 +++++++ apparmor.d/abstractions/kde-strict | 7 +++++++ apparmor.d/groups/browsers/firefox-kmozillahelper | 5 ----- apparmor.d/groups/kde/dolphin | 6 ------ 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e5339927..878f6f7944 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -49,6 +49,8 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -63,6 +65,11 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 56aa887988..428aa93f36 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -25,6 +25,8 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -39,6 +41,11 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index 8e86ee126c..ade169f253 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -27,16 +27,11 @@ profile firefox-kmozillahelper @{exec_path} { /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kservices5/ r, owner @{user_share_dirs}/kservices5/searchproviders/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 5d51f8c4d6..3879fa6a5e 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -51,8 +51,6 @@ profile dolphin @{exec_path} { /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/ui_standards.rc r, # Full access to user's data @@ -89,10 +87,6 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, owner @{user_config_dirs}/knfsshare.lock rwk, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int}, - owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, From e09586e01dd015c26462c410bc0caee9a00e8e8d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:30:43 +0200 Subject: [PATCH 0403/1736] feat(abs): freedesktop: add more path for recently-used files. see #811 --- apparmor.d/abstractions/freedesktop.org.d/complete | 5 +++++ apparmor.d/groups/gnome/gnome-tweaks | 1 - apparmor.d/groups/gnome/gsd-media-keys | 2 -- apparmor.d/groups/kde/dolphin | 1 - apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/okular | 2 -- 6 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 220883c29f..df445cef56 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -23,4 +23,9 @@ owner @{HOME}/.icons/{,**} r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 96e83b8467..7f93b78641 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -36,7 +36,6 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, - owner @{user_share_dirs}/recently-used.xbel* rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 2a2ea034fa..6cae2d49b6 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -71,8 +71,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 3879fa6a5e..2d3b099d7f 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -74,7 +74,6 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index fdc0730c45..1ee022dc6d 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -38,7 +38,6 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, - owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/user-places.xbel r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7618a10d46..7cd628b09c 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -69,8 +69,6 @@ profile okular @{exec_path} { owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int}, - owner @{user_share_dirs}/recently-used.xbel.lock rk, owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, From c02674593d00754b54f3329d1ac75ab0c44af571 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:34:48 +0200 Subject: [PATCH 0404/1736] feat(profile): update kde profiles see #811 --- .../groups/freedesktop/xdg-desktop-portal-kde | 16 ++++++++++++++++ apparmor.d/groups/kde/kalendarac | 5 +++++ apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 4 ---- apparmor.d/groups/kde/ksmserver | 3 --- apparmor.d/groups/kde/kwalletmanager | 3 --- apparmor.d/groups/kde/kwin_x11 | 5 +++-- apparmor.d/groups/kde/okular | 14 +++++--------- .../groups/kde/plasma-browser-integration-host | 6 ------ apparmor.d/groups/kde/plasma_session | 1 - apparmor.d/groups/kde/systemsettings | 3 --- apparmor.d/profiles-m-r/pinentry-qt | 2 ++ 12 files changed, 32 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 8c1c1686f8..bd5981dcf3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -11,6 +11,7 @@ include profile xdg-desktop-portal-kde @{exec_path} { include include + include include include include @@ -30,6 +31,12 @@ profile xdg-desktop-portal-kde @{exec_path} { #aa:exec kioworker /usr/share/plasma/look-and-feel/** r, + /usr/share/thumbnailers/{,**} r, + + /etc/fstab r, + /etc/xdg/dolphinrc r, + + / r, owner @{HOME}/ r, @@ -39,12 +46,21 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, + + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, owner @{PROC}/@{pid}/mountinfo r, + /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index a45652c7b7..e9ae784572 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -34,6 +34,11 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/kalendaracstaterc rw, + owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, + owner @{user_state_dirs}/kalendaracstaterc.lock rwk, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index c9fa538df0..2ef26836d9 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -84,6 +84,7 @@ profile kded @{exec_path} { /var/lib/dbus/machine-id r, / r, + @{efi}/ r, owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 9da19046d2..0e8ba33956 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -18,15 +18,11 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, /etc/machine-id r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index eb53bc0783..6d515fb18d 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -49,9 +49,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index dc64cbb9e5..5ffcafd4f2 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -36,9 +36,6 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, - owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index e05e443ff2..8400c8cb60 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -25,10 +25,12 @@ profile kwin_x11 @{exec_path} { @{exec_path} mrix, @{sh_path} rix, + @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi + /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, @@ -47,6 +49,7 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kaccessrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, @@ -54,8 +57,6 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_share_dirs}/kwin/scripts/ r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7cd628b09c..acd9b74303 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -42,8 +42,6 @@ profile okular @{exec_path} { /etc/fstab r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, / r, @{MOUNTS}/ r, @@ -51,19 +49,17 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_config_dirs}/okular-generator-popplerrc r, - owner @{user_config_dirs}/KDE/*.conf r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index dce3545f72..e17d4c5f1c 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -21,16 +21,10 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, - /etc/xdg/menus/applications-merged/ r, - /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 1fbeda384b..5d38125940 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -36,7 +36,6 @@ profile plasma_session @{exec_path} { /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, - /etc/xdg/menus/ r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6a..b41dac08a7 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -57,7 +57,6 @@ profile systemsettings @{exec_path} { /etc/fstab r, /etc/machine-id r, - /etc/xdg/menus/{,applications-merged/} r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, @@ -90,8 +89,6 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 3c5ec0a94b..66729769f6 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -17,6 +17,8 @@ profile pinentry-qt @{exec_path} { include include + ptrace read peer=gpg-agent, + @{exec_path} mr, /etc/machine-id r, From ace53f3002531730a262245b27d62c16a65efc7c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:35:19 +0200 Subject: [PATCH 0405/1736] feat(profile): openvpn need to load module. See #811 --- apparmor.d/groups/network/openvpn | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index a6ff1a9398..b5a6b83ef2 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -27,17 +27,12 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { include include - # Needed to remove the following errors: - # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) - # Exiting due to fatal error - capability net_admin, - - # These are needed when user/group are set in a OpenVPN config file - capability setuid, - capability setgid, - - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability net_admin, # create tun + capability setgid, # when user/group are set in a OpenVPN config file + capability setuid, + capability sys_module, network inet dgram, network inet6 dgram, From d51b386d13540c6ff55317cc588734451a6e0f4c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:36:05 +0200 Subject: [PATCH 0406/1736] feat(abs): pager: improve integration with opensuse. See #811 --- apparmor.d/abstractions/app/pager | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 1557b78efb..30acc56126 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -21,6 +21,8 @@ /usr/share/file/misc/** r, /usr/share/nvim/{,**} r, + @{etc_ro}/lesskey.bin r, + @{HOME}/.lesshst r, owner @{HOME}/ r, From b1b3ee8321d2a269ef2e3e24ff8a367cbed46adc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:38:15 +0200 Subject: [PATCH 0407/1736] feat(abs): add tty/drivers to pgrrep/pkill subprofiles. see #811 --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/kde/kded | 2 -- apparmor.d/groups/procps/pgrep | 2 -- 3 files changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index d6b7ba8a7e..0ec14bea0c 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -24,6 +24,7 @@ @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2ef26836d9..ef81b95d1f 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -160,8 +160,6 @@ profile kded @{exec_path} { include include - @{PROC}/tty/drivers r, - include if exists } diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 950aeb99e7..489f55bd7e 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -14,8 +14,6 @@ profile pgrep @{exec_path} { @{exec_path} mr, - @{PROC}/tty/drivers r, - include if exists } From e15bd7bea03e25b4b27423a3e36e3530be89f21d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:40:17 +0200 Subject: [PATCH 0408/1736] feat(abs): improve vim integration with common editors. see #811 --- apparmor.d/abstractions/app/editor | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 2bd14077b7..b33dbc7f4d 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -12,9 +12,10 @@ @{sh_path} rix, @{bin}/nvim mrix, @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mrix, + @{bin}/vim* mrix, @{bin}/which{,.debianutils} rix, + /usr/share/doc/{,**} r, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, /usr/share/vim/{,**} r, @@ -24,8 +25,9 @@ /etc/xdg/nvim/* r, owner @{HOME}/.selected_editor r, - owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vim/{after/,}spell/{,**} rw, + owner @{HOME}/.vim/** r, + owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, owner @{HOME}/ r, From e2b1547bf11bf305b49881fa12fa0688fb5d88db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:41:26 +0200 Subject: [PATCH 0409/1736] feat(profile): ssh: add ssh.hmac Similar to newest version of sshd with sshd.hmac see #811 --- apparmor.d/groups/ssh/ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 43fbddc63c..75a25771f4 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -26,6 +26,7 @@ profile ssh @{exec_path} { @{exec_path} mrix, @{bin}/@{shells} rUx, + @{bin}/ssh.hmac r, @{lib}/{,ssh/}ssh-sk-helper rix, From 44a6bc86e6cf25b344d76ab36a345d1181aaab20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:43:15 +0200 Subject: [PATCH 0410/1736] feat(tunable): add `bin` to XDG_BIN_DIR. So it can get allowed/denied by profile using user_bin_dirs. see #811 --- apparmor.d/tunables/home.d/apparmor.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c791f53763..398fe20f49 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -16,7 +16,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}=".local/bin" +@{XDG_BIN_DIR}="bin" ".local/bin" @{XDG_LIB_DIR}=".local/lib" # Define extended user directories not defined in the XDG standard but commonly From b90a2a89fe095d3de5be2d139eeaaaa1065815be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:44:10 +0200 Subject: [PATCH 0411/1736] feat(abs): app-open: kde opener need system id. see #811 --- apparmor.d/abstractions/app/open | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 9d0da21999..243d182616 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -33,8 +33,7 @@ include include include - - /etc/xdg/menus/ r, + include owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, From d09f5d055f5f0d91e7dc1e64dda621e62aea4a1e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:51:16 +0200 Subject: [PATCH 0412/1736] feat(profile): improve dbus definitions. --- .../bus/org.freedesktop.ScreenSaver | 5 +++++ .../bus/org.freedesktop.portal.Desktop | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- .../gnome/evolution-addressbook-factory | 1 + .../groups/gnome/gnome-extension-gsconnect | 4 +++- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/network/NetworkManager | 20 +++++-------------- apparmor.d/groups/systemd/resolvectl | 1 + apparmor.d/profiles-s-z/spotify | 1 + apparmor.d/profiles-s-z/terminator | 5 +++++ 10 files changed, 28 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index 43ed93af66..f73768e9f8 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -9,6 +9,11 @@ member={Inhibit,UnInhibit} peer=(name=org.freedesktop.ScreenSaver), + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label=gjs-console), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 5e5967a1ad..2753a6602e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -36,6 +36,11 @@ member=Register peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop/** + interface=org.freedesktop.portal.Request + member=Response + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 4fb1764bc4..167e66d65d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -6,7 +6,7 @@ #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 9f18395f2f..3d83232e13 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -26,6 +26,7 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3cf92d6139..64568eab0c 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include @@ -36,9 +37,10 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} dbus eavesdrop bus=session, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d4c8b1ba21..95874290f3 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -18,6 +18,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f7c0dd0844..01de67a18e 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,22 +50,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher + member=Action peer=(name=org.freedesktop.nm_dispatcher), - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*), - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=:*, label="@{p_bluetoothd}"), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label="@{p_bluetoothd}"), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq + interface=org.freedesktop.NetworkManager.dnsmasq + member=SetServersEx + peer=(name=@{busname}, label=dnsmasq), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index dd5bdb3d4d..58f2d88f8c 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -22,6 +22,7 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 1ec4eeea36..a3a093c855 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -35,6 +35,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index d71ccf8020..59c78396db 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -29,6 +29,11 @@ profile terminator @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + @{exec_path} mr, @{bin}/ r, From 20546d37a0f7aa3bb26c01659e64187a8bf22f49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:51:48 +0200 Subject: [PATCH 0413/1736] feat(profile): fprintd needs sys_admin see #811 --- apparmor.d/profiles-a-f/fprintd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 1d00dce883..8a5f9c01a9 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -15,6 +15,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, From 112d54907ec106665dbd3e9660b43e132879add9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:53:52 +0200 Subject: [PATCH 0414/1736] feat(profile): thunderbird/firefox: move rules needed in both programs. --- apparmor.d/abstractions/app/firefox | 3 +++ apparmor.d/groups/browsers/firefox | 3 --- apparmor.d/profiles-s-z/thunderbird-glxtest | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 85922664b8..68fb148875 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -100,6 +100,9 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, owner @{tmp}/remote-settings-startup-bundle- rw, owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index fe85072199..bac81c847b 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -64,9 +64,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, - owner @{tmp}/mozilla* rw, - owner @{tmp}/mozilla*/ rw, - owner @{tmp}/mozilla*/* rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 4f25e08626..4dc8913612 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -11,7 +11,7 @@ include @{config_dirs} = @{HOME}/.@{name}/ @{exec_path} = @{lib_dirs}/glxtest -profile thunderbird-glxtest @{exec_path} { +profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include include From 9c9af1d821a7eb85547484ce4563cce0d7909743 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:59:20 +0200 Subject: [PATCH 0415/1736] feat(profile): improve integration with ubuntu. --- apparmor.d/groups/gpg/gpg | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-probe | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 5 +++++ 6 files changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 6a01796ff4..b658235208 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,6 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c081d53c39..5b62fa30c1 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -27,7 +27,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{sbin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 017083eaf6..c767d2f022 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -36,6 +36,8 @@ profile grub-probe @{exec_path} { /dev/**/ r, /dev/mapper/control w, + deny mqueue (read, getattr) type=posix /, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 01de67a18e..6b444093c9 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -71,6 +71,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rPx, @{bin}/netconfig rPUx, @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 83806e753f..bff816339c 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -15,7 +15,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, @{sh_path} rix, - @{sbin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/{,e}grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 14a83ffbb7..a4fc278f0b 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -16,6 +16,8 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/cpio ix, + @{bin}/dpkg Cx -> child-dpkg, @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @@ -25,6 +27,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, @{sbin}/blkid Px, + @{sbin}/cryptsetup PUx, + @{sbin}/dmsetup Px, + @{sbin}/iucode_tool ix, /usr/share/mdadm/mkconf Px, @{bin}/* mr, From 5f368403b343df0dd3d23d10a2b58896c6b7c2f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:27:34 +0200 Subject: [PATCH 0416/1736] Revert "feat(tunable): add `bin` to XDG_BIN_DIR." This reverts commit 44a6bc86e6cf25b344d76ab36a345d1181aaab20. --- apparmor.d/tunables/home.d/apparmor.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index 398fe20f49..c791f53763 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -16,7 +16,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}="bin" ".local/bin" +@{XDG_BIN_DIR}=".local/bin" @{XDG_LIB_DIR}=".local/lib" # Define extended user directories not defined in the XDG standard but commonly From 753d36cfa337a37a3aead1cf1e9781553a5cbd22 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:29:54 +0200 Subject: [PATCH 0417/1736] fix(profile): manually deny path in git Needed as 44a6bc86e6cf25b344d76ab36a345d1181aaab20 raise merged rule with conflicting x modifiers errors. --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 425fe2f147..0538f5da01 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -38,6 +38,7 @@ profile git @{exec_path} flags=(attach_disconnected) { deny /usr/local/games/ r, deny /var/lib/flatpak/exports/bin/ r, deny owner @{HOME}/.go/bin/ r, + deny owner @{HOME}/bin/ r, deny owner @{user_bin_dirs}/ r, # These are needed for "git submodule update" From 7d49a1628e1c67457780d8f5b372bc804d021917 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:32:27 +0200 Subject: [PATCH 0418/1736] fix(abs): avahi socket path. --- apparmor.d/abstractions/common/app | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 74c82f92a1..3029fb80b8 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -67,7 +67,7 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. + @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, From 6739b238cef5bf052371ad4fe67f31c65dd107f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:33:29 +0200 Subject: [PATCH 0419/1736] feat(abs): base-strict: allow communication to children and stacked profiles. --- apparmor.d/abstractions/base-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 818a4937f0..22ca5ec5ef 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -67,8 +67,9 @@ # Allow unconfined processes to us via unix sockets unix receive peer=(label=unconfined), - # Allow communication to children profiles + # Allow communication to children and stacked profiles signal peer=@{profile_name}//*, + signal peer=@{profile_name}//&*, unix type=stream peer=(label=@{profile_name}//*), # Allow us to create abstract and anonymous sockets From 3d329fdef8801c3fc892e33fa3876bf96ed37d70 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:39:35 +0200 Subject: [PATCH 0420/1736] feat(profile): minor profiles improvement. --- apparmor.d/groups/freedesktop/colord | 4 +++- apparmor.d/groups/freedesktop/pipewire | 2 ++ apparmor.d/groups/kde/kscreenlocker_greet | 2 ++ apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/systemd/systemd-delta | 4 ++-- apparmor.d/groups/systemd/systemd-detect-virt | 7 +++++++ apparmor.d/profiles-a-f/cheese | 6 +++++- 7 files changed, 22 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ee2cdf42ea..81d0c9f6b1 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -59,7 +59,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/{vendor,model,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/parport@{int}/base-addr r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index ad4eb57c57..97e3c61196 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -47,6 +47,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{tmp}/librnnoise-@{int}.so rm, + @{run}/snapd.socket rw, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, @@ -62,6 +63,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, @{sys}/module/apparmor/parameters/enabled r, + owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index dd3a6b42b9..ddd14b5c23 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -25,6 +25,8 @@ profile kscreenlocker_greet @{exec_path} { network netlink raw, + ptrace read peer=ksmserver, + signal (receive) set=(term) peer=kwin_wayland, signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index 5f09af5cc3..e953834a76 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -74,6 +74,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{run}/cockpit/active.issue r, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 7cf546a563..311636d955 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -10,11 +10,11 @@ include profile systemd-delta @{exec_path} { include - signal (send) peer=child-pager, + signal send peer=child-pager, @{exec_path} mr, - @{bin}/less rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/binfmt.d/{,**} r, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 35f4afbc44..01e49025ff 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -21,6 +21,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, + @{run}/systemd/container r, @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -29,6 +30,12 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, + @{sys}/firmware/uv/prot_virt_guest r, + @{sys}/hypervisor/properties/features r, + + @{PROC}/xen/capabilities r, + + /dev/cpu/@{int}/msr r, include if exists } diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b308439c31..b89fa42f24 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Roman Beslik +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -41,7 +42,10 @@ profile cheese @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, From aafcd1c861c4ea9afdf0bc535b2bc10e50fa81ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 17:21:24 +0200 Subject: [PATCH 0421/1736] feat(profile): simplify ssh home path. --- apparmor.d/groups/ssh/ssh | 4 +--- apparmor.d/groups/ssh/ssh-keygen | 8 ++++---- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 75a25771f4..03236196ca 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -36,9 +36,7 @@ profile ssh @{exec_path} { @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - owner @{HOME}/@{XDG_SSH_DIR}/ r, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, - owner @{HOME}/@{XDG_SSH_DIR}/config r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 397ffdcd62..b55824e585 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,13 +15,13 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ w, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, - /tmp/snapd@{int}/*_*{,.pub} w, - /tmp/snapd@{int}/*.key{,.pub} w, + owner /tmp/snapd@{int}/*_*{,.pub} w, + owner /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, From c29b4ba536ba0b625955d85f912ece0ef12f2318 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:03:36 +0200 Subject: [PATCH 0422/1736] feat(profile): various security/linter improvement - Ignore some rule from the linter - Move some bin to subprofile --- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/pacman/pacdiff | 6 +----- apparmor.d/profiles-a-f/baobab | 1 + apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-m-r/mimetype | 6 +++--- apparmor.d/profiles-s-z/tomb | 2 +- apparmor.d/profiles-s-z/xarchiver | 11 ++++------- tests/check.sh | 5 ++++- tests/sbin.list | 1 + 10 files changed, 18 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index da5da33a1d..9be1f32583 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -48,6 +48,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/ldconfig.real Cx -> ldconfig, @{sbin}/update-rc.d Cx -> rc, + #aa:lint ignore=too-wide # Maintainer scripts can legitimately start/restart anything # PU is only used as a safety fallback. @{bin}/** PUx, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e58c9d8b3c..a814eaaa97 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -61,8 +61,8 @@ profile reportbug @{exec_path} { /usr/share/bug/*/{control,presubj} r, + #aa:lint ignore=too-wide /etc/** r, - /etc/reportbug.conf r, owner @{HOME}/ r, # For shell pwd owner @{HOME}/.reportbugrc{,~} rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 4973861254..cab9eed4b2 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, @@ -30,11 +31,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{bin}/rm rix, @{bin}/sed rix, @{bin}/tput rix, - @{bin}/vim rix, - - owner @{HOME}/.viminfo{,.tmp} rw, - - owner @{user_cache_dirs}/vim/{,**} rw, # packages files / r, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index cd1e7563f4..654e401176 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -19,6 +19,7 @@ profile baobab @{exec_path} { @{open_path} rPx -> child-open-help, + #aa:lint ignore=too-wide # As a directory tree analyzer it needs full access to the filesystem / r, /** r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index e7bfafaac5..5ec394807c 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -28,6 +28,7 @@ profile file-roller @{exec_path} { # Archivers @{archive_path} rix, + #aa:lint ignore=too-wide # Full access to user's data @{MOUNTS}/** rw, owner @{HOME}/** rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index cf8431c7a0..91d021fae9 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -19,14 +19,14 @@ profile mimetype @{exec_path} { /usr/share/mime/aliases r, /usr/share/mime/magic r, + # To read files + owner /** r, #aa:lint ignore=too-wide + owner @{user_share_dirs}/mime/**.xml r, owner @{user_share_dirs}/mime/globs r, owner @{user_share_dirs}/mime/aliases r, owner @{user_share_dirs}/mime/magic r, - # To read files - /** r, - include if exists } diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 93e29bcfa5..9b0912bd9e 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -67,7 +67,7 @@ profile tomb @{exec_path} { @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, - @{bin}/e2fsc rPUx, + @{sbin}/e2fsck rPx, @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index f38a692248..4d27661010 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -40,13 +40,10 @@ profile xarchiver @{exec_path} { owner @{HOME}/.bz2 rw, - / r, - /home/ r, - #owner @{HOME}/ r, - #owner @{HOME}/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - /tmp/ r, + #aa:lint ignore=too-wide + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, owner @{tmp}/** rw, @{PROC}/@{pid}/mountinfo r, diff --git a/tests/check.sh b/tests/check.sh index 9bafd51045..60e23c6942 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -171,6 +171,9 @@ _check_abstractions() { _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done + if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then + _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" + fi } readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') @@ -222,7 +225,7 @@ readonly TRANSITION_MUST_PC=( # Must transition to 'Px' ischroot who ) readonly TRANSITION_MUST_C=( # Must transition to 'Cx' - sysctl kmod pgrep pkexec sudo systemctl udevadm + sysctl kmod pgrep pkill pkexec sudo systemctl udevadm fusermount fusermount3 fusermount{,3} nvim vim sensible-editor ) diff --git a/tests/sbin.list b/tests/sbin.list index 8ee14fd217..16073f0d2c 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -761,6 +761,7 @@ ugc umount.nfs umount.nfs4 umount.udisks2 +unbound unconfined undump.bt unix_chkpwd From c51943934ed4a99105a75eda382a5df6959ad6b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:04:35 +0200 Subject: [PATCH 0423/1736] feat(tunable): add x64 to @{arch} --- apparmor.d/tunables/multiarch.d/system | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 359d1b878d..0eae0fde32 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -20,6 +20,7 @@ @{lib}=/{,usr/}lib{,exec,32,64} # Common places for temporary files +# /tmp/user/@{uid}/ is needed when using .... (default on Debian) @{tmp}=/tmp/ /tmp/user/@{uid}/ # Common places for EFI @@ -29,7 +30,7 @@ # ---------------- # Common architecture names -@{arch}=x86_64 amd64 i386 i686 +@{arch}=x86_64 x64 amd64 i386 i686 # Dbus unique name @{busname}=:1.@{u16} :not.active.yet From 483c0c107d611502578e12d9355004644f715e0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:22:07 +0200 Subject: [PATCH 0424/1736] build: enable re-attach disconnected path by default Ignored on Ubuntu 25.04 and abi3.0 --- apparmor.d/tunables/multiarch.d/system | 5 ++-- pkg/prebuild/cli/cli.go | 11 +++++++- pkg/prebuild/prepare/attach.go | 37 ++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 pkg/prebuild/prepare/attach.go diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 0eae0fde32..06cb42000f 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,8 +69,9 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# Attachment path for attach_disconnected.path flag. -# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. +# Default attachment path when re-attached path disconnected path is ignored. +# Disabled on abi3 and Ubuntu 25.04+ +# See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ alias // -> /, diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 000aa65f97..237b0f0f8b 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -108,7 +108,16 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // builder.Register("attach") // Re-attach disconnected path + // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak + // that fully prevent profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + if prebuild.Distribution != "ubuntu" { + builder.Register("attach") + prepare.Register("attach") + } else if prebuild.Release["VERSION_CODENAME"] == "noble" { + builder.Register("attach") + prepare.Register("attach") + } default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go new file mode 100644 index 0000000000..a87ff9071c --- /dev/null +++ b/pkg/prebuild/prepare/attach.go @@ -0,0 +1,37 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2025 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type ReAttach struct { + prebuild.Base +} + +func init() { + RegisterTask(&ReAttach{ + Base: prebuild.Base{ + Keyword: "attach", + Msg: "Configure tunable for re-attached path", + }, + }) +} + +func (p ReAttach) Apply() ([]string, error) { + res := []string{} + + // Remove the @{att} tunable that is going to be defined in profile header + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + return res, path.WriteFile([]byte(out)) +} From b0c661931af5b376f79d1dadff684e3d165b4f64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:23:05 +0200 Subject: [PATCH 0425/1736] fix(build): fsp regex. --- pkg/prebuild/builder/fsp.go | 2 +- pkg/prebuild/cli/cli.go | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index ed2285de5c..8f7fb42020 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -11,7 +11,7 @@ import ( var ( regFullSystemPolicy = util.ToRegexRepl([]string{ - `r(PU|U)x,`, `rPx,`, + `(PU|U)x,`, `Px,`, }) ) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 237b0f0f8b..ab221e485a 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -139,6 +139,9 @@ func Configure() { func Prebuild() { logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + if full { + logging.Success("Full system policy enabled") + } if prebuild.Version != nilVer { logging.Success("AppArmor version targeted: %.1f", prebuild.Version) } From c0de5ff71d9a2aec1b3c778cc31261a2961f54c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:38:46 +0200 Subject: [PATCH 0426/1736] ci: also run the integration tests on manual run. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bcb8173383..9f2addf880 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -83,7 +83,7 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build - if: github.ref == 'refs/heads/dev' + if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' steps: - name: Check out repository code uses: actions/checkout@v4 From be341a4ca8c48c03823609d143ea98e2a5c7b860 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:43:21 +0200 Subject: [PATCH 0427/1736] feat(profile): syncthing 2.0 uses sqlite. --- apparmor.d/profiles-s-z/syncthing | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 6ff0fe7e94..4553ac1e90 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -35,6 +35,9 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, From e8055098033abd1f3f73d2a1578f2dc07f7b1ce8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 19:42:44 +0200 Subject: [PATCH 0428/1736] build: opensuse: improve post install script. --- dists/apparmor.d.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index bf97705a60..d608415810 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -32,8 +32,8 @@ just complain just destdir="%{buildroot}" install %posttrans -rm -f /var/cache/apparmor/* 2>/dev/null -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +%restart_on_update apparmor %files %license LICENSE From ca24da7a2a4e11def29652d27c49e1ec11539e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 19:49:43 +0200 Subject: [PATCH 0429/1736] build(debian): improve post install scripts. --- debian/apparmor.d.postinst | 5 ++++- debian/apparmor.d.postrm | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 4e659173cf..fd0ffeb333 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,6 +7,9 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 4e659173cf..fd0ffeb333 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,6 +7,9 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 From f5a4acd37e374f1036addc7c2425e578982f6a05 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Aug 2025 19:13:59 +0200 Subject: [PATCH 0430/1736] feat(abs): graphics: add cpu_capacity --- apparmor.d/abstractions/graphics | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 37f6be70ed..79872ceb4c 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -14,6 +14,7 @@ @{sys}/bus/pci/devices/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, @{sys}/devices/system/cpu/cpu@{int}/topology/* r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, From 5ee999536ca2f5ae5cfbb999bb20bc7334d278ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Aug 2025 19:23:33 +0200 Subject: [PATCH 0431/1736] feat(abs): reorganize the electron & chromium abs. --- apparmor.d/abstractions/app/chromium | 32 ++----------------- apparmor.d/abstractions/common/chromium | 25 +++++++++++---- apparmor.d/abstractions/common/electron | 39 ++--------------------- apparmor.d/groups/network/mullvad-gui | 5 +-- apparmor.d/groups/steam/steam | 8 +++-- apparmor.d/profiles-a-f/deltachat-desktop | 1 + apparmor.d/profiles-a-f/discord | 4 ++- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/linuxqq | 1 + apparmor.d/profiles-m-r/protonmail | 1 + apparmor.d/profiles-s-z/session-desktop | 1 + apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/spotify | 3 +- apparmor.d/profiles-s-z/superproductivity | 1 + apparmor.d/profiles-s-z/vesktop | 2 +- apparmor.d/profiles-s-z/wechat | 1 + apparmor.d/profiles-s-z/wechat-appimage | 1 + apparmor.d/profiles-s-z/wechat-universal | 1 + apparmor.d/profiles-s-z/wemeet | 2 ++ 19 files changed, 46 insertions(+), 85 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index a971ca5a0d..8f991c2300 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -33,6 +33,7 @@ include include include + include include include include @@ -46,14 +47,6 @@ include include - userns, - - capability setgid, - capability setuid, - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - network inet dgram, network inet6 dgram, network inet stream, @@ -112,21 +105,12 @@ /etc/fstab r, /etc/{,opensc/}opensc.conf r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - / r, owner @{HOME}/ r, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, @@ -151,10 +135,7 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/scoped_dir@{rand6}/{,**} rw, owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, @@ -163,9 +144,6 @@ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, - /dev/shm/ r, - owner /dev/shm/.@{domain}.@{rand6} rw, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @@ -175,10 +153,7 @@ @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/kernel_max r, @{sys}/devices/virtual/**/report_descriptor r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -192,18 +167,15 @@ owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, /dev/ r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 9fba7b8bb6..78441fe088 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -4,7 +4,13 @@ # SPDX-License-Identifier: GPL-2.0-only # This abstraction is for chromium based application. Chromium based browsers -# need to use abstractions/chromium instead. +# need to use abstractions/app/chromium instead. + +# It works as a *function* and requires a variable to be provided as *arguments* +# and set in the header of the calling profile. Example: +# +# @{domain} = org.chromium.Chromium +# abi , @@ -22,19 +28,24 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, + owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, + owner @{tmp}/.@{domain}.@{rand6} rw, + owner @{tmp}/.@{domain}.@{rand6}/ rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/ rw, owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/SS w, /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.@{domain}.@{rand6} rw, + + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 175fa8b2dc..b581c90732 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -7,13 +7,15 @@ # in the header of the calling profile. Example: # # @{name} = spotify -# @{lib_dirs} = /opt/@{name} +# @{domain} = org.chromium.chromium +# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ # @{config_dirs} = @{user_config_dirs}/@{name} # @{cache_dirs} = @{user_cache_dirs}/@{name} # abi , + include include include include @@ -21,14 +23,6 @@ include include - userns, - - capability setgid, # If kernel.unprivileged_userns_clone = 1 - capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @@ -48,31 +42,7 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_config_dirs}/electron-flags.conf r, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, - - /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -89,15 +59,12 @@ owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index e4d2e9a2c3..639d3ce4bf 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,6 +7,7 @@ abi , include @{name} = Mullvad?VPN +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -31,10 +32,6 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, - owner @{user_cache_dirs}/dconf/user rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/mullvad-vpn rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 5009b970d8..abfab75d71 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -21,10 +21,12 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{domain} = org.chromium.Chromium +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} steam-runtime-steamrt @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64 +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{lib_dirs}/steam-runtime-steamrt @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 4f60099a9b..87c2bbabab 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,6 +7,7 @@ abi , include +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 8765084ff4..3b34d5055c 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -8,6 +8,7 @@ abi , include @{name} = discord +@{domain} = org.chromium.Chromium @{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -48,7 +49,6 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/@{version}/modules/** m, owner "@{tmp}/Discord Crashes/" rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, owner @{tmp}/discord.sock rw, owner @{tmp}/net-export/ rw, @@ -57,6 +57,8 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, + deny ptrace read, + include if exists } diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index f4284873d5..95e37b4d6e 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -8,6 +8,7 @@ abi , include @{name} = {F,f}ree{T,t}ube{,-vue} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -39,7 +40,6 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, deny @{sys}/devices/@{pci}/usb@{int}/** r, - deny /dev/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 08b8cf7a1d..ff2ffe6b87 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -7,6 +7,7 @@ abi , include @{name} = QQ +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/QQ/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c2c81d4dad..0ac23267bc 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -8,6 +8,7 @@ abi , include @{name} = proton-mail "Proton Mail" +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 4817f330a2..dc190b7876 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {S,s}ession +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index dc0bc381ed..bf07409190 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -8,6 +8,7 @@ abi , include @{name} = signal-desktop{,-beta} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} @{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a3a093c855..3c18059a9b 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,6 +8,7 @@ abi , include @{name} = spotify +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -57,8 +58,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c0b940478d..c49a966217 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -7,6 +7,7 @@ abi , include @{name} = super{p,P}roductivity +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index b4b63fe746..4f44326503 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -8,6 +8,7 @@ abi , include @{name} = vesktop +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -33,7 +34,6 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open, - owner /tmp/.org.chromium.Chromium.@{rand6} mr, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, @{sys}/devices/@{pci}/usb@{int}/**/interface r, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index ccff2f95fe..00fe0a8c51 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -7,6 +7,7 @@ abi , include @{name} = wechat +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 07f67fb59c..98ce53f07c 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -7,6 +7,7 @@ abi , include @{name} = wechat-appimage +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-appimage/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index b1c8aded25..94da6c60ee 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -7,6 +7,7 @@ abi , include @{name} = wechat-universal +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-universal/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 4f40ef746d..3606533d7d 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -6,6 +6,8 @@ abi , include +@{domain} = org.chromium.Chromium + @{exec_path} = @{bin}/wemeet @{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess From e55ace4e0a5646fd1e9ad786a4356689bb668d90 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:07:53 +0200 Subject: [PATCH 0432/1736] fix(profile): issue with re-attached paths - Add missing att on some profiles - Fix alias / -> // - Fix aa-log att variable resolution fix #813 #814 --- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/abstractions/common/bwrap | 4 +++- apparmor.d/groups/flatpak/flatpak | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++--- apparmor.d/groups/freedesktop/xwayland | 4 +--- apparmor.d/groups/hyprland/hyprland | 3 +++ apparmor.d/tunables/multiarch.d/system | 2 +- pkg/logs/logs.go | 3 +-- 8 files changed, 15 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index e394c5b99a..29c685f559 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -14,6 +14,8 @@ @{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/stdout rw, + @{att}/dev/null rw, + /apparmor/.null rw, @{att}/apparmor/.null rw, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index f4630475d9..da73b82179 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -38,12 +38,14 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, - owner / r, owner /newroot/{,**} w, owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + @{att}/ r, + @{att}/@{run}/.userns r, + @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/user/max_user_namespaces r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c34ae962f8..fca84002a8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -66,7 +66,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /etc/flatpak/{,**} r, /etc/pulse/client.conf r, - / r, + @{att}/ r, /var/lib/flatpak/{,**} rwlk, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index bc975e4ea8..5c62b07717 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -64,9 +64,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, - owner @{att}/ r, + / r, + @{att}/ r, + @{att}/.flatpak-info r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 9b329e06a4..e8c94916d4 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -41,9 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - @{att}/dev/tty@{int} rw, - /dev/tty rw, - include if exists } diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 8c8c32da08..c1e6da4d82 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -62,6 +62,9 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, + /dev/input/event@{int} rw, /dev/tty r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 06cb42000f..e2f2970456 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -74,6 +74,6 @@ # See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ -alias // -> /, +alias / -> //, # vim:syntax=apparmor diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 2443eaace1..b0ae587021 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -64,7 +64,7 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/att/[^/@]+`, `@{att}/`, + `/att/[^/]+/`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, `/usr/sbin`, `@{sbin}`, @@ -86,7 +86,6 @@ var ( `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, - `@{att}//`, `@{att}/`, // Some system glob `:not.active.yet`, `@{busname}`, // dbus unique bus name From d3507e24b94336e8ca5e1ba50887ed0755a7e341 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:09:28 +0200 Subject: [PATCH 0433/1736] fix(build): ensure post install script do not fail. --- debian/apparmor.d.postinst | 2 +- debian/apparmor.d.postrm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index fd0ffeb333..2f8c90ae09 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache +apparmor_parser --purge-cache || true if systemctl is-active -q apparmor; then systemctl reload apparmor fi diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index fd0ffeb333..2f8c90ae09 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache +apparmor_parser --purge-cache || true if systemctl is-active -q apparmor; then systemctl reload apparmor fi From 7c427aaae6252ee42e316f83b0faae97cb7a1268 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:10:34 +0200 Subject: [PATCH 0434/1736] build: do not overwrite steam. --- dists/overwrite | 1 - 1 file changed, 1 deletion(-) diff --git a/dists/overwrite b/dists/overwrite index 5bc00f9fe8..c8769ba542 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -20,7 +20,6 @@ os-prober plasmashell signal-desktop slirp4netns -steam systemd-coredump thunderbird virtiofsd From 9110a7012441a1f57566361cc05c65d11a189fb7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:16:31 +0200 Subject: [PATCH 0435/1736] tests: add debian/ubuntu based tests images. Also some cleanup of tests resources. --- .gitignore | 1 + tests/cloud-init/debian.yml | 5 +++-- tests/cloud-init/debian13-kde.user-data.yml | 9 +++++++++ tests/cloud-init/ubuntu.yml | 1 + tests/cloud-init/ubuntu24-kubuntu.user-data.yml | 1 + tests/cloud-init/ubuntu25-kubuntu.user-data.yml | 9 +++++++++ tests/packer/clean.sh | 1 - tests/packer/init.sh | 5 +++-- tests/packer/variables.pkr.hcl | 4 ++-- tests/requirements.sh | 2 +- 10 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 tests/cloud-init/debian13-kde.user-data.yml create mode 100644 tests/cloud-init/ubuntu25-kubuntu.user-data.yml diff --git a/.gitignore b/.gitignore index d888d6d5cf..077d62cbf2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # Build .build .logs +.pkg tests/tldr tests/tldr.tar.gz diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index ea3012ad27..b96bb58804 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -23,7 +23,7 @@ core-packages: &core-packages - unattended-upgrades - vim -gnome-packages: &desktop-packages +gnome-packages: &gnome-packages # Core packages for Debian - apparmor-profiles - apparmor-utils @@ -53,7 +53,7 @@ gnome-packages: &desktop-packages - loupe - ptyxis -kde-packages: &kubuntu-packages +kde-packages: &kde-packages # Core packages for Debian - apparmor-profiles - apparmor-utils @@ -79,6 +79,7 @@ kde-packages: &kubuntu-packages # KDE packages for Debian - spice-vdagent - task-kde-desktop + - plasma-workspace-wayland - terminator debian12-runcmd: &debian12-runcmd diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml new file mode 100644 index 0000000000..5a4d33bf5f --- /dev/null +++ b/tests/cloud-init/debian13-kde.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *kde-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index 14db33251d..1f35637502 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -82,6 +82,7 @@ kubuntu-packages: &kubuntu-packages - spice-vdagent - terminator - kubuntu-desktop + - plasma-workspace-wayland desktop-runcmd: &desktop-runcmd # Add missing snap packages diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml index d4139c2f7c..bea74af3ac 100644 --- a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml +++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml @@ -6,3 +6,4 @@ runcmd: *desktop-runcmd write_files: - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml new file mode 100644 index 0000000000..bea74af3ac --- /dev/null +++ b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *kubuntu-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index b7650a1d52..f7518a2f6b 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -55,7 +55,6 @@ clean_apt() { clean_pacman() { _msg "Cleaning pacman cache" - pacman -Syu --noconfirm pacman -Scc --noconfirm } diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 4e4e1ec99f..bf75c0e1e9 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eu +set -eux _lsb_release() { # shellcheck source=/dev/null @@ -31,7 +31,8 @@ main() { ;; debian | ubuntu) - dpkg -i $SRC/*.deb + apt install -y apparmor-profiles + dpkg -i $SRC/*.deb || true ;; opensuse*) diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 073544f59a..a44f984123 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -98,8 +98,8 @@ variable "DM" { img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" } "debian13" : { - img_url = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/debian-13-genericcloud-amd64-daily.qcow2" - img_checksum = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/SHA512SUMS" + img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" } "ubuntu22" : { img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" diff --git a/tests/requirements.sh b/tests/requirements.sh index efc357ad47..0801ff27dd 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -5,7 +5,7 @@ # Dependencies for the bats integration tests -set -eu +set -eu -o pipefail # shellcheck source=/dev/null _lsb_release() { From 52e9ae9fd621997113f2284b9500a511df9c285f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:29:21 +0200 Subject: [PATCH 0436/1736] fix(profile): define missing domain. --- apparmor.d/profiles-a-f/element-desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 91de37e583..7891b67e1f 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {E,e}lement +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} From 4e70cb4c918013914b2bc4bef750374879ad615d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 11:57:36 +0200 Subject: [PATCH 0437/1736] fix(profile): workaround in apparmor issue for attached path. See https://gitlab.com/apparmor/apparmor/-/issues/450 Fix #815 --- apparmor.d/abstractions/common/app | 2 ++ apparmor.d/groups/flatpak/flatpak-app | 1 - apparmor.d/groups/flatpak/flatpak-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/tunables/multiarch.d/system | 1 - pkg/prebuild/prepare/attach.go | 1 + 8 files changed, 7 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 3029fb80b8..3b425e505b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -135,6 +135,8 @@ owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{att}/dev/shm/@{uuid} r, + /dev/hidraw@{int} rw, /dev/input/ r, /dev/input/event@{int} rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index a816e58b8e..4199e92b11 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -83,7 +83,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - @{run}/.userns r, @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 8a8d2b9011..84e2d79643 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -31,7 +31,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{att}/ r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/.var/app/*/**/.ref rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5c62b07717..5e27ac8452 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -65,8 +65,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, / r, - @{att}/ r, @{att}/.flatpak-info r, + owner /att/**/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index fc11b0700d..c9585e2aba 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -52,7 +52,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, / r, - owner @{att}/ r, + owner /att/**/ r, owner /var/lib/xkb/server-@{int}.xkm rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 93cac619e4..d2db2612e3 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -44,7 +44,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/snap rPx, / r, - owner @{att}/ r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/ r, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index e2f2970456..2886657704 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -73,7 +73,6 @@ # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ - alias / -> //, # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index a87ff9071c..3331c73dc6 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -33,5 +33,6 @@ func (p ReAttach) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") return res, path.WriteFile([]byte(out)) } From 58aea2b00d2975372a89db7c32deb6e7d3f35705 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 11:59:06 +0200 Subject: [PATCH 0438/1736] build: update flag manifest. --- dists/flags/main.flags | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a62a6847dc..057c7c2982 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -46,7 +46,7 @@ cockpit-desktop complain cockpit-session attach_disconnected,complain cockpit-ssh complain cockpit-tls attach_disconnected,complain -cockpit-ws complain +cockpit-ws attach_disconnected,complain cockpit-wsinstance-factory complain cups-backend-beh complain cups-backend-bluetooth complain @@ -110,11 +110,9 @@ flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain -flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain -fstrim complain fuse-overlayfs complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain @@ -159,7 +157,6 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain -gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain @@ -189,7 +186,7 @@ kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain kdump_mem_estimator complain -kdump-config complain +kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain @@ -283,11 +280,11 @@ secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain slirp4netns attach_disconnected,complain -snap complain +snap attach_disconnected,complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-seccomp complain +snap-seccomp attach_disconnected,complain snap-update-ns complain snapd complain snapd-apparmor complain @@ -388,7 +385,7 @@ update-grub complain update-info-dir complain update-secureboot-policy complain update-shells complain -userdbctl complain +userdbctl attach_disconnected,complain utempter attach_disconnected,complain veracrypt complain virt-manager attach_disconnected,complain From edc2755d615b64b8a05607e62bfe248f58704fde Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:03:17 +0200 Subject: [PATCH 0439/1736] feat(profile): kde: add initial dbus definition. --- apparmor.d/groups/kde/DiscoverNotifier | 8 +++++ apparmor.d/groups/kde/gmenudbusmenuproxy | 3 ++ apparmor.d/groups/kde/kaccess | 5 +++ apparmor.d/groups/kde/kactivitymanagerd | 4 +++ apparmor.d/groups/kde/kauth-backlighthelper | 2 ++ .../groups/kde/kauth-chargethresholdhelper | 5 +++ apparmor.d/groups/kde/kauth-discretegpuhelper | 4 +++ apparmor.d/groups/kde/kauth-kded-smart-helper | 6 +++- apparmor.d/groups/kde/kcminit | 3 ++ apparmor.d/groups/kde/kde-powerdevil | 15 +++++++++ apparmor.d/groups/kde/kded | 31 +++++++++++++++++-- apparmor.d/groups/kde/kglobalacceld | 3 ++ apparmor.d/groups/kde/kioworker | 3 ++ apparmor.d/groups/kde/konsole | 3 ++ .../groups/kde/kscreen_backend_launcher | 8 ++++- apparmor.d/groups/kde/ksmserver | 11 +++++++ apparmor.d/groups/kde/ksplashqml | 4 +++ apparmor.d/groups/kde/kwalletd | 6 ++++ apparmor.d/groups/kde/kwin_wayland | 12 +++++++ apparmor.d/groups/kde/kwin_wayland_wrapper | 3 ++ apparmor.d/groups/kde/kwin_x11 | 8 +++++ apparmor.d/groups/kde/plasma_waitforname | 1 + apparmor.d/groups/kde/plasmashell | 21 +++++++++++++ apparmor.d/groups/kde/sddm | 19 +++--------- apparmor.d/groups/kde/sddm-greeter | 5 +++ apparmor.d/groups/kde/sddm-xsession | 10 ++++++ apparmor.d/groups/kde/startplasma | 5 +++ apparmor.d/groups/kde/systemsettings | 5 +++ apparmor.d/groups/kde/xembedsniproxy | 3 ++ apparmor.d/groups/network/NetworkManager | 3 +- apparmor.d/groups/network/nm-online | 4 +-- apparmor.d/groups/polkit/polkitd | 5 +++ apparmor.d/profiles-m-r/packagekitd | 2 +- 33 files changed, 208 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 3ec36976d9..8611328878 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,6 +10,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include + include + include + include + include include include include @@ -23,6 +27,10 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, + #aa:dbus own bus=session name=org.kde.discover.notifier + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + @{exec_path} mr, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index d9879941b6..b30e39cdcb 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 42c1400efd..65582d1ba0 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,10 +10,15 @@ include profile kaccess @{exec_path} { include include + include + include + include include include include + #aa:dbus own bus=session name=org.kde.kaccess + @{exec_path} mr, @{bin}/gsettings rPx, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1ee022dc6d..1cc6b41d1e 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include + include include include include @@ -18,6 +19,9 @@ profile kactivitymanagerd @{exec_path} { include include + #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager + #aa:dbus own bus=session name=org.kde.runners.activities + @{exec_path} mr, /etc/xdg/menus/{,*/} r, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 61308e83b0..cc844ce172 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -16,6 +16,8 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, + #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 8ed8bf82e8..119b5508dc 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -9,7 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include + include include + include + + #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index f03dfb007a..8fcec5a2c3 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -9,8 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include + include + include include + #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index cf0caffeba..2e60e6a0aa 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -15,10 +15,14 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart + dbus receive bus=system path=/ + interface=org.kde.kf5auth + member=performAction + peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded5), + peer=(name=org.freedesktop.DBus, label=kded), @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index e11de6a480..bd01bf3c8a 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,9 +10,12 @@ include profile kcminit @{exec_path} { include include + include include include + #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit + @{exec_path} mr, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 45c3828554..c961ed7a34 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,6 +11,13 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include + include + include + include include include include @@ -20,6 +27,14 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, + #aa:dbus own bus=system name=org.freedesktop.Policy.Power + + #aa:dbus own bus=session name=local.org_kde_powerdevil + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + #aa:dbus own bus=session name=org.kde.Solid.PowerManagement + + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ef81b95d1f..e729ec78b4 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -10,9 +10,14 @@ include profile kded @{exec_path} { include include + include + include include + include include + include include + include include include include @@ -35,19 +40,41 @@ profile kded @{exec_path} { signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, + # Owned by KDE + #aa:dbus own bus=system name=com.redhat.NewPrinterNotification + + #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier + #aa:dbus own bus=session name=org.kde.GtkConfig + #aa:dbus own bus=session name=org.kde.kappmenu + #aa:dbus own bus=session name=org.kde.kcookiejar5 + #aa:dbus own bus=session name=org.kde.kded5 + #aa:dbus own bus=session name=org.kde.keyboard + #aa:dbus own bus=session name=org.kde.KeyboardLayouts + #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement + #aa:dbus own bus=session name=org.kde.plasmashell.accentColor + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + #aa:dbus own bus=session name=org.kde.Wacom + #aa:dbus own bus=session name=org.kubuntu.NotificationHelper + #aa:dbus own bus=session name=org.kubuntu.restrictedInstall + + # Talk with KDE + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" + dbus receive bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=:*, label=kauth-kded-smart-helper), + peer=(name=@{busname}, label=kauth-kded-smart-helper), dbus send bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 0e8ba33956..156bdf9281 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,8 +9,11 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel + @{exec_path} mr, @{bin}/kstart rPx, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index a5f867378e..69b7353106 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include + include include include include @@ -32,6 +33,8 @@ profile kioworker @{exec_path} { signal receive set=term peer=plasmashell, signal receive set=term peer=xdg-desktop-portal-kde, + #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 8f9ff48dd0..057a23d704 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -13,6 +13,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -22,6 +23,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), + #aa:dbus own bus=session name=org.kde.konsole-@{int} + @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index d4b547c7c4..7df07f64b8 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,8 +10,14 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include + include + include + include include + include + + #aa:dbus own bus=session name=org.kde.KScreen + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 6d515fb18d..f4d54c2954 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,6 +11,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include + include include include include @@ -20,6 +23,14 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=kbuildsycoca5, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer + #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld + #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland + @{exec_path} mr, @{bin}/rm rix, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 13f1216a54..e1d5d73944 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include + include + include include include include @@ -16,6 +18,8 @@ profile ksplashqml @{exec_path} { ptrace read peer=startplasma, + #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index c4e25e9ffd..23737f14ed 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,6 +11,9 @@ include profile kwalletd @{exec_path} { include include + include + include + include include include include @@ -19,6 +22,9 @@ profile kwalletd @{exec_path} { include include + #aa:dbus own bus=session name=org.freedesktop.secrets + #aa:dbus own bus=session name=org.kde.kwalletd5 + @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index afaac3bd03..a8dc97d534 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,6 +10,10 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include include include include @@ -27,6 +31,14 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { network netlink raw, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd + @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index 1a7573d775..a7ce4c2fea 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include + include include include signal (send) set=(term, kill) peer=kwin_wayland, + #aa:dbus own bus=session name=org.kde.KWinWrapper + @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8400c8cb60..f4f955a4f6 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include + include include include include @@ -22,6 +24,12 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + + #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index a509135af2..d32122a8ac 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 07fbc8e14e..19106cfa92 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,9 +11,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include + include + include include + include include include include @@ -43,6 +47,23 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { signal send, + #aa:dbus own bus=session name=com.canonical.Unity + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.kde.JobViewServer + #aa:dbus own bus=session name=org.kde.klipper + #aa:dbus own bus=session name=org.kde.kuiserver + #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell + #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} + + #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd + #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil + #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 143df5c9e6..9884e2145a 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -50,20 +50,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=startplasma-wayland, signal (send) set=(term) peer=startlxqtwayland, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=kscreenlocker-greet), - - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), + unix type=stream addr=@@{udbus}/bus/sddm-helper/system, + + #aa:dbus own bus=system name=org.freedesktop.DisplayManager + + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f2c133cecc..c9aca546ac 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -23,6 +23,11 @@ profile sddm-greeter @{exec_path} { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f27f3dc3c0..f4256d3d40 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -90,6 +90,16 @@ profile sddm-xsession @{exec_path} { profile dbus { include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 004b89d57c..651061aa99 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,12 +11,17 @@ profile startplasma @{exec_path} { include include include + include + include include include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index b41dac08a7..aab520a723 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,7 +10,9 @@ include profile systemsettings @{exec_path} { include include + include include + include include include include @@ -23,6 +25,9 @@ profile systemsettings @{exec_path} { signal send set=term peer=kioworker, + #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement + #aa:dbus own bus=session name=org.kde.systemsettings + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 6cb93163ce..b768e26308 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 6b444093c9..f27449e77f 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,8 +50,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher - member=Action + member=Action2 peer=(name=org.freedesktop.nm_dispatcher), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq interface=org.freedesktop.NetworkManager.dnsmasq member=SetServersEx diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 189afd74d6..710d3115bd 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -16,12 +16,12 @@ profile nm-online @{exec_path} { dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 4dc1380c05..c2de7f8b60 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -24,6 +24,11 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 + dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label=polkit-kde-authentication-agent), + @{exec_path} mr, @{bin}/pkla-check-authorization rPx, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 9de9cadf98..19f6a515e1 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -38,7 +38,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { signal send set=int peer=apt-methods-*, signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit + #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** @{exec_path} mr, From 523522dd1d2fd75efdd5c07e0b91de897be4cf4b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:05:38 +0200 Subject: [PATCH 0440/1736] feat(profile): improve kde profiles. --- .../polkit-kde-authentication-agent | 5 ++++ .../groups/kde/drkonqi-coredump-cleanup | 3 +- apparmor.d/groups/kde/kded | 21 +++++++++++--- apparmor.d/groups/kde/konsole | 4 ++- apparmor.d/groups/kde/kwalletd | 2 ++ apparmor.d/groups/kde/kwin_wayland | 13 +++++---- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/sddm | 9 +++++- apparmor.d/groups/kde/sddm-xsession | 13 +++++++-- apparmor.d/groups/kde/startplasma | 1 + apparmor.d/groups/kde/systemsettings | 1 + apparmor.d/groups/kde/wayland-session | 29 ++++++++++++++----- apparmor.d/groups/kde/xembedsniproxy | 1 + apparmor.d/groups/kde/xsettingsd | 1 + 14 files changed, 82 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index f53f4d1643..8a08f02d0b 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,6 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include include include include @@ -26,6 +28,9 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, signal (send) set=(term, kill) peer=polkit-agent-helper, + #aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int} + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index c74276b956..199dd9c8f1 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -14,7 +14,8 @@ profile drkonqi-coredump-cleanup @{exec_path} { @{exec_path} mr, @{user_cache_dirs}/kcrash-metadata/ r, - owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw, + owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw, include if exists } diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e729ec78b4..f2f2489ab4 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -18,6 +18,7 @@ profile kded @{exec_path} { include include include + include #aa:only apt include include include @@ -26,16 +27,19 @@ profile kded @{exec_path} { include include include + include include capability sys_ptrace, network inet dgram, + network inet stream, network inet6 dgram, - network netlink raw, + network inet6 stream, network netlink dgram, + network netlink raw, - ptrace (read), + ptrace read, signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, @@ -78,11 +82,13 @@ profile kded @{exec_path} { @{exec_path} mrix, + @{python_path} rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/flatpak rPx, @{bin}/kcminit rPx, + @{bin}/lsb_release rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{python_path} rix, - @{bin}/flatpak rPx, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -94,18 +100,22 @@ profile kded @{exec_path} { #aa:exec kconf_update /usr/share/color-schemes/{,**} r, + /usr/share/distro-info/{,**} r, + /usr/share/distro-release-notifier/{,**} r, /usr/share/kconf_update/ r, /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/ubuntu-release-upgrader/{,*} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, + /etc/update-manager/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -113,6 +123,8 @@ profile kded @{exec_path} { / r, @{efi}/ r, + owner /var/lib/update-manager/meta-release-lts rw, + owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, @@ -125,6 +137,7 @@ profile kded @{exec_path} { @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, + owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 057a23d704..fa55e177d6 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -56,7 +56,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/konsole.notifyrc r, - owner @{user_config_dirs}/konsolerc{,*} rwlk, + owner @{user_config_dirs}/konsolerc rwl, + owner @{user_config_dirs}/konsolerc.@{rand6} rwl, + owner @{user_config_dirs}/konsolerc.lock rwk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 23737f14ed..ad96cb512e 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -45,6 +45,8 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, + owner @{run}/user/@{uid}/kwallet{5,6}.socket r, + owner @{tmp}/kwalletd5.* rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index a8dc97d534..243e0adfe4 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -23,13 +23,16 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { capability sys_nice, capability sys_ptrace, - ptrace (read), + network netlink raw, - signal (receive) set=term peer=sddm, - signal (receive) set=(kill, term) peer=kwin_wayland_wrapper, - signal (send) set=(kill, term) peer=xwayland, + ptrace read, - network netlink raw, + signal receive set=term peer=sddm, + signal receive set=(kill, term) peer=kwin_wayland_wrapper, + signal send set=(kill, term) peer=xwayland, + + unix type=stream peer=(label=xkbcomp), + unix type=stream peer=(label=xwayland), #aa:dbus own bus=session name=org.freedesktop.ScreenSaver #aa:dbus own bus=session name=org.kde.kglobalaccel diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 19106cfa92..68ea4fc0c0 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -80,6 +80,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /opt/**/share/icons/{,**} r, /opt/*/**/*.desktop r, /opt/*/**/*.png r, + /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 9884e2145a..b621167044 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -66,20 +66,26 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/{,sddm/}sddm-helper-start-x11user rix, @{shells_path} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, @{bin}/cat rix, - @{sbin}/checkproc rix, + @{bin}/date rix, + @{bin}/dirname rix, @{bin}/disable-paste rix, + @{bin}/id rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/sed rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/xdm r, @{bin}/xmodmap rix, + @{sbin}/checkproc rix, @{bin}/dbus-run-session rPx -> dbus-session, @{bin}/dbus-update-activation-environment rPx -> dbus-session, @@ -98,6 +104,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/systemctl rCx -> systemctl, @{bin}/xauth rCx -> xauth, @{bin}/Xorg rPx, + @{bin}/xrandr rPx, @{bin}/xrdb rPx, @{bin}/xset rPx, @{bin}/xsetroot rPx, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f4256d3d40..0e9290d534 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -25,9 +25,11 @@ profile sddm-xsession @{exec_path} { @{bin}/chmod rix, @{bin}/csh rix, @{bin}/date rix, + @{bin}/dpkg-query rpx, @{bin}/fish rix, + @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, @@ -40,12 +42,13 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, + @{bin}/tr rix, @{bin}/which{,.debianutils} rix, - @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @{bin}/numlockx rPx, + @{bin}/xbrlapi rPx, @{bin}/xhost rPx, @{bin}/xrdb rPx, /etc/X11/Xsession rPx, @@ -60,7 +63,9 @@ profile sddm-xsession @{exec_path} { @{system_share_dirs}/im-config/data/{,*} r, @{system_share_dirs}/im-config/xinputrc.common r, + @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r, + /etc/debuginfod/{,**} r, /etc/default/{,*} r, /etc/X11/{,**} r, @@ -71,7 +76,7 @@ profile sddm-xsession @{exec_path} { owner @{tmp}/xsess-env-* rw, owner @{tmp}/file* rw, - audit owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/loginuid r, @@ -133,6 +138,8 @@ profile sddm-xsession @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{HOME}/.xsession-errors w, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 651061aa99..5db93719c6 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -36,6 +36,7 @@ profile startplasma @{exec_path} { @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, + /usr/share/byobu/desktop/{,**} r, /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices{5,6}/{,**} r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index aab520a723..a78225b675 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -80,6 +80,7 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements r, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 124cf2fdad..56914137bf 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -13,14 +13,29 @@ profile wayland-session @{exec_path} { @{exec_path} mr, - @{shells_path} rix, - @{bin}/id rix, - - @{lib}/plasma-dbus-run-session-if-needed rix, - @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{bin}/startplasma-wayland rPx, - + @{shells_path} rix, + @{bin}/cat ix, + @{bin}/dpkg-query px, + @{bin}/gettext ix, + @{bin}/gettext.sh r, + @{bin}/id ix, + @{bin}/locale ix, + @{bin}/locale-check ix, + @{bin}/sed ix, + @{bin}/tr ix, + + @{bin}/startplasma-wayland Px, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix, + @{lib}/plasma-dbus-run-session-if-needed ix, + + /usr/share/im-config/{,**} r, + /usr/share/libdebuginfod-common/debuginfod.sh r, + + /etc/debuginfod/{,**} r, + /etc/default/im-config r, /etc/machine-id r, + /etc/X11/xinit/xinputrc r, + /etc/X11/Xsession.d/*im-config_launch r, owner @{user_share_dirs}/sddm/wayland-session.log rw, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index b768e26308..93259822e5 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -16,6 +16,7 @@ profile xembedsniproxy @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 7cebbb43c1..1adbf1d9fb 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xsettingsd profile xsettingsd @{exec_path} { include + include signal (receive) set=hup peer=kded, From 7e79d5abefa13bd226d4b1f5671b238d168590b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:15:24 +0200 Subject: [PATCH 0441/1736] feat(profile): improve support for ubuntu & kubuntu. --- apparmor.d/abstractions/bus/org.a11y | 10 ++++++++++ apparmor.d/abstractions/graphics-full | 4 ++++ apparmor.d/abstractions/kde-strict | 3 ++- apparmor.d/abstractions/mesa.d/complete | 2 ++ apparmor.d/groups/apt/dpkg-script-linux | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/unattended-upgrade | 12 ++++++----- apparmor.d/groups/bluetooth/blueman-mechanism | 1 + apparmor.d/groups/bluetooth/obexd | 3 ++- apparmor.d/groups/browsers/chromium-wrapper | 1 + apparmor.d/groups/browsers/firefox-glxtest | 2 ++ apparmor.d/groups/bus/dbus-accessibility | 7 ++++--- apparmor.d/groups/bus/ibus-memconf | 3 +-- apparmor.d/groups/freedesktop/wireplumber | 6 ++---- .../groups/freedesktop/xdg-desktop-portal | 4 ++++ .../freedesktop/xdg-desktop-portal-gnome | 4 ++++ apparmor.d/groups/freedesktop/xrandr | 4 ++++ apparmor.d/groups/freedesktop/xwayland | 3 ++- apparmor.d/groups/gnome/deja-dup-monitor | 6 ++++++ apparmor.d/groups/gnome/gdm-generate-config | 3 +-- apparmor.d/groups/gnome/gjs-console | 11 +++++++++- apparmor.d/groups/gnome/yelp | 6 ++++-- apparmor.d/groups/snap/snap | 6 +++++- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snapd | 1 - apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/ubuntu/apport-gtk | 20 +++++++++++++++++-- apparmor.d/groups/ubuntu/apt_news | 1 + apparmor.d/groups/ubuntu/ubuntu-fan-net | 12 +++++++++++ apparmor.d/groups/ubuntu/update-notifier | 2 +- .../groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/groups/utils/login | 1 + apparmor.d/groups/virt/cockpit-tls | 2 +- .../groups/virt/cockpit-wsinstance-factory | 13 +++++++++++- apparmor.d/profiles-a-f/dhclient-script | 19 +++++++++++++----- apparmor.d/profiles-a-f/dracut-install | 2 ++ apparmor.d/profiles-g-l/kernel | 4 ++++ apparmor.d/profiles-g-l/lsb-release | 1 + apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/motd | 10 +++++++++- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-m-r/qdbus | 1 + apparmor.d/profiles-s-z/switcheroo-control | 1 + apparmor.d/profiles-s-z/update-info-dir | 2 ++ apparmor.d/profiles-s-z/whoopsie | 10 ++++++++++ apparmor.d/profiles-s-z/wsdd | 1 + apparmor.d/profiles-s-z/xbrlapi | 2 ++ 47 files changed, 179 insertions(+), 39 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 2677d2f61d..c99f5f8bd0 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -31,6 +31,11 @@ member=Embed peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + # Session bus dbus send bus=session path=/org/a11y/bus @@ -38,6 +43,11 @@ member=GetAll peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=Get diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1f2b0ffd2b..eb60edb4d9 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -6,6 +6,10 @@ include + @{sys}/devices/@{pci}/numa_node r, + + @{PROC}/devices r, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools rw, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 428aa93f36..fd994d12db 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -20,6 +20,7 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications{5,6}/*.notifyrc r, + /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, @@ -44,7 +45,7 @@ owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 1d718c0b19..02a48114c2 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -42,4 +42,6 @@ @{PROC}/sys/dev/xe/observation_paranoid r, + /dev/udmabuf rw, # In upstream, but not released yet + # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index b294b928be..af578be50b 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{bin}/cat ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 9be1f32583..7d2073768f 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -168,6 +168,7 @@ profile dpkg-scripts @{exec_path} { /usr/local/ r, /usr/local/lib/ r, + /var/cache/ldconfig/ rw, owner /var/cache/ldconfig/aux-cache* rw, include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 0d4d2ee33c..d501a325f1 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/touch ix, @{bin}/uname ix, - @{bin}/dpkg-deb px, @{bin}/apt-listchanges Px, + @{bin}/df Px, + @{bin}/dmesg Px, @{bin}/dpkg Px, + @{bin}/dpkg-deb px, @{bin}/dpkg-divert Px, @{bin}/etckeeper Px, @{bin}/ischroot Px, @@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, /etc/ssh/moduli r, - /etc/ssh/ssh_config r, + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/ufw/{,**} r, /etc/update-manager/{,**} r, /etc/update-motd.d/{,**} r, @@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, - /var/crash/*.crash w, + /var/crash/*.crash rw, /var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/dpkg/info/{,*} r, @@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/lists/ rw, /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, - /var/log/apt/{term,history}.log w, - /var/log/apt/eipp.log.xz w, + /var/log/apt/*.log* rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism index ffdda336ef..9b48002109 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -11,6 +11,7 @@ include profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include include + include include include diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index efb5f42e4a..65ad4c0e5a 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -10,8 +10,9 @@ include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include - include include + include + include include network bluetooth stream, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index dea35ae1a8..d29dcc6306 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 30281f2f4f..f9470a59b1 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -21,6 +21,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index ee787e4e18..f876d1210f 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -23,8 +23,9 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=gnome-session-binary, unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), @@ -71,10 +72,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/cmdline r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 803f28a4a9..5233f86037 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -11,6 +11,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -27,8 +28,6 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 25569cd689..80c3135f56 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -76,10 +76,8 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/1/cgroup r, - @{PROC}/1/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5e27ac8452..35c81f0bce 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -45,6 +45,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.host.portal.Registry member=Register peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.NetworkMonitor + member=GetStatus + peer=(name=@{busname}, label=snap.*), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 6ee4cab6d6..bed83627a9 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -47,6 +47,10 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index fc1935c4be..ed9e7a030e 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -12,8 +12,12 @@ profile xrandr @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, + @{run}/sddm/xauth_@{rand6} r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index e8c94916d4..a8950dbc6a 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -20,7 +20,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix type=stream addr=none peer=(label=gnome-shell, addr=none), + unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=kwin_wayland), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index af7fa51b0b..ac5d6af81c 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -33,10 +33,16 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=power-profiles-daemon), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, + @{bin}/deja-dup Px, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index d48b9eff66..9d910cdd2b 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,7 +18,7 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, - ptrace read, + # ptrace read, @{exec_path} mr, @@ -45,7 +45,6 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, - @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index fdaa4e8255..0cfd4c4206 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -64,6 +64,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-shell/{,**} r, + /usr/share/thumbnailers/{,**} r, /tmp/ r, /var/tmp/ r, @@ -76,9 +77,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +98,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/tty rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 058b9697a2..1f2fc39d3e 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help -profile yelp @{exec_path} { +profile yelp @{exec_path} flags=(attach_disconnected) { include include include @@ -30,7 +30,9 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 425d5cd660..ef0a086a88 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -68,9 +68,13 @@ profile snap @{exec_path} flags=(attach_disconnected) { /var/cache/snapd/names r, @{DESKTOP_HOME}/snap/{,**} rw, - @{HOME}/snap/{,**} rw, /snap/{,**} rw, + @{HOME}/snap/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/.snap.mkdir-new/ rw, + owner @{HOME}/.snap/{,**} rw, + owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 7857bcc6ad..9605c544a1 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -9,7 +9,7 @@ include @{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp -profile snap-seccomp @{exec_path} { +profile snap-seccomp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0f975b3b0a..7e2c288b63 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -34,7 +34,6 @@ profile snapd @{exec_path} { capability setuid, capability sys_admin, capability sys_ptrace, - capability sys_resource, network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index e953834a76..ab86f3ad17 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -55,6 +55,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/userdbctl Px, @{lib}/{openssh,ssh}/sshd-auth Px, @{etc_rw}/motd r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 4940653a31..271ff23e49 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -29,10 +29,12 @@ profile apport-gtk @{exec_path} { network inet6 stream, network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} mr, @{sh_path} rix, + @{python_path} rix, @{bin}/{f,}grep rix, @{bin}/apt-cache rPx, @{bin}/cut rix, @@ -43,20 +45,24 @@ profile apport-gtk @{exec_path} { @{bin}/gsettings rPx, @{bin}/ischroot rPx, @{bin}/journalctl rPx, - @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, + @{bin}/readlink rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @{bin}/which{,.debianutils} rix, + @{sbin}/killall5 rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, + @{bin}/* r, + @{sbin}/* r, + /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, @@ -79,9 +85,10 @@ profile apport-gtk @{exec_path} { /var/crash/ rw, owner /var/crash/*.@{uid}.{crash,upload} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/snapd.socket rw, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apport_core_@{rand8} rw, owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, owner @{tmp}/tmp@{rand8}/{,**} rw, @@ -135,6 +142,15 @@ profile apport-gtk @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label=unconfined), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label=unconfined), + include if exists } diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 7f4e8fbe21..9734803e46 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -14,6 +14,7 @@ profile apt_news @{exec_path} flags=(attach_disconnected) { include capability chown, + capability fowner, capability kill, capability setgid, capability setuid, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net index 74fe835513..ab83ebed46 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -14,10 +14,22 @@ profile ubuntu-fan-net @{exec_path} { @{sh_path} mr, @{bin}/{m,g,}awk ix, + @{bin}/kmod Cx -> kmod, @{bin}/{,e}grep ix, @{bin}/networkctl Px, @{sbin}/fanctl Px, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 361290980f..9754aa2311 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -25,7 +25,7 @@ profile update-notifier @{exec_path} { unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index d65c77a08b..4926c0b1ca 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -16,7 +16,7 @@ profile update-notifier-crash @{exec_path} { @{bin}/{,e}grep ix, @{bin}/groups Px, @{bin}/systemctl Cx -> systemctl, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{sh_path} mr, /usr/share/apport/apport-checkreports Px, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index c350014984..cf9663e8e4 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -54,6 +54,7 @@ profile login @{exec_path} flags=(attach_disconnected) { /etc/shells r, /var/lib/faillock/@{user} rwk, + /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 7bf43ed4ae..8a345588aa 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,7 +17,7 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, - @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, owner @{run}/cockpit/tls/{,**} rw, diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index 99db4d614f..248ca43e80 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -11,12 +11,23 @@ profile cockpit-wsinstance-factory @{exec_path} { include include + capability net_admin, + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, - capability net_admin, + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=JobRemoved + peer=(name=@{busname}, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, + @{run}/cockpit/wsinstance/https-factory.sock w, + include if exists } diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 3967512b89..9d84a4065b 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -46,18 +46,18 @@ profile dhclient-script @{exec_path} { @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{sbin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/tr rix, @{bin}/xxd rix, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, + @{etc_rw}/samba/dhcp.conf{,.new} rw, /etc/default/ddclient r, /etc/dhcp/{,**} r, /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, - @{etc_rw}/samba/dhcp.conf{,.new} rw, /var/lib/dhcp/dhclient.leases r, /var/lib/samba/dhcp.conf{,.new} rw, @@ -71,7 +71,16 @@ profile dhclient-script @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + include if exists + } profile run-parts { include diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 6deb06eb65..e99760a73e 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -13,6 +13,8 @@ profile dracut-install @{exec_path} { @{exec_path} mr, + @{bin}/cp rix, + /etc/modprobe.d/{,**} r, @{sys}/devices/platform/{,**/} r, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 41098ab4b8..c46b5556e0 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -67,6 +67,10 @@ profile kernel @{exec_path} { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index 23bada3ecc..d2d52d3628 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -17,6 +17,7 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/ r, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cut rix, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index a4fc278f0b..cae5c1c3dc 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -17,7 +17,7 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, @{bin}/cpio ix, - @{bin}/dpkg Cx -> child-dpkg, + @{bin}/dpkg Px, @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index 67f216212e..6cdb0fbf84 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -9,9 +9,13 @@ include @{exec_path} = /etc/update-motd.d/* profile motd @{exec_path} { include + include capability net_admin, + network inet6 stream, + network inet6 stream, + @{exec_path} mr, @{bin}/ r, @@ -44,7 +48,7 @@ profile motd @{exec_path} { /var/lib/ubuntu-advantage/messages/motd-esm-announce r, /var/lib/cloud/instances/nocloud/cloud-config.txt r, - # /tmp/tmp.@{rand10} rw, + /tmp/tmp.@{rand10} rw, @{run}/cloud-init/cloud.cfg r, @{run}/motd.d/{,*} r, @@ -62,6 +66,8 @@ profile motd @{exec_path} { include include + capability net_admin, + network inet dgram, network inet stream, network inet6 dgram, @@ -70,6 +76,8 @@ profile motd @{exec_path} { @{bin}/wget mr, + /etc/wgetrc r, + /tmp/tmp.@{rand10} rw, include if exists diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index b8f50ff7c3..178bf28c66 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -38,10 +38,10 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, + @{sys}/devices/**/status r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, - @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus index fa67bad979..6816079ac4 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-m-r/qdbus @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus profile qdbus @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index e1b9ab7de7..eecb98b282 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -12,6 +12,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index 7c835023fa..fe06b32afd 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -18,6 +18,8 @@ profile update-info-dir @{exec_path} { @{bin}/find ix, @{bin}/rm ix, + /etc/environment r, + include if exists } diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie index 0c03f4a768..8a2c839045 100644 --- a/apparmor.d/profiles-s-z/whoopsie +++ b/apparmor.d/profiles-s-z/whoopsie @@ -10,10 +10,17 @@ include profile whoopsie @{exec_path} { include include + include capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, /var/crash/ r, @@ -22,6 +29,9 @@ profile whoopsie @{exec_path} { /var/lib/whoopsie/whoopsie-id rw, /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + /var/crash/*.@{uid}.crash r, + owner /var/crash/*.@{uid}.uploaded rw, + owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/lock rwk, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 20575b2a89..fc69557939 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -27,6 +27,7 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, + @{run}/uuidd/request rw, owner @{run}/user/@{uid}/gvfsd/wsdd w, include if exists diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index 4ce252e107..b2f94975fb 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -16,6 +16,8 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{HOME}/.xsession-errors w, + include if exists } From 4dba131fb38418b898a02aaec92e977fe7a0a4c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:16:24 +0200 Subject: [PATCH 0442/1736] feat(profile): parser: move sysctl to its own subprofile. --- apparmor.d/groups/apparmor/apparmor.systemd | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index cb862ff488..f58512a027 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} { @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{sbin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, @@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, - @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, + + include if exists + } + include if exists } From ba16e3c3405d8d801dfbe332e1a77507be3ea879 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:20:08 +0200 Subject: [PATCH 0443/1736] feat(profile): cleanup log from well known programs. --- apparmor.d/groups/freedesktop/xdg-mime | 6 ++++++ apparmor.d/groups/utils/blkid | 5 +++-- apparmor.d/groups/utils/lspci | 4 +++- apparmor.d/profiles-g-l/gsettings | 8 ++++++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 15b73a2d18..9e6dbc2e0e 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -59,6 +59,12 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** rw, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + profile bus flags=(complain) { include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 3eee035fe0..4105a7419a 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -34,8 +34,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - @{run}/cloud-init/ds-identify.log w, # file_inherit - @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, @{PROC}/swaps r, @@ -47,6 +45,9 @@ profile blkid @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + # file_inherit + deny @{run}/cloud-init/ds-identify.log w, + include if exists } diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index e8ba892985..c6ac0fdcdb 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -45,7 +45,9 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/ioports r, - deny @{user_share_dirs}/gvfs-metadata/* r, + # file_inherit + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_cache_dirs}/*/** rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index bbdb3da623..849599977e 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -23,6 +23,14 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + # file_inherit + deny network netlink raw, + deny /etc/nsswitch.conf r, + deny /etc/passwd r, + deny /opt/*/** r, + deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + include if exists } From 7f9664c51f0aec674bee24a6460323b78e08735e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:51:10 +0200 Subject: [PATCH 0444/1736] feat(profile): add profile for mpris-proxy. --- apparmor.d/profiles-m-r/mpris-proxy | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mpris-proxy diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy new file mode 100644 index 0000000000..2f31aea799 --- /dev/null +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mpris-proxy +profile mpris-proxy @{exec_path} { + include + include + include + include + include + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2 + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 952c4e91a118d8a92f15fef49024665482a8f23d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 20:50:00 +0200 Subject: [PATCH 0445/1736] feat(aa): add aa --enforce and aa --complain. These are small dev tools, not installed by default. --- cmd/aa/main.go | 131 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 122 insertions(+), 9 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 5d32e93314..b0737de77f 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -8,6 +8,9 @@ import ( "flag" "fmt" "os" + "os/exec" + "regexp" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -15,12 +18,14 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] +const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...] Various AppArmor profiles development tools Options: -h, --help Show this help message and exit. + -e, --enforce Switch the given profile(s) to enforce mode. + -c, --complain Switch the given profile(s) to complain mode. -f, --format Format the AppArmor profiles. -l, --lint Lint the AppArmor profiles. -t, --tree Generate a tree of visited profiles. @@ -31,12 +36,19 @@ Options: // Command line options var ( - help bool - path string - systemd bool - lint bool - format bool - tree bool + help bool + path string + systemd bool + enforce bool + complain bool + lint bool + format bool + tree bool +) + +var ( + regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `) + regProfileHeader = regexp.MustCompile(` {\n`) ) type kind uint8 @@ -60,6 +72,10 @@ func init() { flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") + flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.") + flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.") } func getIndentationLevel(input string) int { @@ -111,7 +127,7 @@ func formatFile(kind kind, profile string) (string, error) { for idx, rules := range rulesByParagraph { aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - profile = strings.ReplaceAll(profile, paragraphs[idx], rules.String()+"\n") + fmt.Printf(rules.String() + "\n") } return profile, nil } @@ -152,17 +168,95 @@ func aaFormat(files paths.PathList) error { return nil } +func aaLint(files paths.PathList) error { + for _, file := range files { + fmt.Printf("wip: %v\n", file) + } + return nil +} + +func setFlag(profile string, flag string) (string, error) { + f := aa.DefaultTunables() + if _, err := f.Parse(profile); err != nil { + return profile, err + } + + flags := f.GetDefaultProfile().Flags + switch flag { + case "enforce": + if len(flags) == 0 || slices.Contains(flags, "enforce") { + return profile, nil // Nothing to do + } + idx := slices.Index(flags, "complain") + if idx == -1 { + return profile, nil // No complain flag, nothing to do + } + flags = slices.Delete(flags, idx, idx+1) + + case "complain": + if slices.Contains(flags, "complain") { + return profile, nil // Nothing to do + } + flags = append(flags, "complain") + + default: + return profile, fmt.Errorf("unknown flag: %s", flag) + } + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" + + // Remove all flags definition, then the new flags + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) > 0 { + profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) + } + return profile, nil +} + +func aaSetFlag(files paths.PathList, flag string) error { + for _, file := range files { + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = setFlag(profile, flag) + if err != nil { + return err + } + if err = file.WriteFile([]byte(profile)); err != nil { + return err + } + if err = reloadProfile(file); err != nil { + return err + } + } + return nil +} + func aaTree() error { return nil } +func reloadProfile(file *paths.Path) error { + cmd := exec.Command("apparmor_parser", "--replace", file.String()) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Run(); err != nil { + return fmt.Errorf("apparmor_parser failed: %w", err) + } + return nil +} + func pathsFromArgs() (paths.PathList, error) { res := paths.PathList{} for _, arg := range flag.Args() { path := paths.New(arg) switch { case !path.Exist(): - return nil, fmt.Errorf("file %s not found", path) + if aa.MagicRoot.Join(arg).Exist() { + res = append(res, aa.MagicRoot.Join(arg)) + } else { + return nil, fmt.Errorf("file %s not found", path) + } case path.IsDir(): files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), @@ -190,7 +284,26 @@ func main() { var err error var files paths.PathList switch { + case enforce: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "enforce") + + case complain: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "complain") + case lint: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaLint(files) case format: files, err = pathsFromArgs() From 24f629d326692965d2a17fe948f9500c04e5122b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 21:43:23 +0200 Subject: [PATCH 0446/1736] fix(profile): few fixes related to reattached paths. See #816 --- apparmor.d/abstractions/common/app | 5 +++++ apparmor.d/groups/flatpak/flatpak | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 ++ apparmor.d/groups/hyprland/hyprland | 2 +- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 3b425e505b..b6e6734e63 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -114,6 +114,7 @@ @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/net/core/bpf_jit_enable r, + @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, @@ -131,10 +132,14 @@ owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/dri/renderD128 rw, + @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index fca84002a8..6b671f0e00 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -85,6 +85,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{user_games_dirs}/{,**/} w, owner @{user_documents_dirs}/ w, + @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 4199e92b11..f2cd0295a0 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -83,6 +83,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, + owner @{att}/@{HOME}/.var/app/** rwlkmix, + @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index c1e6da4d82..cd3270e496 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -38,7 +38,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.hyprpaper_* rw, owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, From 5e5fde7741402aac6648f6ee6fa4f7bf531e9004 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 21:43:20 +0200 Subject: [PATCH 0447/1736] feat(abs): add the sqlite abstraction. --- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/sqlite | 23 +++++++++++++++++++ apparmor.d/groups/gnome/gnome-music | 3 +-- apparmor.d/groups/gnome/localsearch | 4 +--- apparmor.d/groups/gnome/tracker-miner | 4 +--- apparmor.d/profiles-a-f/dropbox | 3 +-- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 8 +++---- apparmor.d/profiles-g-l/gpodder | 4 +--- .../profiles-m-r/protonmail-bridge-core | 3 +-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 +-- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/syncthing | 4 +--- apparmor.d/profiles-s-z/wechat-appimage | 4 +--- apparmor.d/tunables/multiarch.d/system | 3 --- 18 files changed, 41 insertions(+), 37 deletions(-) create mode 100644 apparmor.d/abstractions/sqlite diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index b6e6734e63..5072cadfd6 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,6 +28,7 @@ include include include + include include include @@ -63,7 +64,6 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, - owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite new file mode 100644 index 0000000000..690417f877 --- /dev/null +++ b/apparmor.d/abstractions/sqlite @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# SQlite temporary files (hexadecimal from 12 to 16 characters) + + abi , + + owner /var/tmp/etilqs_@{hex12} rw, + owner /var/tmp/etilqs_@{hex12}@{h} rw, + owner /var/tmp/etilqs_@{hex12}@{hex2} rw, + owner /var/tmp/etilqs_@{hex15} rw, + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{tmp}/etilqs_@{hex12} rw, + owner @{tmp}/etilqs_@{hex12}@{h} rw, + owner @{tmp}/etilqs_@{hex12}@{hex2} rw, + owner @{tmp}/etilqs_@{hex15} rw, + owner @{tmp}/etilqs_@{hex16} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 511a48987a..2f9795cebd 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -17,6 +17,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, @@ -51,8 +52,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 88e2bf3275..049b3c402f 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -23,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -56,9 +57,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index d35f6467f7..6b358c8b0e 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -21,6 +21,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -63,9 +64,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 15f86bcf59..f40d69799a 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -23,6 +23,7 @@ profile dropbox @{exec_path} { include include include + include include @{exec_path} mr, @@ -61,8 +62,6 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 40001da68c..a7222a6642 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -13,6 +13,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7a00455a60..58ba493cc9 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -18,6 +18,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -77,7 +78,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index cebfc955fb..46ff3eec58 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -11,10 +11,11 @@ include profile gpo @{exec_path} { include include - include include - include + include + include include + include network inet dgram, network inet6 dgram, @@ -36,9 +37,6 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index dd7a20eb72..e60034172f 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -14,6 +14,7 @@ profile gpodder @{exec_path} { include include include + include include include @@ -47,9 +48,6 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 45c6766e36..ca9680aea8 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -17,6 +17,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -43,8 +44,6 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 02bf3bc567..2ff7b4e710 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -18,6 +18,7 @@ profile psi @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index a455df0e97..f72147cc6f 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -18,6 +18,7 @@ profile psi-plus @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index d1194abf58..73b8f7488c 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -18,6 +18,7 @@ profile quiterss @{exec_path} { include include include + include include include @@ -47,8 +48,6 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 611c8462d6..ae22e1f1d8 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -21,6 +21,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -68,7 +69,6 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-*-strawberry w, owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 4553ac1e90..83e1b2f450 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -12,6 +12,7 @@ profile syncthing @{exec_path} { include include include + include include network inet dgram, @@ -35,9 +36,6 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 98ce53f07c..335860d075 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -19,6 +19,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, network netlink dgram, @@ -59,9 +60,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 2886657704..cf8575db0b 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -56,9 +56,6 @@ # System Internal # --------------- -# SQlite temporary files (hexadecimal from 12 to 16 characters) -@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} - # Shortcut for PCI device @{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} @{pci_bus}=pci@{hex4}:@{hex2} From c806ec44eb43bd494672f990e49e29426eb087b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 22:56:07 +0200 Subject: [PATCH 0448/1736] feat(profile): update virt profiles. --- apparmor.d/groups/virt/cockpit-bridge | 7 +++++++ apparmor.d/groups/virt/cockpit-session | 7 +++++++ apparmor.d/groups/virt/cockpit-ws | 4 +++- apparmor.d/groups/virt/dockerd | 9 +++++++++ apparmor.d/groups/virt/libvirt-dbus | 9 ++++++--- apparmor.d/groups/virt/libvirtd | 14 ++++++++++---- apparmor.d/groups/virt/virt-aa-helper | 24 ++++++++++++++++++++++-- apparmor.d/groups/virt/virtiofsd | 4 ++-- 8 files changed, 66 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index b6111750b1..bf3d482043 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/cockpit-bridge profile cockpit-bridge @{exec_path} { include + include + include include include include @@ -33,6 +35,9 @@ profile cockpit-bridge @{exec_path} { signal send set=term peer=unconfined, signal (send receive) set=term peer=cockpit-bridge//sudo, + #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + @{exec_path} mr, @{bin}/cat ix, @@ -126,6 +131,8 @@ profile cockpit-bridge @{exec_path} { include include + @{run}/udev/data/n@{int} r, # For network interfaces + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 8eafd25a0a..3fbefadb79 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -14,10 +14,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { include capability audit_write, + capability chown, capability dac_read_search, capability net_admin, capability setgid, capability setuid, + capability sys_resource, network netlink raw, @@ -26,6 +28,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, + @{bin}/ssh-agent rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -47,6 +50,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /var/log/lastlog rw, /var/log/wtmp rwk, + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 8e3478072c..d4fb299fe7 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -18,9 +18,11 @@ profile cockpit-ws @{exec_path} flags=(attach_disconnected) { @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, + /etc/cockpit/ws-certs.d/{,**} r, /usr/share/pixmaps/{,**} r, - /etc/cockpit/ws-certs.d/ r, + /usr/share/plymouth/{,**} r, + @{run}/cockpit/session rw, @{run}/cockpit/wsinstance/https@@{hex64}.sock r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index aa0a9ed58e..0a214ccd14 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -69,6 +69,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, + @{bin}/tini-static rCx -> tini, @{bin}/git rCx -> git, @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @@ -172,6 +173,14 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { include if exists } + profile tini { + include + + @{bin}/tini-static mr, + + include if exists + } + profile init flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 303e906c22..f3bbaf0196 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -25,9 +25,12 @@ profile libvirt-dbus @{exec_path} { owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/ rw, - @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, + + @{run}/user/@{uid}/libvirt/ rw, + @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + owner @{run}/user/@{uid}/libvirt/libvirt-sock rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index fa3005a653..44d6962f52 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,6 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -47,12 +48,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_pacct, capability sys_ptrace, capability sys_rawio, - capability sys_resource, + capability sys_resource, # Needed for vfio - network inet stream, network inet dgram, - network inet6 stream, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, network packet dgram, network packet raw, @@ -146,7 +147,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/xml/catalog r, /var/cache/libvirt/{,**} rw, - /var/lib/libvirt/{,**} rwk, + /var/lib/libvirt/ rw, + /var/lib/libvirt/** rwk, /var/log/swtpm/libvirt/{,**} rw, # User VM images and share @@ -155,6 +157,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, + owner @{run}/user/@{uid}/libvirt/** rwk, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/ rw, @@ -223,6 +228,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 53afe60122..b49368f07a 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -21,14 +21,34 @@ profile virt-aa-helper @{exec_path} { @{sbin}/apparmor_parser rPx, - /etc/apparmor.d/libvirt/* r, + @{etc_rw}/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, + @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file # System VM images /var/lib/libvirt/images/{,**} r, - /var/lib/nova/instances/_base/* r, + + # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507) + /var/lib/nova/images/{,**} r, + /var/lib/nova/instances/_base/{,**} r, + /var/lib/nova/instances/snapshots/{,**} r, + /var/snap/nova-hypervisor/common/instances/_base/{,**} r, + /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r, + + # Eucalyptus disks & loader (LP: #564914 #637544) + /var/lib/eucalyptus/instances/**/disk* r, + /var/lib/eucalyptus/instances/**/loader* r, + + # For uvtool + /var/lib/uvtool/libvirt/images/{,**} r, + + # For multipass + /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r, + + # Common mount directories + @{MOUNTDIRS}/{,**} r, # User VM images @{user_share_dirs}/ r, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 899ecae045..ae7ac5fa9a 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd -profile virtiofsd @{exec_path} { +@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd +profile virtiofsd @{exec_path} flags=(attach_disconnected) { include userns, From f3d209e42a0abaabb0a34491b645f653fc035f16 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 22:58:46 +0200 Subject: [PATCH 0449/1736] feat(profile): ensure nautilus can access root files. --- apparmor.d/groups/gvfs/gvfsd-admin | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 4f845f316b..e1b16cac30 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -22,14 +22,15 @@ profile gvfsd-admin @{exec_path} { /usr/share/mime/mime.cache r, - @{MOUNTS}/{,**} rw, - - @{run}/mount/utab r, - @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/stat r, + #aa:lint ignore=too-wide + # Full access to system's data, but no write access to sensitive system directories + / r, + /*/ r, + /*/** rw, + deny @{sys}/** w, + deny @{PROC}/** w, + deny @{efi}/** w, + deny /dev/** w, include if exists } From 5d7646d9ccfe75becdb2276f77c03088b4cb8616 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:05:34 +0200 Subject: [PATCH 0450/1736] Update mandb ALLOWED mandb exec @{bin}/bzip2 -> mandb//null-@{bin}/bzip2 comm=mandb requested_mask=x denied_mask=x ALLOWED mandb//null-@{bin}/bzip2 file_inherit /usr/share/man/man8/grub-btrfsd.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 file_inherit /var/cache/man/52062 comm=bzip2 requested_mask=wr denied_mask=wr ALLOWED mandb//null-@{bin}/bzip2 file_mmap @{bin}/bzip2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 getattr /usr/share/man/man8/grub-btrfsd.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 file_inherit /usr/share/man/man8/grub-btrfs.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 getattr /usr/share/man/man8/grub-btrfs.8.bz2 comm=bzip2 requested_mask=r denied_mask=r --- apparmor.d/profiles-m-r/mandb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index cd825471dd..551a6fec07 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -17,6 +17,8 @@ profile mandb @{exec_path} { @{exec_path} mr, + @{bin}/bzip2 rix, + /etc/man_db.conf r, /etc/manpath.config r, From 4d15570ff1dd23566ab4a9a79f84424791ef86e1 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:20:06 +0200 Subject: [PATCH 0451/1736] Update grub-mkrelpath ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-08-20T16:43@{busname}.488Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-08-18T13:49@{busname}.739Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-04-11T11@{busname}:58.643Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_@{int16}5/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-08-20T16:43@{busname}.488Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-08-18T13:49@{busname}.739Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-04-11T11@{busname}:58.643Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_@{int16}5/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r --- apparmor.d/groups/grub/grub-mkrelpath | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 789f68287a..7b5f7eaa17 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -26,7 +26,7 @@ profile grub-mkrelpath @{exec_path} { /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_@{int}/boot/ r, + /tmp/grub-btrfs.*/@_backup_**/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, From 2c64ab91cb58f56590dd9b8a4cfb878da05769ba Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 15:33:55 +0200 Subject: [PATCH 0452/1736] Update grub-mkrelpath --- apparmor.d/groups/grub/grub-mkrelpath | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 7b5f7eaa17..d4508b4c5a 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -26,7 +26,7 @@ profile grub-mkrelpath @{exec_path} { /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_**/boot/ r, + /tmp/grub-btrfs.*/@_backup_*/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, From b3dd09ce0198d0724d1f43b099b4e205a5ec9b5b Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:13:22 +0200 Subject: [PATCH 0453/1736] Update gnome-boxes ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ladspa.rdfs comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ladspa-rubberband.rdf comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb2/2-3/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-6/1-6.2/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-14/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-13/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r --- apparmor.d/groups/gnome/gnome-boxes | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 2462c20713..16aa4e862a 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -36,6 +36,7 @@ profile gnome-boxes @{exec_path} { @{bin}/virsh rCx -> virsh, @{bin}/virtqemud rPUx, + /usr/share/ladspa/rdf/{,*} r, /usr/share/osinfo/{,**} r, /usr/share/gnome-boxes/{,**} r, @@ -55,6 +56,8 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, + owner @{user_share_dirs}/gnome-boxes/images/ rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, owner @{tmp}/*.svg-@{rand6} rw, @@ -66,6 +69,7 @@ profile gnome-boxes @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/@{pci}/usb@{int}/** r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, From ddee0512797143a1b31dbdf41c965234fc61f8b2 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 15:35:42 +0200 Subject: [PATCH 0454/1736] Update gnome-boxes --- apparmor.d/groups/gnome/gnome-boxes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 16aa4e862a..1447715b78 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -56,7 +56,8 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, - owner @{user_share_dirs}/gnome-boxes/images/ rw, + owner @{user_share_dirs}/gnome-boxes/ rw, + owner @{user_share_dirs}/gnome-boxes/** rwk, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, From 8b49f9ebf5c85f2ca94a8e111b1161e2ebc258ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 17:52:57 +0200 Subject: [PATCH 0455/1736] feat(profile): update telegram path fix #821 --- apparmor.d/profiles-s-z/telegram-desktop | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index d967f42294..c1544af727 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/telegram-desktop +@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram profile telegram-desktop @{exec_path} { include include @@ -35,10 +35,11 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{open_path} rPx -> child-open-strict, + @{bin}/systemd-detect-virt rPx, owner @{user_share_dirs}/TelegramDesktop/ rw, owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, From 0f017048e445cb21f764e480d332f64d79b0907d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 17:57:40 +0200 Subject: [PATCH 0456/1736] fix(profile): fix att path in flatpak fix #820 --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-portal | 4 ++-- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 6b671f0e00..4122e8055d 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -77,6 +77,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, # Can create dotfile directories for any app owner @{user_cache_dirs}/*/ w, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 84e2d79643..ac1e418949 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -34,8 +34,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner /att/**/ r, owner @{att}/.flatpak-info r, - owner @{HOME}/.var/app/*/**/.ref rw, - owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_share_dirs}/mime/mime.cache r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index c6efaf3602..be66f7484d 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -29,8 +29,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{att}/@{HOME}/.var/app/** r, - owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, From e7a91b307e025498c37b15302f5c8e63d027938d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:01:31 +0200 Subject: [PATCH 0457/1736] fix(profile): fusermount with fsarchiver fix #817 --- apparmor.d/groups/filesystem/ntfs-3g | 2 ++ apparmor.d/profiles-a-f/fusermount | 1 + 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/filesystem/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g index d94d7a0f22..e4749177ce 100644 --- a/apparmor.d/groups/filesystem/ntfs-3g +++ b/apparmor.d/groups/filesystem/ntfs-3g @@ -34,6 +34,8 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver + umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 3df041e643..a84b85322f 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -30,6 +30,7 @@ profile fusermount @{exec_path} { umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, + umount /tmp/fsa/*/, # fsarchiver @{exec_path} mr, From ec73d8349e1461995817bfeb5303dd85ea165543 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:05:05 +0200 Subject: [PATCH 0458/1736] fix(profile): gnome access to chromium shared. fix #806 --- apparmor.d/groups/gnome/gnome-shell | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 95874290f3..0f91b7283b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -303,6 +303,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, From ba217a261ed39ad0ec20e909a89ac3618c8fd180 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:15:38 +0200 Subject: [PATCH 0459/1736] feat(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 9 ++++----- apparmor.d/groups/flatpak/flatpak-app | 4 ++++ apparmor.d/groups/flatpak/flatpak-portal | 6 ++++++ 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 4122e8055d..c540b9db8e 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -40,14 +40,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, - #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - member=GetMountPoint - peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), + #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper + #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @{exec_path} mr, @@ -138,6 +136,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgconf mr, @{bin}/gpgsm mr, @{bin}/gpg-agent rix, + @{lib}/gnupg/scdaemon rix, @{HOME}/@{XDG_GPG_DIR}/*.conf r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index f2cd0295a0..e8fe195fb7 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -48,6 +48,10 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { signal receive set=(int term) peer=flatpak-portal, signal receive set=(int term) peer=flatpak-session-helper, + unix type=seqpacket peer=(label=dbus-session), + # unix type=seqpacket peer=(label=unconfined), + unix type=seqpacket peer=(label=xdg-dbus-proxy), + @{bin}/** rmix, @{lib}/** rmix, /app/** rmix, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index ac1e418949..b86f0a4fdd 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -10,6 +10,7 @@ include profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include + include include capability sys_ptrace, @@ -22,6 +23,11 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/flatpak rPx, From 2d3831221af1662619f74f10a208aff01c599665 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:16:43 +0200 Subject: [PATCH 0460/1736] feat(profile): update cups profiles. --- apparmor.d/groups/cups/cups-browsed | 5 ++++- apparmor.d/groups/cups/ippfind | 22 ++++++++++++++++++++++ apparmor.d/groups/cups/print-backends-cups | 19 +++++++++++++++++++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/cups/ippfind create mode 100644 apparmor.d/groups/cups/print-backends-cups diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 9498f245a5..a7773a57fd 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -38,7 +38,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=PrinterDeleted + member={PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), @{exec_path} mr, @@ -52,7 +52,10 @@ profile cups-browsed @{exec_path} { /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + owner @{tmp}/@{hex} rw, + @{run}/cups/certs/* r, + @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind new file mode 100644 index 0000000000..c2a944b112 --- /dev/null +++ b/apparmor.d/groups/cups/ippfind @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ippfind +profile ippfind @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/echo rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups new file mode 100644 index 0000000000..6ab6007cb1 --- /dev/null +++ b/apparmor.d/groups/cups/print-backends-cups @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/@{multiarch}/print-backends/cups +profile print-backends-cups @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 46d4207d716dc895d2ec2405f80ea04fbc2bf336 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:22:59 +0200 Subject: [PATCH 0461/1736] feat(profile): makepkg: handle lsb_release and pager. --- apparmor.d/groups/pacman/makepkg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 583d0b9c08..84136638c7 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -29,9 +29,11 @@ profile makepkg @{exec_path} { file, + @{pager_path} Px -> child-pager, @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, + @{bin}/lsb_release Px, @{bin}/sudo Cx -> sudo, deny capability sys_ptrace, From fb82d8d0d60f9c0bc7726c1084bbad3b1b2f26b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:27:22 +0200 Subject: [PATCH 0462/1736] feat(profile): small gnome related improvement. --- apparmor.d/groups/gnome/evolution-addressbook-factory | 8 ++++---- apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 4 ++-- apparmor.d/groups/gnome/papers | 4 ++++ apparmor.d/groups/network/ModemManager | 1 + apparmor.d/groups/network/mullvad-daemon | 1 + 8 files changed, 15 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 3d83232e13..98c94c79ea 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -30,7 +30,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -38,12 +38,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + peer=(name=@{busname}, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -53,7 +53,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 435d055fad..4c84fe822e 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -20,6 +20,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability fsetid, capability kill, capability net_admin, + capability sys_admin, capability sys_nice, capability sys_tty_config, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 64568eab0c..8887ce797f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -72,6 +72,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{run}/user/@{uid}/gsconnect/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index c10261c02e..7e817f4901 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -37,6 +37,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/byobu/desktop/{,**} r, /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index f8d4280a02..af5ff2f057 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -20,8 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(hup) peer=gsd-printer, + signal receive set=(term, hup) peer=gdm*, + signal send set=(hup) peer=gsd-printer, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 27000b93a8..6f5a137a34 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -25,6 +25,10 @@ profile papers @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 8220516bf1..22b94effd5 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -17,6 +17,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, network qipcrtr dgram, network netlink raw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 735154b7e3..d5c93fc5c7 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -62,6 +62,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, @{sys}/fs/cgroup/system.slice/cpu.max r, @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, @{PROC}/@{pid}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, From b53e0b7d395ee15c7a79c6ce896e4d871d4103d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:30:44 +0200 Subject: [PATCH 0463/1736] feat(abs): add the oneapi abs. --- apparmor.d/abstractions/oneapi | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/oneapi diff --git a/apparmor.d/abstractions/oneapi b/apparmor.d/abstractions/oneapi new file mode 100644 index 0000000000..17225ef035 --- /dev/null +++ b/apparmor.d/abstractions/oneapi @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Intel oneAPI compiler libraries + + abi , + + /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, + /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + + include if exists + +# vim:syntax=apparmor From 81636262f18b65bc1bf0b09a48fce1df6d9f7b0a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:42:38 +0200 Subject: [PATCH 0464/1736] feat(abs): add the java abstraction. --- apparmor.d/abstractions/java | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/java diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java new file mode 100644 index 0000000000..91472d21e7 --- /dev/null +++ b/apparmor.d/abstractions/java @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/java/{,**} r, + + /etc/java/{,**} r, + /etc/java-*/{,**} r, + + include if exists + +# vim:syntax=apparmor From fbb1768aa699b3f68c4d682b7dacfd362a1d091c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:46:26 +0200 Subject: [PATCH 0465/1736] feat(abs): add the amdgpu abstraction. --- apparmor.d/abstractions/amdgpu | 30 +++++++++++++++++++++++++++ apparmor.d/abstractions/graphics-full | 2 ++ 2 files changed, 32 insertions(+) create mode 100644 apparmor.d/abstractions/amdgpu diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu new file mode 100644 index 0000000000..181d868643 --- /dev/null +++ b/apparmor.d/abstractions/amdgpu @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Kernel Fusion Driver for AMD GPUs + + abi , + + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + + @{sys}/devices/virtual/kfd/kfd/dev r, + @{sys}/devices/virtual/kfd/kfd/topology/ r, + @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/system_properties r, + @{sys}/devices/virtual/kfd/kfd/uevent r, + @{sys}/module/amdgpu/initstate r, + + /dev/kfd rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index eb60edb4d9..1e2c97224d 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -4,7 +4,9 @@ abi , + include include + include @{sys}/devices/@{pci}/numa_node r, From 0817911b579fa417a46fd03f9dbec5398bc3180e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:48:36 +0200 Subject: [PATCH 0466/1736] feat(abs): add more core abstractions They will at term replace the freedesktop abstraction. --- apparmor.d/abstractions/desktop-files | 22 ++++++++++++++++++++++ apparmor.d/abstractions/gsettings | 13 +++++++++++++ apparmor.d/abstractions/icons | 26 ++++++++++++++++++++++++++ apparmor.d/abstractions/mime | 17 +++++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 apparmor.d/abstractions/desktop-files create mode 100644 apparmor.d/abstractions/gsettings create mode 100644 apparmor.d/abstractions/icons create mode 100644 apparmor.d/abstractions/mime diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files new file mode 100644 index 0000000000..d616dad83a --- /dev/null +++ b/apparmor.d/abstractions/desktop-files @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/applications/{,**} r, + @{system_share_dirs}/*ubuntu/applications/{,**} r, + @{system_share_dirs}/gnome/applications/{,**} r, + @{system_share_dirs}/xfce4/applications/{,**} r, + + /etc/gnome/defaults.list r, + /etc/xfce4/defaults.list r, + + /var/lib/snapd/desktop/applications/{,**} r, + + owner @{user_share_dirs}/applications/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gsettings new file mode 100644 index 0000000000..788b144869 --- /dev/null +++ b/apparmor.d/abstractions/gsettings @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/glib-2.0/schemas/ r, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons new file mode 100644 index 0000000000..0dd44e33c1 --- /dev/null +++ b/apparmor.d/abstractions/icons @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/icons/{,**} r, + @{system_share_dirs}/pixmaps/{,**} r, + + /opt/**/share/icons/{,**} r, + /opt/*/**.desktop r, + /opt/*/**/*.png r, + + /var/lib/snapd/desktop/icons/{,**} r, + + owner @{HOME}/.icons/{,**} r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/icons/{,**} r, + owner @{user_share_dirs}/mime/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime new file mode 100644 index 0000000000..6622c99ddc --- /dev/null +++ b/apparmor.d/abstractions/mime @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/ r, + @{system_share_dirs}/mime/{,**} r, + + /etc/mime.types r, + + owner @{user_share_dirs}/mime/mime.cache r, + + include if exists + +# vim:syntax=apparmor From 3b2f745bcaa126150e8f3f8f4bda6150a63e950c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 19:25:00 +0200 Subject: [PATCH 0467/1736] feat(abs): use the new core abs in desktop. --- apparmor.d/abstractions/desktop | 21 ++++++++------------- apparmor.d/abstractions/desktop-files | 5 +++++ apparmor.d/abstractions/gnome-strict | 14 +++++++------- apparmor.d/abstractions/gsettings | 1 + apparmor.d/abstractions/icons | 3 --- apparmor.d/abstractions/kde-strict | 10 +++++----- apparmor.d/abstractions/mime | 7 ++++++- apparmor.d/abstractions/recently-used | 21 +++++++++++++++++++++ 8 files changed, 53 insertions(+), 29 deletions(-) create mode 100644 apparmor.d/abstractions/recently-used diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 878f6f7944..4a32a1aa78 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,10 +9,14 @@ abi , + include include - include + include include + include + include include + include include include include @@ -24,16 +28,11 @@ member=Introspect peer=(name=@{busname}, label=gnome-shell), - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{version}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{version}/gnome-mimeapps.list r, - - / r, # deny? + / r, owner @{user_share_dirs}/gnome-shell/session.gvdb rw, @@ -49,8 +48,6 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -65,8 +62,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/@{profile_name}* rwlk, owner @{user_config_dirs}/session/#@{int} rw, @@ -82,7 +77,7 @@ # end /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/*.ids r, # FIXME: a bit too wide /usr/share/icu/@{int}.@{int}/*.dat r, include if exists diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files index d616dad83a..9c0a8b941c 100644 --- a/apparmor.d/abstractions/desktop-files +++ b/apparmor.d/abstractions/desktop-files @@ -12,11 +12,16 @@ /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/{,**} r, /var/lib/snapd/desktop/applications/{,**} r, owner @{user_share_dirs}/applications/{,**} r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/{,**} r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index fadaedcbf3..445c62e6b7 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,9 +4,14 @@ abi , + include include - include + include include + include + include + include + include include include include @@ -20,14 +25,9 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, / r, diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gsettings index 788b144869..4d22f080b2 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gsettings @@ -5,6 +5,7 @@ abi , + @{system_share_dirs}/ r, @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons index 0dd44e33c1..6a721b8370 100644 --- a/apparmor.d/abstractions/icons +++ b/apparmor.d/abstractions/icons @@ -16,10 +16,7 @@ owner @{HOME}/.icons/{,**} r, - owner @{user_config_dirs}/mimeapps.list r, - owner @{user_share_dirs}/icons/{,**} r, - owner @{user_share_dirs}/mime/{,**} r, include if exists diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index fd994d12db..5fbdd7869f 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,10 +4,14 @@ abi , + include include - include + include include + include + include include + include include include include @@ -26,8 +30,6 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -42,8 +44,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime index 6622c99ddc..9a70edaf87 100644 --- a/apparmor.d/abstractions/mime +++ b/apparmor.d/abstractions/mime @@ -9,8 +9,13 @@ @{system_share_dirs}/mime/{,**} r, /etc/mime.types r, + /etc/xdg/{,*-}mimeapps.list r, - owner @{user_share_dirs}/mime/mime.cache r, + /var/cache/gio-@{version}/{,*-}-mimeapps.list r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/mime/{,**} r, include if exists diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used new file mode 100644 index 0000000000..d3a7ec289e --- /dev/null +++ b/apparmor.d/abstractions/recently-used @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.recently-used.xbel rw, + owner @{HOME}/.recently-used.xbel.@{rand6} rwl, + owner @{HOME}/.recently-used.xbel.lock rwk, + + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + + owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? + + include if exists + +# vim:syntax=apparmor From 1506ae04d8c24763cc83779c14ff321afef458a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:03:19 +0200 Subject: [PATCH 0468/1736] fix(profile): /att/**/ instead of @{att}/ --- apparmor.d/groups/freedesktop/pipewire | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 97e3c61196..02a370cdc2 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -40,7 +40,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, / r, - @{att}/ r, + /att/**/ r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, From cea9fd56141484f5bf3a2b6bf16970789f563e38 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:37:48 +0200 Subject: [PATCH 0469/1736] feat(profile): improve kde integration see #559 --- apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/kde/kded | 3 +++ apparmor.d/groups/kde/kioworker | 1 + .../groups/kde/kscreen_backend_launcher | 2 +- .../groups/kde/ksmserver-logout-greeter | 2 +- apparmor.d/groups/kde/kwalletd | 2 +- apparmor.d/groups/kde/kwin_wayland | 19 ++++++++++++++++++- apparmor.d/groups/kde/plasmashell | 7 ++++--- apparmor.d/groups/kde/sddm | 1 + apparmor.d/groups/kde/wayland-session | 3 +-- 10 files changed, 32 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 8611328878..2307c709fb 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -39,6 +39,7 @@ profile DiscoverNotifier @{exec_path} { @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/metainfo/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index f2f2489ab4..e8be8a0dd9 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -182,6 +182,9 @@ profile kded @{exec_path} { @{sys}/class/leds/ r, + @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 69b7353106..71465df976 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -49,6 +49,7 @@ profile kioworker @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 7df07f64b8..00b4c96307 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -13,8 +13,8 @@ profile kscreen_backend_launcher @{exec_path} { include include include + include include - include #aa:dbus own bus=session name=org.kde.KScreen #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 67e56c3c64..e5ea15c298 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ksmserver-logout-greeter @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter -profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index ad96cb512e..de175635a3 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -45,7 +45,7 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, - owner @{run}/user/@{uid}/kwallet{5,6}.socket r, + owner @{run}/user/@{uid}/kwallet{5,6}.socket rw, owner @{tmp}/kwalletd5.* rw, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 243e0adfe4..c11f951be6 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/kwin_wayland -profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { +profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -46,6 +46,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, + /etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -53,6 +54,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/kglobalaccel/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, + /usr/share/kwin-wayland/{,**} r, /usr/share/kwin/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, @@ -179,6 +181,21 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile ibus { + include + include + + @{sh_path} r, + @{lib}/{,ibus/}ibus-x11 rPx, + + /etc/xdg/Xwayland-session.d/10-ibus-x11 r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 68ea4fc0c0..e767d7bb59 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -70,7 +70,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/{,**} mr, @{bin}/dolphin rPx, - @{bin}/ksysguardd rix, + @{bin}/ksysguardd rPUx, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, @{lib}/kf{5,6}/kdesu{,d} rix, @@ -104,7 +104,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/appstream.conf r, /etc/fstab r, - /etc/ksysguarddrc r, /etc/machine-id r, /etc/os-release r, /etc/sensors.d/ r, @@ -166,6 +165,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/klipperrc r, owner @{user_config_dirs}/kmail2.notifyrc r, + owner @{user_config_dirs}/knfsshare r, owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, @@ -200,9 +200,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/wallpapers/{,**} rw, owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasma/* r, owner @{user_state_dirs}/plasmashellstaterc rw, - owner @{user_state_dirs}/plasmashellstaterc.lock rwk, owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, + owner @{user_state_dirs}/plasmashellstaterc.lock rwk, /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b621167044..b9d07e380a 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -92,6 +92,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, @{bin}/Hyprland rPx, + @{bin}/ksecretd rPUx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/labwc rPx, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 56914137bf..c07b068156 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/sddm/wayland-session profile wayland-session @{exec_path} { include + include include @{exec_path} mr, @@ -39,8 +40,6 @@ profile wayland-session @{exec_path} { owner @{user_share_dirs}/sddm/wayland-session.log rw, - /dev/tty rw, - include if exists } From f18fc88253b82ca04bb92c2b68f2efb75afc55b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:39:18 +0200 Subject: [PATCH 0470/1736] feat(profile): kde: improve dbus rules. --- apparmor.d/groups/kde/baloorunner | 3 +++ apparmor.d/groups/kde/kaccess | 1 + apparmor.d/groups/kde/kactivitymanagerd | 1 + apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 2 ++ apparmor.d/groups/kde/ksmserver-logout-greeter | 9 +++++++++ apparmor.d/groups/kde/ksplashqml | 1 + apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/kde/sddm | 1 + 10 files changed, 21 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 702288a1f2..64372f4972 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,6 +10,9 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 65582d1ba0..4b1e734edc 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -18,6 +18,7 @@ profile kaccess @{exec_path} { include #aa:dbus own bus=session name=org.kde.kaccess + #aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1cc6b41d1e..ead285e5f1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,6 +11,7 @@ include profile kactivitymanagerd @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index c961ed7a34..01706e6492 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -28,6 +28,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, #aa:dbus own bus=system name=org.freedesktop.Policy.Power + #aa:dbus own bus=system name=org.kde.kf5auth path=/ #aa:dbus own bus=session name=local.org_kde_powerdevil #aa:dbus own bus=session name=org.freedesktop.PowerManagement diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e8be8a0dd9..93c70329e2 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -68,6 +68,7 @@ profile kded @{exec_path} { #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" dbus receive bus=system path=/ diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 156bdf9281..b9c09d0c61 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,7 +9,9 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e5ea15c298..e46237c2a8 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,6 +11,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include + include + include include include include @@ -18,6 +22,11 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate include include + #aa:dbus own bus=session name=org.kde.LogoutPrompt path=/LogoutPrompt + + #aa:dbus talk bus=session name=org.kde.LogoutPrompt path=/Shutdown label=plasma-shutdown + #aa:dbus talk bus=session name=org.kde.KWin label=kwin_wayland + @{exec_path} mr, @{lib}/os-release r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index e1d5d73944..ea80e28cd8 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -11,6 +11,7 @@ profile ksplashqml @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index c11f951be6..51f09c8c45 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -35,7 +35,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix type=stream peer=(label=xwayland), #aa:dbus own bus=session name=org.freedesktop.ScreenSaver - #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.kglobalaccel path=/kglobalaccel #aa:dbus own bus=session name=org.kde.KWin #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect #aa:dbus own bus=session name=org.kde.screensaver diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b9d07e380a..08835eaf01 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -55,6 +55,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=system name=org.freedesktop.DisplayManager #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 interface=org.freedesktop.login1.Manager label="@{p_systemd_logind}" @{exec_path} mr, From 53df40b8ac3b95eab40ed8e4ffe41f9c4f52d2eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:40:36 +0200 Subject: [PATCH 0471/1736] feat(profile) gvfs: more dbus integration. --- apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++ apparmor.d/groups/gvfs/gvfsd-http | 1 + apparmor.d/groups/gvfs/gvfsd-network | 10 ++++++++++ apparmor.d/groups/gvfs/gvfsd-recent | 5 +++++ apparmor.d/groups/gvfs/gvfsd-sftp | 26 ++++++++++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-wsdd | 13 ++++++++++++- 6 files changed, 59 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 6c61dbba4b..ab786106c6 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -38,6 +38,11 @@ profile gvfsd-dnssd @{exec_path} { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 5812c8a6e7..f51ef2afe3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,6 +11,7 @@ include profile gvfsd-http @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index cd64d81ada..1af0a2b37d 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -32,6 +32,16 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}), + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 042b66a680..1219c8cbdd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -33,6 +33,11 @@ profile gvfsd-recent @{exec_path} { member=RegisterMount peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, # Full access to user's data diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 157af621cb..76bb55e986 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -10,10 +10,36 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp profile gvfsd-sftp @{exec_path} { include + include + include include include include + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gnome-extension-gsconnect), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=nautilus), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), + @{exec_path} mr, @{bin}/ssh rPx, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 209971ac28..0dee4e73bb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -13,6 +13,7 @@ profile gvfsd-wsdd @{exec_path} { include include include + include network netlink raw, @@ -31,9 +32,19 @@ profile gvfsd-wsdd @{exec_path} { member=RegisterMount peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-network), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - @{bin}/env r, + @{bin}/env mr, @{bin}/wsdd rPx, @{run}/mount/utab r, From 15b8a6cea4dbdbd34a103f643ea13b085e424987 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 21:22:25 +0200 Subject: [PATCH 0472/1736] fix: linter issue. --- apparmor.d/groups/kde/kwin_wayland | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 51f09c8c45..e2e3ecfe0a 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -184,7 +184,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile ibus { include include - + @{sh_path} r, @{lib}/{,ibus/}ibus-x11 rPx, From bfe35f254e31557bdc75f08a6c0f02f005291b75 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 17:40:48 +0200 Subject: [PATCH 0473/1736] feat(profile): small improvement for snap. --- apparmor.d/groups/snap/snap | 16 +++++++++++----- apparmor.d/groups/snap/snap-seccomp | 6 +++++- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index ef0a086a88..564fd91516 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -18,6 +18,8 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include + capability chown, + capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, @@ -70,10 +72,10 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{DESKTOP_HOME}/snap/{,**} rw, /snap/{,**} rw, - @{HOME}/snap/{,**} rw, - owner @{HOME}/ r, - owner @{HOME}/.snap.mkdir-new/ rw, - owner @{HOME}/.snap/{,**} rw, + @{HOME}/ r, + @{HOME}/.snap.mkdir-new/ rw, + @{HOME}/.snap/{,**} rw, + @{HOME}/snap/{,**} rw, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @@ -102,7 +104,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, /dev/ttyS@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, profile gpg { include diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 9605c544a1..2a14fd583f 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -27,7 +27,11 @@ profile snap-seccomp @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/mountinfo r, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, include if exists } From 7b0a78b1f13743eae7f59efbaf501654955e7372 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 17:42:49 +0200 Subject: [PATCH 0474/1736] feat(abs): improve dbus core abstractions --- apparmor.d/abstractions/bus/org.freedesktop.Accounts | 4 ++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- .../abstractions/bus/org.freedesktop.portal.Desktop | 10 +++++----- apparmor.d/abstractions/bus/org.freedesktop.secrets | 4 ++-- .../abstractions/bus/org.gnome.Mutter.IdleMonitor | 4 ++-- apparmor.d/abstractions/bus/org.gnome.SessionManager | 5 +++++ apparmor.d/abstractions/bus/org.gtk.Notifications | 2 +- apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker | 2 +- 8 files changed, 19 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index d15288d46e..e77f17b88c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -8,8 +8,8 @@ dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label="@{p_accounts_daemon}"), + member={FindUserByName,ListCachedUsers,FindUserById} + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index aa48e69b18..4ddf95af32 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -23,7 +23,7 @@ dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,AllForNow,CacheExhausted} + member={ItemNew,ItemRemove,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), dbus receive bus=system path=/ diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 2753a6602e..4d4faf6887 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -14,22 +14,22 @@ dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop + dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.host.portal.Registry diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index a2389a68a2..e30e7b1c24 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -8,8 +8,8 @@ dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,ReadAlias} - peer=(name="@{busname}", label=gnome-keyring-daemon), + member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 3eb301f188..8eb573f7e9 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -13,8 +13,8 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} - peer=(name="@{busname}", label=gnome-shell), + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} + peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 0683a98fb2..a532b67f2a 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -13,6 +13,11 @@ member={RegisterClient,IsSessionRunning} peer=(name="@{busname}", label=gnome-session-binary), + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={Inhibit,Uninhibit} + peer=(name="@{busname}", label=gnome-session-binary), + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications index b9229f204c..ad1a1ffad9 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -8,7 +8,7 @@ dbus send bus=session path=/org/gtk/Notifications interface=org.gtk.Notifications - member=RemoveNotification + member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index d88afd0ee0..c455d4f183 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -21,7 +21,7 @@ dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=Mounted + member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), include if exists From e9f0b77f2d00d748841dd78832368671a3549936 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 18:59:08 +0200 Subject: [PATCH 0475/1736] feat(profile): update btop. --- apparmor.d/profiles-a-f/btop | 42 ++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bab483dde3..4910629ce3 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -10,15 +10,16 @@ include profile btop @{exec_path} { include include - include include + capability kill, + capability perfmon, capability sys_ptrace, network netlink raw, - signal (send), - ptrace (read), + signal send, + ptrace read, @{exec_path} mr, @@ -27,33 +28,42 @@ profile btop @{exec_path} { /etc/fstab r, owner @{user_config_dirs}/btop/{,**} rw, + owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/**/stat r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/{,**}/ r, @{sys}/devices/@{pci}/net/*/{,**} r, + @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, + @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, + @{sys}/devices/*/events/{,*} r, + @{sys}/devices/platform/*/ r, + @{sys}/devices/power/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, - @{PROC} r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/loadavg r, - @{PROC}/spl/kstat/zfs/arcstats r, - @{PROC}/uptime r, - owner @{PROC}/@{pid}/mounts r, + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/@{tid}/comm rw, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, From d6885803cbfe3d420b1eb15b9562aae68228ad9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 21:32:51 +0200 Subject: [PATCH 0476/1736] fear(abs): update dbus core abs. --- .../bus/org.freedesktop.ColorManager | 7 ++++ .../bus/org.freedesktop.FileManager1 | 5 +++ .../abstractions/bus/org.freedesktop.UPower | 10 ++++- .../bus/org.freedesktop.hostname1 | 1 + .../bus/org.freedesktop.portal.Desktop | 15 +++++++ .../abstractions/bus/org.freedesktop.resolve1 | 6 +-- .../bus/org.gnome.Mutter.IdleMonitor | 2 +- .../bus/org.gnome.Shell.SearchProvider2 | 10 +++++ .../abstractions/bus/org.gtk.vfs.Daemon | 2 +- .../bus/org.kde.StatusNotifierItem | 24 +++++++++++ .../bus/org.kde.StatusNotifierWatcher | 42 ++++++++++++++++++- .../bus/org.mpris.MediaPlayer2.Player | 27 +++++++----- 12 files changed, 133 insertions(+), 18 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 3a63d95dcc..e230924297 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow for color managed applications to communicate with colord + abi , #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" @@ -21,6 +23,11 @@ member={DeviceAdded,DeviceRemoved} peer=(name="@{busname}", label="@{p_colord}"), + dbus (receive, send) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceByProperty + peer=(name="@{busname}", label="@{p_colord}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 76095edaf4..a08c98b26c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -6,6 +6,11 @@ #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.FileManager1 + member=ShowItems + peer=(name=org.freedesktop.FileManager1, label=nautilus), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index d82fbdef09..64b400a3e3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -2,10 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can query UPower for power devices, history and statistics. + abi , #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices @@ -13,7 +16,12 @@ dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties - member=GetDisplayDevice + member={GetDisplayDevice,GetCriticalAction} + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + + dbus send bus=system path=/org/freedesktop/UPower/devices/** + interface=org.freedesktop.UPower.Device + member={GetHistory,Refresh} peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 0a8d86be17..165e3ae6ec 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -5,6 +5,7 @@ abi , #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 4d4faf6887..4778dd6dc4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -11,6 +11,11 @@ member=Read peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} @@ -41,6 +46,16 @@ member=Response peer=(name=@{busname}, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member={StateChanged,CreateMonitor} + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index e2c4b38865..fe6d52dc67 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), + member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} + peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 8eb573f7e9..d1ff350fcd 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -14,7 +14,7 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} - peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 index baa96cc78a..ae8b68448b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -6,6 +6,16 @@ #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas} + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member=*Cancel + peer=(name=@{busname}, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 66910007bb..93ad35fe59 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -7,7 +7,7 @@ dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 43947d52a7..87fd06727d 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -4,6 +4,30 @@ abi , + include + + dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} + interface=org.kde.StatusNotifierItem + member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index d9ca82881c..90a78d2ed4 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -2,14 +2,52 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow to display Status Notifier Items in the KDE Plasma systray + abi , - #aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label="@{pp_app_indicator}"), + + + dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} + interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} + member={Get*,AboutTo*,Event*} + peer=(label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem - peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={ProvideXdgActivationToken,Activate} + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={AboutToShow,GetLayout,Event} + peer=(label="@{pp_app_indicator}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player index d8581be079..d71b7ac1ea 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -4,27 +4,34 @@ abi , - #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + # DBus.Properties: read all properties from the interface + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}), + # DBus.Properties: receive property changed events dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=@{busname}), - dbus receive bus=session path=/org/mpris/MediaPlayer2 - interface=org.mpris.MediaPlayer2.Player - member=Seeked + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Introspectable + member=Introspect peer=(name=@{busname}), - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=Get + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member={Seeked,Next,PlayPause} peer=(name=@{busname}), + # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}), + interface=org.mpris.MediaPlayer2.Player + member=Seeked + peer=(name=org.freedesktop.DBus), include if exists From eb2def65a1900c681bfc43fd9d4dbb450fc4f4be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 21:47:00 +0200 Subject: [PATCH 0477/1736] feat(abs): move some dbus abs to the session subfolder. --- .../{own-accessibility => accessibility/own} | 2 +- .../bus/org.freedesktop.systemd1-session | 16 ------------ .../bus/session/org.freedesktop.systemd1 | 26 +++++++++++++++++++ .../bus/{own-session => session/own} | 2 +- .../bus/{own-system => system/own} | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/kde/kcminit | 2 +- apparmor.d/profiles-s-z/spotify | 1 + pkg/prebuild/directive/dbus.go | 2 +- 11 files changed, 35 insertions(+), 24 deletions(-) rename apparmor.d/abstractions/bus/{own-accessibility => accessibility/own} (93%) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.systemd1-session create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 rename apparmor.d/abstractions/bus/{own-session => session/own} (93%) rename apparmor.d/abstractions/bus/{own-system => system/own} (93%) diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/accessibility/own similarity index 93% rename from apparmor.d/abstractions/bus/own-accessibility rename to apparmor.d/abstractions/bus/accessibility/own index cd8e42e523..d1eab1ce7b 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session deleted file mode 100644 index 577cc3ed92..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnit - peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 new file mode 100644 index 0000000000..0c8185be60 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnit + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/session/own similarity index 93% rename from apparmor.d/abstractions/bus/own-session rename to apparmor.d/abstractions/bus/session/own index 91515adb04..d975ebb48b 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/session/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/system/own similarity index 93% rename from apparmor.d/abstractions/bus/own-system rename to apparmor.d/abstractions/bus/system/own index d48931f4fb..2b1130b323 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/system/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 4e3440656c..9a42bcdf1a 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,8 +11,8 @@ profile gdm-session @{exec_path} { include include include - include include + include signal (receive) set=(hup term) peer=gdm-session-worker, signal (receive) set=(term) peer=gdm, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 8b0ea63076..447c030d6d 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,7 +14,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index b8da39a4db..35f43a93eb 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index bd01bf3c8a..4f8b10a327 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,7 +10,7 @@ include profile kcminit @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 3c18059a9b..0eb5eab439 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -25,6 +25,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 06fedffb51..891eb9e1de 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -111,7 +111,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { res := aa.Rules{ &aa.Include{ - IsMagic: true, Path: "abstractions/bus/own-" + rules["bus"], + IsMagic: true, Path: "abstractions/bus/" + rules["bus"] + "/own", }, &aa.Dbus{ Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], From 30618828097267ced9833cdf16de350eac1b05b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:04:07 +0200 Subject: [PATCH 0478/1736] feat(profile): update dbus rules for Ubuntu. --- apparmor.d/groups/freedesktop/dconf | 1 + apparmor.d/groups/freedesktop/pipewire-pulse | 3 +++ .../polkit-kde-authentication-agent | 2 ++ apparmor.d/groups/freedesktop/wireplumber | 5 +++++ .../groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-document-portal | 3 ++- .../gnome/evolution-addressbook-factory | 5 +++++ apparmor.d/groups/gnome/gjs-console | 2 ++ apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-characters | 2 +- apparmor.d/groups/gnome/gnome-control-center | 5 ++--- .../groups/gnome/gnome-extension-gsconnect | 2 ++ apparmor.d/groups/gnome/gnome-shell | 4 ++-- apparmor.d/groups/gnome/gnome-software | 11 ++++++++++ apparmor.d/groups/gnome/gnome-system-monitor | 4 ++++ apparmor.d/groups/gnome/gsd-media-keys | 14 +++++-------- apparmor.d/groups/gnome/gsd-power | 1 + .../groups/gnome/gsd-print-notifications | 20 ++++++++++++++++++- apparmor.d/groups/gnome/gsd-xsettings | 12 ++++++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 8 +++++++- apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/gnome/ptyxis-agent | 5 ++++- apparmor.d/groups/network/wg-quick | 1 + apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/systemd/resolvectl | 7 +++++++ .../groups/ubuntu/software-properties-gtk | 6 +++++- apparmor.d/groups/ubuntu/update-notifier | 1 + apparmor.d/profiles-a-f/alacarte | 3 +++ apparmor.d/profiles-a-f/element-desktop | 1 + apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-m-r/pinentry-gnome3 | 4 +++- apparmor.d/profiles-s-z/spotify | 11 ++++++++++ apparmor.d/profiles-s-z/superproductivity | 11 +++++++++- 35 files changed, 142 insertions(+), 26 deletions(-) diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index be4972f042..20b453df4c 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include + include include capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index fddbe02f7b..e6e6e59c5f 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -13,12 +13,15 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, ptrace read, + #aa:dbus own bus=session name=org.pulseaudio.Server + @{exec_path} mr, @{bin}/pactl rix, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 8a08f02d0b..5e7a75a8db 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,8 +11,10 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 80c3135f56..7aff8bdd28 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -32,6 +32,11 @@ profile wireplumber @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/midi{,server@{int}} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label="@{p_bluetoothd}"), + @{exec_path} mr, /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 35c81f0bce..89acacd34a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus receive bus=session diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index d2db2612e3..84c0fce420 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -30,7 +30,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents + #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 98c94c79ea..c9a9d72c97 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -55,6 +55,11 @@ profile evolution-addressbook-factory @{exec_path} { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gnome/evolution/dataserver/** + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=obexd), + @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 0cfd4c4206..6d6d6ea852 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -17,8 +17,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 235c0ce9e1..7d6d5246d5 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -23,7 +23,6 @@ profile gnome-calendar @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.Calendar - #aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory @@ -32,6 +31,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9af2b7d5f5..7ce936e52d 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -11,13 +11,13 @@ profile gnome-characters @{exec_path} { include include include + include include include include include #aa:dbus own bus=session name=org.gnome.Characters - #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 41b62df09b..1c35a8ec10 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -14,6 +14,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -42,9 +43,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 8887ce797f..3f57b3035d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,8 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0f91b7283b..b7706ccf48 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,7 +25,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -87,7 +86,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 7e817f4901..71141595bc 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,6 +9,12 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include + include + include + include + include + include + include include include include @@ -24,6 +30,11 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + #aa:dbus own bus=session name=org.freedesktop.PackageKit + #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + @{exec_path} mr, @{bin}/baobab rPUx, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a3d039deaa..a99d566c0b 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,6 +9,10 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6cae2d49b6..7f02d8bf42 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,6 +20,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -38,7 +39,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label="@{p_systemd_logind}"), + peer=(name=@{busname}, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus @@ -48,17 +49,12 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-power), + peer=(name=@{busname}, label=gsd-power), dbus receive bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-power), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), + peer=(name=@{busname}, label=gsd-power), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 2fa0b0b1f0..379f7b8148 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index af5ff2f057..59123f4851 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=ServerStarted + member={ServerStarted,PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session @@ -38,6 +38,24 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member={CacheExhausted,ItemNew} + peer=(name=@{busname}, label=avahi-daemon), + dbus receive bus=system path=/Client4/RecordBrowser3 + interface=org.freedesktop.Avahi.RecordBrowser + member=ItemNew + peer=(name=@{busname}, label=avahi-daemon), + @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index abf30bc407..2e21750b94 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,10 +36,20 @@ profile gsd-xsettings @{exec_path} { #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetId + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label="@{p_accounts_daemon}"), + peer=(name=@{busname}, label="@{p_accounts_daemon}"), @{exec_path} mr, @{sh_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index d89d4d6f92..398b2b6794 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -12,6 +12,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index fc9b923d87..17bdc5f131 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -31,9 +31,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { unix type=stream peer=(label=gnome-shell), #aa:dbus own bus=session name=org.freedesktop.FileManager1 - #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" + #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell @@ -49,6 +50,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=Print peer=(name=@{busname}, label=nautilus), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 6f5a137a34..9a22e3de86 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/papers profile papers @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index a6f7e5b631..a0a57d5164 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index ce60a26c38..7a05b2254e 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/ptyxis-agent profile ptyxis-agent @{exec_path} { include + include + include include - include include + include + include signal send set=hup peer=unconfined, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index c89a12a476..33de681479 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/wg-quick profile wg-quick @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 5799ced5b0..f761ecf297 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label="@{p_polkitd}"), + peer=(name=@{busname}, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label="@{p_polkitd}"), + peer=(name=@{busname}, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 58f2d88f8c..3013d8ae69 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -21,8 +21,15 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/resolvconf/system, + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1 + interface=org.freedesktop.network1.Manager + member=SetLinkDNSEx + peer=(name=org.freedesktop.network1), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index bb31d88670..15a49066cf 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,19 +9,23 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} { include - include + include include include include include include + include + include include include include include #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 9754aa2311..8e9cddd542 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,6 +14,7 @@ profile update-notifier @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 700c6d517e..b4cfb56e6a 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 7891b67e1f..ec7ee9c65d 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -17,6 +17,7 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 4bed50f13e..0a9e6dfc2f 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -18,6 +18,8 @@ profile libreoffice @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index a955a9c6d6..f4a61b07b4 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -10,9 +10,11 @@ include profile pinentry-gnome3 @{exec_path} { include include + include + include include - signal (receive) set=(int) peer=gpg-agent, + signal receive set=int, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 0eb5eab439..f245e43125 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -21,10 +21,13 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include + include include include include @@ -36,8 +39,16 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Secret + member=RetrieveSecret + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c49a966217..73a86672fb 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -6,7 +6,7 @@ abi , include -@{name} = super{p,P}roductivity +@{name} = super{p,P}roductivity Super?Productivity @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @@ -16,7 +16,16 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include + include include + include + include + include + include + include + include + include + include include network inet stream, From 0fccbef52b1e0d8b713c76d71220ae03bce8fb1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:06:34 +0200 Subject: [PATCH 0479/1736] feat(profile): improve firefox profiles. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/groups/browsers/firefox | 8 ++++++-- apparmor.d/groups/browsers/firefox-crashhelper | 5 +++++ apparmor.d/profiles-s-z/thunderbird-glxtest | 2 ++ 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 68fb148875..238bf9e8bb 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,8 +21,9 @@ include include include - include + include include + include include include include @@ -98,6 +99,7 @@ /var/tmp/ r, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp rw, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, owner @{tmp}/mozilla* rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index bac81c847b..f9ba190a3a 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -21,6 +21,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { signal send set=(term, kill) peer=firefox//&keepassxc-proxy, + unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, + unix type=seqpacket peer=(label=firefox-crashhelper), + #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @@ -46,9 +49,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, # Common extensions + @{bin}/browserpass rPx, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, + @{lib}/browserpass/browserpass-native rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, - @{bin}/browserpass rPx, - @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 55af7c2e28..8ffdccb677 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -15,11 +15,16 @@ include profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include + unix type=seqpacket peer=(label=firefox), + @{exec_path} mr, owner "@{config_dirs}/firefox/Crash Reports/" rw, owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 4dc8913612..53fdb1ffd8 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -18,6 +18,8 @@ profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + @{exec_path} mr, / r, From f21fecc25a60abd0a5d7921112e226c8745c4ce5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:07:09 +0200 Subject: [PATCH 0480/1736] feat(profile): update possible path for browserpass. --- apparmor.d/profiles-a-f/browserpass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index ee7ff958c7..c896e96f8c 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/browserpass +@{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native profile browserpass @{exec_path} flags=(attach_disconnected) { include include From 1724040229186e798f0fd443a22e747e9f3d5b93 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:15:51 +0200 Subject: [PATCH 0481/1736] feat(profile): various ubuntu based improvements. --- .../freedesktop/xdg-desktop-portal-gnome | 2 + apparmor.d/groups/freedesktop/xkbcomp | 1 + .../groups/gnome/evolution-alarm-notify | 2 + apparmor.d/groups/gnome/gnome-system-monitor | 1 + apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 4 +- apparmor.d/groups/gnome/ptyxis | 7 ++- apparmor.d/groups/gnome/ptyxis-agent | 8 +++- apparmor.d/groups/snap/snap | 48 ++++++++++++++++++- apparmor.d/groups/snap/snap-update-ns | 1 + apparmor.d/groups/ssh/ssh | 4 +- apparmor.d/groups/systemd/systemd-coredump | 4 ++ apparmor.d/groups/systemd/systemd-udevd | 2 + apparmor.d/groups/ubuntu/apport | 5 ++ .../groups/ubuntu/software-properties-gtk | 7 ++- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 + apparmor.d/groups/utils/who | 2 + apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-m-r/mkinitramfs | 7 +++ apparmor.d/profiles-m-r/motd | 1 + apparmor.d/profiles-m-r/on-ac-power | 1 + apparmor.d/profiles-s-z/swtpm_setup | 6 +-- 22 files changed, 107 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index bed83627a9..ca5f62f820 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -65,11 +65,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_share_dirs}/applications/{,**} r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 325d444f50..a99e12b7a4 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -17,6 +17,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive) type=stream addr=none peer=(label=kwin_wayland), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index ce8f799bbc..174cb323f3 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -37,6 +37,8 @@ profile evolution-alarm-notify @{exec_path} { /etc/timezone r, + owner @{user_share_dirs}/evolution/datetime-formats.ini r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a99d566c0b..e4ac12011c 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, + /usr/share/byobu/desktop/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 2ad89fe0a0..ae225aa650 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -29,7 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 17bdc5f131..5ad6bb7b57 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -72,7 +72,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/file-roller rPx, @{bin}/firejail rPUx, @{bin}/net rPUx, - @{bin}/tracker3 rPUx, + + @{bin}/* r, + @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index a0a57d5164..838dc940c8 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -13,6 +13,10 @@ profile ptyxis @{exec_path} { include include + unix type=stream peer=(label=ptyxis-agent), + + #aa:dbus own bus=session name=org.gnome.Ptyxis + @{exec_path} mr, @{lib}/ptyxis-agent Px, @@ -25,11 +29,12 @@ profile ptyxis @{exec_path} { owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + owner @{user_config_dirs}/ubuntu-xdg-terminals.list r, owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - owner /tmp/#@{int} w, + owner /tmp/#@{int} rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 7a05b2254e..cf497e39f9 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -25,7 +25,9 @@ profile ptyxis-agent @{exec_path} { @{bin}/podman Px, @{bin}/systemd-run Cx -> shell, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_share_dirs}/containers/ w, + owner @{user_share_dirs}/containers/storage/ w, + owner @{user_share_dirs}/containers/storage/overlay-containers/ w, @{PROC}/@{pid}/cmdline r, @@ -37,9 +39,13 @@ profile ptyxis-agent @{exec_path} { signal send, + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + @{bin}/systemd-run mr, @{bin}/@{shells} Ux, + owner @{run}/user/@{uid}/systemd/private rw, + include if exists } diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 564fd91516..927d7a3da5 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -52,11 +52,14 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sh_path} mr, @{bin}/mount rix, @{bin}/getent rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/xdg-settings rCx -> xdg-settings, @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @@ -98,7 +101,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, - owner @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, @@ -125,6 +128,49 @@ profile snap @{exec_path} flags=(attach_disconnected) { include if exists } + profile xdg-settings { + include + include + + @{bin}/xdg-settings mr, + + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, + + @{bin}/xdg-mime Px, + + include if exists + } + + profile run { + include + + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + + @{bin}/systemd-run mr, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 5d7c18d595..157651ac31 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -61,6 +61,7 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 03236196ca..bf71a8463e 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -45,8 +45,8 @@ profile ssh @{exec_path} { audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/ r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 54f366c2f3..db1854f1fb 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -37,6 +37,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /opt/** r, /usr/share/*/** r, @{user_lib_dirs}/** r, + /snap/*/@{int}/opt/** r, + /snap/*/@{int}/usr/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, @@ -45,6 +47,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /var/lib/systemd/coredump/{,**} rwl, + owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, + @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 9c993e0d5d..62bada2a87 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -35,6 +35,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + unix type=stream addr=@@{udbus}/bus/udevadm/, + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index fbc433c05b..2fa7bb92a7 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -43,6 +43,11 @@ profile apport @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.md5sums r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/triggers/* r, + /var/lib/dpkg/updates/ r, + + /var/lib/systemd/coredump/*.zst r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 15a49066cf..440ef41170 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/software-properties-gtk -profile software-properties-gtk @{exec_path} { +profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include @@ -62,6 +62,10 @@ profile software-properties-gtk @{exec_path} { owner @{tmp}/tmp@{word8}/ rw, owner @{tmp}/tmp@{word8}/apt.conf rw, + /dev/shm/ r, + owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{rand8} rw, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @{sys}/devices/ r, @@ -75,6 +79,7 @@ profile software-properties-gtk @{exec_path} { owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 34b6977327..e8d847e92e 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -52,6 +52,8 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, + owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, + owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw, diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index fd49b2becd..d951bfe03a 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -20,6 +20,8 @@ profile who @{exec_path} { @{run}/systemd/sessions/* r, + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 5df66e6bdb..2d781a734c 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -42,6 +42,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, + owner /var/lib/fwupd/ w, owner /var/lib/fwupd/.cache/ w, @{user_cache_dirs}/dconf/user rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 42489117e8..c6caf364f3 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -174,6 +174,7 @@ profile mkinitramfs @{exec_path} { /usr/share/initramfs-tools/scripts/{,**/} r, /etc/initramfs-tools/scripts/{,**/} r, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, include if exists @@ -189,6 +190,12 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, + @{sys}/module/compression r, include if exists diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index 6cdb0fbf84..de742b2c99 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -10,6 +10,7 @@ include profile motd @{exec_path} { include include + include capability net_admin, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index 16ccfd9da3..d6426f7175 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -14,6 +14,7 @@ profile on-ac-power @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 08ee1532e5..5795ddfcca 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner @{tmp}/swtpm_setup.certs.*/ w, - owner @{tmp}/swtpm_setup.certs.*/*.cert rw, - owner @{tmp}/.swtpm_setup.pidfile* rw, + owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw, + owner @{tmp}/swtpm_setup.certs.@{rand6}/ w, + owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw, include if exists } From 9b7c1acb1bbad1465159935a0274991637d069c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:52:08 +0200 Subject: [PATCH 0482/1736] build: cosmetic on build task name. --- pkg/prebuild/builder/abi.go | 2 +- pkg/prebuild/builder/attach.go | 2 +- pkg/prebuild/builder/complain.go | 2 +- pkg/prebuild/builder/enforce.go | 2 +- pkg/prebuild/builder/fsp.go | 2 +- pkg/prebuild/builder/hotfix.go | 2 +- pkg/prebuild/builder/userspace.go | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 492e3cc31b..b0052d13fb 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&ABI3{ Base: prebuild.Base{ Keyword: "abi3", - Msg: "Convert all profiles from abi 4.0 to abi 3.0", + Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) } diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index aeafcbf7d8..d279081291 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -18,7 +18,7 @@ func init() { RegisterBuilder(&ReAttach{ Base: prebuild.Base{ Keyword: "attach", - Msg: "Re-attach disconnected path", + Msg: "Feat: re-attach disconnected path", }, }) } diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index dbd9b3478e..8ee205564a 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -25,7 +25,7 @@ func init() { RegisterBuilder(&Complain{ Base: prebuild.Base{ Keyword: "complain", - Msg: "Set complain flag on all profiles", + Msg: "Build: set complain flag on all profiles", }, }) } diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index a7ce90a7a8..3d3d218c63 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -19,7 +19,7 @@ func init() { RegisterBuilder(&Enforce{ Base: prebuild.Base{ Keyword: "enforce", - Msg: "All profiles have been enforced", + Msg: "Build: all profiles have been enforced", }, }) } diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index 8f7fb42020..12dab15cd8 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -23,7 +23,7 @@ func init() { RegisterBuilder(&FullSystemPolicy{ Base: prebuild.Base{ Keyword: "fsp", - Msg: "Prevent unconfined transitions in profile rules", + Msg: "Feat: prevent unconfined transitions in profile rules", }, }) } diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go index f7e6143b1a..be8750f260 100644 --- a/pkg/prebuild/builder/hotfix.go +++ b/pkg/prebuild/builder/hotfix.go @@ -26,7 +26,7 @@ func init() { RegisterBuilder(&Hotfix{ Base: prebuild.Base{ Keyword: "hotfix", - Msg: "Temporary fix for #74, #80 & #235", + Msg: "Fix: temporary solution for #74, #80 & #235", }, }) } diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 37bb3a978b..70dff8ec96 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&Userspace{ Base: prebuild.Base{ Keyword: "userspace", - Msg: "Resolve variable in profile attachments", + Msg: "Fix: resolve variable in profile attachments", }, }) } From bfcf9f846cd5eee8500413ae785d389266070657 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:52:35 +0200 Subject: [PATCH 0483/1736] build: support for unconfined flag. --- pkg/prebuild/builder/complain.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index 8ee205564a..0d6a48f378 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -38,6 +38,9 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { if slices.Contains(flags, "complain") { return profile, nil } + if slices.Contains(flags, "unconfined") { + return profile, nil + } } flags = append(flags, "complain") strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" From 3a17dd33106a8e83d96c50e0522a7373967a6a0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:08:41 +0200 Subject: [PATCH 0484/1736] feat(aa): add support for advanced network rule. --- pkg/aa/network.go | 66 ++++++++++++++++++++++---------- pkg/aa/rule_test.go | 11 ++++++ pkg/aa/templates/rule/network.j2 | 16 ++++++++ 3 files changed, 72 insertions(+), 21 deletions(-) diff --git a/pkg/aa/network.go b/pkg/aa/network.go index d5a2af70b0..15dd4385ef 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -33,34 +33,54 @@ func init() { } } -type AddressExpr struct { - Source string - Destination string - Port string +type LocalAddress struct { + IP string + Port string } -func newAddressExprFromLog(log map[string]string) AddressExpr { - return AddressExpr{ - Source: log["laddr"], - Destination: log["faddr"], - Port: log["lport"], +func newLocalAddressFromLog(log map[string]string) LocalAddress { + return LocalAddress{ + IP: log["laddr"], + Port: log["lport"], } } -func (r AddressExpr) Compare(other AddressExpr) int { - if res := compare(r.Source, other.Source); res != 0 { +func (r LocalAddress) Compare(other LocalAddress) int { + if res := compare(r.IP, other.IP); res != 0 { return res } - if res := compare(r.Destination, other.Destination); res != 0 { + return compare(r.Port, other.Port) +} + +type PeerAddress struct { + IP string + Port string + Src string +} + +func newPeerAddressFromLog(log map[string]string) PeerAddress { + return PeerAddress{ + IP: log["faddr"], + Port: log["fport"], + Src: log["saddr"], + } +} + +func (r PeerAddress) Compare(other PeerAddress) int { + if res := compare(r.IP, other.IP); res != 0 { return res } - return compare(r.Port, other.Port) + if res := compare(r.Port, other.Port); res != 0 { + return res + } + return compare(r.Src, other.Src) } type Network struct { Base Qualifier - AddressExpr + LocalAddress + PeerAddress Domain string Type string Protocol string @@ -90,12 +110,13 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { func newNetworkFromLog(log map[string]string) Rule { return &Network{ - Base: newBaseFromLog(log), - Qualifier: newQualifierFromLog(log), - AddressExpr: newAddressExprFromLog(log), - Domain: log["family"], - Type: log["sock_type"], - Protocol: log["protocol"], + Base: newBaseFromLog(log), + Qualifier: newQualifierFromLog(log), + LocalAddress: newLocalAddressFromLog(log), + PeerAddress: newPeerAddressFromLog(log), + Domain: log["family"], + Type: log["sock_type"], + Protocol: log["protocol"], } } @@ -135,7 +156,10 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } - if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 { + if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 { + return res + } + if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index ee50532a93..ed6e7043d1 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -216,6 +216,17 @@ var ( wMerge: false, wString: "network netlink raw,", }, + { + name: "network3", + fromLog: newNetworkFromLog, + log: network3Log, + rule: network3, + wValidErr: true, + other: network1, + wCompare: -7, + wMerge: false, + wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", + }, { name: "mount", fromLog: newMountFromLog, diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 6f2503a8b8..3694442be4 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 @@ -15,6 +15,22 @@ {{ " " }}{{ . }} {{- end -}} {{- end -}} + {{- with .LocalAddress.IP -}} + {{ " ip=" }}{{ . }} + {{- end -}} + {{- with .LocalAddress.Port -}} + {{ " port=" }}{{ . }} + {{- end -}} + {{- if and .PeerAddress.IP .PeerAddress.Port -}} + {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }} + {{- else -}} + {{- with .PeerAddress.IP -}} + {{ " peer=(ip=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- with .PeerAddress.Port -}} + {{ " peer=(port=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- end -}} {{- "," -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file From 43f30333c6edd648c71789d1755a27b2c4381ac9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:14:52 +0200 Subject: [PATCH 0485/1736] feat(aa): add support for prompt and priority rule. --- pkg/aa/base.go | 6 +++++- pkg/aa/parse.go | 8 +++++++- pkg/aa/templates/rule/qualifier.j2 | 3 +++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index eaf69f71cd..a712a58994 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -99,6 +99,7 @@ func (r Base) addLine(other Rule) bool { } type Qualifier struct { + Priority string Audit bool AccessType string } @@ -109,6 +110,9 @@ func newQualifierFromLog(log map[string]string) Qualifier { } func (r Qualifier) Compare(o Qualifier) int { + if r := compare(r.Priority, o.Priority); r != 0 { + return r + } if r := compare(r.Audit, o.Audit); r != 0 { return r } @@ -116,7 +120,7 @@ func (r Qualifier) Compare(o Qualifier) int { } func (r Qualifier) Equal(o Qualifier) bool { - return r.Audit == o.Audit && r.AccessType == o.AccessType + return r.Priority == o.Priority && r.Audit == o.Audit && r.AccessType == o.AccessType } func (r Qualifier) getLenAudit() int { diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index e01696d747..3b737abfdb 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -15,6 +15,8 @@ const ( tokALLOW = "allow" tokAUDIT = "audit" tokDENY = "deny" + tokPROMPT = "prompt" + tokPRIORITY = "priority" tokARROW = "->" tokEQUAL = "=" tokLESS = "<" @@ -524,7 +526,11 @@ func newRules(rules []rule) (Rules, error) { rule = rule[1:] goto qualifier // Qualifier - case tokALLOW, tokDENY: + case tokPRIORITY: + q.Priority = rule.GetValues(tokPRIORITY).GetString() + rule = rule[1:] + goto qualifier + case tokALLOW, tokDENY, tokPROMPT: q.AccessType = rule.Get(0) rule = rule[1:] goto qualifier diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2 index a0ff554ecc..69181051a0 100644 --- a/pkg/aa/templates/rule/qualifier.j2 +++ b/pkg/aa/templates/rule/qualifier.j2 @@ -3,6 +3,9 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "qualifier" -}} + {{- with .Priority -}} + {{- "priority=" -}}{{ . }}{{ " " }} + {{- end -}} {{- if .Audit -}} {{- "audit " -}} {{- end -}} From 7d1f8852098deaaabbc29697d0111a44fb83e557 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:15:21 +0200 Subject: [PATCH 0486/1736] test(aa): add testdata for network rule. --- pkg/aa/data_test.go | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index b96fd865fa..28aa703d64 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -65,8 +65,34 @@ var ( "denied_mask": "create", "comm": "sddm-greeter", } + network3Log = map[string]string{ + "apparmor": "ALLOWED", + "class": "net", + "operation": "sendmsg", + "info": "failed af match", + "error": "-13", + "profile": "unattended-upgrade", + "comm": "unattended-upgr", + "laddr": "127.0.0.1", + "lport": "57007", + "faddr": "127.0.0.53", + "saddr": "127.0.0.1", + "src": "57007", + "fport": "53", + "sock_type": "dgram", + "protocol": "17", + "requested": "send", + "denied": "send", + } network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} network2 = &Network{Domain: "inet", Type: "dgram"} + network3 = &Network{ + Base: Base{Comment: " failed af match"}, + LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"}, + PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"}, + Type: "dgram", + Protocol: "17", + } // Mount mount1Log = map[string]string{ From 157c365b261a8600404ee7c917b02d194725a6c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:17:10 +0200 Subject: [PATCH 0487/1736] fix(aa): ensure tokenization helper cleanup data. --- pkg/aa/util.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 5a7049d698..523eb99fef 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -148,9 +148,10 @@ func validateValues(kind Kind, key string, values []string) error { func tokenToSlice(token string) []string { res := []string{} - token = strings.Trim(token, "()\n") + token = strings.Trim(token, "()\n ") if strings.ContainsAny(token, ", ") { var sep string + token = strings.ReplaceAll(token, " ", " ") switch { case strings.Contains(token, ","): sep = "," From 107820975ded704279b68a40909a980c222a3da1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:18:41 +0200 Subject: [PATCH 0488/1736] feat(aa): add file kind. --- pkg/aa/apparmor.go | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 6119a0c91e..94e232c810 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -5,12 +5,39 @@ package aa import ( + "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" ) // MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/. var MagicRoot = paths.New("/etc/apparmor.d") +// FileKind represents an AppArmor file kind. +type FileKind uint8 + +const ( + ProfileKind FileKind = iota + AbstractionKind + TunableKind +) + +func KindFromPath(file *paths.Path) FileKind { + dirname := file.Parent().String() + switch { + case strings.Contains(dirname, "abstractions"): + return AbstractionKind + case strings.Contains(dirname, "tunables"): + return TunableKind + case strings.Contains(dirname, "local"): + return AbstractionKind + case strings.Contains(dirname, "mappings"): + return AbstractionKind + default: + return ProfileKind + } +} + // AppArmorProfileFiles represents a full set of apparmor profiles type AppArmorProfileFiles map[string]*AppArmorProfileFile From 7aae9f0dd7a14bfd37246992f1c11a4c96bd8e21 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:30:54 +0200 Subject: [PATCH 0489/1736] build: add stacked-dbus builder Resolve peer label variable in dbus rules. It create a full dbus rule by item in a variable when it is used a peer label. For ubuntu with apparmor 4.1+ See https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 --- pkg/prebuild/builder/stacked-dbus.go | 105 +++++++++++++++++++++++++++ pkg/prebuild/cli/cli.go | 18 +++-- 2 files changed, 116 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/stacked-dbus.go diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go new file mode 100644 index 0000000000..d572e9d311 --- /dev/null +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -0,0 +1,105 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + resolve = map[string][]string{ + `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"}, + `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"}, + } +) + +// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +type StackedDbus struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&StackedDbus{ + Base: prebuild.Base{ + Keyword: "stacked-dbus", + Msg: "Fix: resolve peer label variable in dbus rules", + }, + }) +} + +func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { + var raw string + paragraphs := []string{} + rulesByParagraph := aa.ParaRules{} + + switch kind { + case aa.ProfileKind: + f := &aa.AppArmorProfileFile{} + nb, err := f.Parse(profile) + if err != nil { + return nil, nil, err + } + lines := strings.Split(profile, "\n") + raw = strings.Join(lines[nb:], "\n") + + case aa.AbstractionKind, aa.TunableKind: + raw = profile + } + raw = profile + + r, par, err := aa.ParseRules(raw) + if err != nil { + return nil, nil, err + } + rulesByParagraph = append(rulesByParagraph, r...) + paragraphs = append(paragraphs, par...) + return rulesByParagraph, paragraphs, nil +} + +func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { + kind := aa.KindFromPath(opt.File) + if kind == aa.TunableKind { + return profile, nil + } + + toResolve := []string{} + for k := range resolve { + toResolve = append(toResolve, k) + } + + rulesByParagraph, paragraphs, err := parse(kind, profile) // + if err != nil { + return "", err + } + for idx, rules := range rulesByParagraph { + changed := false + newRules := aa.Rules{} + for _, rule := range rules { + switch rule := rule.(type) { + case *aa.Dbus: + if slices.Contains(toResolve, rule.PeerLabel) { + changed = true + for _, label := range resolve[rule.PeerLabel] { + newRule := *rule + newRule.PeerLabel = label + newRules = append(newRules, &newRule) + } + } else { + newRules = append(newRules, rule) + } + default: + newRules = append(newRules, rule) + } + } + if changed { + profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n") + } + } + return profile, nil +} diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index ab221e485a..8abfb43239 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -108,16 +108,20 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak - // that fully prevent profiles compilation with re-attached paths. - // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 - if prebuild.Distribution != "ubuntu" { - builder.Register("attach") - prepare.Register("attach") - } else if prebuild.Release["VERSION_CODENAME"] == "noble" { + // Re-attach disconnected path + if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { + // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent + // profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + + // Use stacked-dbus builder to resolve dbus rules + builder.Register("stacked-dbus") + + } else { builder.Register("attach") prepare.Register("attach") } + default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } From 2fcf4c50119de50de5498f30ee7a7a2aff9b5cd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:38:15 +0200 Subject: [PATCH 0490/1736] ci(github): remove test now enabled by default. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9f2addf880..90b709a31a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,11 +47,6 @@ jobs: if [[ ${{ matrix.mode }} == full-system-policy ]]; then sed -e "s/just complain/just fsp-complain/" -i debian/rules fi - if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then - # Test with Re-attach disconnected path - sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go - sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system - fi bash dists/build.sh dpkg - name: Install apparmor.d From bc270954d49993374b14bc2af6b89bb37d7d45ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:53:12 +0200 Subject: [PATCH 0491/1736] feat(abs): add missing bus abs. --- .../bus/org.gnome.SettingsDaemon.MediaKeys | 23 ++++++++++++++++ .../bus/org.gnome.keyring.internal.Prompter | 26 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys create mode 100644 apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys new file mode 100644 index 0000000000..3a461a85a7 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + # DBus.Properties: read all properties from the interface + dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.gnome.SettingsDaemon.MediaKeys + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter new file mode 100644 index 0000000000..1c3e8f7608 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow accessing the GNOME crypto services prompt APIs as used by +# applications using libgcr (such as pinentry-gnome3) for secure pin +# entry to unlock GPG keys etc. See: +# https://developer.gnome.org/gcr/unstable/GcrPrompt.html +# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html +# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + + abi , + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + include if exists + +# vim:syntax=apparmor From 068d205e13b333f077371bd4af37637902f29e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:02:12 +0200 Subject: [PATCH 0492/1736] fix(prebuild): removce ineffectual assignment. --- pkg/prebuild/builder/stacked-dbus.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index d572e9d311..33af33df7d 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -51,7 +51,6 @@ func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { case aa.AbstractionKind, aa.TunableKind: raw = profile } - raw = profile r, par, err := aa.ParseRules(raw) if err != nil { From 7ecc84d3b0e13f5d346a906dceda14321fddae1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:04:15 +0200 Subject: [PATCH 0493/1736] feat(tunable): add pp tunable, improve dbus tunables. --- apparmor.d/tunables/multiarch.d/profiles | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 6868ae87a4..d4fefb0b0b 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -16,8 +16,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}={dbus-system,dbus-system//&unconfined} -@{p_dbus_session}={dbus-session,dbus-session//&unconfined} +@{p_dbus_system}={dbus-system,unconfined} +@{p_dbus_session}={dbus-session,unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system @@ -68,5 +68,12 @@ @{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal +# Profiles Patterns +# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution + +# Notification +@{pp_notification}={plasmashell,gjs-console} +@{pp_app_indicator}={plasmashell,gnome-shell} +@{pp_dbusmenu}={plasmashell,nautilus} # vim:syntax=apparmor From 1d51b1436da8c64232cebe31317bdbebc870bded Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:08:52 +0200 Subject: [PATCH 0494/1736] Small documentation improvements --- docs/development/workflow.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 786d77c938..7cc7c5616b 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -36,7 +36,7 @@ title: Workflow Here is the bare minimum for the program `foo`: ``` sh # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 You +# Copyright (C) 2025 You # SPDX-License-Identifier: GPL-2.0-only abi , @@ -130,7 +130,7 @@ For this individual profile installation to work, the full package needs to be i To discover the access needed by a program, you can use the following tools: -1. Star the program in *complain* mode, let it initialize itself, then close it. +1. Start the program in *complain* mode, let it initialize itself, then close it. 1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: - Convert the logs to AppArmor rules. From 98034784e92400fd2241094f5ca8d85104f8b2f7 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:02:10 +0200 Subject: [PATCH 0495/1736] Add cider profile --- apparmor.d/profiles-a-f/cider | 61 +++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cider diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider new file mode 100644 index 0000000000..f534a00347 --- /dev/null +++ b/apparmor.d/profiles-a-f/cider @@ -0,0 +1,61 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{domain} = sh.cider.genten org.chromium.Chromium +@{lib_dirs} = @{lib}/cider + +@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +profile cider @{exec_path} { + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/chrome-sandbox rpx, + + @{bin}/xdg-settings rpx, + + owner @{user_config_dirs}/sh.cider.genten/ rw, + owner @{user_config_dirs}/sh.cider.genten/** rwk, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, + + /usr/share/xkeyboard-config-2/** r, + + include if exists +} + +# vim:syntax=apparmor From f5970fcc6741419ea96ef5c9c36a321da532e127 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:12:18 +0200 Subject: [PATCH 0496/1736] Remove tabs --- apparmor.d/profiles-a-f/cider | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index f534a00347..71b27bce5c 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -42,11 +42,11 @@ profile cider @{exec_path} { owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, From eedbc2223c1bc84e2e12deb2fd1e041422c5994d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:52:00 +0200 Subject: [PATCH 0497/1736] cider-review-fixes --- apparmor.d/profiles-a-f/cider | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 71b27bce5c..2b203e9890 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -6,10 +6,13 @@ abi , include +@{name} = {C,c}ider sh.cider.genten @{domain} = sh.cider.genten org.chromium.Chromium @{lib_dirs} = @{lib}/cider +@{cache_dirs} = @{user_cache_dirs}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} -@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} { include include @@ -18,8 +21,9 @@ profile cider @{exec_path} { include include include - include + include include + include network inet dgram, network inet6 dgram, @@ -32,15 +36,13 @@ profile cider @{exec_path} { @{lib_dirs}/ r, @{lib_dirs}/** r, @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/chrome-sandbox rpx, + @{lib_dirs}/chrome-sandbox rPx, - @{bin}/xdg-settings rpx, + @{bin}/xdg-settings rPx, owner @{user_config_dirs}/sh.cider.genten/ rw, owner @{user_config_dirs}/sh.cider.genten/** rwk, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, @{PROC}/ r, @{PROC}/@{pid}/stat r, @@ -53,8 +55,6 @@ profile cider @{exec_path} { owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/statm r, - /usr/share/xkeyboard-config-2/** r, - include if exists } From aec7d41a25647f9da3f0b13ddbe53d048bec3ee2 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:03:31 +0200 Subject: [PATCH 0498/1736] add profiles for wayland screen capture tools --- apparmor.d/profiles-g-l/grim | 21 +++++++++++++++++++++ apparmor.d/profiles-s-z/slurp | 23 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-g-l/grim create mode 100644 apparmor.d/profiles-s-z/slurp diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim new file mode 100644 index 0000000000..0ded3d3158 --- /dev/null +++ b/apparmor.d/profiles-g-l/grim @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/grim +profile grim @{exec_path} { + include + include + + @{exec_path} mr, + + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp new file mode 100644 index 0000000000..8d5bcc217d --- /dev/null +++ b/apparmor.d/profiles-s-z/slurp @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/slurp +profile slurp @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + +# often used in combination with grim screen cature tool + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 06f1c0538e9bca4ac1af6862c4553931b33ad108 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:15:04 +0200 Subject: [PATCH 0499/1736] remove whitespace --- apparmor.d/profiles-s-z/slurp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index 8d5bcc217d..c4250275e5 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,12 +9,12 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include - + @{exec_path} mr, /usr/share/icons/{,**} r, -# often used in combination with grim screen cature tool + # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, include if exists From 9a302147bd3b2d6f02d715bcaa0e645f1680295b Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:26:43 +0200 Subject: [PATCH 0500/1736] fix typo --- apparmor.d/profiles-g-l/grim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 0ded3d3158..9f18db07b2 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include - include + include @{exec_path} mr, From ec2c0b1c8e34273069a86caf5b7af3444d4a8e7c Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 24 Aug 2025 17:32:04 +0200 Subject: [PATCH 0501/1736] add default path for plain use --- apparmor.d/profiles-g-l/grim | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9f18db07b2..9e40a8aca5 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -13,6 +13,10 @@ profile grim @{exec_path} { @{exec_path} mr, + owner @{user_config_dirs}/user-dirs.dirs r, + + owner @{HOME}/@{int8}_**_grim.png w, + owner /dev/shm/grim-@{rand6} rw, include if exists From 749ae318fca8bc9a8bed97bedeb883a326d95c13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:35:35 +0200 Subject: [PATCH 0502/1736] feat(profile): aa uses word8 as bug files. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index 1743fd9d0b..1f83680457 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 7cb64af808..07706d0529 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -45,7 +45,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.terminfo/@{int}/dumb r, owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 68729b7fee..7308a5ef03 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, From cf96e7b1d0d37d050fba5a0e758190dc2059443f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:39:28 +0200 Subject: [PATCH 0503/1736] feat(profile): smal snap improvements. --- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/snap/snap-update-ns | 5 +++++ apparmor.d/groups/snap/snapd | 7 ++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b7706ccf48..b34d18c002 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -294,7 +294,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 157651ac31..98ee0e5e73 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -40,11 +40,16 @@ profile snap-update-ns @{exec_path} { / r, /tmp/ r, + @{lib}/ r, /usr/ r, /usr/local/ r, /usr/local/share/ r, /usr/local/share/doc/ rw, /usr/local/share/fonts/ rw, + /usr/share/ r, + /usr/share/drirc.d w, + /usr/share/X11/ r, + /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 7e2c288b63..06de560634 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -99,7 +99,8 @@ profile snapd @{exec_path} { /usr/share/bash-completion/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**/} r, + /usr/share/polkit-1/actions/{,**} r, + /usr/share/polkit-1/actions/snap.*.policy r, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -147,6 +148,7 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, @@ -227,6 +229,9 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, + @{bin}/tar ix, + + owner @{HOME}/snap/*/common/.cache/{,**} r, include if exists } From 81d020173d4f0336a95cc6562c161336685abb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:09:09 +0200 Subject: [PATCH 0504/1736] feat(profile): general update. --- apparmor.d/groups/bus/dbus-accessibility | 6 +++--- apparmor.d/groups/children/child-open-strict | 2 ++ apparmor.d/groups/gnome/gnome-software | 7 ++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/papers | 4 +++- apparmor.d/groups/gpg/gpg | 3 ++- apparmor.d/groups/pacman/paccache | 3 +++ apparmor.d/groups/pacman/pacman-hook-code | 1 + .../systemd-generator-user-autostart | 3 +-- apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/usb/lsusb | 1 + apparmor.d/groups/utils/dmesg | 1 + apparmor.d/groups/utils/lsblk | 1 + apparmor.d/groups/virt/cockpit-bridge | 5 +++++ apparmor.d/groups/virt/cockpit-session | 4 +++- apparmor.d/groups/virt/libvirt-dbus | 5 +++++ apparmor.d/groups/virt/libvirtd | 7 +++++++ apparmor.d/profiles-a-f/borg | 1 + apparmor.d/profiles-a-f/btop | 2 +- apparmor.d/profiles-a-f/console-setup | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 6 +++--- apparmor.d/profiles-g-l/gitstatusd | 4 ++-- apparmor.d/profiles-g-l/homebank | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-g-l/linux-check-removal | 2 ++ apparmor.d/profiles-g-l/lsb-release | 14 ++++++++++---- apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mdadm | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 1 + apparmor.d/profiles-s-z/spotify | 4 ++++ apparmor.d/profiles-s-z/syncthing | 5 +---- apparmor.d/profiles-s-z/tomb | 4 +++- apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/virt-manager | 1 - apparmor.d/profiles-s-z/wemeet | 2 +- apparmor.d/profiles-s-z/which | 1 + 40 files changed, 89 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index f876d1210f..a8c13b3fd7 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include include network inet dgram, @@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 7faf52185e..4296f03aff 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { @{browsers_path} Px, @{file_explorers_path} Px, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + include if exists include if exists } diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71141595bc..f3845daefb 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -33,7 +33,12 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 398b2b6794..cabcca0628 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -27,6 +27,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=loupe//bwrap, + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" dbus send bus=system path=/org/freedesktop/hostname1 diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5ad6bb7b57..d8e7c33416 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -35,6 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 9a22e3de86..0318c72654 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/papers -profile papers @{exec_path} { +profile papers @{exec_path} flags=(attach_disconnected) { include include include @@ -16,6 +16,8 @@ profile papers @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b658235208..40c23b6609 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,7 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, @@ -39,6 +39,7 @@ profile gpg @{exec_path} { /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8331951e72..d68c0b8324 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index ee23781f44..3e916efe3f 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} { @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index 8e3ebb6b3c..ff4c746646 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -10,14 +10,13 @@ include profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include + include include capability net_admin, @{exec_path} mr, - @{system_share_dirs}/applications/*.desktop r, - @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index d7c61e336b..a55bf752db 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 62bada2a87..640e48f3f4 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, @{att}/@{run}/systemd/notify w, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 440ef41170..af91c7eaa8 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -64,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rw, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index b5a24940d0..a10659292d 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -14,6 +14,7 @@ profile lsusb @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 14ace0dead..2976d13162 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 7559e4e48f..6fc1d5bb25 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index bf3d482043..d8c71803d0 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} { include include include + include + include include + include include include @@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 3fbefadb79..ba51fc8a50 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,6 +10,7 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -28,7 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index f3bbaf0196..971cdf55ee 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{sbin}/libvirtd rPx, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 44d6962f52..f10da17988 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -92,6 +92,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 6d2683ade0..544be3be04 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -33,6 +33,7 @@ profile borg @{exec_path} { @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 4910629ce3..bac8aea758 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -48,7 +48,7 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 7a11e407fa..aa0a56648a 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -13,7 +13,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/mkdir rix, @{run}/console-setup/ rw, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 87c2bbabab..2e7723995d 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -13,16 +13,16 @@ include @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 579536674d..aabde9cef0 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} { include signal receive set=term peer=*//shell, - signal receive set=term peer=vscode, + signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index cb459919fa..7fbe74040e 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} { +profile homebank @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 2370271ec4..47cbb22a2e 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 0a9e6dfc2f..dfb9361f3b 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -27,6 +27,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -107,6 +108,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 04d2f03308..f2895299f2 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -16,6 +16,8 @@ profile linux-check-removal @{exec_path} { @{bin}/stty rix, + /etc/shadow r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index d2d52d3628..5214632dc8 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -30,10 +30,16 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { #aa:only apt @{bin}/dpkg-query px, - /etc/ r, - /etc/*-release r, - /etc/lsb-release r, - /etc/lsb-release.d/{,*} r, + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index cae5c1c3dc..1365367643 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -68,6 +68,7 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 15adcb9e68..4cc5fc9fb3 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} { +profile mdadm @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ca9680aea8..a9bd819e3b 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -33,6 +33,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { /etc/lsb-release r, /etc/machine-id r, + /etc/os-release r, owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f245e43125..ed1ccfe1c4 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -57,6 +57,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, @@ -70,6 +72,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 83e1b2f450..d504b0c153 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -11,6 +11,7 @@ include profile syncthing @{exec_path} { include include + include include include include @@ -26,10 +27,6 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - @{HOME}/ r, @{HOME}/** rwk, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 9b0912bd9e..df4258b8c4 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,6 +21,7 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @@ -43,11 +44,11 @@ profile tomb @{exec_path} { @{bin}/findmnt rix, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -64,6 +65,7 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, + @{sbin}/losetup rix, @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 76ec27b68e..9c686b19d9 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -16,6 +16,7 @@ profile udev-fido_id @{exec_path} { /etc/udev/udev.conf r, @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index aed85abe31..8a1b5f3556 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -51,7 +51,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 3606533d7d..0b83e44c82 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -13,10 +13,10 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index df049741fc..c4de427ff8 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -33,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists From 4db65834a402444b18a10fc7e43b879dc79f5ff5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:15:42 +0200 Subject: [PATCH 0505/1736] feat(abs): glibc: restrict auxv maps and statux to owner. --- apparmor.d/abstractions/glibc | 12 +++++++++--- apparmor.d/groups/apt/apt-overlay | 1 - apparmor.d/groups/polkit/polkitd | 3 ++- apparmor.d/groups/procps/ps | 1 + apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-m-r/mdevctl | 2 -- apparmor.d/profiles-s-z/syncoid | 2 -- 8 files changed, 14 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index aa6e14416e..8536470bd5 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -22,9 +22,15 @@ @{PROC}/stat r, # Glibc's *printf protections read the maps file - @{PROC}/@{pid}/auxv r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/status r, + owner @{PROC}/@{pid}/auxv r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/status r, + + # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, + # but in a format that is simpler to manage, because it doesn't require to + # parse the text data inside a file, but just reading the contents of + # a directory. + owner @{PROC}/@{pid}/map_files/ r, # Glibc statvfs @{PROC}/filesystems r, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 4ba9e57d70..7f59635eb1 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, - owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index c2de7f8b60..fa00311cd7 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -65,8 +65,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 1d9ae50cba..7663cbf5da 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index ad3d969901..2765d8f101 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index f10da17988..2b0530ef52 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -284,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - owner @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, /dev/net/tun rw, diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 906dcf512e..408947c831 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -19,8 +19,6 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index e275fb764c..fc30c5fd69 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - @{PROC}/@{pids}/maps r, - include if exists } From 544204e511ce6938fb2da2b9f01d28fd3ce34338 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:22:22 +0200 Subject: [PATCH 0506/1736] feat(abs): add the user-dirs abstraction. --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/user-dirs | 14 ++++++++++++++ .../groups/freedesktop/xdg-user-dirs-gtk-update | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-update | 4 +--- apparmor.d/groups/systemd/systemd-path | 3 +-- apparmor.d/profiles-g-l/grim | 3 +-- apparmor.d/profiles-s-z/spice-vdagent | 8 ++++---- 9 files changed, 25 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/abstractions/user-dirs diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 4a32a1aa78..1bb4c20eac 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -17,6 +17,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 445c62e6b7..72d09126ec 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 5fbdd7869f..02a0bc9c52 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs new file mode 100644 index 0000000000..189f8eb38e --- /dev/null +++ b/apparmor.d/abstractions/user-dirs @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + + owner @{user_config_dirs}/user-dirs.dirs r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index b2ae65450b..cf488af63b 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -14,13 +14,13 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include + include @{exec_path} mr, @{bin}/xdg-user-dirs-update Px, owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, owner @{tmp}/dirs-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 7177703a9b..09c66d6ac7 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -9,13 +9,11 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include + include include @{exec_path} mr, - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 747527776e..0d061d8459 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -10,11 +10,10 @@ include profile systemd-path @{exec_path} { include include + include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - include if exists } diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9e40a8aca5..5717837ec4 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include + include include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - owner @{HOME}/@{int8}_**_grim.png w, owner /dev/shm/grim-@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index c73f5f678e..158ea6a7fa 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,10 +19,12 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include + include + include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -38,7 +39,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, From e50e87bd618543d9a638b4512bf8d72b82eb9524 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:14 +0200 Subject: [PATCH 0507/1736] feat(abs): update base additions. --- apparmor.d/abstractions/base.d/complete | 30 +++++++++++++------------ 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ad3945eb94..d89688b70c 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -8,20 +8,20 @@ signal receive peer=@{p_systemd_user}, # Allow to receive some signals from new well-known profiles - signal (receive) peer=btop, - signal (receive) peer=htop, - signal (receive) peer=pkill, - signal (receive) peer=sudo, - signal (receive) peer=top, - signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(hup term) peer=login, - signal (receive) set=(hup) peer=xinit, - signal (receive) set=(term,kill) peer=gnome-shell, - signal (receive) set=(term,kill) peer=gnome-system-monitor, - signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(term,kill) peer=su, - - ptrace (readby) peer=@{p_systemd_coredump}, + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=pkill, + signal receive peer=sudo, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(hup term) peer=login, + signal receive set=(hup) peer=xinit, + signal receive set=(term,kill) peer=gnome-shell, + signal receive set=(term,kill) peer=gnome-system-monitor, + signal receive set=(term,kill) peer=openbox, + signal receive set=(term,kill) peer=su, + + ptrace readby peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, @@ -30,4 +30,6 @@ @{PROC}/sys/kernel/core_pattern r, + /apparmor/.null rw, + # vim:syntax=apparmor From 5faca8461df97d62d065ca8a7430405621d39e54 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:59 +0200 Subject: [PATCH 0508/1736] feat(abs): remove user-dirs from recently-used abs. --- apparmor.d/abstractions/recently-used | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used index d3a7ec289e..66a80867b2 100644 --- a/apparmor.d/abstractions/recently-used +++ b/apparmor.d/abstractions/recently-used @@ -14,8 +14,6 @@ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, owner @{user_share_dirs}/recently-used.xbel.lock rwk, - owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? - include if exists # vim:syntax=apparmor From c9813dc34f241e392d055234d754b76a0e803102 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:26:17 +0200 Subject: [PATCH 0509/1736] feat(abs): improve dbus rules in open & common gnome abs. --- apparmor.d/abstractions/app/open | 3 ++- apparmor.d/abstractions/common/gnome | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 243d182616..3d91de2351 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,6 +7,8 @@ abi , + include + include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -30,7 +32,6 @@ include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 056f6581bc..f0dd20f478 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -9,6 +9,8 @@ include include include + include + include include include include From 61d8cee932d7671302f786f8f7f2b84d0d057bdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:27:58 +0200 Subject: [PATCH 0510/1736] feat(profile): ssh: cleanup. --- apparmor.d/groups/ssh/ssh-agent | 1 + apparmor.d/groups/ssh/ssh-keygen | 3 ++- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshfs | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index f6732b1cfe..9fc2900b4b 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index b55824e585..1b6dd5e985 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -18,7 +18,8 @@ profile ssh-keygen @{exec_path} { /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, owner /tmp/snapd@{int}/*_*{,.pub} w, owner /tmp/snapd@{int}/*.key{,.pub} w, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 63f2c13706..40cf0bca2c 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -102,7 +102,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 12e7d89306..ee6a2f903a 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -18,7 +18,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{MOUNTS}/*/, mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), @{exec_path} mr, From 5d1ef4087741d3acf84fe50b26c5669ade291f10 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:55:42 +0200 Subject: [PATCH 0511/1736] feat(profile): add some missing proc access. Due to recent changes in base-strict. --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/gnome/gdm-generate-config | 7 ++++--- apparmor.d/groups/procps/htop | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 0ec14bea0c..f563712ca8 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,6 +19,7 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 9d910cdd2b..6e67866f53 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,9 +42,10 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/stat r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index d59fde5e58..4937f68753 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -105,6 +105,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/oom_{,score_}adj r, From be0d481068929ddd1787bbf8cb16a9cf4619deed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:56:41 +0200 Subject: [PATCH 0512/1736] feat(profile): remove common/systemd from systemd-detect-virt. --- apparmor.d/groups/systemd/systemd-detect-virt | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 01e49025ff..9b78b7c043 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,11 +11,10 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include - include - capability net_admin, + capability sys_ptrace, - network netlink raw, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @@ -32,7 +31,14 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, - + @{sys}/hypervisor/type r, + + @{PROC}/1/environ r, + @{PROC}/device-tree/ r, + @{PROC}/device-tree/compatible r, + @{PROC}/device-tree/hypervisor/compatible r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sysinfo r, @{PROC}/xen/capabilities r, /dev/cpu/@{int}/msr r, From 2bb42bfca21bf7b372fccdeb763c33ef0f8875b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:14:12 +0200 Subject: [PATCH 0513/1736] build: add support for apparmor 5.0 (current master branch) --- dists/overwrite | 3 +++ pkg/prebuild/prepare/configure.go | 35 ++++++++++++++++++++++++------- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index c8769ba542..16f8f4a193 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -38,3 +38,6 @@ openvpn remmina transmission wg-quick +systemd-detect-virt # Missing integration with @{p_systemd} +hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables + diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index a6e9544850..cf16f5b8e2 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -23,6 +23,15 @@ func init() { }) } +func removeFiles(files []string) error { + for _, name := range files { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return err + } + } + return nil +} + func (p Configure) Apply() ([]string, error) { res := []string{} @@ -57,19 +66,31 @@ func (p Configure) Apply() ([]string, error) { } - if prebuild.Version == 4.1 { - // Remove files upstreamed in 4.1 + if prebuild.Version >= 4.1 { remove := []string{ + // Remove files upstreamed in 4.1 "abstractions/devices-usb-read", "abstractions/devices-usb", "abstractions/nameservice-strict", "tunables/multiarch.d/base", - "wg", // Upstream version is identical + + // Direct upstream contributed profiles, similar to ours + "wg", } - for _, name := range remove { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { - return res, err - } + if err := removeFiles(remove); err != nil { + return res, err + } + } + if prebuild.Version >= 5.0 { + remove := []string{ + // Direct upstrem contributed profiles, similar to ours + "dig", + "free", + "nslookup", + "who", + } + if err := removeFiles(remove); err != nil { + return res, err } } return res, nil From 57251820e1bafa211deef302d907a21213a1b523 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:48:01 +0200 Subject: [PATCH 0514/1736] build: improve support for aa 5.0 --- dists/overwrite | 5 +++-- pkg/prebuild/prepare/configure.go | 10 ++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 16f8f4a193..70ee1cc41c 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -6,6 +6,7 @@ brave chrome chromium +cockpit-desktop element-desktop epiphany firefox @@ -29,8 +30,8 @@ unix-chkpwd # Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while # They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: -# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile -# - Drop ours: when upstream profiles is better +# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) fusermount3 lsblk lsusb diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index cf16f5b8e2..9ca3b14d33 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,6 +6,7 @@ package prepare import ( "fmt" + "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -92,6 +93,15 @@ func (p Configure) Apply() ([]string, error) { if err := removeFiles(remove); err != nil { return res, err } + + // @{pci_bus} was upstreamed in 5.0 + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + return res, path.WriteFile([]byte(out)) } return res, nil } From a3fde24b3deb9ecbd0ddebdf920315b24af46182 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 23:58:39 +0200 Subject: [PATCH 0515/1736] feat: add aliases for all coreutils. --- apparmor.d/tunables/alias.d/coreutils | 112 ++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 apparmor.d/tunables/alias.d/coreutils diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils new file mode 100644 index 0000000000..9fed4fefc8 --- /dev/null +++ b/apparmor.d/tunables/alias.d/coreutils @@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has +# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we +# provide aliases for all the coreutils names to their gnu* counterpart. + + alias /{,usr/}bin/dd -> /usr/bin/gnudd, + alias /{,usr/}bin/tee -> /usr/bin/gnutee, + alias /{,usr/}bin/paste -> /usr/bin/gnupaste, + alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, + alias /{,usr/}bin/env -> /usr/bin/gnuenv, + alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, + alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, + alias /{,usr/}bin/shred -> /usr/bin/gnushred, + alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, + alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, + alias /{,usr/}bin/stty -> /usr/bin/gnustty, + alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, + alias /{,usr/}bin/pr -> /usr/bin/gnupr, + alias /{,usr/}bin/nice -> /usr/bin/gnunice, + alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, + alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, + alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, + alias /{,usr/}bin/logname -> /usr/bin/gnulogname, + alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, + alias /{,usr/}bin/chown -> /usr/bin/gnuchown, + alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, + alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, + alias /{,usr/}bin/true -> /usr/bin/gnutrue, + alias /{,usr/}bin/groups -> /usr/bin/gnugroups, + alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, + alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, + alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, + alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, + alias /{,usr/}bin/rm -> /usr/bin/gnurm, + alias /{,usr/}bin/cat -> /usr/bin/gnucat, + alias /{,usr/}bin/tac -> /usr/bin/gnutac, + alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, + alias /{,usr/}bin/seq -> /usr/bin/gnuseq, + alias /{,usr/}bin/cut -> /usr/bin/gnucut, + alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, + alias /{,usr/}bin/split -> /usr/bin/gnusplit, + alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, + alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, + alias /{,usr/}bin/who -> /usr/bin/gnuwho, + alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, + alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, + alias /{,usr/}bin/ls -> /usr/bin/gnuls, + alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, + alias /{,usr/}bin/arch -> /usr/bin/gnuarch, + alias /{,usr/}bin/head -> /usr/bin/gnuhead, + alias /{,usr/}bin/date -> /usr/bin/gnudate, + alias /{,usr/}bin/wc -> /usr/bin/gnuwc, + alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, + alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, + alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, + alias /{,usr/}bin/du -> /usr/bin/gnudu, + alias /{,usr/}bin/cp -> /usr/bin/gnucp, + alias /{,usr/}bin/tty -> /usr/bin/gnutty, + alias /{,usr/}bin/sync -> /usr/bin/gnusync, + alias /{,usr/}bin/fold -> /usr/bin/gnufold, + alias /{,usr/}bin/users -> /usr/bin/gnuusers, + alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, + alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, + alias /{,usr/}bin/sort -> /usr/bin/gnusort, + alias /{,usr/}bin/[ -> /usr/bin/gnu[, + alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, + alias /{,usr/}bin/od -> /usr/bin/gnuod, + alias /{,usr/}bin/tr -> /usr/bin/gnutr, + alias /{,usr/}bin/join -> /usr/bin/gnujoin, + alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, + alias /{,usr/}bin/false -> /usr/bin/gnufalse, + alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, + alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, + alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, + alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, + alias /{,usr/}bin/factor -> /usr/bin/gnufactor, + alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, + alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, + alias /{,usr/}bin/basename -> /usr/bin/gnubasename, + alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, + alias /{,usr/}bin/sha1sum -> /usr/bin/gnusha1sum, + alias /{,usr/}bin/ln -> /usr/bin/gnuln, + alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, + alias /{,usr/}bin/echo -> /usr/bin/gnuecho, + alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, + alias /{,usr/}bin/dir -> /usr/bin/gnudir, + alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, + alias /{,usr/}bin/touch -> /usr/bin/gnutouch, + alias /{,usr/}bin/mv -> /usr/bin/gnumv, + alias /{,usr/}bin/sum -> /usr/bin/gnusum, + alias /{,usr/}bin/stat -> /usr/bin/gnustat, + alias /{,usr/}bin/yes -> /usr/bin/gnuyes, + alias /{,usr/}bin/install -> /usr/bin/gnuinstall, + alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, + alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, + alias /{,usr/}bin/tail -> /usr/bin/gnutail, + alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, + alias /{,usr/}bin/comm -> /usr/bin/gnucomm, + alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, + alias /{,usr/}bin/uname -> /usr/bin/gnuuname, + alias /{,usr/}bin/test -> /usr/bin/gnutest, + alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, + alias /{,usr/}bin/link -> /usr/bin/gnulink, + alias /{,usr/}bin/df -> /usr/bin/gnudf, + alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, + alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, + alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, + alias /{,usr/}bin/id -> /usr/bin/gnuid, + alias /{,usr/}bin/nl -> /usr/bin/gnunl, From 2bae05d30940d14ad09a86c5b666257e43c17058 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:05:19 +0200 Subject: [PATCH 0516/1736] feat(abs): add varianttable to apt common. --- apparmor.d/abstractions/common/apt | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 5dd8b26bc0..a267fd9098 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -7,6 +7,7 @@ /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, From 1122f28cacf84e4cfea8796d73d90a0a37b7fb6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:46:40 +0200 Subject: [PATCH 0517/1736] tests(packer): cleanup package install process. - apparmor restart is handled by the package - it is a dev version, so it could fail. --- tests/packer/init.sh | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index bf75c0e1e9..630da6b0f2 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -27,27 +27,21 @@ main() { case "$DISTRIBUTION" in arch) rm -f $SRC/*.sig # Ignore signature files - pacman --noconfirm -U $SRC/*.pkg.tar.zst + rm -f $SRC/*enforced* # Ignore enforced package + pacman --noconfirm -U $SRC/*.pkg.tar.zst || true ;; debian | ubuntu) - apt install -y apparmor-profiles + apt-get install -y apparmor-profiles dpkg -i $SRC/*.deb || true ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - rpm -i $SRC/*.rpm + rpm -i $SRC/*.rpm || true ;; esac - - verb="start" - rm -rf /var/cache/apparmor/* || true - if systemctl is-active -q apparmor; then - verb="reload" - fi - systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" From 94f01c68f696fd858ec65195113cad95f8d514fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:48:11 +0200 Subject: [PATCH 0518/1736] feat(tunable): update home dir for gdm & add desktop_state_dirs. --- apparmor.d/tunables/multiarch.d/system-users | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 885913da3f..73a3267a09 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,11 +5,12 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -17,6 +18,7 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ +@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ @@ -31,5 +33,6 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} +@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor From b5020eac891099c023aad7e3b51375fbe663e0ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:22:01 +0200 Subject: [PATCH 0519/1736] tests(packer): remobe sudo alias --- tests/packer/src/.bash_aliases | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 27e05bf80c..2580556fd7 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,7 +8,6 @@ for nb in $(seq "$1"); do done } -alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear' From 0ada92da328c830fddf1550352c02405d89f9ef8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:35:04 +0200 Subject: [PATCH 0520/1736] refractor(abs): gsettings -> gschemas. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/{gsettings => gschemas} | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/abstractions/{gsettings => gschemas} (88%) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 1bb4c20eac..3bfbcc887e 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -11,7 +11,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 72d09126ec..4d2d390ee8 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gschemas similarity index 88% rename from apparmor.d/abstractions/gsettings rename to apparmor.d/abstractions/gschemas index 4d22f080b2..21a4d860c3 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gschemas @@ -9,6 +9,6 @@ @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 02a0bc9c52..a06a29da47 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index a8c13b3fd7..c254fcd2d3 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -15,7 +15,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include network inet dgram, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index cf497e39f9..982afd90d4 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -13,7 +13,7 @@ profile ptyxis-agent @{exec_path} { include include include - include + include include signal send set=hup peer=unconfined, From d6ddbf104cdfc07615b8f32c306d9db766a9ce77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:56:05 +0200 Subject: [PATCH 0521/1736] refractor(profile): always use the gschemas abstraction. --- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/freedesktop/geoclue | 5 ++--- apparmor.d/groups/gnome/chrome-gnome-shell | 3 +-- apparmor.d/groups/gnome/deja-dup-monitor | 3 +-- apparmor.d/groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 3 +-- apparmor.d/groups/gnome/evolution-source-registry | 3 +-- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gnome-browser-connector-host | 3 +-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 -- apparmor.d/groups/gnome/gsd-a11y-settings | 4 ++-- apparmor.d/groups/gnome/gsd-datetime | 4 ++-- apparmor.d/groups/gnome/gsd-sharing | 4 ++-- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gnome/gsd-usb-protection | 3 +-- apparmor.d/groups/gnome/session-migration | 4 ++-- apparmor.d/groups/gvfs/gvfsd-network | 3 +-- apparmor.d/groups/gvfs/gvfsd-smb-browse | 3 +-- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/profiles-g-l/gsettings | 3 ++- apparmor.d/profiles-m-r/mission-control | 2 +- 22 files changed, 26 insertions(+), 37 deletions(-) diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index d110fb83bb..df17e0d9f4 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,6 +10,7 @@ include profile xdm-xsession @{exec_path} { include include + include include include include @@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 6332f49e23..fbc7a7582b 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include - include include include include include include + include + include include include include @@ -29,8 +30,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 8c6372ba5c..944d5e1d53 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,6 +10,7 @@ include profile chrome-gnome-shell @{exec_path} { include include + include include include include @@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index ac5d6af81c..fcafbda5f8 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -17,6 +17,7 @@ profile deja-dup-monitor @{exec_path} { include include include + include network netlink raw, @@ -44,8 +45,6 @@ profile deja-dup-monitor @{exec_path} { @{bin}/ionice rix, @{bin}/deja-dup Px, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /var/tmp/ r, /tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index c9a9d72c97..b56af123da 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -15,6 +15,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include + include include include include @@ -63,7 +64,6 @@ profile evolution-addressbook-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index fba734ad4f..3d1d00f286 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -14,6 +14,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include @@ -65,8 +66,6 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index a5a1bd414f..299d0738b7 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -13,6 +13,7 @@ profile evolution-source-registry @{exec_path} { include include include + include include include include @@ -47,8 +48,6 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c0..2882c3d9e6 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} { include include include + include include include @@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 95af09ed66..e95762b6ad 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -11,6 +11,7 @@ profile gnome-browser-connector-host @{exec_path} { include include include + include @{exec_path} mr, @@ -19,8 +20,6 @@ profile gnome-browser-connector-host @{exec_path} { @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 2f3e51670e..6ddbd4b4c3 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -35,8 +35,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 5f05c21da3..34ce2884da 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0190ad9b37..af1784e68c 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 45b3ea1b9a..7b47b06767 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -34,7 +35,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index bdacbfd006..98ce848ba3 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 871203e6cf..2b64ddf068 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include + include signal receive set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 2359c9f39e..3bfffdb6ab 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -11,13 +11,12 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - include if exists } diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index aeb46f6c0a..b31532cae7 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include include + include + include include @{exec_path} mr, @@ -21,7 +22,6 @@ profile session-migration @{exec_path} { @{bin}/gsettings rPx, /usr/share/session-migration/scripts/* rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, owner @{gdm_share_dirs}/ w, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 1af0a2b37d..46f543fa43 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -14,6 +14,7 @@ profile gvfsd-network @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -44,8 +45,6 @@ profile gvfsd-network @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 59d778133f..a90cddc504 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -13,6 +13,7 @@ profile gvfsd-smb-browse @{exec_path} { include include include + include include network netlink raw, @@ -35,8 +36,6 @@ profile gvfsd-smb-browse @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 271ff23e49..3d2cbd63de 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -117,7 +117,6 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 849599977e..2e0eb2cf71 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -9,9 +9,10 @@ include @{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} flags=(attach_disconnected) { include - include include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b8e79c0dc8..bf6c550939 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include + include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, From 4f1fddd2fb38dfc5a36bdf0ef32cd815fd380cfb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 14:25:43 +0200 Subject: [PATCH 0522/1736] feat(profile): use natural transition instead of systemd drop in config when possible. As we can transition to the good profile naturally, do not use systemd for it. This bypass the apparmor error: `change_profile unprivileged unconfined converted to stacking`. Note: we cannot do the same for dbus-system and dbus-session are they have the same binary. --- systemd/default/user/at-spi-dbus-bus.service | 2 -- systemd/default/user/org.freedesktop.IBus.session.GNOME.service | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 systemd/default/user/at-spi-dbus-bus.service delete mode 100644 systemd/default/user/org.freedesktop.IBus.session.GNOME.service diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service deleted file mode 100644 index 9c1fad5330..0000000000 --- a/systemd/default/user/at-spi-dbus-bus.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service deleted file mode 100644 index 818d5cdf35..0000000000 --- a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=ibus-daemon From f5e2572457acd411e3b0b7ec0f7725e4a64d0f99 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:37:47 +0200 Subject: [PATCH 0523/1736] feat(profile): cleanup usage of icons abs. --- apparmor.d/groups/freedesktop/xsetroot | 5 +---- apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/hyprland/hyprpaper | 3 +-- apparmor.d/groups/hyprland/hyprpicker | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 1 - apparmor.d/groups/kde/plasmashell | 3 --- apparmor.d/groups/lxqt/lxqt-runner | 1 - 9 files changed, 3 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index bc1291ef42..c0ddcb359b 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include include capability dac_read_search, @@ -18,10 +19,6 @@ profile xsetroot @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, - - owner @{HOME}/.icons/** r, - owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1c35a8ec10..fde43420a7 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -88,7 +88,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, - /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b34d18c002..5eb78d8bb3 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -187,7 +187,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /opt/**/share/icons/{,**} r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 3cb8dca92f..6d0674d9fc 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, - /usr/share/icons/** r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index a46d53f4c2..7becc5fb60 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include + include @{exec_path} mr, @{bin}/wl-copy Px, - /usr/share/icons/** r, - owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, owner /dev/shm/@{uuid} r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 4b1e734edc..b70d506667 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,8 +24,6 @@ profile kaccess @{exec_path} { @{bin}/gsettings rPx, - /usr/share/icons/{,**} r, - /etc/machine-id r, owner @{user_config_dirs}/breezerc r, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index cf9646051b..4560427adf 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,7 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/icons/breeze/index.theme r, /usr/share/mime/{,**} r, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e767d7bb59..45f0d43e9e 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -77,9 +77,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { #aa:exec kioworker - /opt/**/share/icons/{,**} r, - /opt/*/**/*.desktop r, - /opt/*/**/*.png r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 9477c1bda0..5783c1fa08 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -14,7 +14,6 @@ profile lxqt-runner @{exec_path} { @{exec_path} mr, - /usr/share/icons/ r, /usr/share/desktop-directories/ r, /usr/share/desktop-directories/{,**} r, From ac6eac13334224bc5c0273fcef673e6bcbf41a1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:47:07 +0200 Subject: [PATCH 0524/1736] feat(profile): cleanup usage of mime abs. --- apparmor.d/groups/flatpak/flatpak-portal | 5 +---- apparmor.d/groups/flatpak/flatpak-system-helper | 2 +- apparmor.d/groups/freedesktop/colord | 4 +--- apparmor.d/groups/gnome/gnome-photos-thumbnailer | 3 +-- apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer | 3 +-- apparmor.d/groups/gvfs/gvfsd-admin | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 2 -- apparmor.d/groups/kde/startplasma | 2 -- apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/lxqt/startlxqt | 1 - apparmor.d/groups/virt/cni-calico | 3 +-- apparmor.d/groups/virt/k3s | 1 - apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/evince-thumbnailer | 2 +- apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-g-l/hugo | 2 +- apparmor.d/profiles-m-r/mimetype | 11 +---------- 18 files changed, 12 insertions(+), 40 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index b86f0a4fdd..fdbdb9189f 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -32,11 +33,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, - /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner /att/**/ r, owner @{att}/.flatpak-info r, @@ -44,7 +42,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 1381a1483d..0ca01d01de 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -11,6 +11,7 @@ profile flatpak-system-helper @{exec_path} { include include include + include include include include @@ -42,7 +43,6 @@ profile flatpak-system-helper @{exec_path} { /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, - /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 81d0c9f6b1..b3cda6307e 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -31,11 +32,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, - @{system_share_dirs}/mime/mime.cache r, - owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 0182e9dade..31d9b79876 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -9,12 +9,11 @@ include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include + include include @{exec_path} mr, - /usr/share/mime/mime.cache r, - owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 51d5b43cf1..56e448fd8f 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,11 +10,10 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, - @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index e1b16cac30..44248cbe3e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include include capability chown, @@ -20,8 +21,6 @@ profile gvfsd-admin @{exec_path} { @{exec_path} mr, - /usr/share/mime/mime.cache r, - #aa:lint ignore=too-wide # Full access to system's data, but no write access to sensitive system directories / r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index b70d506667..8258d1bdec 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -29,8 +29,6 @@ profile kaccess @{exec_path} { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_share_dirs}/mime/generic-icons r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 4560427adf..571581059a 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,8 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/mime/{,**} r, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 5db93719c6..a8c8cbd13d 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -48,8 +48,6 @@ profile startplasma @{exec_path} { /etc/xdg/plasma-workspace/env/{,*} r, /etc/xdg/plasmarc r, - /var/lib/flatpak/exports/share/mime/ r, - @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 3a4a6cd61e..085b444b19 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -47,7 +47,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-user-dirs-update rPx, /usr/share/ r, - /usr/share/mime/ r, /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index a708e2336b..3ae9071167 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -31,7 +31,6 @@ profile startlxqt @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices5/{,**} r, - /usr/share/mime/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,**} r, diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index a6c9149d2f..9015d2157d 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include + include capability sys_admin, capability net_admin, @@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - /usr/share/mime/globs2 r, - @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 2142e28b98..59c4b94733 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -68,7 +68,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 2b0530ef52..23e8e20d1e 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -23,6 +23,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -141,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 95fdba512f..6fbabaf284 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 58ba493cc9..d7a72c2365 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -17,6 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include include include @@ -57,7 +58,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, - /usr/share/mime/mime.cache r, /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, @@ -77,7 +77,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/} r, @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index ed62f48f11..fd9c3dfa01 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include + include include include @@ -26,7 +27,6 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, - /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 91d021fae9..1576050b51 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -11,22 +11,13 @@ include profile mimetype @{exec_path} { include include + include @{exec_path} r, - /usr/share/mime/**.xml r, - /usr/share/mime/globs r, - /usr/share/mime/aliases r, - /usr/share/mime/magic r, - # To read files owner /** r, #aa:lint ignore=too-wide - owner @{user_share_dirs}/mime/**.xml r, - owner @{user_share_dirs}/mime/globs r, - owner @{user_share_dirs}/mime/aliases r, - owner @{user_share_dirs}/mime/magic r, - include if exists } From 45faf0eee06759b5a9213f65f51519b377a2a1ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:57:09 +0200 Subject: [PATCH 0525/1736] fix(tunable): add missing lightdm_state_dirs tunable. --- apparmor.d/tunables/multiarch.d/system-users | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 73a3267a09..1513aae2f2 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -26,6 +26,7 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ +@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} From a3426fef8cedc0a5b46a6184b2309d40598ecb30 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:23:48 +0200 Subject: [PATCH 0526/1736] feat: precise nvidia devices number. --- apparmor.d/abstractions/nvidia-strict | 2 +- apparmor.d/abstractions/nvidia.d/complete | 2 +- apparmor.d/groups/children/child-modprobe-nvidia | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index c3aa8e8056..a7529eb9ae 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -35,7 +35,7 @@ owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{int} w, # Nvidia graphics devices + /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset rw, /dev/nvidia@{int} rw, /dev/nvidiactl rw, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index ef9d0c40d5..e00385efdf 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{int} rw, # Nvidia graphics devices + /dev/char/195:@{u8} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 61191fe9d2..8e991cee7c 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -41,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{int} w, # Nvidia graphics devices + owner /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, From 9ee26050261c69e4f0654ec0e87e6d26d958b8e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:29:11 +0200 Subject: [PATCH 0527/1736] tests(packer): simplify pkg install script. --- tests/packer/init.sh | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 630da6b0f2..44a86220f0 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -3,16 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eux +set -eux -o pipefail -_lsb_release() { - # shellcheck source=/dev/null - . /etc/os-release - echo "$ID" -} -DISTRIBUTION="$(_lsb_release)" +# shellcheck source=/dev/null +source /etc/os-release || exit 1 readonly SRC=/tmp/ -readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" @@ -24,7 +19,7 @@ main() { install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$DISTRIBUTION" in + case "$ID" in arch) rm -f $SRC/*.sig # Ignore signature files rm -f $SRC/*enforced* # Ignore enforced package @@ -32,8 +27,10 @@ main() { ;; debian | ubuntu) - apt-get install -y apparmor-profiles - dpkg -i $SRC/*.deb || true + # Do not install apparmor.d on the current development version + if [[ $VERSION_ID != "25.10" ]]; then + dpkg -i $SRC/*.deb || true + fi ;; opensuse*) From 9a4d878557b814fbeac1c3636b3cfb29550aa24a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:38:00 +0200 Subject: [PATCH 0528/1736] refractor(abs): add screensaver abs, move bus screensaver abs. --- apparmor.d/abstractions/app/chromium | 3 +-- .../abstractions/bus/org.gnome.ScreenSaver | 21 --------------- .../bus/session/org.freedesktop.ScreenSaver | 26 +++++++++++++++++++ .../org.gnome.ScreenSaver} | 12 +++++---- apparmor.d/abstractions/screensaver | 14 ++++++++++ apparmor.d/groups/gnome/gnome-session-binary | 4 +-- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/element-desktop | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-m-r/pinentry-gnome3 | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 15 files changed, 59 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.ScreenSaver create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver rename apparmor.d/abstractions/bus/{org.freedesktop.ScreenSaver => session/org.gnome.ScreenSaver} (51%) create mode 100644 apparmor.d/abstractions/screensaver diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 8f991c2300..dad131d649 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,11 +26,9 @@ include include include - include include include include - include include include include @@ -40,6 +38,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver deleted file mode 100644 index 46d1a1006c..0000000000 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name="@{busname}", label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver new file mode 100644 index 0000000000..ee837b886c --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/{,org/freedesktop/}ScreenSaver + interface=org.freedesktop.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + dbus receive bus=session path=/org/freedesktop/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver similarity index 51% rename from apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver rename to apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index f73768e9f8..27c4566371 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -2,18 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow checking status, activating and locking the screensaver (GNOME version) + abi , - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), + dbus send bus=session path=/{,org/gnome/}ScreenSaver + interface=org.gnome.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label=gjs-console), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} peer=(name=@{busname}, label=gjs-console), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver new file mode 100644 index 0000000000..1a93690918 --- /dev/null +++ b/apparmor.d/abstractions/screensaver @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + include if exists + include if exists + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 447c030d6d..b011935ae1 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,13 +14,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include - include + include include include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 379f7b8148..39cf990ca4 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -23,7 +23,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 3b34d5055c..e12c25b9d1 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -18,9 +18,9 @@ profile discord @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index ec7ee9c65d..f87486af35 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -18,10 +18,10 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 95e37b4d6e..958f9b5ee1 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -18,10 +18,10 @@ profile freetube @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f4a61b07b4..b60d929e26 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -11,8 +11,8 @@ profile pinentry-gnome3 @{exec_path} { include include include - include include + include signal receive set=int, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index bf07409190..d91285558b 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -18,10 +18,10 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ed1ccfe1c4..659d650fee 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -22,7 +22,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index fc582cae2b..d8b4649563 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,10 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index d572ce9b8a..ccf1abb61d 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -27,6 +26,7 @@ profile vlc @{exec_path} { include include include + include include include From 5cc5a019d4b875ebb283b31848bf9413a8d8e76d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:40:42 +0200 Subject: [PATCH 0529/1736] feat(profile): snap: add support for dev version. --- apparmor.d/groups/snap/snap | 4 ++-- apparmor.d/groups/snap/snap-discard-ns | 2 +- apparmor.d/groups/snap/snap-failure | 2 +- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 ++-- apparmor.d/groups/snap/snapd-aa-prompt-listener | 2 +- apparmor.d/groups/snap/snapd-aa-prompt-ui | 2 +- apparmor.d/groups/snap/snapd-apparmor | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 927d7a3da5..0d38fc0557 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{bin_dirs}/snap profile snap @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns index 38396f3ebe..0ccb3f1c7c 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/groups/snap/snap-failure index edc9845e8c..bed3a2d123 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 2a14fd583f..90c1724beb 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp profile snap-seccomp @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 98ee0e5e73..e831cc90cd 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 06de560634..4a928e6d41 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener index 7b9adced79..37730ba6f8 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui index 0d26f42d3e..99dc98efe3 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 63251a976c..47b939fa0e 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { From 458126e7d7fea79a92b84fef53a455f79b8c0445 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 18:14:32 +0200 Subject: [PATCH 0530/1736] refractor(profile): add notification abs, move bus notifications. --- apparmor.d/abstractions/app/chromium | 2 +- .../bus/org.freedesktop.Notifications | 26 ------------------- .../bus/session/org.freedesktop.Notifications | 21 +++++++++++++++ .../bus/{ => session}/org.gtk.Notifications | 0 apparmor.d/abstractions/notifications | 12 +++++++++ apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 4 ++- apparmor.d/profiles-s-z/transmission | 2 +- 16 files changed, 47 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.Notifications create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Notifications rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Notifications (100%) create mode 100644 apparmor.d/abstractions/notifications diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dad131d649..f08a096ca0 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -38,6 +37,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications deleted file mode 100644 index 6962bf7ecf..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetCapabilities,GetServerInformation,Notify} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={NotificationClosed,CloseNotification} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=Notify - peer=(name=org.freedesktop.DBus, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications new file mode 100644 index 0000000000..5c10a9eaed --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}" + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={GetCapabilities,GetServerInformation,Notify,CloseNotification} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={ActionInvoked,NotificationClosed,NotificationReplied} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications similarity index 100% rename from apparmor.d/abstractions/bus/org.gtk.Notifications rename to apparmor.d/abstractions/bus/session/org.gtk.Notifications diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications new file mode 100644 index 0000000000..8232b54b5d --- /dev/null +++ b/apparmor.d/abstractions/notifications @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 695be9f0d9..e47cc66a32 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,7 +19,6 @@ profile gnome-extension-ding @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-ding @{exec_path} { include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5eb78d8bb3..0876b90d19 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,9 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include - include include include include @@ -41,6 +39,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index f3845daefb..baaac245f3 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,11 +13,11 @@ profile gnome-software @{exec_path} { include include include - include include include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 39cf990ca4..63ab49c5ed 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,7 +18,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -30,6 +29,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8e9cddd542..0de63ac64b 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,13 +14,13 @@ profile update-notifier @{exec_path} { include include include - include include include include include include include + include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index f40d69799a..57487b15c1 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,11 +16,11 @@ include profile dropbox @{exec_path} { include include - include include include include include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 366c2aed65..78781ba282 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include include include include include include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index c2bc95465c..17ca1ec5a7 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index dc190b7876..cafccd791d 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -17,9 +17,9 @@ profile session-desktop @{exec_path} { include include include - include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 659d650fee..56f5e91b8b 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -19,8 +19,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include - include + include include include include @@ -30,6 +31,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index ad219f1ab8..78d67787dd 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -12,12 +12,12 @@ profile transmission @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include + include include include include From bd295d2a9d2fe0afc6361ca8528eb531051e9f0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:04 +0200 Subject: [PATCH 0531/1736] refractor: move gtk dbus to they own abs. --- .../abstractions/bus/session/org.gtk.Actions | 22 +++++++++++++++++++ .../abstractions/bus/session/org.gtk.Settings | 18 +++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 19 ++-------------- 3 files changed, 42 insertions(+), 17 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Actions create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Settings diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions new file mode 100644 index 0000000000..899f244a82 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session + interface=org.gtk.Actions + member={Activate,DescribeAll,SetState}, + + dbus send bus=session + interface=org.gtk.Actions + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings new file mode 100644 index 0000000000..9d2dd282a0 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gsd-xsettings), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 99cf70d972..356e977056 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,23 +2,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState} - peer=(name=@{busname}), - - dbus send bus=session - interface=org.gtk.Actions - member=Changed, - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), + include + include @{lib}/{,@{multiarch}/}gtk*/** mr, From bd7ae9bb56badbb168d88dc0de859f59a1ad7344 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:40 +0200 Subject: [PATCH 0532/1736] chore: improve comment in type definition. --- pkg/prebuild/builder/stacked-dbus.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index 33af33df7d..e33ecf4b7f 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -19,7 +19,7 @@ var ( } ) -// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { prebuild.Base } From eee8241eb7649a302b65f6e840018755dd308b04 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:28:53 +0200 Subject: [PATCH 0533/1736] chore: cosmetic fixes. --- .../abstractions/bus/session/org.freedesktop.Notifications | 2 +- apparmor.d/abstractions/bus/session/org.gtk.Notifications | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index 5c10a9eaed..b51c4bdcb2 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -16,6 +16,6 @@ member={ActionInvoked,NotificationClosed,NotificationReplied} peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications index ad1a1ffad9..151c642a82 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications @@ -11,6 +11,6 @@ member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor From 7eaae9e68c701e24710784c52e9db9fd2d44da87 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:25:57 +0200 Subject: [PATCH 0534/1736] fix(profile): wrong path in abstraction. --- apparmor.d/abstractions/notifications | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 5 +++-- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications index 8232b54b5d..81d5cc94c2 100644 --- a/apparmor.d/abstractions/notifications +++ b/apparmor.d/abstractions/notifications @@ -4,8 +4,8 @@ abi , - include - include + include + include include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c9585e2aba..92e6c94849 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -17,15 +16,17 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include include include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3f57b3035d..22c02a97f5 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,7 +21,6 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include From 7cfff26ee273fca78aaea077cf63166d4883e2cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:46:52 +0200 Subject: [PATCH 0535/1736] fix(profile): abstraction not updated. --- apparmor.d/profiles-s-z/superproductivity | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 73a86672fb..f7abf758b1 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -20,13 +20,13 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include network inet stream, network inet6 stream, From a1ba00bec3e964e11cae0dd94346f8aebdffc188 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 23:00:13 +0200 Subject: [PATCH 0536/1736] feat(profile): general profile update. --- apparmor.d/groups/apparmor/apparmor_parser | 4 ++-- apparmor.d/groups/apt/debconf-frontend | 4 +++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/bluetooth/obexd | 5 +++++ apparmor.d/groups/cron/anacron | 3 +++ apparmor.d/groups/cups/cups-browsed | 4 +++- apparmor.d/groups/flatpak/flatpak | 3 +++ apparmor.d/groups/flatpak/flatpak-system-helper | 8 +++++++- apparmor.d/groups/freedesktop/wireplumber | 8 +++++--- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 13 +++++++++++++ apparmor.d/groups/gnome/gdm-session | 11 ++++++----- apparmor.d/groups/gnome/gnome-calculator | 1 + apparmor.d/groups/gnome/gnome-control-center | 3 ++- apparmor.d/groups/gnome/gnome-session | 3 +++ apparmor.d/groups/gnome/gnome-session-binary | 5 +++-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 5 +++-- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-usb-protection | 1 + apparmor.d/groups/gnome/gsd-wwan | 7 +++++++ apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/procps/htop | 1 + apparmor.d/groups/ssh/sshd | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 3 +++ apparmor.d/groups/systemd/systemd-detect-virt | 3 +++ apparmor.d/groups/systemd/systemd-remount-fs | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 8 ++++++++ apparmor.d/groups/systemd/zram-generator | 8 ++++++-- apparmor.d/groups/ubuntu/apport-gtk | 1 + apparmor.d/groups/utils/who | 2 +- apparmor.d/profiles-a-f/finalrd | 1 + apparmor.d/profiles-g-l/gsettings | 1 - apparmor.d/profiles-g-l/issue-generator | 3 ++- apparmor.d/profiles-m-r/mimetype | 2 +- apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/update-info-dir | 3 ++- apparmor.d/profiles-s-z/wsdd | 8 +++++++- apparmor.d/profiles-s-z/xournalpp | 2 +- 43 files changed, 121 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 0a9f9fcaf2..a5769931c6 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - deny /apparmor/.null rw, + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 4660755d6f..6e80839fe7 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, - # debconf apps + # Debconf apps @{bin}/adequate Px, @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms_* rPUx, + /etc/libpaper.d/texlive-base rPUx, + /usr/share/debconf/{,**} r, /etc/inputrc r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 7d2073768f..8ae76e706c 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -76,6 +76,7 @@ profile dpkg-scripts @{exec_path} { @{run}/** rw, @{efi}/grub/* rw, + /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 65ad4c0e5a..3ea17a4e50 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -25,6 +25,11 @@ profile obexd @{exec_path} { member=Release peer=(name=:*, label="@{p_bluetoothd}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 3756c1d032..3acfc14fd2 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -28,6 +28,7 @@ profile anacron @{exec_path} { @{tmp}/file@{rand6} rw, /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,7 +40,9 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index a7773a57fd..7330d67c98 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -49,9 +49,11 @@ profile cups-browsed @{exec_path} { /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c540b9db8e..e73408a0a0 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -154,6 +154,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability setuid, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak), + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0ca01d01de..cdfef1bad2 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -28,6 +28,11 @@ profile flatpak-system-helper @{exec_path} { ptrace read, + unix type=seqpacket peer=(label=dbus-system), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=unconfined), + #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper @{exec_path} mr, @@ -54,7 +59,8 @@ profile flatpak-system-helper @{exec_path} { @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7aff8bdd28..aefdc339d7 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -47,8 +47,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, @@ -81,8 +81,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 89acacd34a..21c99827b5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} rPx -> child-open, + @{open_path} mrPx -> child-open, / r, @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index fcafbda5f8..a0fb366abb 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -18,6 +18,8 @@ profile deja-dup-monitor @{exec_path} { include include include + include + include network netlink raw, @@ -39,15 +41,26 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, @{bin}/deja-dup Px, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 9a42bcdf1a..c08d12a07d 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -14,11 +14,12 @@ profile gdm-session @{exec_path} { include include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f40..4e83bfb76e 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -10,6 +10,7 @@ include profile gnome-calculator @{exec_path} { include include + include include # Needed to get currency exchange rates diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index fde43420a7..111facf645 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -130,7 +130,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 1f29958d1b..7bcf804312 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -9,7 +9,10 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index b011935ae1..f4c61c5c6c 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -28,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @@ -67,6 +67,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 6ddbd4b4c3..37bb7b3742 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index e4ac12011c..8bcb629a98 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -22,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -75,6 +75,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index c399eadc75..5c8ab7c8ab 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -12,6 +12,7 @@ profile gnome-text-editor @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35f43a93eb..83fcbd7c66 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -17,6 +17,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 3bfffdb6ab..7f03d9fc5d 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -12,6 +12,7 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index ab2b2b0898..3a5ee53df3 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2e21750b94..7618dc3b6a 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -43,7 +43,7 @@ profile gsd-xsettings @{exec_path} { dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=UserAdded + member={UserAdded,UserDeleted} peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 838dc940c8..b0239f4044 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -12,6 +12,7 @@ profile ptyxis @{exec_path} { include include include + include unix type=stream peer=(label=ptyxis-agent), diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 2307c709fb..0965396abf 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -34,6 +34,7 @@ profile DiscoverNotifier @{exec_path} { @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 4937f68753..ef14d9ca9e 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -112,6 +112,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/task/ r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 40cf0bca2c..633076ad6a 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sbin}/sshd.hmac r, + @{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/false ix, @{sbin}/nologin Px, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index db1854f1fb..061b93ffd4 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b78b7c043..ca6eae3adc 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -43,6 +43,9 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { /dev/cpu/@{int}/msr r, + deny capability net_admin, + deny capability perfmon, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 96b182e5f9..73213160b3 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{bin}/mount rix, - /etc/blkid.conf r, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 640e48f3f4..cb9592d473 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -128,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 473848ef3b..193bfc9b6b 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/kmod rCx, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, @@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner /dev/pts/@{int} rw, - profile kmod { + profile kmod flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 3d2cbd63de..d7480a212f 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,6 +17,7 @@ profile apport-gtk @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d951bfe03a..d9ca9e164d 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index b22730a279..7ce69ab643 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/finalrd profile finalrd @{exec_path} { include + include capability dac_read_search, capability sys_admin, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 2e0eb2cf71..9b8eca8ee2 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -16,7 +16,6 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 7783c8005f..093cd7100f 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -19,6 +19,7 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -30,7 +31,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} r, + @{run}/issue.d/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 1576050b51..32950dbc4e 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index d91285558b..001f8605a5 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,6 +21,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 9c686b19d9..453e0093ab 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -14,6 +14,7 @@ profile udev-fido_id @{exec_path} { @{exec_path} mr, /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/platform/**/report_descriptor r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index fe06b32afd..dc2a0d7aac 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -14,8 +14,9 @@ profile update-info-dir @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/install-info Px, + @{bin}/cp ix, @{bin}/find ix, + @{bin}/install-info Px, @{bin}/rm ix, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index fc69557939..b72cff3c45 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -9,9 +9,14 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include include + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -28,7 +33,8 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 6442fe8b91..0d6c4d65f1 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -37,7 +37,7 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + /dev/snd/pcmC@{int}D@{int}[cp] w, include if exists } From 4f9d2703d4851a196b0e4af88d549f4b24bdc2b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:07:01 +0200 Subject: [PATCH 0537/1736] build: separate the base-strict abs from the re-attach builder. Enable the use of the base-strict abs on all setup. --- apparmor.d/abstractions/attached/base | 2 +- cmd/prebuild/main.go | 5 +++-- pkg/prebuild/builder/attach.go | 5 +---- pkg/prebuild/builder/base-strict.go | 32 +++++++++++++++++++++++++++ 4 files changed, 37 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/base-strict.go diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 29c685f559..8741942ff3 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,7 +8,7 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 62685202fb..5eb1ab2f25 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -32,8 +32,9 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + "base-strict", // Use base-strict as base abstraction ) // Matrix of ABI/Apparmor version to integrate with diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index d279081291..66ef18aefd 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -49,10 +49,7 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) + } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go new file mode 100644 index 0000000000..29a0656299 --- /dev/null +++ b/pkg/prebuild/builder/base-strict.go @@ -0,0 +1,32 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type BaseStrict struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&BaseStrict{ + Base: prebuild.Base{ + Keyword: "base-strict", + Msg: "Feat: use 'base-strict' as base abstraction", + }, + }) +} + +func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + return profile, nil +} From 7c6f7767575b2a0b6ed7870c6bd38483c42e1fb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:12:30 +0200 Subject: [PATCH 0538/1736] build: set default att to "" when not enabled. It fixes various issues with multiple / that are not collapsed in they canonical form in file rules See https://gitlab.com/apparmor/apparmor/-/issues/450#note_2158840105 --- apparmor.d/tunables/multiarch.d/system | 3 +-- pkg/prebuild/prepare/attach.go | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cf8575db0b..b29be3f0c8 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,7 +69,6 @@ # Default attachment path when re-attached path disconnected path is ignored. # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path -@{att}=/ -alias / -> //, +@{att}="" # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index 3331c73dc6..4523382d85 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -32,7 +32,6 @@ func (p ReAttach) Apply() ([]string, error) { if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") - out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") + out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) return res, path.WriteFile([]byte(out)) } From 09c1f61bb7aab8f9aff5e7c87cee66d9d9104b83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:54:28 +0200 Subject: [PATCH 0539/1736] build(debian): use deb-systemd-invoke and minor lintian fixes. --- debian/apparmor.d.postinst | 4 +--- debian/apparmor.d.postrm | 4 +--- debian/control | 6 +++--- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 2f8c90ae09..361af7b913 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 2f8c90ae09..361af7b913 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/control b/debian/control index 56ad928ba2..85c4d3786a 100644 --- a/debian/control +++ b/debian/control @@ -18,6 +18,6 @@ Architecture: any Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. +Description: Full set of AppArmor profiles (~ 2000 profiles) + apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine + most Linux based applications and processes. From 2b07398cef01bf511fafd8c66d631598baae1e8d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 3 Sep 2025 03:28:16 +0200 Subject: [PATCH 0540/1736] flatpak-app ntsync --- apparmor.d/groups/flatpak/flatpak-app | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e8fe195fb7..e6be7ef4f5 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -98,6 +98,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, + /dev/ntsync r, + include if exists include if exists } From 2c0b5405db7242b8d0b6704fc9998927bee30c9c Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 19:06:48 -0400 Subject: [PATCH 0541/1736] firewall-applet: update profile --- apparmor.d/groups/firewall/firewall-applet | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 280bd9d049..bd144b7e28 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -21,6 +21,9 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + + owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } From 237622f3efd6c7c8b11482086f2ca31fa47cc915 Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 13:54:42 -0400 Subject: [PATCH 0542/1736] rpcbind: update profile rpcbind: update profile --- apparmor.d/groups/network/rpcbind | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 1d81292fd1..0650470ac5 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken +# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,9 +10,18 @@ include @{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include + + capability setgid, + capability setuid, @{exec_path} rm, + /etc/netconfig r, + + @{run}/rpcbind.lock rwkl, + @{run}/rpcbind/*.xdr rwkl, + include if exists } From 4c84b572cda4433a664b1488e980034886652629 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Tue, 2 Sep 2025 05:12:04 +0200 Subject: [PATCH 0543/1736] glxgears can't access X cookie --- apparmor.d/profiles-g-l/glxgears | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 1e27790df4..cfd9f0dac1 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -25,6 +25,7 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists } From e43d9078089c4b46c8f48d08ebacacf83327b3f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 2 Sep 2025 00:06:57 +0200 Subject: [PATCH 0544/1736] chore: cosmetic. --- Justfile | 78 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/Justfile b/Justfile index e434586c4d..2c4c0e8d44 100644 --- a/Justfile +++ b/Justfile @@ -49,44 +49,44 @@ c := "--connect=qemu:///system" # VM prefix prefix := "aa-" -[doc('Show this help message')] +# Show this help message help: @just --list --unsorted @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." +# Build the go programs [group('build')] -[doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +# Prebuild the profiles in enforced mode [group('build')] -[doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in complain mode [group('build')] -[doc('Prebuild the profiles in complain mode')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in FSP mode [group('build')] -[doc('Prebuild the profiles in FSP mode')] fsp: build @./{{build}}/prebuild --buildir {{build}} --full +# Prebuild the profiles in FSP mode (complain) [group('build')] -[doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build @./{{build}}/prebuild --buildir {{build}} --complain --full +# Prebuild the profiles in FSP mode (debug) [group('build')] -[doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build @./{{build}}/prebuild --buildir {{build}} --complain --full --debug +# Install prebuild profiles [group('install')] -[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -113,8 +113,8 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +# Locally install prebuild profiles [group('install')] -[doc('Locally install prebuild profiles')] local +names: #!/usr/bin/env bash set -eu -o pipefail @@ -135,39 +135,39 @@ local +names: done; systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Prebuild, install, and load a dev profile [group('install')] -[doc('Prebuild, install, and load a dev profile')] dev name: go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Build & install apparmor.d on Arch based systems [group('packages')] -[doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +# Build & install apparmor.d on Debian based systems [group('packages')] -[doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +# Build & install apparmor.d on OpenSUSE based systems [group('packages')] -[doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +# Run the unit tests [group('tests')] -[doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +# Run the linters [group('linter')] -[doc('Run the linters')] lint: golangci-lint run packer fmt tests/packer/ @@ -177,34 +177,34 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +# Run style checks on the profiles [group('linter')] -[doc('Run style checks on the profiles')] check: @bash tests/check.sh +# Generate the man pages [group('docs')] -[doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +# Build the documentation [group('docs')] -[doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +# Serve the documentation [group('docs')] -[doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve -[doc('Remove all build artifacts')] +# Remove all build artifacts clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +# Build the package in a clean OCI container [group('packages')] -[doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash set -eu -o pipefail @@ -219,8 +219,8 @@ package dist: fi bash dists/docker.sh $dist $version +# Build the VM image [group('vm')] -[doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} packer build -force \ @@ -237,8 +237,8 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +# Create the machine [group('vm')] -[doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @virt-install {{c}} \ @@ -257,53 +257,53 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +# Start a machine [group('vm')] -[doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +# Stops the machine [group('vm')] -[doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +# Reboot the machine [group('vm')] -[doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +# Destroy the machine [group('vm')] -[doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +# Connect to the machine [group('vm')] -[doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` +# Mount the shared directory on the machine [group('vm')] -[doc('Mount the shared directory on the machine')] mount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' +# Unmout the shared directory on the machine [group('vm')] -[doc('Unmout the shared directory on the machine')] umount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' +# List the machines [group('vm')] -[doc('List the machines')] list: @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +# List the VM images [group('vm')] -[doc('List the VM images')] images: #!/usr/bin/env bash set -eu -o pipefail @@ -320,8 +320,8 @@ images: } ' +# List the VM images that can be created [group('vm')] -[doc('List the VM images that can be created')] available: #!/usr/bin/env bash set -eu -o pipefail @@ -337,36 +337,36 @@ available: } ' +# Install dependencies for the integration tests [group('tests')] -[doc('Install dependencies for the integration tests')] init: @bash tests/requirements.sh +# Run the integration tests [group('tests')] -[doc('Run the integration tests')] integration name="": bats --recursive --timing --print-output-on-failure tests/integration/{{name}} +# Install dependencies for the integration tests (machine) [group('tests')] -[doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init +# Synchronize the integration tests (machine) [group('tests')] -[doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ +# Re-synchronize the integration tests (machine) [group('tests')] -[doc('Re-synchronize the integration tests (machine)')] tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ (umount dist flavor) +# Run the integration tests (machine) [group('tests')] -[doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ From 7963479dbc944ea2fa18da16ad5a4224f73cc8fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:21:34 +0200 Subject: [PATCH 0545/1736] build: various cleanup --- dists/build.sh | 2 +- dists/docker.sh | 4 ++-- dists/flags/main.flags | 4 ++-- dists/flags/ubuntu.flags | 1 + 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/dists/build.sh b/dists/build.sh index 9b9f9e765d..e33c48695f 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -16,7 +16,7 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) diff --git a/dists/docker.sh b/dists/docker.sh index 2e581883c0..45191adb89 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -25,7 +25,7 @@ readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" + docker start "$img" || return 1 } _is_running() { @@ -65,7 +65,7 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" - docker exec "$img" sudo pacman -Syu --noconfirm --noprogressbar + docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 057c7c2982..2c01d9553e 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -230,7 +230,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm complain +mdadm attach_disconnected,complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain @@ -327,7 +327,7 @@ systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain systemd-generator-environment-snapd attach_disconnected,complain -systemd-generator-friendly-recover attach_disconnected,complain +systemd-generator-friendly-recovery attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 7339702a2d..125575ce19 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -8,6 +8,7 @@ apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +esm_cache complain fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain From d9df02f3f860f94d91d85862205adf872d75b9a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:22:39 +0200 Subject: [PATCH 0546/1736] tests(packer): update opensuse images. --- tests/cloud-init/opensuse-gnome.user-data.yml | 18 ++++++- tests/cloud-init/opensuse-kde.user-data.yml | 14 ++++- .../cloud-init/opensuse-server.user-data.yml | 7 +++ tests/cloud-init/opensuse.yml | 54 +++++++++++++++++++ 4 files changed, 91 insertions(+), 2 deletions(-) diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 3ab5a6c08c..b59d66af38 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,6 +1,22 @@ #cloud-config -packages: *core-packages +packages: *gnome-packages + +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket write_files: - *shared-directory # Setup shared directory + + - path: /etc/sysconfig/displaymanager + append: true + content: | + DISPLAYMANAGER="gdm" + diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 3ab5a6c08c..2058846dd8 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,6 +1,18 @@ #cloud-config -packages: *core-packages +packages: *kde-packages + +# apparmor.debug=1 +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg write_files: - *shared-directory # Setup shared directory + - path: /etc/sysconfig/displaymanager + append: true + content: | + DISPLAYMANAGER="sddm" diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml index 98b78ec80b..b6d35cd686 100644 --- a/tests/cloud-init/opensuse-server.user-data.yml +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -2,6 +2,13 @@ packages: *core-packages +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg + write_files: - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml index 57c6336785..ab0954c6ae 100644 --- a/tests/cloud-init/opensuse.yml +++ b/tests/cloud-init/opensuse.yml @@ -2,9 +2,11 @@ # Core packages for OpenSUSE core-packages: &core-packages + - pattern:apparmor - apparmor-profiles - bash-completion - distribution-release + - docker - git - go - golang-packaging @@ -12,5 +14,57 @@ core-packages: &core-packages - just - rpmbuild - rsync + - systemd-container + - systemd-homed - vim +gnome-packages: &gnome-packages + # Core packages for OpenSUSE + - pattern:apparmor + - apparmor-profiles + - bash-completion + - distribution-release + - docker + - git + - go + - golang-packaging + - htop + - just + - rpmbuild + - rsync + - systemd-container + - systemd-homed + - vim + + # Gnome packages for OpenSUSE + - pattern:gnome + - gdm + - spice-vdagent + - terminator + - loupe + - ptyxis + +kde-packages: &kde-packages + # Core packages for OpenSUSE + - pattern:apparmor + - apparmor-profiles + - bash-completion + - distribution-release + - docker + - git + - go + - golang-packaging + - htop + - just + - rpmbuild + - rsync + - systemd-container + - systemd-homed + - vim + + # KDE packages for OpenSUSE + - pattern:kde_plasma + - pattern:kde + - sddm + - spice-vdagent + - terminator From 5795114328ad8952c826b8e82e475500d84eb94a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:23:49 +0200 Subject: [PATCH 0547/1736] tests(packer): success on cloud-init failure. --- tests/packer/builds.pkr.hcl | 4 ++-- tests/packer/clean.sh | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 48a5fafb63..98e923fd99 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -71,10 +71,10 @@ build { "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", # Ensure cloud-init is successful - # "cloud-init status", + "cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz", # Remove logs and artifacts so cloud-init can re-run - # "cloud-init clean", + "cloud-init clean || true", # Install local files and config "bash /tmp/init.sh", diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index f7518a2f6b..23c587d4fe 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -60,8 +60,7 @@ clean_pacman() { clean_zypper() { _msg "Cleaning zypper cache" - zypper update -y - zypper clean -y + zypper clean --all } # Make the image as impersonal as possible. From a0f1c55ab475a9c3f6d9ad26bf8d91b7d53036d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:12:40 +0200 Subject: [PATCH 0548/1736] doc: update roadmap. --- docs/development/roadmap.md | 49 ++++++++++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 11 deletions(-) diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 2585208e51..379241a495 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -6,11 +6,18 @@ title: Roadmap This is the current list of features that must be implemented to get to a stable release -- [x] **Play machine** +- [x] **[Play machine](https://github.com/roddhjav/play)** -- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - - [x] Move most profiles into groups such that - - [ ] New simplified build system to generate the packages with profile dependencies check +- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** + - [x] Move most profiles into groups + - [ ] Provide complain/enforced packages version + - [ ] normal/FSP/server packages variants + +- [ ] **Build system** + - [ ] Continuous release on the main branch, ~2 releases per week + - [ ] Provide packages repo for ubuntu/debian + - [x] Add a `just` target to install the profiles in the right place + - [x] Fully drop the Makefile in favor of `just` - [ ] **Tests** - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) @@ -22,14 +29,26 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [x] The apt/dpkg profiles needs to be reworked -- [ ] Build system - - [ ] Continuous release on the main branch, ~2 releases per week - - [ ] Provide packages repo for ubuntu/debian - - [ ] Provide complain/enforced packages version - - [x] Add a `just` target to install the profiles in the right place - - [x] Fully drop the Makefile in favor of `just` +- [ ] **Abstractions** + - [ ] Document all abstractions + - [ ] Split and reorganize some big abs into set of smaller abstractions. + Strictly follow the new abstractions guidelines (layer 0, layer 1, etc.) + - [ ] Abstraction based profiles: + Most of the accesses needed by GUI based application are commons. As such 80-90% of the profile content should be handled by abstractions (internally they will have conditions). + - [ ] Test new interface like abstractions + - notifications + - audio-bluetooth + - secrets-service + - media-keys + - ... + - [ ] Rewrite the desktop abstraction to only contains other abs. No direct rules in it. + - [ ] Rewrite the DE specific abstraction to be a layer 1 abs + +- [ ] **Security improvements** + - [ ] Limit the use of `abstractions/common/systemd` + - [ ] Ensure systemctl restart/stop/reload is always confined and filtered by unit (dbus only) + - [ ] Revisit the usae of `systemd-tty-ask-password-agent` ## Next features @@ -45,8 +64,16 @@ This is the current list of features that must be implemented to get to a stable - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - [x] Remove the `default` profile +- [ ] **Define roles** + - [ ] Unrestricted shell role without FSP enabled + - [ ] Define the roles when FSP is enabled + ## Done +**General improvements** + +- [x] The apt/dpkg profiles has been rewritten + **Abstractions** - [x] New `audio-client` and `audio-server` abstractions From d86cf03dabfe1ba614341278ea42cb0a078df52e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:13:25 +0200 Subject: [PATCH 0549/1736] build(debian): post script must not fail. --- debian/apparmor.d.postinst | 2 +- debian/apparmor.d.postrm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 361af7b913..840f3196b4 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,6 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 361af7b913..840f3196b4 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,6 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service +deb-systemd-invoke reload apparmor.service || true exit 0 From c7177eedde336a0bbef70e8fcc4413eaf07d88f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:16:25 +0200 Subject: [PATCH 0550/1736] doc: update documentation. --- docs/development/abstractions.md | 9 +++++++++ docs/issues.md | 30 +++++++++++++----------------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index f1ac6e18e3..cd82f5d219 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -217,6 +217,14 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this A minimal set of rules for chromium based application. Handle access for internal sandbox. +It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: + +!!! note "" + + [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25) + ``` sh linenums="24" + @{domain} = org.chromium.Chromium + ``` ### **`common/electron`** @@ -227,6 +235,7 @@ A minimal set of rules for all electron based UI applications. It works as a *fu [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify + @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/docs/issues.md b/docs/issues.md index 1db3b195ae..2f38f4c5a1 100644 --- a/docs/issues.md +++ b/docs/issues.md @@ -6,28 +6,24 @@ title: Known issues Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. -## Complain mode +## Ubuntu -A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: +### Dbus -1. `deny` rules are enforced even in *complain* mode, -2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, -3. If AppArmor does not find the profile to transition `rPx`. +Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* + +Note: Ubuntu server has been more tested and will work without issues with enforced rules. -## Pacman "could not get current working directory" +### Snap -```sh -$ sudo pacman -Syu -... -error: could not get current working directory -:: Processing package changes... -... -``` +Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. -This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. -According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. +## Complain mode + +A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: -This provides a basic protection against some packages (on the AUR) that may have rogue install script. +1. `deny` rules are enforced even in *complain* mode, +2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, +3. If AppArmor does not find the profile to transition `rPx`. -[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman From 470025c09025861a4fbee72a3f424ff7b0219044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 19:39:18 +0200 Subject: [PATCH 0551/1736] build(debian): update list of profile to hide. Nb: we cannot use these profiles as they would break with apparmor.d profiles (they don't expect confined peer). --- pkg/prebuild/files.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index 504f05c1c0..d9879570b3 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -11,9 +11,12 @@ import ( ) // Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "make", all edit will be lost. +var Hide = `# This file is generated by "just", all edit will be lost. /etc/apparmor.d/usr.bin.firefox +/etc/apparmor.d/usr.bin.swtpm +/etc/apparmor.d/usr.bin.wsdd +/etc/apparmor.d/usr.libexec.geoclue /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/usr.sbin.rsyslogd From 2aead7e93b0dce022401c5f42b8eeb23cb3e01a9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 22:01:20 +0200 Subject: [PATCH 0552/1736] build(arch): initial pkbuild for splited packages. Note: it is not enabled yet. --- PKGBUILD | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 102 insertions(+), 9 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index dfbb46735a..a68ba817df 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -3,8 +3,15 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. -pkgname=apparmor.d -pkgver=0.001 +pkgbase=apparmor.d +pkgname=( + apparmor.d + # apparmor.d.enforced + # apparmor.d.fsp apparmor.d.fsp.enforced + # apparmor.d.server apparmor.d.server.enforced + # apparmor.d.server.fsp apparmor.d.server.fsp.enforced +) +pkgver=0.0001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') @@ -12,10 +19,9 @@ url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') -conflicts=("$pkgname-git") pkgver() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" echo "0.$(git rev-list --count HEAD)" } @@ -24,17 +30,104 @@ prepare() { } build() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" + export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" export DISTRIBUTION=arch - just complain + local -A modes=( + # Mapping of modes to just build target. + [default]=complain + # [enforced]=enforce + # [fsp]=fsp-complain + # [fsp.enforced]=fsp + # [server]=server-complain + # [server.enforced]=server + # [server.fsp]=server-fsp-complain + # [server.fsp.enforced]=server-fsp + ) + for mode in "${!modes[@]}"; do + just build=".build/$mode" "${modes[$mode]}" + done } -package() { - cd "$srcdir/$pkgname" - just destdir="$pkgdir" install +_conflicts() { + local mode="$1" + local pattern=".$mode" + if [[ "$mode" == "default" ]]; then + pattern="" + else + echo "$pkgbase" + fi + for pkg in "${pkgname[@]}"; do + if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then + continue + fi + echo "$pkg" + done +} + +_install() { + local mode="${1:?}" + cd "$srcdir/$pkgbase" + just build=".build/$mode" destdir="$pkgdir" install +} + +package_apparmor.d() { + mode=default + pkgdesc="$pkgdesc (complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.enforced() { + mode=enforced + pkgdesc="$pkgdesc (enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp() { + mode="fsp" + pkgdesc="$pkgdesc (FSP mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp.enforced() { + mode="fsp.enforced" + pkgdesc="$pkgdesc (FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server() { + mode="server" + pkgdesc="$pkgdesc (server complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.enforced() { + mode="server.enforced" + pkgdesc="$pkgdesc (server enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp() { + mode="server.fsp" + pkgdesc="$pkgdesc (server FSP complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp.enforced() { + mode="server.fsp.enforced" + pkgdesc="$pkgdesc (server FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode } From ab7cba2da6e283f6f7e2eed1b746271b3bbda512 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 22:16:40 +0200 Subject: [PATCH 0553/1736] build: add early support for server version of the package. --- docs/development/build.md | 44 ++++++++++++++++++++++++++------------- pkg/prebuild/cli/cli.go | 27 +++++++++++++++++++++--- 2 files changed, 54 insertions(+), 17 deletions(-) diff --git a/docs/development/build.md b/docs/development/build.md index eaa2487a24..b767e4e4ed 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -10,18 +10,22 @@ go run ./cmd/prebuild -h ``` ``` -aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] +aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. Prepare tasks: configure - Set distribution specificities @@ -31,21 +35,27 @@ Prepare tasks: overwrite - Overwrite dummy upstream profiles synchronise - Initialize a new clean apparmor.d build directory ignore - Ignore profiles and files from: + server - Configure AppArmor for server systemd-default - Configure systemd unit drop in files to a profile for some units systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor + attach - Configure tunable for re-attached path Build tasks: - abi3 - Convert all profiles from abi 4.0 to abi 3.0 - attach - Re-attach disconnected path - complain - Set complain flag on all profiles - enforce - All profiles have been enforced - fsp - Prevent unconfined transitions in profile rules - hotfix - Temporary fix for #74, #80 & #235 - userspace - Resolve variable in profile attachments + userspace - Fix: resolve variable in profile attachments + abi3 - Build: convert all profiles from abi 4.0 to abi 3.0 + attach - Feat: re-attach disconnected path + base-strict - Feat: use 'base-strict' as base abstraction + complain - Build: set complain flag on all profiles + debug - Build: debug mode enabled + enforce - Build: all profiles have been enforced + fsp - Feat: prevent unconfined transitions in profile rules + hotfix - Fix: temporary solution for #74, #80 & #235 + stacked-dbus - Fix: resolve peer label variable in dbus rules Directive: #aa:dbus own bus= name= [interface=AARE] [path=AARE] #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] + #aa:dbus common bus= name= label= #aa:exec [P|U|p|u|PU|pu|] profiles... #aa:only filters... #aa:exclude filters... @@ -66,6 +76,12 @@ Ignore profiles and files as defined in the `dist/ignore` directory. See [workfl *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* +### **`server`** + +Configure AppArmor for server. Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play). + +*Enable with the `--server` option in the prebuild command.* + ### **`merge`** Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 8abfb43239..981331edd2 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -7,6 +7,8 @@ package cli import ( "flag" "fmt" + "os" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/logging" @@ -20,7 +22,7 @@ import ( const ( nilABI = 0 nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE] + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. @@ -32,7 +34,8 @@ Options: -a, --abi ABI Target apparmor ABI. -v, --version V Target apparmor version. -f, --full Set AppArmor for full system policy. - -b, --buildir DIR Root build directory. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. --debug Enable debug mode. ` @@ -43,6 +46,7 @@ var ( complain bool enforce bool full bool + server bool debug bool abi int version float64 @@ -55,6 +59,8 @@ func init() { flag.BoolVar(&help, "help", false, "Show this help message and exit.") flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&server, "s", false, "Set AppArmor for server.") + flag.BoolVar(&server, "server", false, "Set AppArmor for server.") flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") @@ -81,7 +87,22 @@ func Configure() { flag.Parse() if help { flag.Usage() - return + os.Exit(0) + } + + if server { + idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) + if idx == -1 { + prepare.Register("server") + } else { + prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) + } + + // Remove hotfix task as it is not needed on server + idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) + if idx != -1 { + prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) + } } if full && paths.New("apparmor.d/groups/_full").Exist() { From ec88fcbfcb2a928bb543bdc0497946ff6fe840cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:18:31 +0200 Subject: [PATCH 0554/1736] feat(abs): add the camera abstraction --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/camera | 35 +++++++++++++++++++ apparmor.d/abstractions/common/app | 2 +- apparmor.d/groups/browsers/epiphany | 3 +- apparmor.d/groups/freedesktop/pipewire | 2 +- .../groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 3 +- apparmor.d/groups/freedesktop/wireplumber | 3 +- apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/vlc | 2 +- 10 files changed, 44 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/abstractions/camera diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index f08a096ca0..725b57fca9 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -30,6 +30,7 @@ include include include + include include include include @@ -44,7 +45,6 @@ include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera new file mode 100644 index 0000000000..0f5cff363e --- /dev/null +++ b/apparmor.d/abstractions/camera @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to all cameras + + abi , + + # Allow detection of cameras. Leaks plugged in USB device info + @{sys}/bus/usb/devices/ r, + @{sys}/devices/@{pci}/usb@{int}/**/busnum r, + @{sys}/devices/@{pci}/usb@{int}/**/devnum r, + @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, + @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + @{sys}/devices/@{pci}/usb@{int}/**/modalias r, + @{sys}/devices/@{pci}/usb@{int}/**/speed r, + + @{sys}/class/video4linux/ r, + @{sys}/devices/**/video4linux/** r, + @{sys}/devices/**/video4linux/video@{int}/ r, + @{sys}/devices/**/video4linux/video@{int}/uevent r, + + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c81:@{int} r, # For video4linux + + # VideoCore cameras (shared device with VideoCore/EGL) + /dev/vchiq rw, + + # Access to video /dev devices + /dev/video@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5072cadfd6..d0b36188b2 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -16,6 +16,7 @@ include include include + include include include include @@ -30,7 +31,6 @@ include include include - include dbus bus=accessibility, dbus bus=session, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 86b293e8d0..45a32868e9 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -12,6 +12,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -61,8 +62,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 02a370cdc2..c8c89ac13b 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -14,8 +14,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include include - include capability sys_ptrace, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index af6f30e9c9..83ee32baad 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -14,9 +14,9 @@ profile pipewire-media-session @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 05e4c3ec2a..28d8b9d319 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -18,6 +18,7 @@ profile pulseaudio @{exec_path} { include include include + include include include include @@ -105,7 +106,6 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, @@ -114,7 +114,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/cmdline r, /dev/media@{int} r, - /dev/video@{int} rw, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aefdc339d7..708e5a6e8c 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -16,9 +16,9 @@ profile wireplumber @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, @@ -71,7 +71,6 @@ profile wireplumber @{exec_path} { @{sys}/bus/ r, @{sys}/bus/media/devices/ r, - @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 001f8605a5..4abe053f65 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -19,6 +19,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index ccf1abb61d..3a3a77313f 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -17,6 +17,7 @@ profile vlc @{exec_path} { include include include + include include include include @@ -85,7 +86,6 @@ profile vlc @{exec_path} { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, - /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer From c2ecc756b2e424926b7d0ac79b99b8f20c911de2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:30:52 +0200 Subject: [PATCH 0555/1736] feat(abs): add the media-control abstraction --- apparmor.d/abstractions/media-control | 20 +++++++++++++++++++ apparmor.d/groups/freedesktop/pipewire | 3 +-- apparmor.d/groups/freedesktop/pulseaudio | 3 +-- apparmor.d/groups/freedesktop/wireplumber | 3 +-- apparmor.d/groups/gnome/gnome-boxes | 5 ++--- apparmor.d/groups/gnome/gnome-control-center | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 5 ++--- apparmor.d/groups/gnome/localsearch | 3 --- .../groups/gnome/org.gnome.NautilusPreviewer | 5 ++--- apparmor.d/profiles-a-f/cheese | 5 ++--- apparmor.d/profiles-s-z/v4l2-ctl | 6 ++---- apparmor.d/profiles-s-z/virt-manager | 5 ++--- 12 files changed, 37 insertions(+), 30 deletions(-) create mode 100644 apparmor.d/abstractions/media-control diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control new file mode 100644 index 0000000000..1cdcf66f2c --- /dev/null +++ b/apparmor.d/abstractions/media-control @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to media controller such as microphones, and video capture hardware. +# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst + + abi , + + # Control of media devices + /dev/media@{int} rwk, + + # Access to V4L subnodes configuration + # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html + /dev/v4l-subdev@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index c8c89ac13b..04b08ecc4c 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -15,6 +15,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -66,8 +67,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 28d8b9d319..5c7c49c3df 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -26,6 +26,7 @@ profile pulseaudio @{exec_path} { include include include + include include ptrace (trace) peer=@{profile_name}, @@ -113,8 +114,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, - /dev/media@{int} r, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 708e5a6e8c..aa78d96675 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -18,6 +18,7 @@ profile wireplumber @{exec_path} { include include include + include include network bluetooth raw, @@ -65,7 +66,6 @@ profile wireplumber @{exec_path} { @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @@ -86,7 +86,6 @@ profile wireplumber @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, /dev/udmabuf rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 1447715b78..cd46dd069c 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -13,10 +13,12 @@ profile gnome-boxes @{exec_path} { include include include + include include include include include + include include include include @@ -80,9 +82,6 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} rw, - /dev/video@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, profile virsh { diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 111facf645..10f3102320 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -17,11 +17,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include include @@ -191,8 +193,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, - /dev/media@{int} r, - /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0876b90d19..7344b735b7 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -32,18 +32,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include include include include + include include include include include include - include capability sys_nice, capability sys_ptrace, @@ -321,7 +322,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @@ -379,7 +379,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} rw, /dev/tty@{int} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 049b3c402f..d5700db7c4 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -68,9 +68,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index f084e7b126..e1bde22381 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,14 +10,15 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include + include include include include include include + include include include - include network netlink raw, @@ -52,8 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b89fa42f24..33b933be2f 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -11,10 +11,12 @@ include profile cheese @{exec_path} { include include + include include include include include + include include include @@ -49,9 +51,6 @@ profile cheese @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl index e398049de0..ddb86b9a2d 100644 --- a/apparmor.d/profiles-s-z/v4l2-ctl +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -9,14 +9,12 @@ include @{exec_path} = @{bin}/v4l2-ctl profile v4l2-ctl @{exec_path} { include + include include - include + include @{exec_path} mr, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 8a1b5f3556..f820d29534 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -16,12 +16,14 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include include + include include include include @@ -101,9 +103,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} r, - /dev/video@{int} rw, - # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From 5484f84764d2f1bc9c5ccf28494fdec5ada382aa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:32:06 +0200 Subject: [PATCH 0556/1736] tests(build): add tests for the stacked-dbus build task. --- pkg/prebuild/builder/core_test.go | 24 ++++++++++++++++++++++++ pkg/prebuild/builder/stacked-dbus.go | 2 +- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 06ceb1d284..c6c493472d 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -231,6 +231,30 @@ func TestBuilder_Apply(t *testing.T) { want: "", wantErr: true, }, + { + name: "stacked-dbus-1", + b: Builders["stacked-dbus"], + profile: ` +profile foo { + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + +}`, + want: ` +profile foo { +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session), +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + +}`, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index e33ecf4b7f..eca8122c6b 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -72,7 +72,7 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { toResolve = append(toResolve, k) } - rulesByParagraph, paragraphs, err := parse(kind, profile) // + rulesByParagraph, paragraphs, err := parse(kind, profile) if err != nil { return "", err } From 64d71ffb6e762b5ba51302087731bbeb8577631d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:45:08 +0200 Subject: [PATCH 0557/1736] build: attach: ensure we don't recursivelly call ourself. --- pkg/prebuild/builder/attach.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index 66ef18aefd..1ec5e06b1c 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -31,6 +31,9 @@ func init() { func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name + if opt.File.HasSuffix("attached/base") { + return profile, nil // Do not re-attach twice + } if strings.Contains(profile, "attach_disconnected") { insert = "@{att} = /att/" + opt.Name + "/\n" @@ -42,13 +45,17 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { "include ", "include ", ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) profile = strings.ReplaceAll(profile, "include ", "include ", ) } else { - insert = "@{att} = /\n" + insert = "@{att} = \"\"\n" } From 8c33125b5ec251c6c8996ea23f24c5380c597a8c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:46:12 +0200 Subject: [PATCH 0558/1736] build: add missing server build task. --- pkg/prebuild/prepare/server.go | 105 +++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 pkg/prebuild/prepare/server.go diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go new file mode 100644 index 0000000000..85f98e75da --- /dev/null +++ b/pkg/prebuild/prepare/server.go @@ -0,0 +1,105 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + } + serverIgnoreGroups = []string{ + "akonadi", + "avahi", + "bluetooth", + "browsers", + "cosmic", + "cups", + "display-manager", + "flatpak", + "freedesktop", + "gnome", + "gvfs", + "hyprland", + "kde", + "lxqt", + "steam", + "xfce", + "zed", + } +) + +type Server struct { + prebuild.Base +} + +func init() { + RegisterTask(&Server{ + Base: prebuild.Base{ + Keyword: "server", + Msg: "Configure AppArmor for server", + }, + }) +} + +func (p Server) Apply() ([]string, error) { + res := []string{} + + // Ignore desktop related groups + groupNb := 0 + for _, group := range serverIgnoreGroups { + path := prebuild.RootApparmord.Join("groups", group) + if path.IsDir() { + if err := path.RemoveAll(); err != nil { + return res, err + } + groupNb++ + } else { + res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) + } + } + + // Ignore profiles using a desktop related abstraction + fileNb := 0 + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return res, err + } + for _, pattern := range serverIgnorePatterns { + if strings.Contains(profile, pattern) { + if err := file.RemoveAll(); err != nil { + return res, err + } + fileNb++ + break + } + } + } + + res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) + res = append(res, fmt.Sprintf("%d profiles ignored", fileNb)) + return res, nil +} From e2f11d46b0a81322bfef9394d440a30edfc67958 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:48:59 +0200 Subject: [PATCH 0559/1736] tests(check): make the script configurable. Such that it can be used in downstream project with different folder structure. --- tests/check.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 60e23c6942..861ca84fa6 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -11,9 +11,11 @@ set -eu -o pipefail RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) +APPARMORD=${CHECK_APPARMORD:-apparmor.d} +SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled -readonly RES MAX_JOBS APPARMORD="apparmor.d" +readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -500,14 +502,14 @@ _check_udev() { check_sbin() { local file name jobs - mapfile -t sbin Date: Sat, 6 Sep 2025 23:51:12 +0200 Subject: [PATCH 0560/1736] tests(check): add support for global exclusion. --- tests/check.sh | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 861ca84fa6..5b35f88167 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -15,6 +15,8 @@ APPARMORD=${CHECK_APPARMORD:-apparmor.d} SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled +declare _check_is_disabled_global +_FILE_IGNORE_ALL=false readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } @@ -44,6 +46,11 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then + if _in_array "$check" "${_check_is_disabled_global[@]}"; then + return 1 + fi + fi if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi @@ -70,10 +77,18 @@ _ignore_lint() { local checks line="$1" if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then - # Start of an ignore block - _IGNORE_LINT_BLOCK=true + # Start of an ignore block (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + # Treat as file-wide ignore + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + _IGNORE_LINT_BLOCK=false + return 0 + fi + _IGNORE_LINT_BLOCK=true + _check_is_disabled=("${_parsed[@]}") elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then # New paragraph, end of block @@ -81,22 +96,33 @@ _ignore_lint() { _check_is_disabled=() elif [[ $_IGNORE_LINT_BLOCK == true ]]; then - # Nothing to do, we are in a block + # Nothing to do, we are in a block/paragraph return 0 elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then - # Inline ignore + # Inline ignore (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + return 0 + fi + _check_is_disabled=("${_parsed[@]}") else - _check_is_disabled=() + # Do not clear if file-wide ignore is set + if ! $_FILE_IGNORE_ALL; then + _check_is_disabled=() + fi fi } _check() { local file="$1" - local line_number=0 + line_number=0 + _FILE_IGNORE_ALL=false + _check_is_disabled_global=() while IFS= read -r line; do line_number=$((line_number + 1)) From c239203e724df124cd0c0e4a35794e661a84b065 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:55:42 +0200 Subject: [PATCH 0561/1736] feat(abs): add the tpm abstraction. --- apparmor.d/abstractions/tpm | 16 ++++++++++++++++ apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-s-z/sbctl | 4 +--- 3 files changed, 18 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/tpm diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm new file mode 100644 index 0000000000..ef7b30a2b7 --- /dev/null +++ b/apparmor.d/abstractions/tpm @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016-2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM +# resource manager /dev/tpmrm@{int} + + abi , + + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index d7a72c2365..8447bff3ef 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -20,6 +20,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -133,8 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, /dev/wmi/* r, profile gpg flags=(attach_disconnected,complain) { diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index ef007a32ce..a4fdbac88c 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include + include capability dac_read_search, capability linux_immutable, @@ -34,9 +35,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - /dev/pts/@{int} rw, - /dev/tpmrm@{int} rw, - # File Inherit deny network inet stream, deny network inet6 stream, From 2efdd6f5274af00e48adc4da0ab77e03805191f4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:43:44 +0200 Subject: [PATCH 0562/1736] feat(profile): improve ufw-init fix #843 --- apparmor.d/groups/firewall/ufw-init | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index aae80b87d9..fcb9d8b6c0 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,8 +11,10 @@ profile ufw-init @{exec_path} { include include + capability dac_override, capability dac_read_search, capability net_admin, + capability net_raw, network inet dgram, network inet raw, @@ -27,12 +29,29 @@ profile ufw-init @{exec_path} { @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, + @{bin}/kmod rCx -> kmod, /etc/default/ufw r, /etc/ufw/* r, + @{run}/xtables.lock rwk, + @{PROC}/@{pid}/net/ip_tables_names r, - # @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/x_tables/initstate r, + + include if exists + } profile sysctl { include From 1defbbc416b3fcb74acc8a35707c3c6c1a68ae49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:47:24 +0200 Subject: [PATCH 0563/1736] fix(abs): tmp path for wine tmp data. fix #836 --- apparmor.d/abstractions/wine | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 28d15cf76a..145cd763a0 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,9 +9,9 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/** rwk, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{att}/@{tmp}/.wine-@{uid}/ rw, + owner @{att}/@{tmp}/.wine-@{uid}/** rwk, + owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, From 06d476ccaa5eca22a6c70f1d39c13f8d061b6590 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:48:54 +0200 Subject: [PATCH 0564/1736] fix(profile): att on logind fix #833 --- apparmor.d/groups/systemd/systemd-logind | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 2713546333..05c812b189 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -136,7 +136,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, + @{att}/dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, From 4771e56d88d2e30032cb2de3e71247eee3210ddd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:49:59 +0200 Subject: [PATCH 0565/1736] feat(profile): git: allow transition to github cli. fix #829 --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 0538f5da01..01b491b989 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -65,6 +65,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, + @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, @{lib}/code/extensions/git/dist/askpass.sh rPx, From 5fe9e0ee9e88984b01006fd797e1a386ade091bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:52:40 +0200 Subject: [PATCH 0566/1736] feat(profile): support for Tumbleweed gs path. see #828 --- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/kde/kioworker | 2 +- tests/check.sh | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index acae9b7a13..642d7ef5cb 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -62,7 +62,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 71465df976..0fc81a764d 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,7 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner diff --git a/tests/check.sh b/tests/check.sh index 5b35f88167..b54bc157a2 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -221,6 +221,7 @@ declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" + ["gs"]="gs{,.bin}" ["which"]="which{,.debianutils}" ) _check_equivalent() { From a87449268b227f1242445a9d66f52b62279dac94 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:05:19 +0200 Subject: [PATCH 0567/1736] feat(profile): various improvement for Tumbleweed fix #828 --- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/kde/dolphin | 9 +++++++-- apparmor.d/groups/kde/kwin_x11 | 1 + apparmor.d/groups/kde/okular | 5 ++++- apparmor.d/profiles-g-l/libreoffice | 9 ++++++--- 5 files changed, 19 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index a06a29da47..b448c542d1 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -46,7 +46,7 @@ owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, + owner @{user_config_dirs}/session/*_* rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2d3b099d7f..022c0beecc 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -25,7 +25,11 @@ profile dolphin @{exec_path} { network netlink raw, - signal (send) set=(term) peer=kioworker, + signal send set=hup peer=@{p_systemd}, + signal send set=term peer=kioworker, + + ptrace read peer=@{p_systemd}, + ptrace read peer=okular, @{exec_path} mr, @@ -109,10 +113,11 @@ profile dolphin @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index f4f955a4f6..ac80b3b18a 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -41,6 +41,7 @@ profile kwin_x11 @{exec_path} { /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, + /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index acd9b74303..a2ffad26fc 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -23,6 +23,8 @@ profile okular @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + signal send set=term peer=kioworker, @{exec_path} mr, @@ -69,7 +71,7 @@ profile okular @{exec_path} { owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, @@ -82,6 +84,7 @@ profile okular @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, profile gpg { include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index dfb9361f3b..de1c4a8564 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -78,21 +78,24 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, + /etc/cups/ppd/*.ppd r, /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, - /etc/paperspecs r, /etc/papersize r, + /etc/paperspecs r, /etc/xdg/* r, /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, + + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/soffice.*.lock rwk, owner @{user_config_dirs}/plasma_workspace.notifyrc r, - owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/soffice.binrc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, From e370a66c5be6193117a75e3e7c3f3b0d72564495 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:10:51 +0200 Subject: [PATCH 0568/1736] fix(profile): issues with stacking fix #819 --- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/gnome/gnome-calculator | 2 +- apparmor.d/groups/procps/pgrep | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index cb7edf8229..840500c529 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} { +profile xdg-settings @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 4e83bfb76e..2f1cc0e89f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} { +profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 489f55bd7e..d10c1e772a 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pgrep -profile pgrep @{exec_path} { +profile pgrep @{exec_path} flags=(attach_disconnected) { include include include From fda63da65e42a19f2216ecff92783cfa7675e3bd Mon Sep 17 00:00:00 2001 From: sbrantler Date: Wed, 3 Sep 2025 13:17:58 +0200 Subject: [PATCH 0569/1736] Add xfce-clipman --- apparmor.d/groups/xfce/xfce-clipman | 31 +++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 apparmor.d/groups/xfce/xfce-clipman diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman new file mode 100644 index 0000000000..270f7266fe --- /dev/null +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Sighy Brantler +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xfce4-clipman +profile xfce-clipman @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + + owner @{user_cache_dirs}/xfce4/clipman/ r, + owner @{user_cache_dirs}/xfce4/clipman/* rw, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 0f0082fd5b5fa2bb10244651f4ab81dacb6146c7 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:27:07 -0600 Subject: [PATCH 0570/1736] Add profile for kinit --- apparmor.d/profiles-g-l/kinit | 39 +++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kinit diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit new file mode 100644 index 0000000000..26cdcbd183 --- /dev/null +++ b/apparmor.d/profiles-g-l/kinit @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kinit +profile kinit @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Host keytab file + /etc/krb5.keytab r, + + #User keytab file + /var/lib/krb5/user/*/client.keytab r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor From 4f4f5c464e7b0fb9b2392a0cbaec15b321c379a2 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:27:57 -0600 Subject: [PATCH 0571/1736] Add profile for kdestroy --- apparmor.d/profiles-g-l/kdestroy | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kdestroy diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy new file mode 100644 index 0000000000..1e34b01932 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdestroy @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kdestroy +profile kdestroy @{exec_path} { + include + + @{exec_path} mr, + + #Allow root to destroy other users' creds cache + capability dac_override, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor From a4798a2f383f205584a8cf11f715d4b0b3ea6ceb Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:28:50 -0600 Subject: [PATCH 0572/1736] Add profile for klist --- apparmor.d/profiles-g-l/klist | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apparmor.d/profiles-g-l/klist diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist new file mode 100644 index 0000000000..0dc0c89ba6 --- /dev/null +++ b/apparmor.d/profiles-g-l/klist @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/klist +profile klist @{exec_path} { + include + + @{exec_path} mr, + + #Allow root to list other users' creds cache + capability dac_override, + capability dac_read_search, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Host keytab file + /etc/krb5.keytab r, + + #User keytab file + /var/lib/krb5/user/*/client.keytab rk, + + #Credentials cache + /tmp/krb5cc_* rk, + /tmp/tkt* rk, + + include if exists +} + +# vim:syntax=apparmor From 7a610bb5fa9ad2ae370a71170c4142c0cdc8cdbe Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:37:53 -0600 Subject: [PATCH 0573/1736] Formatting Fix --- apparmor.d/profiles-g-l/kdestroy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy index 1e34b01932..0a4ed9ab5b 100644 --- a/apparmor.d/profiles-g-l/kdestroy +++ b/apparmor.d/profiles-g-l/kdestroy @@ -10,11 +10,11 @@ include profile kdestroy @{exec_path} { include - @{exec_path} mr, - #Allow root to destroy other users' creds cache capability dac_override, + @{exec_path} mr, + #Config Files /etc/krb5.conf r, /etc/krb5.conf.d/{,**} r, From 00f63f77e1881067c3ff447ac2b5dbbaa6fe2db1 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:39:34 -0600 Subject: [PATCH 0574/1736] Formatting Fix --- apparmor.d/profiles-g-l/klist | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 0dc0c89ba6..9deeeedd88 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -10,12 +10,12 @@ include profile klist @{exec_path} { include - @{exec_path} mr, - #Allow root to list other users' creds cache capability dac_override, capability dac_read_search, + @{exec_path} mr, + #Config Files /etc/krb5.conf r, /etc/krb5.conf.d/{,**} r, From c51f189ca0f6723475a0db2d860f58c28ccc8496 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:46:04 -0600 Subject: [PATCH 0575/1736] Use abstractions where possible --- apparmor.d/profiles-g-l/kdestroy | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy index 0a4ed9ab5b..ccc0a2b25a 100644 --- a/apparmor.d/profiles-g-l/kdestroy +++ b/apparmor.d/profiles-g-l/kdestroy @@ -9,16 +9,13 @@ include @{exec_path} = @{bin}/kdestroy profile kdestroy @{exec_path} { include + include #Allow root to destroy other users' creds cache capability dac_override, @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - #Credentials cache /tmp/krb5cc_* rwk, /tmp/tkt* rwk, From 415bd4aa445e587e1e7df523af998c49dcd14758 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:48:57 -0600 Subject: [PATCH 0576/1736] Use abstractions where possible --- apparmor.d/profiles-g-l/kinit | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit index 26cdcbd183..067886f891 100644 --- a/apparmor.d/profiles-g-l/kinit +++ b/apparmor.d/profiles-g-l/kinit @@ -10,6 +10,7 @@ include profile kinit @{exec_path} { include include + include network inet dgram, network inet6 dgram, @@ -19,13 +20,6 @@ profile kinit @{exec_path} { @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - - #Host keytab file - /etc/krb5.keytab r, - #User keytab file /var/lib/krb5/user/*/client.keytab r, From e86f77fa4bfd8a46fea4555f8829231737fcad51 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:50:41 -0600 Subject: [PATCH 0577/1736] Use abstractions where possible --- apparmor.d/profiles-g-l/klist | 7 ------- 1 file changed, 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 9deeeedd88..c9e30b7757 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -16,13 +16,6 @@ profile klist @{exec_path} { @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - - #Host keytab file - /etc/krb5.keytab r, - #User keytab file /var/lib/krb5/user/*/client.keytab rk, From cbc4f19b8bdf264e56e138e36c16b4f3b7bdcc6c Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:10:11 -0600 Subject: [PATCH 0578/1736] Be more specific on client keytab path --- apparmor.d/profiles-g-l/kinit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit index 067886f891..706a11c10a 100644 --- a/apparmor.d/profiles-g-l/kinit +++ b/apparmor.d/profiles-g-l/kinit @@ -21,7 +21,7 @@ profile kinit @{exec_path} { @{exec_path} mr, #User keytab file - /var/lib/krb5/user/*/client.keytab r, + /var/lib/krb5/user/@{uid}/client.keytab r, #Credentials cache /tmp/krb5cc_* rwk, From 9cac4eeb901cfd4b5ce3633c26525ade4ff1afbe Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:11:43 -0600 Subject: [PATCH 0579/1736] Be more specific on client keytab path --- apparmor.d/profiles-g-l/klist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index c9e30b7757..71411ccc92 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -17,7 +17,7 @@ profile klist @{exec_path} { @{exec_path} mr, #User keytab file - /var/lib/krb5/user/*/client.keytab rk, + /var/lib/krb5/user/@{uid}/client.keytab rk, #Credentials cache /tmp/krb5cc_* rk, From b1c0cfdab5ec66b3806117ed0be4d00a701a69e2 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:20:53 -0600 Subject: [PATCH 0580/1736] Use abstractions where possible --- apparmor.d/profiles-g-l/klist | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 71411ccc92..f21f34295e 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/klist profile klist @{exec_path} { include + include #Allow root to list other users' creds cache capability dac_override, From 5c3c1522571432c0d5398959962974d7410de9ba Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:35:36 -0600 Subject: [PATCH 0581/1736] Run kerberos utils in complain mode --- dists/flags/main.flags | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2c01d9553e..cd9a0e5a65 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -185,6 +185,7 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdestroy complain kdump_mem_estimator complain kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected @@ -193,9 +194,11 @@ kernel-install complain kernel-postinst-kdump complain keyboxd complain kglobalacceld complain +kinit complain kio_http_cache_cleaner complain kiod complain kioworker complain +klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain From 0ffc8f9fa6bbfa0af350019a1420c23fdbded7fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:56:44 +0200 Subject: [PATCH 0582/1736] fix: self raised linter issue. --- apparmor.d/groups/cups/cups-backend-pdf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 6f658b0645..21da6bf93e 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -25,7 +25,7 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, From 6400bc725c78d569dc70804e0f9c92d4fb35d787 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 21:20:32 +0200 Subject: [PATCH 0583/1736] tests: update some unit tests to the last changes. --- pkg/prebuild/builder/core_test.go | 48 ++++++++++++++++++++++++++++- pkg/prebuild/directive/dbus.go | 17 +++++++--- pkg/prebuild/directive/dbus_test.go | 8 +++-- 3 files changed, 64 insertions(+), 9 deletions(-) diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index c6c493472d..6bcf74647f 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -253,12 +253,58 @@ dbus send bus=session path=/org/freedesktop/DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), +}`, + }, + { + name: "base-strict-1", + b: Builders["base-strict"], + profile: ` +profile foo { + include +}`, + want: ` +profile foo { + include +}`, + }, + { + name: "attach-1", + b: Builders["attach"], + profile: ` +profile attach-1 flags=(attach_disconnected) { + include + include + include +}`, + want: ` +@{att} = /att/attach-1/ +profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { + include + include + include +}`, + }, + { + name: "attach-2", + b: Builders["attach"], + profile: ` +profile attach-2 flags=(complain) { + include + include + include +}`, + want: ` +@{att} = "" +profile attach-2 flags=(complain) { + include + include + include }`, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 891eb9e1de..4862597bbf 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -135,7 +135,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { } res = append(res, - // DBus.Properties + // DBus.Properties: reply to properties request from anyone &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", @@ -143,7 +143,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, - // DBus.Introspectable + // DBus.Introspectable: allow clients to introspect the service &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", @@ -151,7 +151,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"@{busname}"`, }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", @@ -170,7 +170,14 @@ func (d Dbus) own(rules map[string]string) aa.Rules { func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) - res := aa.Rules{} + res := aa.Rules{ + &aa.Unix{ + Type: "stream", + Address: "none", + PeerLabel: rules["label"], + PeerAddr: "none", + }, + } // Interfaces for _, iface := range interfaces { @@ -198,7 +205,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 0844fd7450..d6e90bb993 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -8,7 +8,7 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include +const dbusOwnSystemd1 = ` include dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} @@ -73,7 +73,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include + want: ` include dbus bind bus=session name=com.rastersoft.ding{,.*}, dbus receive bus=session path=/com/rastersoft/ding{,/**} @@ -120,7 +120,9 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} From c4ebf8903e30ec49a16c7d5aeea74b726aeab8f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 21:43:06 +0200 Subject: [PATCH 0584/1736] tests(builder): cleanup build settings between tests. --- cmd/prebuild/main_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go index d3c28f0253..7bf2c0e1ad 100644 --- a/cmd/prebuild/main_test.go +++ b/cmd/prebuild/main_test.go @@ -10,6 +10,8 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) func chdirGitRoot() { @@ -49,6 +51,8 @@ func Test_main(t *testing.T) { chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + prepare.Prepares = []prepare.Task{} + builder.Builds = []builder.Builder{} prebuild.Distribution = tt.dist main() }) From 237daecedb362bf405b19b5402b5221d78f1f533 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:07:03 +0200 Subject: [PATCH 0585/1736] tests: remove prebuild main test. - the same is tested in the build process - unit test is done in the prebuild pkg --- cmd/prebuild/main_test.go | 60 --------------------------------------- 1 file changed, 60 deletions(-) delete mode 100644 cmd/prebuild/main_test.go diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go deleted file mode 100644 index 7bf2c0e1ad..0000000000 --- a/cmd/prebuild/main_test.go +++ /dev/null @@ -1,60 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "os" - "os/exec" - "testing" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" -) - -func chdirGitRoot() { - cmd := exec.Command("git", "rev-parse", "--show-toplevel") - out, err := cmd.Output() - if err != nil { - panic(err) - } - root := string(out[0 : len(out)-1]) - if err := os.Chdir(root); err != nil { - panic(err) - } -} - -func Test_main(t *testing.T) { - tests := []struct { - name string - dist string - }{ - { - name: "Build for Archlinux", - dist: "arch", - }, - { - name: "Build for Ubuntu", - dist: "ubuntu", - }, - { - name: "Build for Debian", - dist: "debian", - }, - { - name: "Build for OpenSUSE Tumbleweed", - dist: "opensuse", - }, - } - chdirGitRoot() - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - prepare.Prepares = []prepare.Task{} - builder.Builds = []builder.Builder{} - prebuild.Distribution = tt.dist - main() - }) - } -} From 627700a152bbea3fdfd10c4c97009c92b4933bfb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:07:31 +0200 Subject: [PATCH 0586/1736] build: set config for ubuntu 25.10 --- cmd/prebuild/main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 5eb1ab2f25..455621e5ba 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -49,6 +49,9 @@ func init() { case "noble": prebuild.ABI = 4 prebuild.Version = 4.0 + case "questing": + prebuild.ABI = 4 + prebuild.Version = 5.0 } case "debian": From b45e1f36fee6fc038b8867f9ffc62a2ab866e433 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:59:00 +0200 Subject: [PATCH 0587/1736] build: add support for downstream project in some prepare tasks. --- pkg/prebuild/cli/cli.go | 5 ++++- pkg/prebuild/directories.go | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 981331edd2..bf768c050b 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -139,8 +139,11 @@ func Configure() { builder.Register("stacked-dbus") } else { + if !prebuild.DownStream { + prepare.Register("attach") + } builder.Register("attach") - prepare.Register("attach") + } default: diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 37cbc69bca..201d8c841a 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Tells the build we are a downstream project using apparmor.d as dependency + DownStream = false + // Either or not RBAC is enabled RBAC = false From f61f200427be4032873d39add37cf1f3f6796ca8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 23:52:11 +0200 Subject: [PATCH 0588/1736] build: ignore more abstraction for the server edition. --- pkg/prebuild/prepare/server.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go index 85f98e75da..fb9a1f602d 100644 --- a/pkg/prebuild/prepare/server.go +++ b/pkg/prebuild/prepare/server.go @@ -14,6 +14,9 @@ import ( var ( serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", "include ", "include ", "include ", From ca1827ea1207242018ba604c7a789b6beb0992e9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 23:53:02 +0200 Subject: [PATCH 0589/1736] fix: missing attach_disconnected in parrent profile while subprofile was using it. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 866da3d6a4..e5293021c7 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} { +profile su @{exec_path} flags=(attach_disconnected) { include include include From aec8e413b36e0a8845ace7483a2299a9b957dc66 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Thu, 4 Sep 2025 16:58:49 +0200 Subject: [PATCH 0590/1736] fix slurp --- apparmor.d/profiles-s-z/slurp | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index c4250275e5..c795ee08ef 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -16,6 +16,7 @@ profile slurp @{exec_path} { # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, + owner /dev/shm/@{uuid} r, include if exists } From d9ecbdbe4b87418e6ed2e4432240eaadc5bad8ad Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 8 Sep 2025 16:14:44 +0200 Subject: [PATCH 0591/1736] slurp review fixes --- apparmor.d/profiles-s-z/slurp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index c795ee08ef..740af9b7bc 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include + include + include @{exec_path} mr, @@ -16,7 +18,6 @@ profile slurp @{exec_path} { # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, - owner /dev/shm/@{uuid} r, include if exists } From b569d447031d6a8fe31cdfc1fd0a3540e71f1ded Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 22:09:38 +0200 Subject: [PATCH 0592/1736] feat(profile): update apt profiles. --- apparmor.d/abstractions/common/apt | 6 +++++- apparmor.d/groups/apt/apt | 4 +++- apparmor.d/groups/apt/apt-helper | 2 ++ apparmor.d/groups/apt/apt-methods-http | 2 ++ apparmor.d/groups/apt/deb-systemd-invoke | 2 ++ apparmor.d/groups/apt/dpkg | 3 +++ apparmor.d/groups/apt/dpkg-buildflags | 5 ++++- apparmor.d/groups/apt/dpkg-checkbuilddeps | 11 ++++++++--- apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++ apparmor.d/groups/apt/dpkg-scripts | 4 ++++ apparmor.d/groups/apt/unattended-upgrade | 4 ++++ 11 files changed, 44 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index a267fd9098..bec8d9a20a 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -6,6 +6,7 @@ abi , /usr/share/dpkg/cputable r, + /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, /usr/share/dpkg/varianttable r, @@ -19,6 +20,9 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*} r, + /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -26,7 +30,7 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9bdabb1c2e..ade8bee61c 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -147,6 +147,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, + /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, @@ -190,6 +191,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/bunzip2 rix, @{bin}/chmod rix, + @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, @@ -197,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/debian r, + /etc/dpkg/origins/* r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 5a2d7dd55a..f16e98d2f3 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -25,6 +25,8 @@ profile apt-helper @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 61be160dc6..77a418b077 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -74,6 +74,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { @{run}/ubuntu-advantage/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index d2e9e92606..824d3b4dd9 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -15,6 +15,8 @@ profile deb-systemd-invoke @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 2c1ac1ce53..986c6f1880 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -18,6 +18,9 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, + capability sys_ptrace, + + ptrace read peer=apt, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 467d0d50e0..1a4055f77b 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -14,10 +14,13 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { @{exec_path} r, - /etc/dpkg/origins/debian r, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/abitable r, + + /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 6f54d39672..712a74e8ca 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -11,16 +11,21 @@ include profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include include + include @{exec_path} r, - /etc/dpkg/origins/debian r, - - /var/lib/dpkg/status r, + @{bin}/dpkg rPx, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/dpkg/ostable r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /etc/dpkg/origins/* r, + + /var/lib/dpkg/status r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 38a068ac0d..73a4f6c46f 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -2,6 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# TODO: merge with dpkg-scripts + abi , include @@ -16,8 +18,13 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/{,e}grep ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/mkdir ix, @{bin}/deb-systemd-helper Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/dpkg Px -> child-dpkg, @{bin}/deb-systemd-invoke Px, @{bin}/dpkg-divert ix, @{bin}/systemctl Cx -> systemctl, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 8ae76e706c..acde577de1 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -114,6 +114,10 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + ptrace read peer=@{p_systemd}, + @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d501a325f1..ebdc88d085 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -38,6 +38,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, + #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade + @{exec_path} mr, @{bin}/ r, @@ -70,6 +72,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, + /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, @@ -127,6 +130,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, From 394dc54ceb7ff80bbbde064992f1580eee64e0ac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 22:13:12 +0200 Subject: [PATCH 0593/1736] feat(profile): update snap profiles. --- apparmor.d/groups/snap/snap | 31 +++++++++++++++++++++++++-- apparmor.d/groups/snap/snap-update-ns | 4 +++- apparmor.d/groups/snap/snapd | 14 ++++++++---- 3 files changed, 42 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 0d38fc0557..9530b8594b 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -17,13 +17,19 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include include + include capability chown, capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, + capability sys_ptrace, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, ptrace read peer=snap.*, @@ -36,7 +42,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings - #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -59,9 +65,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/unsquashfs rCx -> unsquashfs, @{bin}/xdg-settings rCx -> xdg-settings, - @{lib_dirs}/** mr, + @{bin_dirs}/xdelta3 ix, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, @@ -80,6 +88,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{HOME}/.snap/{,**} rw, @{HOME}/snap/{,**} rw, + @{user_pkg_dirs}/** r, + + owner @{tmp}/read-file@{int}/unpack/{,**} w, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, @@ -176,14 +187,30 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, + network unix stream, + network (send receive) netlink raw, + @{run}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/private rw, include if exists } + profile unsquashfs { + include + + @{bin}/unsquashfs mr, + + /**.snap r, + + owner /tmp/read-file@{int}/unpack/{,**} w, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index e831cc90cd..5d08a4240d 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -34,7 +34,9 @@ profile snap-update-ns @{exec_path} { @{lib_dirs}/**.so* mr, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - /usr/share/xml/iso-codes/ w, + + /usr/share/xml/ r, + /usr/share/xml/iso-codes/ rw, /var/lib/snapd/mount/{,*} r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 4a928e6d41..87e535b3f5 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -97,10 +97,11 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, + /usr/share/dbus-1/{system,session}.d/ rw, + /usr/share/dbus-1/{system,session}.d/snapd* rw, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**} r, - /usr/share/polkit-1/actions/snap.*.policy r, + /usr/share/polkit-1/actions/snap.*.policy* rw, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -190,6 +191,8 @@ profile snapd @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, @@ -229,9 +232,12 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, - @{bin}/tar ix, - owner @{HOME}/snap/*/common/.cache/{,**} r, + @{sh_path} ix, + @{bin}/gzip ix, + @{bin}/tar ix, + + owner @{HOME}/snap/*/{,**} r, include if exists } From f69a7e7213d81ddd0c3c760400edfdc025be05e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:04:36 +0200 Subject: [PATCH 0594/1736] feat(profile): update gnome profiles. --- .../bus/org.gnome.keyring.internal.Prompter | 2 + .../gnome/evolution-addressbook-factory | 2 + .../groups/gnome/evolution-calendar-factory | 1 + apparmor.d/groups/gnome/gdm | 25 ++++++----- apparmor.d/groups/gnome/gdm-generate-config | 3 +- apparmor.d/groups/gnome/gio-launch-desktop | 2 + apparmor.d/groups/gnome/gnome-calculator | 2 + apparmor.d/groups/gnome/gnome-calendar | 15 +++---- apparmor.d/groups/gnome/gnome-control-center | 9 +++- .../groups/gnome/gnome-disk-image-mounter | 7 +++ apparmor.d/groups/gnome/gnome-extension-ding | 4 +- .../groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 9 ++-- apparmor.d/groups/gnome/gnome-session | 10 +++++ apparmor.d/groups/gnome/gnome-shell | 44 ++++++++++--------- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-power | 10 ++++- .../groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/gsd-sharing | 5 +++ apparmor.d/groups/gnome/gsd-usb-protection | 5 +++ apparmor.d/groups/gnome/kgx | 1 + apparmor.d/groups/gnome/localsearch | 7 +++ apparmor.d/groups/gnome/mutter-x11-frames | 1 + apparmor.d/groups/gnome/nautilus | 9 ++++ apparmor.d/groups/gnome/papers | 9 ++++ apparmor.d/groups/gnome/ptyxis | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 11 ++++- apparmor.d/groups/gnome/tracker-extract | 5 +-- apparmor.d/groups/gnome/tracker-miner | 4 +- apparmor.d/tunables/multiarch.d/system-users | 2 +- 32 files changed, 154 insertions(+), 59 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter index 1c3e8f7608..0816b046f2 100644 --- a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -11,6 +11,8 @@ abi , + unix type=stream peer=(label=gnome-keyring-daemon), + dbus send bus=session path=/org/gnome/keyring/Prompter interface=org.gnome.keyring.internal.Prompter member={BeginPrompting,PerformPrompt,StopPrompting} diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index b56af123da..56fd3ce3fc 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -27,7 +27,9 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 3d1d00f286..2ee416bd99 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,6 +12,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 4c84fe822e..3f958cb7ed 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -17,6 +17,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, + capability fowner, capability fsetid, capability kill, capability net_admin, @@ -54,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, @@ -66,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - owner @{GDM_HOME}/block-initial-setup rw, - - @{run}/gdm{3,}/greeter/ rw, - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, - owner @{run}/gdm{3,}.pid rw, - owner @{run}/gdm{3,}/ rw, - owner @{run}/gdm{3,}/custom.conf r, - owner @{run}/gdm{3,}/dbus/ w, - owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - owner @{run}/gdm{3,}/gdm.pid rw, + @{GDM_HOME}/ rw, + @{GDM_HOME}/** rw, + + @{run}/gdm{,3}/ rw, + owner @{run}/gdm{,3}.pid rw, + owner @{run}/gdm{,3}/dbus/ rw, + owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, + + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 6e67866f53..c5e6d4cd57 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -44,8 +44,9 @@ profile gdm-generate-config @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index a3d285e943..eb76f12075 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, + @{lib}/*/** rPx, + @{lib}/* rPx, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2f1cc0e89f..4ab9b165f7 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -20,6 +20,8 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Calculator + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 7d6d5246d5..872fc6858c 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -24,20 +24,19 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 10f3102320..8ef24e9ce5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -41,10 +41,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -53,6 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" @@ -63,6 +65,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 379a887b3e..519a248d82 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,17 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include + include + include + include + include + include include include include + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e47cc66a32..be7edcd794 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -58,8 +58,8 @@ profile gnome-extension-ding @{exec_path} { @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 22c02a97f5..7af7b8b2fd 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -75,6 +75,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{run}/user/@{uid}/gsconnect/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 6752f54d4e..595b3fd480 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -19,12 +19,15 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { capability ipc_lock, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=ssh-agent, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=ssh-agent, + + unix type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} - #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 7bcf804312..257e91c0a5 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -16,6 +16,14 @@ profile gnome-session @{exec_path} { include include + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{shells_path} rix, @@ -64,6 +72,8 @@ profile gnome-session @{exec_path} { owner @{HOME}/ r, + owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7344b735b7..8278ac648c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -24,13 +24,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include include + include include include include @@ -72,6 +72,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager @@ -79,6 +80,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting # Talk with gnome-shell @@ -87,32 +89,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # System bus - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgent - peer=(name=:*, label="@{p_polkitd}"), - dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=:*, label="@{p_polkitd}"), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - member={RegisterWithCapabilities,Unregister} - peer=(name=:*, label=NetworkManager), # Session bus @@ -156,7 +145,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -181,8 +170,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} rCx -> shell, @{bin}/pkexec rCx -> pkexec, - @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{python_path} rCx -> python, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, @@ -278,15 +268,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, + owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, @@ -337,7 +328,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, + @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, @@ -351,6 +344,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -431,6 +426,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile python { + include + include + + # /usr/share/gnome-shell/extensions/{,**} + + include if exists + } + profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index baaac245f3..2474363180 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -45,6 +45,7 @@ profile gnome-software @{exec_path} { @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 5c8ab7c8ab..8aa950e2c0 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -10,6 +10,7 @@ include profile gnome-text-editor @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 83fcbd7c66..35714fa0b7 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,9 +11,9 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 63ab49c5ed..0f77b023e0 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -40,16 +40,22 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label="@{p_upowerd}"), + peer=(name=@{busname}, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Suspend + peer=(name=@{busname}, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 59123f4851..c5be27f270 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStopped} + member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 7b47b06767..b6d90d5e3d 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -31,6 +31,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 + interface=org.freedesktop.NetworkManager.VPN.Connection + member=VpnStateChanged + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 7f03d9fc5d..59e67d9bff 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -16,6 +16,11 @@ profile gsd-usb-protection @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index a32a3d8c34..f843d6c142 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -39,6 +39,7 @@ profile kgx @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index d5700db7c4..c041cdf99b 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -47,6 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, + /etc/fstab r, + # Allow to search user files owner @{HOME}/ r, owner @{HOME}/{,**} r, @@ -57,6 +59,11 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, + owner @{GDM_HOME}/ r, + owner @{GDM_HOME}/*/ r, + owner @{gdm_cache_dirs}/tracker3/{,**} rwk, + owner @{gdm_config_dirs}/user-dirs.dirs r, + @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index ae225aa650..92e619e5c8 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -29,6 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_cache_dirs}//fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d8e7c33416..a91a154a7f 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -66,6 +66,15 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=NameHasOwner peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session + interface=org.freedesktop.Application + member=Open, + + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.Application + member={CommandLine,DescribeAll} + peer=(name=org.gnome.Nautilus, label=nautilus), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 0318c72654..6c4fe6f123 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -20,18 +20,27 @@ profile papers @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 + interface=org.freedesktop.portal.Session + member=Close + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mr, @{open_path} Cx -> open, /usr/share/poppler/{,**} r, + /etc/passwd r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + /tmp/ r, + /var/tmp/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index b0239f4044..ac47b54600 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -16,7 +16,7 @@ profile ptyxis @{exec_path} { unix type=stream peer=(label=ptyxis-agent), - #aa:dbus own bus=session name=org.gnome.Ptyxis + #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 982afd90d4..2735e0c5d8 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -16,10 +16,12 @@ profile ptyxis-agent @{exec_path} { include include - signal send set=hup peer=unconfined, + signal send set=hup peer=@{p_systemd}, ptrace read, + unix type=stream peer=(label=ptyxis), + @{exec_path} mr, @{bin}/podman Px, @@ -42,8 +44,15 @@ profile ptyxis-agent @{exec_path} { unix bind type=stream addr=@@{udbus}/bus/systemd-run/, @{bin}/systemd-run mr, + + # The shell is not confined on purpose. @{bin}/@{shells} Ux, + # Some CLI program can be launched directly from Gnome Shell + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + owner @{run}/user/@{uid}/systemd/private rw, include if exists diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e8612f7b6c..3f9f492818 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -20,6 +21,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -73,9 +75,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 6b358c8b0e..7f7a3a8e4e 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -15,11 +15,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include @@ -86,8 +88,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 1513aae2f2..07450efff5 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,7 +5,7 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ From 009fb9285d497eae14b08032b43f44e81c862823 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:05:34 +0200 Subject: [PATCH 0595/1736] feat(profile): update gvfsd profiles. --- apparmor.d/groups/gvfs/gvfsd-fuse | 12 ++++++++++-- apparmor.d/groups/gvfs/gvfsd-sftp | 20 +++++++++----------- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 ++ 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 2695a1bf70..4741b0f318 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -23,17 +23,25 @@ profile gvfsd-fuse @{exec_path} { dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterFuse - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-sftp), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, + owner @{run}/user/@{uid}/gvfsd-fuse/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 76bb55e986..1019a15251 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -17,28 +17,26 @@ profile gvfsd-sftp @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.{M,m}ountTracker label=gvfsd dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=@{busname}, label=gnome-extension-gsconnect), - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=nautilus), + peer=(name=@{busname}), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskQuestion,AskPassword} + peer=(name=@{busname}), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0dee4e73bb..7f4c207189 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -15,6 +15,7 @@ profile gvfsd-wsdd @{exec_path} { include include + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd @@ -47,6 +48,7 @@ profile gvfsd-wsdd @{exec_path} { @{bin}/env mr, @{bin}/wsdd rPx, + @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/wsdd rw, From fecb4dbca6645341359e367e80d70a5e222f13be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:06:35 +0200 Subject: [PATCH 0596/1736] feat(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 13 +++++++++++++ apparmor.d/groups/flatpak/flatpak-portal | 1 + apparmor.d/groups/flatpak/flatpak-session-helper | 5 +++++ apparmor.d/groups/flatpak/flatpak-system-helper | 1 + 4 files changed, 20 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index e73408a0a0..bd749db409 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -40,6 +40,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak//fusermount), + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -47,6 +50,16 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + + dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper + interface=org.freedesktop.Flatpak.SystemHelper + member=GetRevokefsFd + peer=(name=org.freedesktop.Flatpak.SystemHelper), + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index fdbdb9189f..97f9f4911c 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 162e3b4481..8a8f5afb7c 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -21,6 +21,11 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{shells_path} rUx -> user_unconfined, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index cdfef1bad2..0bd74bdcba 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -34,6 +34,7 @@ profile flatpak-system-helper @{exec_path} { unix type=seqpacket peer=(label=unconfined), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, From d0657d2c26644a386bc0078ec6f83ffebaa1a03e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:10:19 +0200 Subject: [PATCH 0597/1736] feat(profile): update network profiles. --- apparmor.d/groups/network/NetworkManager | 30 ++++++++++++++++++++++ apparmor.d/groups/network/netplan | 9 +++++++ apparmor.d/groups/network/netplan-generate | 2 ++ apparmor.d/groups/network/nmcli | 14 ++++++++++ apparmor.d/groups/network/openvpn | 2 ++ 5 files changed, 57 insertions(+) diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f27449e77f..2959441c4c 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -48,6 +48,23 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=gnome-control-center), + + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=nm-online), + dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action2 @@ -63,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member={InterfacesAdded,InterfacesRemoved} peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=cockpit-bridge), + @{exec_path} mr, @{sh_path} rix, @@ -84,9 +106,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, /usr/share/netplan/netplan.script rPx, + @{lib}/netplan/@{int2}-network-manager-all.yaml w, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, + /etc/netplan/ r, + /etc/netplan/90-NM-@{uuid}.yaml r, + @{att}/ r, /etc/ r, @@ -110,7 +137,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/rfkill/ r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @@ -135,6 +164,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index 5855131a8b..a0fad0a937 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -9,9 +9,12 @@ include @{exec_path} = /usr/share/netplan/netplan.script profile netplan @{exec_path} flags=(attach_disconnected) { include + include include include + #aa;dbus owb bus=system name=io.netplan.Netplan + @{exec_path} mr, @{lib}/netplan/generate rPx, @@ -20,6 +23,8 @@ profile netplan @{exec_path} flags=(attach_disconnected) { /usr/share/netplan/{,**} r, + /etc/netplan/{,*} r, + @{run}/netplan/ r, profile udevadm { @@ -42,6 +47,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + + @{run}/udev/control rw, + include if exists } diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 74ed20aafb..cea17b81cb 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -26,6 +26,8 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, + @{run}/NetworkManager/conf.d/netplan.conf rw, + @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 6065a12daf..b4da14960c 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -16,11 +16,25 @@ profile nmcli @{exec_path} { capability sys_nice, #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{pager_path} rPx -> child-pager, + /etc/netplan/* r, + owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index b5a6b83ef2..2a513b84e0 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -66,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, + /dev/net/tun rw, + profile update-resolv { include include From ff8efaecd209909a48bc7cd6677763fb4cd7e19b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:11:25 +0200 Subject: [PATCH 0598/1736] feat(profile): update arch profiles. --- apparmor.d/groups/pacman/pacdiff | 33 +++++++++++++------- apparmor.d/groups/pacman/pacman-hook-systemd | 2 ++ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index cab9eed4b2..eef9926667 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include - include capability dac_read_search, capability mknod, @@ -20,17 +19,18 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/cat rix, - @{bin}/cmp rix, - @{bin}/find rix, - @{bin}/locate rix, - @{bin}/pacman rix, - @{bin}/pacman-conf rPx, - @{bin}/pacsort rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/tput rix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/find ix, + @{bin}/locate ix, + @{bin}/pacman ix, + @{bin}/pacman-conf Px, + @{bin}/pacsort ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tput ix, + @{editor_path} Cx -> editor, # packages files / r, @@ -44,6 +44,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, + profile editor { + include + include + + /etc/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 0878385c54..860fb34eaa 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -46,6 +46,8 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, From 98063fa7711c03f624a149227b2ef3672b866469 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:15:42 +0200 Subject: [PATCH 0599/1736] feat(profile): rewrite the pacman profile. --- apparmor.d/groups/pacman/pacman | 167 +++++++++++++++++++------------- 1 file changed, 101 insertions(+), 66 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 427ac01412..41b45c9d0e 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -46,71 +46,49 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, - - # Pacman hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/appstreamcli rPx, - @{bin}/arch-audit rPx, - @{bin}/archlinux-java rPx, - @{bin}/bootctl rPx, - @{bin}/cert-sync rPx, - @{bin}/checkrebuild rPUx, - @{bin}/dconf rPx, - @{bin}/dot rix, - @{bin}/fc-cache{,-32} rPx, - @{bin}/filecap rix, - @{bin}/gdbus rix, - @{bin}/gdk-pixbuf-query-loaders rPx, - @{bin}/getent rix, - @{bin}/gettext rix, - @{bin}/ghc-pkg-@{version} rPx, - @{bin}/gio-querymodules rPx, - @{bin}/glib-compile-schemas rPx, - @{sbin}/groupadd rPx, - @{bin}/gtk-query-immodules-* rPx, - @{bin}/gtk{,4}-update-icon-cache rPx, - @{sbin}/iconvconfig rix, - @{bin}/install-catalog rPx, - @{bin}/install-info rPx, - @{sbin}/iscsi-iname rix, - @{bin}/journalctl rPx, - @{bin}/killall rix, - @{sbin}/ldconfig rix, - @{sbin}/locale-gen rPx, - @{bin}/limine-install rPUx, - @{bin}/mkinitcpio rPx, - @{sbin}/needrestart rPx, - @{bin}/pacdiff rPx, - @{bin}/pacman-key rPx, - @{bin}/pkgfile rPUx, - @{bin}/pkill rix, - @{bin}/rsync rix, - @{bin}/sbctl rPx, - @{sbin}/setcap rix, - @{bin}/setfacl rix, - @{sbin}/sysctl rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-* rPx, - @{bin}/tput rix, - @{bin}/update-ca-trust rPx, - @{bin}/update-desktop-database rPx, - @{sbin}/update-grub rPx, - @{bin}/update-mime-database rPx, - @{bin}/vercmp rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xmlcatalog rix, - @{lib}/systemd/systemd-* rPx, - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, - @{lib}/vlc/vlc-cache-gen rPx, - /opt/Mullvad*/resources/mullvad-setup rPx, - /usr/share/code-features/patch.py rPx, - /usr/share/code-marketplace/patch.py rPx, - /usr/share/libalpm/scripts/* rPUx, - /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, + # Pacman's keyring + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + + # Common program found in hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/dot ix, + @{bin}/filecap ix, + @{bin}/getent ix, + @{bin}/gettext ix, + @{bin}/gzip ix, + @{bin}/rsync ix, + @{bin}/setfacl ix, + @{bin}/tput ix, + @{bin}/vercmp ix, + @{bin}/which{,.debianutils} ix, + @{bin}/xmlcatalog ix, + @{sbin}/iconvconfig ix, + @{sbin}/iscsi-iname ix, + @{sbin}/setcap ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/killall Cx -> pkill, + @{bin}/kmod Cx -> kmod, + @{bin}/pkill Cx -> pkill, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/ldconfig Cx -> ldconfig, + + #aa:lint ignore=too-wide + # Hooks & install scripts can legitimately start/restart anything + # PU is only used as a safety fallback. + @{bin}/** PUx, + @{sbin}/** PUx, + /opt/*/** PUx, + /etc/** PUx, + /usr/share/** PUx, + + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, + @{lib}/systemd/systemd-* Px, + @{lib}/vlc/vlc-cache-gen Px, # For shell pwd, keept as it can annoy users to see error in pacman output /**/ r, @@ -196,6 +174,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=cont peer=child-pager, signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal receive set=(term winch) peer=makepkg//sudo, @@ -207,11 +187,66 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, include if exists } + profile bus { + include + include + include + + @{bin}/gdbus rix, + + include if exists + } + + profile pkill { + include + include + + @{bin}/killall mr, + @{bin}/pkill mr, + + include if exists + } + + profile kmod { + include + include + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /opt/cuda/**/@{lib}/ r, + /opt/cuda/**/@{lib}/@{multiarch}/ r, + + /etc/ld.so.cache rw, + /etc/ld.so.cache~ rw, + + /var/cache/ldconfig/ rw, + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + include if exists include if exists } From e549863d4adf82147f9c17763cfe367d5ebf746c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:20:27 +0200 Subject: [PATCH 0600/1736] feat(profile): update systemd profiles. --- .../systemd-generator-system-update | 3 ++- apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/systemd-detect-virt | 1 + apparmor.d/groups/systemd/systemd-dissect | 2 +- apparmor.d/groups/systemd/systemd-hostnamed | 2 ++ apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-localed | 14 +++++++++++++- apparmor.d/groups/systemd/systemd-logind | 13 +++++++------ apparmor.d/groups/systemd/systemd-machine-id-setup | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 1 + apparmor.d/groups/systemd/systemd-sleep-hdparm | 2 ++ apparmor.d/groups/systemd/systemd-sleep-sysstat | 3 +++ apparmor.d/groups/systemd/systemd-sleep-upgrades | 1 + apparmor.d/groups/systemd/systemd-timedated | 8 ++++++++ 15 files changed, 45 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update index 557e4ab6e8..9767a2e727 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/status r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index d1ee1141c8..06969ef47e 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -68,7 +68,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 0d46dbfed9..9792fb75f9 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} { +profile localectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index ca6eae3adc..9b49c20fcb 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -45,6 +45,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { deny capability net_admin, deny capability perfmon, + deny network (send receive) netlink raw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 0381b93b11..1bbb918586 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -27,7 +27,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - ptrace read peer=unconfined, + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 01d04989b8..8fae34b296 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -44,6 +44,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_serial r, + @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 2765d8f101..e0a8a2e474 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted network netlink raw, - ptrace (read), + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index e98bef0095..cefab3890f 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -24,18 +24,30 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/cat ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/rm ix, + @{bin}/sort ix, + @{sbin}/locale-gen rPx, + + /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, + /etc/ r, /etc/.#locale.conf@{hex16} rw, + /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, /etc/locale.conf rw, + /etc/locale.gen rw, + /etc/nsswitch.conf r, + /etc/passwd r, /etc/vconsole.conf rw, /etc/X11/xorg.conf.d/ rw, /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 05c812b189..c5e87b3e23 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -124,12 +124,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index c791e63751..a2115a9262 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace (read), + ptrace read, mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index bf983ea7ab..34e7255abb 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_ptrace, network netlink raw, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 4cbe617553..5b9c51dbe8 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,6 +13,8 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, + @{lib}/pm-utils/power.d/*hdparm-apm ix, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index 94e2e8daf7..e29a41a7a9 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, + @{lib}/sysstat/sa{1,2} Px, + @{lib}/sysstat/debian-sa{1,2} Px, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index 4f2cce637d..c2c107b1f9 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index ffed031b5f..b65f2b7afa 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={DisableUnitFiles,EnableUnitFiles} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={JobRemoved,Reload,StartUnit,StopUnit} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, From 43175387474acabd2e877e78f709c13e9643e999 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:21:34 +0200 Subject: [PATCH 0601/1736] feat(profile): update ubuntu profiles. --- apparmor.d/groups/ubuntu/software-properties-dbus | 9 +++++++-- apparmor.d/groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/groups/ubuntu/ubuntu-advantage | 3 ++- apparmor.d/groups/ubuntu/update-notifier | 13 +++++++++++++ 4 files changed, 22 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 8d55ec0b78..cc73877094 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -19,11 +19,16 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=software-properties-gtk), + peer=(name=@{busname}, label=software-properties-gtk), + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload + peer=(name=@{busname}, label=software-properties-gtk), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index af91c7eaa8..cd858737b1 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -44,12 +44,10 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, - /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index e8d847e92e..ea9742d4cd 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -60,9 +60,10 @@ profile ubuntu-advantage @{exec_path} { @{run}/ubuntu-advantage/{,**} rw, - @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 0de63ac64b..4c60b4aafa 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -28,6 +28,11 @@ profile update-notifier @{exec_path} { #aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell + dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending + interface=com.ubuntu.UnattendedUpgrade.Pending + member=Finished + peer=(name=@{busname}, label=unattended-upgrade), + @{exec_path} mr, @{sh_path} rix, @@ -49,6 +54,7 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + @{open_path} Cx -> open, @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, @@ -95,6 +101,13 @@ profile update-notifier @{exec_path} { include if exists } + profile open { + include + include + + include if exists + } + include if exists } From c7b99bb84e9098e57a368c1a237838f11095116d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:26:31 +0200 Subject: [PATCH 0602/1736] feat(profile): update some core profiles. --- apparmor.d/profiles-g-l/kdump-config | 2 + apparmor.d/profiles-g-l/kdump-tools-init | 2 + apparmor.d/profiles-g-l/kdump_mem_estimator | 2 + apparmor.d/profiles-g-l/kernel-postinst-kdump | 8 +++- apparmor.d/profiles-g-l/logrotate | 2 + apparmor.d/profiles-m-r/initramfs-hooks | 6 ++- apparmor.d/profiles-m-r/mdadm | 1 + apparmor.d/profiles-m-r/mkinitramfs | 48 ++++++------------- apparmor.d/profiles-m-r/needrestart | 2 + apparmor.d/profiles-m-r/rsyslogd | 1 + 10 files changed, 37 insertions(+), 37 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2bd8ef6b94..75c5366126 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -72,6 +72,8 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init index b5af4dcc91..7767831a87 100644 --- a/apparmor.d/profiles-g-l/kdump-tools-init +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -29,6 +29,8 @@ profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator index b80a893436..5f85af3fea 100644 --- a/apparmor.d/profiles-g-l/kdump_mem_estimator +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -27,6 +27,8 @@ profile kdump_mem_estimator @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 50606695ab..eb17c5355e 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -31,8 +31,7 @@ profile kernel-postinst-kdump @{exec_path} { / r, - /etc/initramfs-tools/conf.d/{,**} r, - /etc/initramfs-tools/initramfs.conf r, + /etc/initramfs-tools/{,**} r, owner /var/lib/kdump/** rw, @@ -49,6 +48,11 @@ profile kernel-postinst-kdump @{exec_path} { include include + @{sys}/module/*/ r, + @{sys}/module/*/coresize r, + @{sys}/module/*/holders/ r, + @{sys}/module/*/refcnt r, + include if exists } diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 0dee9ed6a0..781a01a278 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -80,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=KillUnit diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 1365367643..89a57310f3 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -10,6 +10,7 @@ include profile initramfs-hooks @{exec_path} { include include + include include @{exec_path} mr, @@ -37,9 +38,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/ r, @{lib}/** mr, + /usr/share/*/initramfs/{,**} r, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, - /usr/share/cryptsetup/initramfs/{,**} r, /etc/console-setup/{,**} r, /etc/cryptsetup-initramfs/{,**} r, @@ -81,8 +82,9 @@ profile initramfs-hooks @{exec_path} { include include - @{bin}/ldd mr, @{bin}/* mr, + @{sbin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, @{lib}/ld-linux.so* mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 4cc5fc9fb3..e40f6b1e3c 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -12,6 +12,7 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, mqueue (read getattr) type=posix /, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index c6caf364f3..d94e5aa447 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -33,6 +33,7 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, + @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -56,10 +57,9 @@ profile mkinitramfs @{exec_path} { @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, - @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, + @{sbin}/blkid rPx, - @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, @@ -113,11 +113,16 @@ profile mkinitramfs @{exec_path} { @{sys}/bus/ r, @{sys}/bus/*/drivers/ r, - @{sys}/devices/platform/ r, - @{sys}/devices/platform/**/ r, - @{sys}/devices/platform/**/modalias r, + @{sys}/devices/ r, + @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + @{sys}/devices/**/uevent r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, + @{sys}/class/ r, + @{sys}/class/*/ r, + + @{sys}/bus/platform/drivers/simple-framebuffer/ r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @@ -129,17 +134,14 @@ profile mkinitramfs @{exec_path} { include include - @{bin}/ldd mr, - @{lib}/@{multiarch}/ld-linux-*so* mr, - @{lib}/ld-linux.so* mr, - - @{sh_path} rix, - @{bin}/kmod mr, - @{lib}/initramfs-tools/bin/* mr, - + @{sh_path} rix, @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/** mr, + include if exists } @@ -160,26 +162,6 @@ profile mkinitramfs @{exec_path} { include if exists } - profile find { - include - include - - @{bin}/find mr, - - # pwd dir - / r, - /etc/ r, - /root/ r, - - /usr/share/initramfs-tools/scripts/{,**/} r, - /etc/initramfs-tools/scripts/{,**/} r, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, - owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, - - include if exists - } - profile kmod { include include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 8c908ddb40..c553937538 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,7 +59,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index ede981f580..c5e5ac051d 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -45,6 +45,7 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } From 1b97efa21595f170d2a9466b91f2ee8a611f5d0e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:27:15 +0200 Subject: [PATCH 0603/1736] feat(abs): add org.gtk.Menus. --- .../abstractions/bus/session/org.gtk.Menus | 18 ++++++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 1 + 2 files changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Menus diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus new file mode 100644 index 0000000000..b21c080671 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Menus @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.gtk.Menus + member={Start,End} + peer=(name=@{busname}), + + dbus send bus=session + interface=org.gtk.Menus + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 356e977056..0b69d8ee1a 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only include + include include @{lib}/{,@{multiarch}/}gtk*/** mr, From 17eac0b62c0ee7dccb0c0c3642b41ce2df238aa7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:30:02 +0200 Subject: [PATCH 0604/1736] feat(abs): add missing dbus rule on org.freedesktop.DBus --- apparmor.d/groups/bus/dbus-session | 6 +++--- apparmor.d/groups/bus/dbus-system | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index cc6b33f61c..27e228e2c1 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -31,10 +31,10 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=session path=/org/freedesktop/DBus + dbus receive bus=session interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 4dec1d4073..235c44cd4f 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -36,8 +36,8 @@ profile dbus-system flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Activator @@ -82,6 +82,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pid}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +92,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, + @{att}/dev/pts/ptmx rw, include if exists } From d32fd036503bd197d649ba85657eaf079854b2c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:30:30 +0200 Subject: [PATCH 0605/1736] feat(profile): improve ibus-portal. --- apparmor.d/groups/bus/ibus-portal | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 53edb4b00b..6ea4891a71 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -15,11 +15,12 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.portal.IBus + #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, From c7e999fe30e5cb43e61cdca01eea3e18fa5fb0c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:32:29 +0200 Subject: [PATCH 0606/1736] feat(profile): update freedesktop profiles. --- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 ++ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-desktop-portal-gnome | 10 +++++----- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 12 +++--------- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/freedesktop/xorg | 3 ++- 8 files changed, 19 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 5c7c49c3df..ce1dffd58b 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -21,9 +21,9 @@ profile pulseaudio @{exec_path} { include include include + include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aa78d96675..84d6675de5 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -27,6 +27,7 @@ profile wireplumber @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} + #aa:dbus own bus=session name=org.pipewire.Telephony dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -77,6 +78,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index be66f7484d..c1f255c759 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -21,6 +21,9 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { network unix stream, + #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal + #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 21c99827b5..ec2cc86be3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @@ -101,6 +102,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, + @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ca5f62f820..b6c77f3365 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -16,6 +16,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -24,6 +25,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include network unix stream, @@ -36,17 +38,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll @@ -85,6 +83,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gtkprint@{rand6} r, owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 92e6c94849..9688df798c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -35,18 +35,12 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 840500c529..fd05bcee9a 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} r, + @{sh_path} mr, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index c14af6d6e5..bfec4405c8 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -133,8 +133,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, + /dev/ r, /dev/fb@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, From 4d7e03a9e2f743fc32661c1741ce50f0d99cddd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:34:44 +0200 Subject: [PATCH 0607/1736] feat(profile): add missing grep to locale-gen. --- apparmor.d/groups/utils/locale-gen | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index 3620018a7c..5366f14039 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -18,6 +18,7 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, From e5012e381efa8eefb028f661606aa159e0cd46a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:39:13 +0200 Subject: [PATCH 0608/1736] chore: pids means all pid. --- apparmor.d/groups/_full/sd | 39 +++++++++++++++-------------- apparmor.d/groups/bus/dbus-system | 12 ++++----- apparmor.d/profiles-m-r/needrestart | 12 ++++----- 3 files changed, 32 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 13864f2dd9..ccdbf338b1 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -195,25 +195,26 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{sys}/firmware/efi/efivars/** w, @{sys}/fs/cgroup/{,**} w, - @{PROC}/@{pid}/attr/apparmor/exec w, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map w, - @{PROC}/@{pid}/limits r, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/oom_score_adj rw, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/setgroups r, - @{PROC}/@{pid}/setgroups w, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map r, - @{PROC}/@{pid}/uid_map w, + @{PROC}/@{pids}/attr/apparmor/exec w, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/gid_map w, + @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/loginuid rw, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/oom_score_adj rw, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/setgroups r, + @{PROC}/@{pids}/setgroups w, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/uid_map r, + @{PROC}/@{pids}/uid_map w, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/irq/@{int}/node r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 235c44cd4f..1b62a1086e 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -77,12 +77,12 @@ profile dbus-system flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/oom_score_adj r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/oom_score_adj r, + @{PROC}/@{pids}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c553937538..a09008ac3c 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -56,12 +56,12 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /tmp/@{word10}/ rw, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, From 69fcef01b7b5d9003f902512be3d7c2543da5ce8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:50:23 +0200 Subject: [PATCH 0609/1736] feat(profile): add a large profile for mkosi. --- apparmor.d/profiles-m-r/mkosi | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mkosi diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi new file mode 100644 index 0000000000..f6489a501a --- /dev/null +++ b/apparmor.d/profiles-m-r/mkosi @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is large on purpose: +# - It is required to have a profile for mkosi to allow userns. +# - Mkosi uses a lot of different binaries and scripts inside sandbox. +# - Using the unconfined flag would Pix everything, we do not want that as the +# transitioned profile would have to account for mkosi paths too. + +abi , + +include + +@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi +profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + + all, + userns, + + include if exists +} + +# vim:syntax=apparmor From e09251d2669a0161aef2eb75e5d92c1c74a86f56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:53:00 +0200 Subject: [PATCH 0610/1736] feat(abs): update org.freedesktop.PolicyKit1 --- .../abstractions/bus/org.freedesktop.PolicyKit1 | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 9dfab74815..2a4e8c1e55 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can talk to polkitd's CheckAuthorization API + abi , #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -13,17 +15,13 @@ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), + member={CheckAuthorization,CancelCheckAuthorization} + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name="@{busname}", label="@{p_polkitd}"), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1), + member=RegisterAuthenticationAgentWithOptions + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), include if exists From fce5de8d198df15219422e0b6867609a3f3ee85d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:55:29 +0200 Subject: [PATCH 0611/1736] feat(abs): update org.freedesktop.PackageKit --- .../abstractions/bus/org.freedesktop.PackageKit | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index f6cde20301..a4f9ba9b9f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -2,6 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow communication with PackageKit transactions. Transactions are exported +# with random object paths that currently take the form /@{int}_@{hex8}. + abi , #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd @@ -16,6 +19,14 @@ member=StateHasChanged peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + + dbus receive bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + include if exists # vim:syntax=apparmor From 93c94836e292a2e4b39cea261e6891e30b74d6a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:56:14 +0200 Subject: [PATCH 0612/1736] feat(abs): add snapcraft dbus reference call. --- .../bus/session/io.snapcraft.Launcher | 21 +++++++++++++++++++ .../io.snapcraft.PrivilegedDesktopLauncher | 16 ++++++++++++++ .../bus/session/io.snapcraft.Settings | 16 ++++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.Launcher create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.Settings diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher new file mode 100644 index 0000000000..ca2bf92c81 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal xdg-open + + abi , + + dbus send bus=session path=/ + interface=com.canonical.SafeLauncher + member=OpenURL + peer=(name=@{busname}, label=snap), + + dbus send bus=session path=/io/snapcraft/Launcher + interface=io.snapcraft.Launcher + member={OpenURL,OpenFile} + peer=(name=@{busname}, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher new file mode 100644 index 0000000000..704d9010d1 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can identify and launch other snaps. + + abi , + + dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher + interface=io.snapcraft.PrivilegedDesktopLauncher + member=OpenDesktopEntry + peer=(name=io.snapcraft.Launcher, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings new file mode 100644 index 0000000000..c50753cd6e --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal 'xdg-settings' + + abi , + + dbus send bus=session path=/io/snapcraft/Settings + interface=io.snapcraft.Settings + member={Check,CheckSub,Get,GetSub,Set,SetSub} + peer=(name=io.snapcraft.Settings, label=snap), + + include if exists + +# vim:syntax=apparmor From 8f0ee240007ba41dee39f721bc22fff6163171ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:57:10 +0200 Subject: [PATCH 0613/1736] feat(abs): add org.gtk.vfs.MountOperation --- .../bus/session/org.gtk.vfs.MountOperation | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation new file mode 100644 index 0000000000..ff8c928f8f --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskQuestion,AskPassword} + peer=(name=@{busname}, label=gvfsd-*), + + include if exists + +# vim:syntax=apparmor From 76c5586688218983fe9203fd894e8cc794a895e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:58:11 +0200 Subject: [PATCH 0614/1736] feat(abs): add org.freedesktop.IBus.Portal --- .../bus/session/org.freedesktop.IBus.Portal | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal new file mode 100644 index 0000000000..e7c0f9ceff --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to the IBus portal + + abi , + + dbus send bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.IBus.Portal + member=CreateInputContext + peer=(name=org.freedesktop.portal.IBus), + + dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + include if exists + +# vim:syntax=apparmor From 865bac4cc6a2c7d79a37503b5d02985655a29532 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:59:07 +0200 Subject: [PATCH 0615/1736] feat(abs): update org.freedesktop.ColorManager. --- apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index e230924297..13d1868980 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -16,17 +16,17 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=FindDeviceByProperty - peer=(name="@{busname}", label="@{p_colord}"), + member={FindDeviceByProperty,FindDeviceById} + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), include if exists From 0c90adb24d81bab5f241c853be367e62f8fea01f Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 11 Sep 2025 17:04:37 -0600 Subject: [PATCH 0616/1736] Update mdadm There were lots of missing components of mdadm. I have a few scripts that create and tear down MD RAID arrays. I've ran them all and added the missing entries. Note that mdadm has the ability to run in daemon mode and send mail when an array fails. That's why it requires all the network entries. --- apparmor.d/profiles-m-r/mdadm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index e40f6b1e3c..94a178ce75 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,12 +15,22 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, + capability mknod, + capability net_admin, + + network netlink raw, mqueue (read getattr) type=posix /, @{exec_path} mr, + @{sh_path} rix, + @{bin}/sendmail rPUx, + + /etc/mdadm.conf r, + @{run}/initctl r, + @{run}/mdadm/* rwk, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, @@ -27,13 +38,17 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/virtual/block/md*/** rw, + @{sys}/module/md_mod/** rw, @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, @{PROC}/kcore r, @{PROC}/partitions r, + @{PROC}/mdstat rw, /dev/**/ r, + /dev/.tmp.md.* rw, include if exists } From c4bad04fed083d93c51c7040266f2a7bd179b550 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 11 Sep 2025 17:15:32 -0600 Subject: [PATCH 0617/1736] mdadm Make the linter happy :) --- apparmor.d/profiles-m-r/mdadm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 94a178ce75..a3fba94797 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -24,8 +24,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{bin}/sendmail rPUx, + @{sh_path} rix, + @{sbin}/sendmail rPUx, /etc/mdadm.conf r, From 1540315d5caab3d5e6a87dd4c5ea4c31114d1058 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 07:38:44 -0600 Subject: [PATCH 0618/1736] mdadm: include all config file locations pulled from strings --- apparmor.d/profiles-m-r/mdadm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index a3fba94797..b0397eb8d4 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -27,7 +27,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/sendmail rPUx, - /etc/mdadm.conf r, + /etc/{,mdadm/}mdadm.conf r, + /etc/{,mdadm/}mdadm.conf.d/* r, @{run}/initctl r, @{run}/mdadm/* rwk, From 1d2b271dfcf96c739a79d7909161da2396cfc943 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 10:26:41 -0600 Subject: [PATCH 0619/1736] ssh-keygen: allow execution of ssh-sk-helper The ssh-sk-helper profile was added last year but never hooked into the ssh-keygen profile. This is needed for generating SSH keys that live on a yubikey. --- apparmor.d/groups/ssh/ssh-keygen | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 1b6dd5e985..738268b0a4 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,6 +15,8 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, From c67773947ec9951c18fd511093be9bea78aa79de Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 08:09:04 -0600 Subject: [PATCH 0620/1736] ssh: allow ssh to authenticate to remote hosts using kerberos tickets --- apparmor.d/groups/ssh/ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index bf71a8463e..c2926a3a4b 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -12,6 +12,7 @@ profile ssh @{exec_path} { include include include + include include network inet stream, From 53501d8bf4bcf462c643e0c4fd81f4fd82865b79 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 12:25:55 -0600 Subject: [PATCH 0621/1736] ssh: allow ssh to write to the kerberos CC when it picks up a ticket --- apparmor.d/groups/ssh/ssh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index c2926a3a4b..0d68264901 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -44,6 +44,8 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, + owner @{tmp}/krb5cc_* rwk, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, From fda74f574f4c3ec693c20eaaf6a19a737ddee178 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:02:35 +0200 Subject: [PATCH 0622/1736] chore(abs): add some device description. --- apparmor.d/abstractions/dri | 3 +++ apparmor.d/abstractions/nvidia-strict | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index dd8f7b55ac..128da00d08 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -28,8 +28,11 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, + # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, + + # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a7529eb9ae..8fd78a7022 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -36,8 +36,14 @@ owner @{PROC}/@{pid}/task/@{tid}/comm r, /dev/char/195:@{u8} w, # Nvidia graphics devices + + # Nvidia proprietary modset driver /dev/nvidia-modeset rw, + + # Nvidia graphics devices /dev/nvidia@{int} rw, + + # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, From 56948a54eb1461ad4dd8e78a42185bb8e5de4819 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:03:20 +0200 Subject: [PATCH 0623/1736] feat(abs): reorganise the audio abstractions. --- apparmor.d/abstractions/audio-client | 6 ++++++ apparmor.d/abstractions/audio-server | 5 ----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 8261913095..1ebdf4c762 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -57,12 +57,18 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/+sound:card@{int} r, # For sound card + + @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, /dev/snd/controlC@{int} r, + /dev/snd/pcmC@{int}D@{int}[cp] r, + /dev/snd/timer r, include if exists diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 10bcef426e..a7f89b91bc 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -9,11 +9,6 @@ include - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{PROC}/asound/** rw, /dev/admmidi* rw, From 122b004c2e6be12d64f0eb0a3e3835cd0e8fef35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:29:29 +0200 Subject: [PATCH 0624/1736] feat(abs): aff the uinput abs. --- apparmor.d/abstractions/uinput | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 apparmor.d/abstractions/uinput diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput new file mode 100644 index 0000000000..b97d1eb8a6 --- /dev/null +++ b/apparmor.d/abstractions/uinput @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2020 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow write access to the uinput device for emulating input devices from +# userspace for sending input events. + + abi , + + /dev/uinput rw, + /dev/input/uinput rw, + + include if exists + +# vim:syntax=apparmor From 7cf4719728569dc207122236ff5a187ff2375a8f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:35:07 +0200 Subject: [PATCH 0625/1736] feat(abs): add the secrets-service abs. --- .../bus/session/org.freedesktop.Secret | 49 +++++++++++++++++++ apparmor.d/abstractions/secrets-service | 33 +++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Secret create mode 100644 apparmor.d/abstractions/secrets-service diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret new file mode 100644 index 0000000000..8ded1b6d7c --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon + + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus receive bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=ReadAlias + peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=@{busname}, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service new file mode 100644 index 0000000000..71b7c7d825 --- /dev/null +++ b/apparmor.d/abstractions/secrets-service @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + include + + dbus send bus=session path=/org/gnome/keyring/daemon + interface=org.gnome.keyring.Daemon + member=GetEnvironment + peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor From db347d13de5610ddcd0338f23e082a9b0e544f74 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:37:35 +0200 Subject: [PATCH 0626/1736] feat(abs): revisit and restrict the devices-usb abs. --- apparmor.d/abstractions/devices-usb | 13 +++++++++++-- apparmor.d/abstractions/devices-usb-read | 23 +++++++++++++---------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 85f8f6b92e..3361f10ec2 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,13 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow raw access to all connected USB devices + abi , include - /dev/bus/usb/@{int}/@{int} wk, + @{PROC}/tty/drivers r, + + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, + + # Allow access to all ttyUSB devices too + /dev/ttyACM@{int} wk, + /dev/ttyUSB@{int} wk, - @{sys}/devices/**/usb@{int}/{,**} w, + # Allow raw access to USB printers (i.e. for receipt printers in POS systems). + /dev/usb/lp@{int} wk, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 836a5f3c74..ea3131d591 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -3,26 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# Allow detection of usb devices. Leaks plugged in USB device info - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{int}/@{int} r, + abi , @{sys}/class/ r, @{sys}/class/usbmisc/ r, @{sys}/bus/ r, @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/{,**} r, - - @{sys}/devices/**/usb@{int}/{,**} r, + @{sys}/bus/usb/devices/ r, + @{sys}/devices/**/usb@{int}/ r, + @{sys}/devices/**/usb@{int}/** r, # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/b180:@{int} r, # USB block devices + @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems + @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices + + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, include if exists From 26f905bcc2d7e454b66ff0329e4476ede43a97db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:38:34 +0200 Subject: [PATCH 0627/1736] feat(abs): X-strict: use tunables. --- apparmor.d/abstractions/X-strict | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 9330d2223f..a92058206d 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -5,10 +5,10 @@ abi , # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", - unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), + unix type=stream addr=@/tmp/.ICE-unix/@{int}, + unix type=stream addr=@/tmp/.X11-unix/X@{int}, /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions @@ -16,13 +16,13 @@ /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/* rw, + /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/X@{int} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland From 170575fbff343a6c376bbebb9acac171ffbba3b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:40:54 +0200 Subject: [PATCH 0628/1736] feat(abs): ensure graphics devices are in nvidia-strict. --- apparmor.d/abstractions/graphics-full | 6 ------ apparmor.d/abstractions/nvidia-strict | 18 +++++++++++++----- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1e2c97224d..de5f865b52 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -8,13 +8,7 @@ include include - @{sys}/devices/@{pci}/numa_node r, - - @{PROC}/devices r, - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 8fd78a7022..a14691a9cd 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,7 +6,7 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, /usr/share/nvidia/nvidia-application-profiles-* r, @@ -24,13 +24,17 @@ owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, + @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, @@ -43,6 +47,10 @@ # Nvidia graphics devices /dev/nvidia@{int} rw, + # Nvidia's Unified Memory driver + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, + # Nvidia's control device /dev/nvidiactl rw, From 34cc1ab131ef8400a104a2b93131663f3e2f21e8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:42:10 +0200 Subject: [PATCH 0629/1736] feat(abs): graphics: limit access to cpu sys value. --- apparmor.d/abstractions/graphics | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 79872ceb4c..c4edd09b47 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -13,14 +13,22 @@ /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/* r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, + @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node@{int}/cpumap r, include if exists From 51bcdd5e148cc6f44c4ba560c8aede87e437531c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:43:40 +0200 Subject: [PATCH 0630/1736] feat(abs): add the input abs. --- apparmor.d/abstractions/common/app | 5 +---- apparmor.d/abstractions/common/game | 5 +---- apparmor.d/abstractions/input | 26 ++++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 8 deletions(-) create mode 100644 apparmor.d/abstractions/input diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index d0b36188b2..70a50b8c1e 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -26,6 +26,7 @@ include include include + include include include include @@ -72,8 +73,6 @@ @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @@ -143,8 +142,6 @@ owner @{att}/dev/shm/@{uuid} r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 6b97b014c5..753d4cf0bc 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -17,6 +17,7 @@ include include include + include include include @@ -108,11 +109,7 @@ /dev/ r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/js@{int} rw, /dev/tty rw, - /dev/uinput rw, include if exists diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input new file mode 100644 index 0000000000..57905fd0cf --- /dev/null +++ b/apparmor.d/abstractions/input @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2022-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow reading and writing to raw input devices + + abi , + + # network netlink raw, + + # Allow reading for supported event reports for all input devices. See + # https://www.kernel.org/doc/Documentation/input/event-codes.txt + @{sys}/devices/**/input@{int}/capabilities/* r, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/mice rw, + /dev/input/mouse@{int} rw, + + include if exists + +# vim:syntax=apparmor From 8c6b0ce33f12020f067d530e1927310eab721605 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:47:50 +0200 Subject: [PATCH 0631/1736] feat(profile): cleanup profiles using the new abs. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/common/app | 3 +++ apparmor.d/abstractions/common/game | 5 +---- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/steam/steam | 4 +--- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- 6 files changed, 8 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 725b57fca9..efb108586a 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -34,7 +34,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 70a50b8c1e..043ed71254 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,8 +28,11 @@ include include include + include include include + include + include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 753d4cf0bc..2198c8537c 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -20,6 +20,7 @@ include include include + include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -67,9 +68,6 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -80,7 +78,6 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2800a4124d..12c8e2e806 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include + include # Needed for configuring HCI interfaces capability net_admin, @@ -57,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, - /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index abfab75d71..e3fcb1931c 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -41,6 +41,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability sys_ptrace, @@ -245,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, - /dev/uinput w, deny /opt/** r, @@ -353,8 +353,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/version r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 95013d8e0a..33957504c6 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -11,6 +11,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @@ -24,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, - /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists From ad406da5de2a886b916001956ee0ebc0fb463974 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:49:08 +0200 Subject: [PATCH 0632/1736] feat(abs): add org.freedesktop.portal.Settings. --- .../session/org.freedesktop.portal.Settings | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings new file mode 100644 index 0000000000..01cf21c46a --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=ReadAll + peer=(name=@{busname}, label=xdg-desktop-portal), + + include if exists + +# vim:syntax=apparmor From 608ff3db0ce9dece45f437253af461ce5d49e5ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:50:01 +0200 Subject: [PATCH 0633/1736] fix(abs): ColorManager peer name. --- apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 13d1868980..46201fc239 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -16,17 +16,17 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={FindDeviceByProperty,FindDeviceById} - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), include if exists From 4bbe0a1a32072f0224d58d694614664bec56b505 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:55:32 +0200 Subject: [PATCH 0634/1736] feat(abs): use the new secrets-service abstraction. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/profiles-g-l/gitg | 2 +- apparmor.d/profiles-m-r/protonmail | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index efb108586a..2b03d50115 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -40,6 +39,7 @@ include include include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 299d0738b7..38122b7c0c 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,12 +10,12 @@ include profile evolution-source-registry @{exec_path} { include include - include include include include include include + include include network inet stream, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8278ac648c..a86ef9e371 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -27,7 +27,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -43,6 +42,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 2f190dfabb..3a643bad7f 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -15,11 +15,11 @@ profile seahorse @{exec_path} { include include include - include include include include include + include include #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg index ff5e124448..d668fbfd21 100644 --- a/apparmor.d/profiles-g-l/gitg +++ b/apparmor.d/profiles-g-l/gitg @@ -10,10 +10,10 @@ include profile gitg @{exec_path} { include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 0ac23267bc..f5548f6967 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -17,8 +17,8 @@ include profile protonmail @{exec_path} flags=(attach_disconnected) { include include - include include + include network inet stream, network inet dgram, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 17ca1ec5a7..23d13694e7 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 56f5e91b8b..8917fa3a2d 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -23,7 +23,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -33,6 +32,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 3a3a77313f..dc6e4825a7 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -28,6 +27,7 @@ profile vlc @{exec_path} { include include include + include include include From ddfe75f23f4f661027a3e04c55f3f3911909aacc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:05:02 +0200 Subject: [PATCH 0635/1736] refractor(abs): move org.kde.StatusNotifierItem inside the session abs dir. --- .../bus/{ => session}/org.kde.StatusNotifierItem | 7 +------ apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/vlc | 1 + 3 files changed, 3 insertions(+), 7 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.kde.StatusNotifierItem (79%) diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem similarity index 79% rename from apparmor.d/abstractions/bus/org.kde.StatusNotifierItem rename to apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index 87fd06727d..d017d44e3c 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -23,11 +23,6 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f7abf758b1..ee8ee627bf 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -24,7 +24,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index dc6e4825a7..7e9c318660 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -16,6 +16,7 @@ profile vlc @{exec_path} { include include include + include include include include From f199cfe84dbe28b50c3136c738a42f5939c57f3f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:06:51 +0200 Subject: [PATCH 0636/1736] feat(abs): app: minor improvement to common app action. --- apparmor.d/abstractions/common/app | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 043ed71254..a05bc2364e 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -40,7 +40,7 @@ dbus bus=session, dbus bus=system, - /usr/** r, + /usr/** rk, /usr/share/** rk, /etc/{,**} r, @@ -85,6 +85,7 @@ @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, + @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, @@ -96,11 +97,13 @@ @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, From cd6bb7bd52c92085511aced5b6dcec89bf0278ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:09:31 +0200 Subject: [PATCH 0637/1736] feat(abs): add NEEDS-VARIABLE to abs using variable. Will be used by aa-logprof. --- apparmor.d/abstractions/app/chromium | 5 +++++ apparmor.d/abstractions/app/firefox | 4 ++++ apparmor.d/abstractions/common/app | 1 + apparmor.d/abstractions/common/bwrap | 1 + apparmor.d/abstractions/common/chromium | 1 + apparmor.d/abstractions/common/electron | 5 +++++ apparmor.d/abstractions/common/steam-game | 3 +++ 7 files changed, 20 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 2b03d50115..62a8432baa 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -2,6 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 238bf9e8bb..e0321f62fa 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -2,6 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a05bc2364e..5a93050d62 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index da73b82179..2d3ab179f8 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: att # A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 78441fe088..340092f233 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -2,6 +2,7 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/app/chromium instead. diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index b581c90732..253eab72be 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -1,6 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Minimal set of rules for all electron based UI application. It works as a # *function* and requires some variables to be provided as *arguments* and set diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index b60e74a104..851588220c 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: app_dirs +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: share_dirs abi , From 84f3f947cb343c81af50d2cc1868260c7c8ab846 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:11:18 +0200 Subject: [PATCH 0638/1736] feat(abs): improve chromium common. --- apparmor.d/abstractions/common/chromium | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 340092f233..23f4544a34 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -17,9 +17,14 @@ userns, + # Required for dropping into PID namespace. Keep in mind that until the + # process drops this capability it can escape confinement, but once it + # drops CAP_SYS_ADMIN we are ok. + capability sys_admin, + + # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -33,20 +38,22 @@ owner @{tmp}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, + owner @{tmp}/scoped_dir@{rand6}/SS rw, /dev/shm/ r, owner /dev/shm/.@{domain}.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # Allow getting the manufacturer and model of the computer where chromium is currently running. @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, From 31cbe5e2e9fdf0deaceb9bc2adee764809a68a6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 11:33:24 +0200 Subject: [PATCH 0639/1736] fix(profile): revert 06d476c fix #855 --- apparmor.d/groups/systemd/systemd-logind | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index c5e87b3e23..6b102829da 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -137,7 +137,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, + /dev/dri/card@{int} rw, @{att}/dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, From bd487d1b6653d0db9304873a9e52642b56b2f207 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 11:58:25 +0200 Subject: [PATCH 0640/1736] fear(profile): remove profile for spectre-meltdown-checker. --- .../profiles-s-z/spectre-meltdown-checker | 186 ------------------ 1 file changed, 186 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/spectre-meltdown-checker diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker deleted file mode 100644 index 6e5af12885..0000000000 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ /dev/null @@ -1,186 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} -profile spectre-meltdown-checker @{exec_path} { - include - include - - # Needed to read the /dev/cpu/@{int}/msr device - capability sys_rawio, - - # Needed to read system logs - capability syslog, - - # Used by readlink - capability sys_ptrace, - ptrace (read), - - @{exec_path} r, - - @{bin}/ r, - @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/{,@{multiarch}-}readelf rix, - @{bin}/{,@{multiarch}-}strings rix, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/bunzip2 rix, - @{bin}/cat rix, - @{bin}/ccache rCx -> ccache, - @{bin}/cut rix, - @{bin}/date rix, - @{bin}/dd rix, - @{bin}/dirname rix, - @{bin}/dmesg rix, - @{bin}/find rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/head rix, - @{bin}/id rix, - @{sbin}/iucode_tool rix, - @{bin}/kmod rCx -> kmod, - @{bin}/lzop rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/nproc rix, - @{bin}/od rix, - @{bin}/perl rix, - @{bin}/pgrep rCx -> pgrep, - @{sbin}/rdmsr rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/sort rix, - @{bin}/stat rix, - @{bin}/tail rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/unzip rix, - @{bin}/xargs rix, - @{bin}/xz rix, - @{bin}/zstd rix, - - # To fetch MCE.db from the MCExtractor project - @{bin}/wget rCx -> mcedb, - @{bin}/sqlite3 rCx -> mcedb, - owner @{tmp}/mcedb-* rw, - owner @{tmp}/smc-* rw, - owner @{tmp}/{,smc-}intelfw-*/ rw, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, - - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{config,kernel}-* rw, - - owner /dev/cpu/@{int}/cpuid r, - owner /dev/cpu/@{int}/msr rw, - owner /dev/kmsg r, - - @{efi}/ r, - @{efi}/config r, - @{efi}/System.map-* r, - @{efi}/vmlinuz-* r, - - @{sys}/devices/system/cpu/vulnerabilities/* r, - @{sys}/module/kvm_intel/parameters/ept r, - - @{PROC}/ r, - @{PROC}/config.gz r, - @{PROC}/cmdline r, - @{PROC}/kallsyms r, - @{PROC}/modules r, - - # find and denoise - @{PROC}/@{pids}/{status,exe} r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/*/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # For shell pwd - /root/ r, - /etc/ r, - - profile ccache { - include - - @{bin}/ccache mr, - - @{lib}/llvm-[0-9]*/bin/clang rix, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/{,@{multiarch}-}g++-[0-9]* rix, - - /media/ccache/*/** rw, - - /etc/debian_version r, - - include if exists - } - - profile pgrep { - include - include - - include if exists - } - - profile mcedb { - include - include - include - include - - deny capability net_admin, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{bin}/wget mr, - @{bin}/sqlite3 mr, - - /etc/wgetrc r, - owner @{HOME}/.wget-hsts rwk, - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{,smc-}mcedb-* rwk, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - - /usr/share/publicsuffix/public_suffix_list.* r, - - include if exists - } - - profile kmod { - include - include - - capability sys_module, - - owner @{sys}/module/cpuid/** r, - owner @{sys}/module/msr/** r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor From 4982ff104ddf57c7e92d4fcff5f33437bf71cbaa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 12:03:00 +0200 Subject: [PATCH 0641/1736] feat(profile): remove rules not needed anymore Moved into the nvidia-strict abs. --- apparmor.d/profiles-m-r/nvidia-settings | 2 -- apparmor.d/profiles-m-r/nvidia-smi | 2 -- apparmor.d/profiles-m-r/nvtop | 3 +-- 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 771bbb3b64..893770a4b3 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -33,8 +33,6 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} r, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 1d6d62e2bd..eb42bd59bb 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -26,8 +26,6 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index d0553d1864..fc51b5b9e3 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, @@ -54,7 +54,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, From 34aa208ec98f3baafd7042543f79929f5658dc91 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 16:11:16 +0200 Subject: [PATCH 0642/1736] refractor(abs): reorganize dbus abstraction (1) --- .../abstractions/bus/org.freedesktop.resolve1 | 16 ---------------- .../bus/{ => system}/org.freedesktop.locale1 | 3 +-- .../bus/{ => system}/org.gnome.DisplayManager | 4 ++-- apparmor.d/groups/flatpak/flatpak | 2 +- .../groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/kde/startplasma | 2 +- 9 files changed, 9 insertions(+), 26 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.resolve1 rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.locale1 (70%) rename apparmor.d/abstractions/bus/{ => system}/org.gnome.DisplayManager (73%) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 deleted file mode 100644 index fe6d52dc67..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} - peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 similarity index 70% rename from apparmor.d/abstractions/bus/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.locale1 index 1348c8a39b..e2377a14bc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 @@ -4,12 +4,11 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager similarity index 73% rename from apparmor.d/abstractions/bus/org.gnome.DisplayManager rename to apparmor.d/abstractions/bus/system/org.gnome.DisplayManager index 741631f4b6..4833b1512e 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,6 @@ member=RegisterDisplay peer=(name="@{busname}", label=gdm), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index bd749db409..4ef675aef0 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -13,7 +13,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 56fd3ce3fc..adf2aa2640 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,7 +11,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index c08d12a07d..5d2e3e21ea 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,8 +11,8 @@ profile gdm-session @{exec_path} { include include include - include include + include signal receive set=(hup term) peer=gdm-session-worker, signal receive set=(term) peer=gdm, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a86ef9e371..1fb7efd7df 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -23,7 +23,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index cbb8ccf714..80f19f93a7 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -14,7 +14,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index a8c8cbd13d..64e332dc5b 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -12,7 +12,7 @@ profile startplasma @{exec_path} { include include include - include + include include include From 3c49755d189be4fa86c714b22ba5d175bf1901c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 23:52:37 +0200 Subject: [PATCH 0643/1736] refractor(abs): reorganize dbus abstraction (2) - new upower-observe abstraction --- apparmor.d/abstractions/app/chromium | 5 ++--- .../bus/{ => session}/org.gnome.ArchiveManager1 | 2 +- .../org.gnome.Nautilus.FileOperations2 | 2 +- .../bus/{ => system}/org.freedesktop.ColorManager | 4 ++-- .../bus/{ => system}/org.freedesktop.UPower | 2 +- apparmor.d/groups/cups/cupsd | 11 +---------- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/wireplumber | 3 ++- apparmor.d/groups/gnome/gnome-extension-ding | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 14 +++++++++++--- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/localsearch | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 4 ++-- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/sddm-greeter | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- 22 files changed, 37 insertions(+), 38 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.ArchiveManager1 (86%) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Nautilus.FileOperations2 (76%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.ColorManager (90%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.UPower (94%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 62a8432baa..9c5b16eddb 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -27,13 +27,11 @@ include include include - include + include include include - include include include - include include include include @@ -48,6 +46,7 @@ include include include + include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 similarity index 86% rename from apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index 6bfa6114b8..f69667e081 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -11,6 +11,6 @@ member=GetSupportedTypes peer=(name="@{busname}", label="@{p_file_roller}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 similarity index 76% rename from apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 rename to apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 index 178139a8d8..8a3e7d74e9 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 @@ -6,6 +6,6 @@ #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager similarity index 90% rename from apparmor.d/abstractions/bus/org.freedesktop.ColorManager rename to apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager index 46201fc239..4b5dcc746e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager @@ -15,7 +15,7 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=CreateDevice + member={CreateProfile,CreateDevice,DeleteDevice} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager @@ -28,6 +28,6 @@ member={FindDeviceByProperty,FindDeviceById} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower similarity index 94% rename from apparmor.d/abstractions/bus/org.freedesktop.UPower rename to apparmor.d/abstractions/bus/system/org.freedesktop.UPower index 64b400a3e3..aa6a613717 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -29,6 +29,6 @@ member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 642d7ef5cb..0a23ce476a 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -12,7 +12,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include @@ -46,15 +46,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=DeleteDevice - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=FindDeviceById - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 0f6f9abebe..83652914f6 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 84d6675de5..fc9029ef38 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -15,11 +15,12 @@ profile wireplumber @{exec_path} { include include include - include + include include include include include + include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index be7edcd794..e41718803d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,8 +19,8 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1fb7efd7df..d8853aa3b5 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -28,7 +28,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -45,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include capability sys_nice, capability sys_ptrace, @@ -73,17 +73,25 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager + #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications + #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher - #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting + # Talk with gnome-shell + # The strategy with dbus rules in this profile is first to declare all communications + # needed on buses and to limit them only to their profiles in apparmor.d. As such, + # only dbus directive is used for this. Later, some communications could be + # restricted. + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" @@ -95,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.gnome.* label=gnome-* #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus @@ -102,7 +111,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # Session bus dbus send bus=session path=/org/gnome/** diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 7f02d8bf42..32869cdbc3 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -16,7 +16,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -26,6 +25,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0f77b023e0..f3be82dfd1 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index c041cdf99b..66420cace0 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,7 +11,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 7f7a3a8e4e..e7cdc1a388 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,7 +11,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 01706e6492..f40c86e035 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -17,11 +17,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include - include include include include include + include capability wake_alarm, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index ddd14b5c23..192d3f957d 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,15 +13,15 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include - include + include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 45f0d43e9e..cc99072661 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -18,7 +18,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include include @@ -31,6 +30,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include userns, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 08835eaf01..1b8930f06c 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include + include include capability audit_write, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index c9aca546ac..47383bb75d 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -13,13 +13,13 @@ profile sddm-greeter @{exec_path} { include include include - include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index bcdcf108d1..34284388ee 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -17,7 +17,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -26,6 +25,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 178bf28c66..e4e923159c 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -12,8 +12,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include - include include + include capability dac_read_search, capability net_admin, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index b663865e86..4c27ee2cae 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -13,7 +13,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, From 94444077a8be642422836617398638ebc6cafccc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 23:53:05 +0200 Subject: [PATCH 0644/1736] feat(profile): update attachement for gnome-extension-ding --- apparmor.d/groups/gnome/gnome-extension-ding | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e41718803d..400b28b6ee 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,7 +9,7 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com -@{exec_path} = @{share_dirs}/{,app/}ding.js +@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js profile gnome-extension-ding @{exec_path} { include include From e4b6e7e92b80adbb548800663495a3e4e6c8117f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:01:10 +0200 Subject: [PATCH 0645/1736] feat(abs): add the devices-u2f abs. --- apparmor.d/abstractions/app/chromium | 4 +--- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/devices-u2f | 23 +++++++++++++++++++++++ 4 files changed, 26 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/devices-u2f diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 9c5b16eddb..1c504d2a81 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -36,6 +36,7 @@ include include include + include include include include @@ -154,9 +155,7 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/**/report_descriptor r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -181,7 +180,6 @@ owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index e0321f62fa..21534208f3 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -31,6 +31,7 @@ include include include + include include include include @@ -164,7 +165,6 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5a93050d62..e83efdb89c 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -21,6 +21,7 @@ include include include + include include include include @@ -148,7 +149,6 @@ @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, - /dev/hidraw@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f new file mode 100644 index 0000000000..c707d66e04 --- /dev/null +++ b/apparmor.d/abstractions/devices-u2f @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to Universal 2nd Factor (U2F) devices + + abi , + + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + + # Needed for dynamic assignment of U2F devices + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/**/i2c*/**/report_descriptor r, + @{sys}/devices/**/usb@{int}/**/report_descriptor r, + + # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed + /dev/hidraw@{int} rw, + + include if exists + +# vim:syntax=apparmor From 939a2b7f4bd2068746b8be936fe5c66aa2140575 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:01:30 +0200 Subject: [PATCH 0646/1736] feat(abs): add upower-observe --- apparmor.d/abstractions/upower-observe | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 apparmor.d/abstractions/upower-observe diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe new file mode 100644 index 0000000000..67478bb6d4 --- /dev/null +++ b/apparmor.d/abstractions/upower-observe @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can query UPower for power devices, history and statistics. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From 8e73353cc8c2335dfbc92c1e0fdc7628ade4b904 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:09:16 +0200 Subject: [PATCH 0647/1736] feat(abs): add pcscd --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/pcscd | 19 +++++++++++++++++++ apparmor.d/groups/gnome/gsd-smartcard | 6 +++--- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/profiles-m-r/pkcs11-register | 3 +-- apparmor.d/profiles-m-r/rngd | 2 +- 7 files changed, 27 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/pcscd diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 1c504d2a81..6e447bf05f 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -42,6 +42,7 @@ include include include + include include include include @@ -107,7 +108,6 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/{,opensc/}opensc.conf r, / r, owner @{HOME}/ r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 21534208f3..7630b85763 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -37,6 +37,7 @@ include include include + include include include include @@ -80,7 +81,6 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, /etc/lsb-release r, diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd new file mode 100644 index 0000000000..33a981279e --- /dev/null +++ b/apparmor.d/abstractions/pcscd @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows interacting with PC/SC Smart Card Daemon + + abi , + + # Configuration file for OPENSC + /etc/opensc.conf r, + /etc/opensc/opensc.conf r, + + # Socket for communication between PCSCD and PS/SC API library + @{run}/pcscd/pcscd.comm rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 98ce848ba3..d42fb486b6 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,13 +9,14 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -31,7 +32,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 3a643bad7f..1fac28dfa8 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -19,6 +19,7 @@ profile seahorse @{exec_path} { include include include + include include include @@ -34,7 +35,6 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, - /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 989f6ec8bf..d775cafe52 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include + include @{exec_path} mr, - /etc/{,opensc/}opensc.conf r, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index ebbf0a5abc..2e548d40cc 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -12,6 +12,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, @@ -24,7 +25,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, - /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, From 962b372390f837f7162f97fa78fbe4b24204af26 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 01:08:15 +0200 Subject: [PATCH 0648/1736] fix(profile): qemu-ga path on opensuse. --- apparmor.d/profiles-m-r/qemu-ga | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 5173c50d87..f8fd84d3f7 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin profile qemu-ga @{exec_path} { include From 2ceaa16d9a53027a77092739738ec0491e76c39a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:06:06 +0200 Subject: [PATCH 0649/1736] feat(abs): rewrite the avahi abs, add avahi-observe --- apparmor.d/abstractions/app/chromium | 3 +- apparmor.d/abstractions/avahi-observe | 25 +++++++++++++++ .../org.freedesktop.Avahi.AddressResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.DomainBrowser | 25 +++++++++++++++ .../org.freedesktop.Avahi.HostNameResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.RecordBrowser | 25 +++++++++++++++ .../bus/system/org.freedesktop.Avahi.Server | 31 +++++++++++++++++++ .../org.freedesktop.Avahi.ServiceBrowser | 23 ++++++++++++++ .../org.freedesktop.Avahi.ServiceResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.ServiceTypeBrowser | 25 +++++++++++++++ apparmor.d/abstractions/common/app | 2 +- apparmor.d/groups/avahi/avahi-browse | 8 ++--- apparmor.d/groups/avahi/avahi-resolve | 14 ++------- apparmor.d/groups/avahi/avahi-set-host-name | 3 ++ apparmor.d/groups/cups/cups-backend-dnssd | 2 +- apparmor.d/groups/cups/cups-browsed | 4 ++- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/cups/ippfind | 2 +- apparmor.d/groups/freedesktop/colord | 3 +- apparmor.d/groups/freedesktop/geoclue | 3 +- apparmor.d/groups/freedesktop/pulseaudio | 21 +++---------- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- .../gnome/gnome-control-center-goa-helper | 2 +- .../groups/gnome/gsd-print-notifications | 25 +++------------ apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 3 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/murmurd | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- 30 files changed, 267 insertions(+), 71 deletions(-) create mode 100644 apparmor.d/abstractions/avahi-observe create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 6e447bf05f..1635741ed1 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,10 +25,9 @@ abi , include + include include include - include - include include include include diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe new file mode 100644 index 0000000000..aac14fa7dc --- /dev/null +++ b/apparmor.d/abstractions/avahi-observe @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows domain, record, service, and service type browsing as well as address, +# host and service resolving + + abi , + + include + + include + include + include + include + include + include + include + + @{run}/avahi-daemon/socket rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver new file mode 100644 index 0000000000..f6a1a251cd --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Address resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=AddressResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser new file mode 100644 index 0000000000..39f5e4496f --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Domain browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=DomainBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver new file mode 100644 index 0000000000..403a4db0f7 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Hostname resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=HostNameResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser new file mode 100644 index 0000000000..bff079b134 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Record browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server new file mode 100644 index 0000000000..bfc87b3cca --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow service introspection + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + # Allow accessing DBus properties and resolving + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={Get*,Resolve*,IsNSSSupportAvailable} + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow receiving anything from the Avahi server + dbus receive bus=system + interface=org.freedesktop.Avahi.Server + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser new file mode 100644 index 0000000000..6a3b1510d5 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver new file mode 100644 index 0000000000..d90e9ca147 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser new file mode 100644 index 0000000000..93affdc51e --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service type browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceTypeBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index e83efdb89c..091cfbbb42 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -13,6 +13,7 @@ abi , include + include include include include @@ -73,7 +74,6 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 3ac729baa5..805d54b2ba 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -11,14 +11,10 @@ include profile avahi-browse @{exec_path} { include include - include + include + include include - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 1a66b4726b..d45cffca39 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -11,19 +11,11 @@ include profile avahi-resolve @{exec_path} { include include - include + include + include + include include - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Free,HostNameResolverNew} - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Failure,Found} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index dd9eaba6c6..45df7ce939 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +10,8 @@ include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include + include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index 1009a0ef2f..8772006608 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 7330d67c98..1e47287ac1 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -10,8 +10,10 @@ include profile cups-browsed @{exec_path} { include include - include include + include + include + include include include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 0a23ce476a..ec0bbfd678 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -11,7 +11,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index c2a944b112..fe43472374 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -10,7 +10,7 @@ include profile ippfind @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index b3cda6307e..c069b7afd5 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -11,8 +11,9 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index fbc7a7582b..04eeba5216 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -11,9 +11,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { include include include - include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index ce1dffd58b..346ae7257b 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,10 +14,12 @@ profile pulseaudio @{exec_path} { include include include - include - include include include + include + include + include + include include include include @@ -49,26 +51,11 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=ItemRemove - peer=(name=:*, label="@{p_avahi_daemon}"), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member={Found,Free} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index c1f255c759..fafdea3a52 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -14,7 +14,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 8ef24e9ce5..b4128b1af6 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,11 +10,11 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include + include include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 1fa7d70503..21a326fe65 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include + include include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index c5be27f270..5d037961f4 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,11 +9,14 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include - include include include - include include + include + include + include + include + include include include @@ -38,24 +41,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=RecordBrowserNew - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - dbus send bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - - dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member={CacheExhausted,ItemNew} - peer=(name=@{busname}, label=avahi-daemon), - dbus receive bus=system path=/Client4/RecordBrowser3 - interface=org.freedesktop.Avahi.RecordBrowser - member=ItemNew - peer=(name=@{busname}, label=avahi-daemon), - @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 1fac28dfa8..96b60ab722 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,11 +9,11 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include + include include include include include - include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index ab786106c6..a4eb428216 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,9 +12,10 @@ profile gvfsd-dnssd @{exec_path} { include include include - include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index de1c4a8564..63f348f9b1 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,11 +11,11 @@ include profile libreoffice @{exec_path} { include include + include include include include include - include include include include diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 2065dd8141..e0bd8d9762 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -10,7 +10,7 @@ include profile murmurd @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 23d13694e7..90db69a139 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -10,11 +10,11 @@ include profile remmina @{exec_path} { include include + include include include include include - include include include include From 63c9c8cc2da2085d884e80ca42f9c624106367dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:11:23 +0200 Subject: [PATCH 0650/1736] refractor(abs): move org.kde.kwalletd --- apparmor.d/abstractions/bus/{ => session}/org.kde.kwalletd | 4 ++-- apparmor.d/abstractions/secrets-service | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.kde.kwalletd (50%) diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/session/org.kde.kwalletd similarity index 50% rename from apparmor.d/abstractions/bus/org.kde.kwalletd rename to apparmor.d/abstractions/bus/session/org.kde.kwalletd index 1ae5a1ace2..0afce1cdf5 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/session/org.kde.kwalletd @@ -1,9 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service index 71b7c7d825..083672cc92 100644 --- a/apparmor.d/abstractions/secrets-service +++ b/apparmor.d/abstractions/secrets-service @@ -22,6 +22,7 @@ abi , include + include dbus send bus=session path=/org/gnome/keyring/daemon interface=org.gnome.keyring.Daemon From b471f8359a29e79d14f7e66648a136a85eaad3d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:14:18 +0200 Subject: [PATCH 0651/1736] feat(profile): update cups-browsed --- apparmor.d/groups/cups/cups-browsed | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 1e47287ac1..ca1dc96308 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/cups-browsed -profile cups-browsed @{exec_path} { +profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include include @@ -18,9 +18,8 @@ profile cups-browsed @{exec_path} { include include -# capability net_admin, + capability net_admin, capability net_bind_service, -# capability sys_nice, network inet dgram, network inet6 dgram, @@ -28,20 +27,12 @@ profile cups-browsed @{exec_path} { network inet6 stream, network netlink raw, - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=:*, label="@{p_avahi_daemon}"), + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), - - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier - member={PrinterDeleted,PrinterStopped} - peer=(name=@{busname}, label=cups-notifier-dbus), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @@ -59,7 +50,7 @@ profile cups-browsed @{exec_path} { owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? + @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, From d9ff4aecd757f41b5b8e401e20611ab3e18862dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:24:49 +0200 Subject: [PATCH 0652/1736] build: add test build target. --- Justfile | 8 ++++++++ pkg/prebuild/cli/cli.go | 6 ++++++ pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 4 files changed, 21 insertions(+) diff --git a/Justfile b/Justfile index 2c4c0e8d44..64e333079c 100644 --- a/Justfile +++ b/Justfile @@ -65,11 +65,19 @@ build: enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in enforce mode (test) +enforce-test: build + @./{{build}}/prebuild --buildir {{build}} --test + # Prebuild the profiles in complain mode [group('build')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in complain mode (test) +complain-test: build + @./{{build}}/prebuild --buildir {{build}} --complain --test + # Prebuild the profiles in FSP mode [group('build')] fsp: build diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index bf768c050b..afed5aedf8 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -37,6 +37,7 @@ Options: -s, --server Set AppArmor for server. -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. + --test Enable test mode. --debug Enable debug mode. ` ) @@ -48,6 +49,7 @@ var ( full bool server bool debug bool + test bool abi int version float64 file string @@ -74,6 +76,7 @@ func init() { flag.StringVar(&buildir, "b", "", "Root build directory.") flag.StringVar(&buildir, "buildir", "", "Root build directory.") flag.BoolVar(&debug, "debug", false, "Enable debug mode.") + flag.BoolVar(&test, "test", false, "Enable test mode.") } func Configure() { @@ -118,6 +121,9 @@ func Configure() { if debug { builder.Register("debug") } + if test { + prebuild.Test = true + } } else if enforce { builder.Register("enforce") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index b6ec56816b..ac632471b9 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -43,6 +43,10 @@ func filterRuleForUs(opt *Option) bool { return true } + if prebuild.Test && slices.Contains(opt.ArgList, "test") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 201d8c841a..486a45d140 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -19,6 +19,9 @@ var ( // Either or not RBAC is enabled RBAC = false + // Either or not we are in test mode + Test = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From 4609595c26bcf1e129f885186784922762f73f5f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:34:04 +0200 Subject: [PATCH 0653/1736] refractor(abs): common/apt -> apt. --- apparmor.d/abstractions/{common => }/apt | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-cache | 2 +- apparmor.d/groups/apt/apt-cdrom | 2 +- apparmor.d/groups/apt/apt-config | 2 +- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/apt-file | 2 +- apparmor.d/groups/apt/apt-forktracer | 2 +- apparmor.d/groups/apt/apt-helper | 2 +- apparmor.d/groups/apt/apt-mark | 2 +- apparmor.d/groups/apt/apt-show-versions | 2 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debtags | 2 +- apparmor.d/groups/apt/dpkg-checkbuilddeps | 2 +- apparmor.d/groups/apt/dpkg-db-backup | 2 +- apparmor.d/groups/apt/dpkg-maintscript-helper | 2 +- apparmor.d/groups/apt/querybts | 6 +++--- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/apt/update-apt-xapian-index | 2 +- apparmor.d/groups/grub/grub-sort-version | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/apt-esm-hook | 2 +- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 +- apparmor.d/groups/ubuntu/apt_news | 2 +- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- apparmor.d/groups/ubuntu/list-oem-metapackages | 2 +- apparmor.d/groups/ubuntu/package-data-downloader | 2 +- apparmor.d/groups/ubuntu/software-properties-dbus | 2 +- apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pycompile | 4 ++-- 43 files changed, 46 insertions(+), 46 deletions(-) rename apparmor.d/abstractions/{common => }/apt (95%) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/apt similarity index 95% rename from apparmor.d/abstractions/common/apt rename to apparmor.d/abstractions/apt index bec8d9a20a..2802ac2a80 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,6 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index ade8bee61c..8581fe7245 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 1251fe4492..afd34f7e5d 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a99b964c73..0ce1462615 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 505a4b0378..834bcbd8cf 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index beb563f31e..6fbfad65ba 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index bc140acd14..6551f21a73 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 2fbb5d95bd..3eec09d60b 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index f16e98d2f3..18b6d72412 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 4af469c306..c174267f59 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 16dc584b33..514b952ff0 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include - include + include include include diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 9254be27da..b3f411c844 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index b42649d7cb..6d09e34c0b 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -12,7 +12,7 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 3e3fd2ab97..53e5964bde 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include + include include - include include #capability sys_tty_config, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 712a74e8ca..297a45f843 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include + include include - include @{exec_path} r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup index d83bdbb45b..8e99e70c50 100644 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/dpkg/dpkg-db-backup profile dpkg-db-backup @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index dfb881e327..aa9232c737 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -21,8 +21,8 @@ profile dpkg-maintscript-helper @{exec_path} { profile dpkg { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 2a2063d8ef..87967d164c 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include + include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a814eaaa97..a6584a23d2 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 36e299a0ce..c482862998 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index ebdc88d085..d2da77bc37 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,11 +10,11 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include include include include include - include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 1fb667fae3..f7b94d68dd 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,10 +9,10 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include include - include include include diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index f829ab3ffa..6ea4f19fb2 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include - include include @{exec_path} r, diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 5e65fe8359..6ece8a60bb 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 93c70329e2..2ebc6a5fa0 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include + include #aa:only apt include include include @@ -18,7 +19,6 @@ profile kded @{exec_path} { include include include - include #aa:only apt include include include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 2fa7bb92a7..255dc551ac 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -9,7 +9,7 @@ include @{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index d7480a212f..b6815adeac 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,12 +9,12 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include + include include include include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index a04fc771d4..2555d03731 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2edc099700..e8f03807d4 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 9734803e46..91c8b29cc2 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 65a19e0e04..d0e5c8f1e2 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 2d3eebbc2f..e9c4c9ab31 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index d5ad6e06cf..c85fb9966b 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 91bc4876f7..5e4b09ce31 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -9,8 +9,8 @@ include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include + include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 37f7f72a5b..1703d27cda 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index cc73877094..72e016573a 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index cd858737b1..5111a0278e 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -16,7 +17,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index ea9742d4cd..4ede61bc80 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 34284388ee..d242ae0d67 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -18,7 +19,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 88967baf85..09775cb6f4 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4c60b4aafa..70d980713c 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include + include include include include @@ -16,7 +17,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 19f6a515e1..e5b54c34e6 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include + include #aa:only apt include include include include - include #aa:only apt include include diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index c308dcd915..105264ec2a 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include - include + include include include @@ -32,8 +32,8 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { profile dpkg { include + include include - include capability dac_read_search, From ff21c9157c4608f49f6aa7b12665fd02d0a3922b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:34:32 +0200 Subject: [PATCH 0654/1736] tests(profile): add common autopkgtest paths. --- apparmor.d/abstractions/apt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/apt index 2802ac2a80..25106ad6e5 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,9 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists # vim:syntax=apparmor From bf3b8345fccd475b09da20ded1a9be6e32bd731a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 16:26:28 +0200 Subject: [PATCH 0655/1736] refractor(abs): move gtk bus interfaces. --- .../bus/session/org.gtk.MountOperationHandler | 14 ++++++++++++++ .../org.gtk.Private.RemoteVolumeMonitor | 2 +- .../bus/{ => session}/org.gtk.vfs.Daemon | 6 ++++-- .../bus/{ => session}/org.gtk.vfs.Metadata | 6 +++--- .../bus/session/org.gtk.vfs.MountOperation | 2 +- .../bus/{ => session}/org.gtk.vfs.MountTracker | 10 ++++++---- .../abstractions/bus/session/org.gtk.vfs.Spawner | 14 ++++++++++++++ 7 files changed, 43 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Private.RemoteVolumeMonitor (91%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.Daemon (72%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.Metadata (80%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.MountTracker (89%) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler new file mode 100644 index 0000000000..3fce0d7192 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/MountOperationHandler + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor similarity index 91% rename from apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor index 9060c8c15d..b8160dcb21 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor @@ -19,6 +19,6 @@ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon similarity index 72% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Daemon rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon index 93ad35fe59..edf954ac57 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon @@ -1,7 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Each daemon (main and for mounts) implement this. + abi , dbus send bus=session path=/org/gtk/vfs/Daemon @@ -14,6 +16,6 @@ member=GetConnection peer=(name=@{busname}), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata similarity index 80% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Metadata rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata index ce6e600823..9f1a77daf3 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata @@ -13,13 +13,13 @@ dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member={Set,Move,GetTreeFromDevice,Remove} - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=AttributeChanged - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation index ff8c928f8f..54dfc837f1 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -6,7 +6,7 @@ dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} interface=org.gtk.vfs.MountOperation - member={AskQuestion,AskPassword} + member={AskPassword,AskQuestion} peer=(name=@{busname}, label=gvfsd-*), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker similarity index 89% rename from apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index c455d4f183..107c3dc139 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -2,21 +2,23 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# The mount tracking interface. + abi , dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=ListMountableInfo + member=LookupMount peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=LookupMount + member=ListMounts2 peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=ListMounts2 + member=ListMountableInfo peer=(name="@{busname}", label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mounttracker @@ -24,6 +26,6 @@ member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner new file mode 100644 index 0000000000..71c0dd1579 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor From 5cae18e064f6f3a7eb47b9553af322c781fbb068 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 16:45:54 +0200 Subject: [PATCH 0656/1736] feat(abs): add the gtk-strict abstraction. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/abstractions/lxqt | 2 +- apparmor.d/abstractions/xfce | 2 +- apparmor.d/groups/apt/debconf-frontend | 2 +- apparmor.d/groups/kde/gmenudbusmenuproxy | 1 - apparmor.d/groups/kde/kcminit | 1 - apparmor.d/groups/kde/kconf_update | 1 - apparmor.d/groups/kde/kded | 1 - apparmor.d/groups/kde/kwalletd | 1 - apparmor.d/profiles-m-r/obconf | 2 +- 13 files changed, 8 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 3bfbcc887e..316e7374e7 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -12,7 +12,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 4d2d390ee8..a3afccb761 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3dece8578e..3d4b47f9f1 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index b448c542d1..f00594038a 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index f20c24a323..ba7347d8c1 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 3046c8f6d5..eaf50f6d04 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 6e80839fe7..0a7706fe15 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -14,7 +14,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { include include include - include + include capability dac_read_search, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index b30e39cdcb..f63a832954 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -13,7 +13,6 @@ profile gmenudbusmenuproxy @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 4f8b10a327..59f60c2853 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -11,7 +11,6 @@ profile kcminit @{exec_path} { include include include - include include #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index ee42fef98a..6a01748fd2 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -12,7 +12,6 @@ profile kconf_update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2ebc6a5fa0..ec5a1ee360 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -23,7 +23,6 @@ profile kded @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index de175635a3..baaad7dcb5 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -17,7 +17,6 @@ profile kwalletd @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 7b11aaac5c..d283466f5e 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include From 784ced0da32c3b380b01336f72a20c36de431c6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:08:44 +0200 Subject: [PATCH 0657/1736] feat(abs): reorganise the gtk/gvfs abs. --- .../abstractions/bus/session/org.gtk.vfs.Mountable | 14 ++++++++++++++ .../abstractions/bus/session/org.gtk.vfs.Spawner | 2 +- apparmor.d/abstractions/common/gnome | 1 - apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-dconf | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 1 - apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-x11 | 1 - apparmor.d/groups/flatpak/flatpak | 1 - .../groups/freedesktop/xdg-desktop-portal-gtk | 1 - .../xdg-desktop-portal-rewrite-launchers | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/deja-dup-monitor | 6 +++--- .../groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-alarm-notify | 1 - apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gio-launch-desktop | 3 +-- apparmor.d/groups/gnome/gnome-calendar | 1 - apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-clocks | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - .../groups/gnome/gnome-control-center-goa-helper | 1 - .../gnome/gnome-control-center-search-provider | 1 - apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 7 +++---- apparmor.d/groups/gnome/gnome-extension-gsconnect | 8 ++++---- apparmor.d/groups/gnome/gnome-initial-setup | 1 - apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/gnome-system-monitor | 5 ++--- apparmor.d/groups/gnome/gnome-terminal-server | 1 - apparmor.d/groups/gnome/goa-daemon | 1 - apparmor.d/groups/gnome/goa-identity-service | 2 +- apparmor.d/groups/gnome/gsd-color | 1 - apparmor.d/groups/gnome/gsd-housekeeping | 1 - apparmor.d/groups/gnome/gsd-keyboard | 1 - apparmor.d/groups/gnome/gsd-media-keys | 3 +-- apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/groups/gnome/gsd-wacom | 1 - apparmor.d/groups/gnome/localsearch | 5 ++--- apparmor.d/groups/gnome/mutter-x11-frames | 1 - apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/ptyxis | 1 - apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gnome/seahorse | 1 - apparmor.d/groups/gnome/tracker-extract | 5 ++--- apparmor.d/groups/gnome/tracker-miner | 5 ++--- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/groups/ubuntu/check-new-release-gtk | 1 - apparmor.d/groups/ubuntu/livepatch-notification | 1 - apparmor.d/groups/ubuntu/software-properties-gtk | 1 - .../groups/ubuntu/ubuntu-advantage-notification | 1 - apparmor.d/groups/ubuntu/update-manager | 1 - apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/profiles-a-f/atril | 1 - apparmor.d/profiles-a-f/calibre | 1 - apparmor.d/profiles-a-f/engrampa | 3 +-- apparmor.d/profiles-a-f/file-roller | 2 -- apparmor.d/profiles-g-l/gimp | 1 + apparmor.d/profiles-g-l/libreoffice | 5 ++--- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 1 - apparmor.d/profiles-s-z/spotify | 1 - apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/terminator | 1 - apparmor.d/profiles-s-z/virt-manager | 2 ++ 68 files changed, 57 insertions(+), 88 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable new file mode 100644 index 0000000000..603ef709b5 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner index 71c0dd1579..7090afe24f 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index f0dd20f478..b9f36cf6ce 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -10,7 +10,6 @@ include include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 3fdab031bf..b326138d64 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 817d63175e..bac225ebc2 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,7 +11,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index e900fc3f5a..8bdc3c79cd 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -11,7 +11,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 34d881a8a1..0973fce49e 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -12,7 +12,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 5233f86037..b1f1445b34 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -10,7 +10,7 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 698eeedb67..cf7b40190f 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -13,7 +13,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 4ef675aef0..3fee701a82 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -14,7 +14,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 9688df798c..35199d8595 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -18,7 +18,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 62adb343ba..2fa8cc01fa 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index cf488af63b..1b818267fc 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -11,7 +11,6 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index a0fb366abb..59b3c5d408 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -13,9 +13,9 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index adf2aa2640..1b9051a4a4 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -13,7 +13,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 174cb323f3..9f8c51a75d 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -12,7 +12,6 @@ profile evolution-alarm-notify @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 2ee416bd99..87cce8fbca 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,8 +12,8 @@ profile evolution-calendar-factory @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 38122b7c0c..0732646b5e 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,7 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index eb76f12075..3652dd6e94 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -19,8 +19,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 872fc6858c..2173e3d62c 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,7 +14,6 @@ profile gnome-calendar @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ce936e52d..b5ae5672ab 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -12,7 +12,6 @@ profile gnome-characters @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index bdffedb721..92886c8876 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -12,7 +12,6 @@ profile gnome-clocks @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b4128b1af6..c27f32fec0 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -16,7 +16,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 21a326fe65..aeb59295fb 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -14,7 +14,6 @@ profile gnome-control-center-goa-helper @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 51c8f51075..6d24e72c10 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -11,7 +11,6 @@ profile gnome-control-center-search-provider @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 519a248d82..55d49e250d 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -13,7 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 400b28b6ee..f56af9f679 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -21,10 +21,9 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include - include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7af7b8b2fd..8ac7830ccb 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,10 +21,10 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include - include - include - include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 40b8bc9b5f..7f4b818e36 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -15,7 +15,6 @@ profile gnome-initial-setup @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d8853aa3b5..55e95d0066 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -29,7 +29,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 2474363180..0b1602fbbb 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,7 +13,6 @@ profile gnome-software @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8bcb629a98..152b28ff7d 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -10,9 +10,8 @@ include profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index cda4568c1d..7a9bad4da5 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -14,7 +14,6 @@ profile gnome-terminal-server @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 8176d6c7c7..b7c138285b 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,7 +12,6 @@ profile goa-daemon @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 3992811c24..4509a61591 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1b12a68cda..a0b3fac6bd 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -16,7 +16,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35714fa0b7..8d8b9fc1b6 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -12,7 +12,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 80f19f93a7..f4f2830b8f 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -16,7 +16,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 32869cdbc3..9f6f70fbc4 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -18,8 +18,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index f3be82dfd1..a6165ddcf1 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -22,7 +22,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 484dda29d2..50da29b5fd 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -14,7 +14,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 66420cace0..ea1566757f 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,9 +11,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 92e619e5c8..f50bdbd9be 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -13,7 +13,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index a91a154a7f..07abe1c081 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -18,7 +18,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index ac47b54600..3195d7f030 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 2735e0c5d8..6418193a68 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -10,7 +10,7 @@ include profile ptyxis-agent @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 96b60ab722..090a9cbe70 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -15,7 +15,6 @@ profile seahorse @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 3f9f492818..e200ecb421 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -10,9 +10,8 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e7cdc1a388..85b7b0d534 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,9 +11,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index b6815adeac..0cd509473b 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -14,7 +14,6 @@ profile apport-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index d0e5c8f1e2..5df19d8974 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -13,7 +13,6 @@ profile check-new-release-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 4d5ecb46a0..e003054a5f 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -12,7 +12,6 @@ profile livepatch-notification @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 5111a0278e..2f6398f1eb 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -16,7 +16,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index bf3d4c6c05..093fdbed71 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -12,7 +12,6 @@ profile ubuntu-advantage-notification @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d242ae0d67..a874ca346f 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -18,7 +18,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 70d980713c..f66345b67c 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -15,7 +15,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 284c359110..c95f6be554 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -13,7 +13,6 @@ profile atril @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index bba3dfedba..60843b0a6b 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -16,7 +16,6 @@ profile calibre @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index c302ff4004..8137edd8d1 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -13,8 +13,7 @@ profile engrampa @{exec_path} { include include include - include - include + include include include include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 5ec394807c..3d13b813f7 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 67b625d620..ad324e1532 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,6 +11,7 @@ profile gimp @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 63f348f9b1..bc6516fc25 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -18,9 +18,8 @@ profile libreoffice @{exec_path} { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 90db69a139..b8b361e12f 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,7 @@ profile remmina @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 158ea6a7fa..18e3fc248f 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -18,7 +18,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 8917fa3a2d..f3c4acf4fd 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -24,7 +24,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index ee8ee627bf..a7adf91faf 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -23,7 +23,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 59c78396db..e9baf97e1f 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -13,7 +13,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index f820d29534..9802ecd5a5 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -16,6 +16,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include From 1fba94a197d93e9032a4f99dbe46eca3afaba671 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:14:30 +0200 Subject: [PATCH 0658/1736] feat(profile): update gvfs services to the abs changes. --- .../groups/gvfs/gvfs-afc-volume-monitor | 2 +- .../groups/gvfs/gvfs-goa-volume-monitor | 4 +-- .../groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +- .../groups/gvfs/gvfs-mtp-volume-monitor | 2 +- .../groups/gvfs/gvfs-udisks2-volume-monitor | 4 +-- apparmor.d/groups/gvfs/gvfsd | 8 +++-- apparmor.d/groups/gvfs/gvfsd-admin | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afc | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afp | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afp-browse | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-archive | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-burn | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-cdda | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-computer | 9 ++++++ apparmor.d/groups/gvfs/gvfsd-dav | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-dnssd | 26 +++------------- apparmor.d/groups/gvfs/gvfsd-ftp | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-fuse | 16 +++------- apparmor.d/groups/gvfs/gvfsd-google | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-gphoto2 | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-http | 24 +++++--------- apparmor.d/groups/gvfs/gvfsd-localtest | 3 ++ apparmor.d/groups/gvfs/gvfsd-metadata | 6 +++- apparmor.d/groups/gvfs/gvfsd-mtp | 16 ++++++++-- apparmor.d/groups/gvfs/gvfsd-network | 26 +++------------- apparmor.d/groups/gvfs/gvfsd-nfs | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-recent | 19 +++--------- apparmor.d/groups/gvfs/gvfsd-sftp | 31 ++++++------------- apparmor.d/groups/gvfs/gvfsd-smb | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-smb-browse | 18 +++++------ apparmor.d/groups/gvfs/gvfsd-trash | 22 +++---------- apparmor.d/groups/gvfs/gvfsd-wsdd | 24 +++----------- 32 files changed, 238 insertions(+), 167 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 7f50d8b45c..32136d710c 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -17,7 +17,7 @@ profile gvfs-afc-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 3f2fb01380..017a66e842 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -17,12 +17,12 @@ profile gvfs-goa-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index dd03254b11..ece97e6887 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -21,7 +21,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 6fbbc6092c..fd3b380126 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -20,7 +20,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 4ed214b716..80f7f86a9c 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -35,7 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c124c5855a..e3e3edfaea 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -18,20 +18,22 @@ profile gvfsd @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker + # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), + # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 44248cbe3e..5a1fd1c82d 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-admin @{exec_path} { capability fowner, capability setuid, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, #aa:lint ignore=too-wide diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index 68d4b689ec..da231f469f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index eeaaec0590..db6fe5a480 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index 48680f12f1..a39e257850 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 918841320e..68b1e7765b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -10,9 +10,20 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include + include + include + include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index b70fa71101..09062241ad 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 0648f5dc04..356f8dcd38 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 6eebca7386..667b448c41 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -11,9 +11,18 @@ include profile gvfsd-computer @{exec_path} { include include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 77e1a2f6f6..b335724cbc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include + include + include + include + include include include include @@ -24,6 +28,13 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index a4eb428216..aad9de3a0e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,32 +12,14 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include + include + include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 5b7c833a5e..3b36fc4f1f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include + include + include + include + include include include include @@ -20,6 +24,13 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 4741b0f318..f67068f494 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,7 +11,9 @@ include profile gvfsd-fuse @{exec_path} { include include - include + include + include + include include capability sys_admin, @@ -20,21 +22,13 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterFuse - peer=(name=@{busname}, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-sftp), - @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index eb80f3a7a4..819e84c393 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 688f03c27a..0544000c0c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index f51ef2afe3..2678bde40b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,9 +11,11 @@ include profile gvfsd-http @{exec_path} { include include - include + include + include + include include - include + # include include include include @@ -25,25 +27,15 @@ profile gvfsd-http @{exec_path} { network netlink raw, unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=gnome-extension-gsconnect), #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index 5ffbabb40b..d1af3c60c7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include + include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index f6f3820bb2..8565856d91 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,6 +11,9 @@ include profile gvfsd-metadata @{exec_path} { include include + include + include + include include network netlink raw, @@ -18,11 +21,12 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 3c747b8b3f..8d5ad78c58 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include + include + include + include + include include include include @@ -19,10 +23,18 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - owner @{HOME}/{,**} rw, # FIXME: ? - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 46f543fa43..7874686bc8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,38 +11,20 @@ include profile gvfsd-network @{exec_path} { include include - include - include + include + include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index 575d9de39c..aae859d737 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -10,12 +10,23 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include + include + include + include + include include network inet stream, network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 1219c8cbdd..ca59d75cdc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,27 +11,16 @@ include profile gvfsd-recent @{exec_path} { include include - include - include + include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 1019a15251..862ef88aad 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -11,32 +11,21 @@ include profile gvfsd-sftp @{exec_path} { include include - include + include + include + include include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.{M,m}ountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=@{busname}, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=@{busname}, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} - interface=org.gtk.vfs.MountOperation - member={AskQuestion,AskPassword} - peer=(name=@{busname}), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 24891e9c36..9d99a43af4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index a90cddc504..66099563ee 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,7 +11,9 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include + include + include + include include include include @@ -23,16 +25,12 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index e13f870c72..070c41a840 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,7 +11,9 @@ include profile gvfsd-trash @{exec_path} { include include - include + include + include + include include include include @@ -21,26 +23,12 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 7f4c207189..4ea39c7d0a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -11,32 +11,16 @@ profile gvfsd-wsdd @{exec_path} { include include include - include - include + include + include + include include network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-network), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From 14ec69cd150a8926d52c5e9495edb46e37923c5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:38:02 +0200 Subject: [PATCH 0659/1736] profile(abs): rewrite the way we manage accessibility - Add some missing dbus access - Split bus access in abstractions - Use trough the new accessibility abs. --- apparmor.d/abstractions/accessibility | 15 +++++ .../abstractions/bus/accessibility/org.a11y | 65 +++++++++++++++++++ apparmor.d/abstractions/bus/org.a11y | 63 ------------------ apparmor.d/abstractions/bus/session/org.a11y | 29 +++++++++ 4 files changed, 109 insertions(+), 63 deletions(-) create mode 100644 apparmor.d/abstractions/accessibility create mode 100644 apparmor.d/abstractions/bus/accessibility/org.a11y delete mode 100644 apparmor.d/abstractions/bus/org.a11y create mode 100644 apparmor.d/abstractions/bus/session/org.a11y diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility new file mode 100644 index 0000000000..5bd8c98e7d --- /dev/null +++ b/apparmor.d/abstractions/accessibility @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI + + abi , + + include + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y new file mode 100644 index 0000000000..0145fc494b --- /dev/null +++ b/apparmor.d/abstractions/bus/accessibility/org.a11y @@ -0,0 +1,65 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Allow the accessibility services in the user session to send us any events + + dbus receive bus=accessibility + peer=(label="@{p_at_spi2_registryd}"), + + # Allow querying for capabilities and registering + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member=NotifyListenersSync + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + # org.a11y.atspi is not designed for application isolation and these rules + # can be used to send change events for other processes. + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Event.Object + member=ChildrenChanged + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Accessible + member=Get* + peer=(label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} + interface=org.a11y.atspi.Event.Object + member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved} + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/cache + interface=org.a11y.atspi.Cache + member={AddAccessible,RemoveAccessible} + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y deleted file mode 100644 index c99f5f8bd0..0000000000 --- a/apparmor.d/abstractions/bus/org.a11y +++ /dev/null @@ -1,63 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # Accessibility bus - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - # Session bus - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y new file mode 100644 index 0000000000..8f517fe993 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.a11y @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + include if exists + +# vim:syntax=apparmor From af6fbd2bfdf5a7d158a08f159c534867f5ccc1d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 19:15:43 +0200 Subject: [PATCH 0660/1736] feat(profile): set accessibility use. --- apparmor.d/abstractions/accessibility | 2 +- apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/app/open | 4 +--- apparmor.d/abstractions/common/app | 2 -- apparmor.d/abstractions/common/gnome | 2 -- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/lxqt | 3 ++- apparmor.d/abstractions/xfce | 1 + apparmor.d/groups/bluetooth/blueman | 1 - apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 -- apparmor.d/groups/bus/ibus-x11 | 2 -- apparmor.d/groups/flatpak/flatpak | 2 -- .../groups/freedesktop/polkit-gnome-authentication-agent | 1 - .../groups/freedesktop/polkit-kde-authentication-agent | 2 -- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 -- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 -- apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/evolution-alarm-notify | 2 -- apparmor.d/groups/gnome/gnome-control-center | 2 -- apparmor.d/groups/gnome/gnome-control-center-goa-helper | 2 -- .../groups/gnome/gnome-control-center-print-renderer | 2 -- apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 -- apparmor.d/groups/gnome/gnome-extension-ding | 2 -- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 -- apparmor.d/groups/gnome/gnome-initial-setup | 2 -- apparmor.d/groups/gnome/gnome-session-binary | 2 -- apparmor.d/groups/gnome/gnome-shell | 3 --- apparmor.d/groups/gnome/gnome-terminal-server | 2 -- apparmor.d/groups/gnome/gsd-color | 2 -- apparmor.d/groups/gnome/gsd-keyboard | 2 -- apparmor.d/groups/gnome/gsd-media-keys | 2 -- apparmor.d/groups/gnome/gsd-power | 2 -- apparmor.d/groups/gnome/gsd-wacom | 2 -- apparmor.d/groups/gnome/gsd-xsettings | 2 -- apparmor.d/groups/gnome/loupe | 2 -- apparmor.d/groups/gnome/mutter-x11-frames | 2 -- apparmor.d/groups/gnome/nautilus | 2 -- apparmor.d/groups/gnome/seahorse | 2 -- apparmor.d/groups/kde/DiscoverNotifier | 2 -- apparmor.d/groups/kde/baloorunner | 2 -- apparmor.d/groups/kde/gmenudbusmenuproxy | 2 -- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/kde-powerdevil | 2 -- apparmor.d/groups/kde/kded | 4 +--- apparmor.d/groups/kde/kglobalacceld | 2 -- apparmor.d/groups/kde/konsole | 2 -- apparmor.d/groups/kde/kscreen_backend_launcher | 2 -- apparmor.d/groups/kde/ksmserver | 1 - apparmor.d/groups/kde/ksmserver-logout-greeter | 2 -- apparmor.d/groups/kde/ksplashqml | 2 -- apparmor.d/groups/kde/kstart | 1 - apparmor.d/groups/kde/kwalletd | 2 -- apparmor.d/groups/kde/kwin_wayland | 2 -- apparmor.d/groups/kde/kwin_x11 | 1 - apparmor.d/groups/kde/plasmashell | 2 -- apparmor.d/groups/kde/systemsettings | 2 -- apparmor.d/groups/kde/xembedsniproxy | 2 -- apparmor.d/groups/lxqt/lxqt-globalkeysd | 1 - apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/network/mullvad-gui | 2 -- apparmor.d/groups/systemd/busctl | 2 -- apparmor.d/groups/ubuntu/apport-gtk | 2 -- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 -- apparmor.d/groups/ubuntu/livepatch-notification | 2 -- apparmor.d/groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/groups/ubuntu/ubuntu-advantage-notification | 2 -- apparmor.d/groups/ubuntu/update-manager | 2 -- apparmor.d/groups/ubuntu/update-notifier | 2 -- apparmor.d/groups/xfce/thunar | 1 - apparmor.d/groups/xfce/thunar-volman | 1 - apparmor.d/groups/xfce/xfce-clipman-settings | 1 - apparmor.d/groups/xfce/xfce-notifyd | 1 - apparmor.d/groups/xfce/xfce-panel | 1 - apparmor.d/groups/xfce/xfce-power-manager | 1 - apparmor.d/groups/xfce/xfce-screensaver | 1 - apparmor.d/groups/xfce/xfce-session | 1 - apparmor.d/groups/xfce/xfce-terminal | 1 - apparmor.d/groups/xfce/xfdesktop | 1 - apparmor.d/groups/xfce/xfsettingsd | 1 - apparmor.d/groups/xfce/xfwm | 1 - apparmor.d/profiles-a-f/alacarte | 2 -- apparmor.d/profiles-a-f/atril | 7 +------ apparmor.d/profiles-a-f/calibre | 2 -- apparmor.d/profiles-a-f/engrampa | 2 -- apparmor.d/profiles-a-f/evince | 2 -- apparmor.d/profiles-a-f/evince-previewer | 2 +- apparmor.d/profiles-g-l/kerneloops-applet | 2 -- apparmor.d/profiles-g-l/libreoffice | 2 -- apparmor.d/profiles-m-r/qbittorrent | 2 -- apparmor.d/profiles-m-r/remmina | 2 -- apparmor.d/profiles-m-r/rustdesk | 2 -- apparmor.d/profiles-s-z/YACReaderLibrary | 1 - apparmor.d/profiles-s-z/simple-scan | 2 -- apparmor.d/profiles-s-z/spice-vdagent | 2 -- apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/superproductivity | 2 -- apparmor.d/profiles-s-z/terminator | 2 -- apparmor.d/profiles-s-z/transmission | 2 -- apparmor.d/profiles-s-z/virt-manager | 2 -- apparmor.d/profiles-s-z/vlc | 3 --- apparmor.d/profiles-s-z/wireshark | 1 - 106 files changed, 14 insertions(+), 185 deletions(-) diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility index 5bd8c98e7d..894ee467e4 100644 --- a/apparmor.d/abstractions/accessibility +++ b/apparmor.d/abstractions/accessibility @@ -2,7 +2,7 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow communication with Assistive Technology Service Provider Interface (AT-SPI +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) abi , diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7630b85763..0648e68d16 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -22,7 +22,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 3d91de2351..8dffc39b99 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,8 +7,8 @@ abi , + include include - include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -31,8 +31,6 @@ # if @{DE} == kde include - include - include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 091cfbbb42..28badc6dbf 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -14,10 +14,8 @@ include include - include include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index b9f36cf6ce..6dcb26860f 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,9 +6,7 @@ abi , - include include - include include include include diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 316e7374e7..66742f02a8 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,6 +9,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index a3afccb761..47efde3066 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index f00594038a..17952414c6 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index ba7347d8c1..8d83aefdc8 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -4,8 +4,9 @@ abi , - include + include include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index eaf50f6d04..c7e4642364 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 469fb24a0e..08a553c1d3 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,7 +11,6 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c254fcd2d3..910ae00084 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -11,7 +11,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 0973fce49e..2fa49e50fd 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index cf7b40190f..ce1c2b1083 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,9 +10,7 @@ include profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 3fee701a82..341db555e1 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index f1ca0fd31e..bb48d0c5be 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -13,7 +13,6 @@ include profile polkit-gnome-authentication-agent @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 5e7a75a8db..8a08f02d0b 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index fafdea3a52..031f03ac41 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index b6c77f3365..95daf29355 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 35199d8595..d1ae86e150 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 1b818267fc..feb1b9bd64 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 9f8c51a75d..501685b224 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c27f32fec0..9f78fb4fda 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -11,10 +11,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index aeb59295fb..8b813d2603 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -10,10 +10,8 @@ include profile gnome-control-center-goa-helper @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 59679deb8c..cbd1f1a75b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 55d49e250d..d9959691b8 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f56af9f679..9f848be8e6 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -13,11 +13,9 @@ include profile gnome-extension-ding @{exec_path} { include include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 8ac7830ccb..2592eb77e0 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -13,10 +13,8 @@ include profile gnome-extension-gsconnect @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7f4b818e36..7439e0fb65 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f4c61c5c6c..5359a70df6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 55e95d0066..a82278a6c8 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -10,15 +10,12 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include include include include - include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 7a9bad4da5..fe380daddd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,9 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a0b3fac6bd..0acdbaf389 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -10,10 +10,8 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index f4f2830b8f..b700a7df98 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,10 +10,8 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9f6f70fbc4..3ca105656e 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,10 +10,8 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a6165ddcf1..d20ad65d0b 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,11 +10,9 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 50da29b5fd..0bb1d50d10 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -10,9 +10,7 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 7618dc3b6a..84abb82e01 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index cabcca0628..ea55ee9028 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index f50bdbd9be..d5c83a31b1 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -10,9 +10,7 @@ include profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 07abe1c081..d3906051c2 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,11 +9,9 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 090a9cbe70..c34526ee1e 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -10,10 +10,8 @@ include profile seahorse @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 0965396abf..b5e1b4ae8c 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,10 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 64372f4972..33660a776f 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index f63a832954..dbca9fcf51 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 8258d1bdec..1fdb4b9201 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,9 +10,7 @@ include profile kaccess @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index ead285e5f1..1cc6b41d1e 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,7 +11,6 @@ include profile kactivitymanagerd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index f40c86e035..7d6daeda62 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,10 +11,8 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ec5a1ee360..678c64e71c 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -11,14 +11,12 @@ profile kded @{exec_path} { include include #aa:only apt include - include include include - include - include include include include + include include include include diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index b9c09d0c61..156bdf9281 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include - include include - include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index fa55e177d6..446d8a08d4 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -11,9 +11,7 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 00b4c96307..e44ee1f834 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index f4d54c2954..09a228e29d 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,7 +11,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e46237c2a8..711da6e9d1 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index ea80e28cd8..770625988d 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index fa0f88f754..04d084d0c2 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index baaad7dcb5..0a685d8e54 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,9 +11,7 @@ include profile kwalletd @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index e2e3ecfe0a..224835ac2d 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,10 +10,8 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index ac80b3b18a..8cc233ff2c 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index cc99072661..600d1be483 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,10 +11,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index a78225b675..9558a65282 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,9 +10,7 @@ include profile systemsettings @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 93259822e5..5c36f579ef 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index 8729b1abb1..a9a75aa90b 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-globalkeysd profile lxqt-globalkeysd @{exec_path} { include - include include include diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 085b444b19..910ea7c5fd 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -11,7 +11,6 @@ include profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 639d3ce4bf..132e25e6d7 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,9 +15,7 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include include - include include network inet stream, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 04ed76e721..eed7080f8a 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0cd509473b..6d90cadda2 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -11,9 +11,7 @@ profile apport-gtk @{exec_path} { include include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 5df19d8974..2b7b2b4eee 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,9 +10,7 @@ include profile check-new-release-gtk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index e003054a5f..fb8eb259e1 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 2f6398f1eb..836adbb557 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -11,10 +11,8 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 093fdbed71..a44e226bc9 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index a874ca346f..873f06b675 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -11,10 +11,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index f66345b67c..06e851b451 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,10 +11,8 @@ profile update-notifier @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 2fcd83048e..10096bce25 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar profile thunar @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index fc73a14c9a..41e098548e 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 9e74d80469..021a377b85 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include - include include include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index c594b8ed31..be813a84de 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,7 +10,6 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index b04ed2eb94..00c5d87000 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 91be9eede5..11ccca455a 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -10,7 +10,6 @@ include profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index 2c0f13bc18..e9e19cca58 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index beddcce1f5..be0f5c73d8 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -11,7 +11,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 8d2f06a750..0f88363269 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index ff36e8459b..6bc5ec15c9 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,7 +10,6 @@ include profile xfdesktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 22db3f80d2..d3f88c1962 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,7 +10,6 @@ include profile xfsettingsd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index 7ecd2c8fe5..c41e5254ff 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index b4cfb56e6a..87908dc9e5 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index c95f6be554..55502dd3eb 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,18 +10,13 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include - include include - include include include - include - include - include + include include include include - include network netlink raw, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 60843b0a6b..281d157183 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,9 +12,7 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 8137edd8d1..3e650962fe 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,9 +10,7 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index e07c91f3d9..d6969807f6 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 1597c35af3..dcd28ddc9f 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 758ead716f..d9d5568790 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include include include - include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index bc6516fc25..cc2ee8c2a4 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -12,10 +12,8 @@ profile libreoffice @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 5d9cba0879..e0d430443f 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index b8b361e12f..80e58fd7c4 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -11,10 +11,8 @@ profile remmina @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index acdad56400..3e6791ddcc 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,9 +10,7 @@ include profile rustdesk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 38336fbc73..e6c231df3c 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index f79b284fbb..a005708db5 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/simple-scan profile simple-scan @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 18e3fc248f..2af3f99ae8 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -11,10 +11,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f3c4acf4fd..a3c4b822a3 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,11 +17,9 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include include include - include - include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index a7adf91faf..b84322ae09 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,10 +16,8 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e9baf97e1f..e8a2533b92 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -10,9 +10,7 @@ include profile terminator @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 78d67787dd..9c4a8e6736 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 9802ecd5a5..92dc977d93 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,10 +12,8 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 7e9c318660..bda3010fa0 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,10 +11,7 @@ include profile vlc @{exec_path} { include include - include include - include - include include include include diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index c29543d6b8..a07d6bad14 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -11,7 +11,6 @@ include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include - include include include include From efa28446f930af3032645b0b9e3197f2d439e6e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 19:23:43 +0200 Subject: [PATCH 0661/1736] feat(abs): add bus-session to electron As it is a layer 2 abstraction, we can safelly add it. --- apparmor.d/abstractions/common/electron | 1 + apparmor.d/groups/network/mullvad-gui | 1 - apparmor.d/profiles-a-f/cider | 8 ++------ apparmor.d/profiles-a-f/discord | 1 - apparmor.d/profiles-a-f/element-desktop | 1 - apparmor.d/profiles-a-f/freetube | 1 - apparmor.d/profiles-m-r/protonmail | 1 - apparmor.d/profiles-s-z/session-desktop | 1 - apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 1 - apparmor.d/profiles-s-z/superproductivity | 2 +- 11 files changed, 5 insertions(+), 15 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 253eab72be..dd4976f5eb 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -20,6 +20,7 @@ abi , + include include include include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 132e25e6d7..133e4bc00e 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,7 +15,6 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include include network inet stream, diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 2b203e9890..be59811a15 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -15,15 +15,11 @@ include @{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} { include - include - include + include + include include - include include include - include - include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index e12c25b9d1..0991a243ee 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -17,7 +17,6 @@ include profile discord @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index f87486af35..59cfa3577a 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -16,7 +16,6 @@ include profile element-desktop @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 958f9b5ee1..be75567cd4 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,7 +17,6 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index f5548f6967..8a6a2982ed 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -16,7 +16,6 @@ include @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* profile protonmail @{exec_path} flags=(attach_disconnected) { include - include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index cafccd791d..4fd9dff69b 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -16,7 +16,6 @@ include profile session-desktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 4abe053f65..53f3d20b16 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -17,7 +17,7 @@ include profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a3c4b822a3..f70d4e7c9e 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,7 +17,6 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index b84322ae09..838944aa81 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,7 +16,7 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From 59bdb157cf260eb2dd46651e063c2e226bbe401f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:00:12 +0200 Subject: [PATCH 0662/1736] feat(abs): add the mediakeys abs. --- .../bus/{ => session}/org.gnome.SettingsDaemon.MediaKeys | 0 apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-s-z/spotify | 4 +--- 3 files changed, 2 insertions(+), 4 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.SettingsDaemon.MediaKeys (100%) diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys similarity index 100% rename from apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys rename to apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index d6969807f6..89087df4bc 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -16,6 +16,7 @@ profile evince @{exec_path} { include include include + include include include include @@ -28,7 +29,6 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f70d4e7c9e..052757da24 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -18,14 +18,12 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include - include include - include include include include + include include include include From 4526e96318610985fd66ff7cd5626a63410666da Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:03:22 +0200 Subject: [PATCH 0663/1736] feat(abs): add the gtk-strict abs. --- apparmor.d/abstractions/gtk-strict | 74 ++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 apparmor.d/abstractions/gtk-strict diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict new file mode 100644 index 0000000000..0bf0ab41ca --- /dev/null +++ b/apparmor.d/abstractions/gtk-strict @@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + include + include + + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + /usr/share/gtk-2.0/ r, + /usr/share/gtk-2.0/gtkrc r, + + /usr/share/gtk-3.0/ r, + /usr/share/gtk-3.0/settings.ini r, + + /usr/share/gtk-4.0/ r, + /usr/share/gtk-4.0/settings.ini r, + + /etc/gtk/gtkrc r, + + /etc/gtk-2.0/ r, + /etc/gtk-2.0/gtkrc r, + + /etc/gtk-3.0/ r, + /etc/gtk-3.0/*.conf r, + /etc/gtk-3.0/settings.ini r, + + /etc/gtk-4.0/ r, + /etc/gtk-4.0/*.conf r, + /etc/gtk-4.0/settings.ini r, + + owner @{HOME}/.gtk r, + owner @{HOME}/.gtkrc r, + owner @{HOME}/.gtkrc-2.0 r, + owner @{HOME}/.gtk-bookmarks r, + + owner @{user_cache_dirs}/gtk-4.0/ rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw, + owner @{user_cache_dirs}/gtkrc r, + owner @{user_cache_dirs}/gtkrc-2.0 r, + + owner @{user_config_dirs}/gtk-2.0/ rw, + owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw, + + owner @{user_config_dirs}/gtk-3.0/ rw, + owner @{user_config_dirs}/gtk-3.0/bookmarks r, + owner @{user_config_dirs}/gtk-3.0/colors.css r, + owner @{user_config_dirs}/gtk-3.0/gtk.css r, + owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{user_config_dirs}/gtk-3.0/settings.ini r, + owner @{user_config_dirs}/gtk-3.0/window_decorations.css r, + + owner @{user_config_dirs}/gtk-4.0/ rw, + owner @{user_config_dirs}/gtk-4.0/bookmarks r, + owner @{user_config_dirs}/gtk-4.0/colors.css r, + owner @{user_config_dirs}/gtk-4.0/gtk.css r, + owner @{user_config_dirs}/gtk-4.0/servers r, + owner @{user_config_dirs}/gtk-4.0/settings.ini r, + owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, + + include if exists + +# vim:syntax=apparmor From f3a4372966569d58fd20addc9c2d00a493af85f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:08:51 +0200 Subject: [PATCH 0664/1736] refractor(profile): bus/org.bluez -> bus/system/org.bluez. --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/bus/{ => system}/org.bluez | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/wireplumber | 3 +-- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-m-r/mpris-proxy | 3 +-- apparmor.d/profiles-s-z/spotify | 1 + 10 files changed, 10 insertions(+), 9 deletions(-) rename apparmor.d/abstractions/bus/{ => system}/org.bluez (96%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 1635741ed1..313f516872 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -31,6 +31,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez similarity index 96% rename from apparmor.d/abstractions/bus/org.bluez rename to apparmor.d/abstractions/bus/system/org.bluez index 461ad9f94a..acaa7bb36e 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/system/org.bluez @@ -36,6 +36,6 @@ member=RegisterApplication peer=(name=org.bluez, label="@{p_bluetoothd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 346ae7257b..2069580625 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -16,7 +16,7 @@ profile pulseaudio @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d583858314..201e49f3cc 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -11,7 +11,7 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index fc9029ef38..90eb46dc42 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -12,10 +12,9 @@ profile wireplumber @{exec_path} { include include include - include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a82278a6c8..f46a8461d4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -27,6 +27,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 2959441c4c..fca80465da 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -11,7 +11,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 8447bff3ef..65793364d8 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -11,7 +11,7 @@ include profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 2f31aea799..3a5dfffb6d 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -11,8 +11,7 @@ profile mpris-proxy @{exec_path} { include include include - include - include + include #aa:dbus own bus=session name=org.mpris.MediaPlayer2 dbus receive bus=session path=/ diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 052757da24..d1a60a8c71 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -21,6 +21,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include From 48aeefa0a306efd28dfa5c83fa73e2e14639ea13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:13:37 +0200 Subject: [PATCH 0665/1736] fix: linting issue. --- .../abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys index 3a461a85a7..93d8308281 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys +++ b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys @@ -18,6 +18,6 @@ interface=org.gnome.SettingsDaemon.MediaKeys peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), - include if exists + include if exists # vim:syntax=apparmor From 5559670a37d611bcb053f26a6d0588498442b97f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:37:47 +0200 Subject: [PATCH 0666/1736] feat(abs): add mediakeys --- apparmor.d/abstractions/mediakeys | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 apparmor.d/abstractions/mediakeys diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys new file mode 100644 index 0000000000..ecf839cda8 --- /dev/null +++ b/apparmor.d/abstractions/mediakeys @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From 8c66d39a1e64c721ebb6f6c1421922d70abc0e3c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:39:38 +0200 Subject: [PATCH 0667/1736] feat(profile): merge dpkg-script-* profile into dpkg-scripts. --- apparmor.d/groups/apt/dpkg-script-apparmor | 74 --------------------- apparmor.d/groups/apt/dpkg-script-kmod | 18 ----- apparmor.d/groups/apt/dpkg-script-linux | 56 ---------------- apparmor.d/groups/apt/dpkg-script-systemd | 77 ---------------------- apparmor.d/groups/apt/dpkg-scripts | 5 +- 5 files changed, 4 insertions(+), 226 deletions(-) delete mode 100644 apparmor.d/groups/apt/dpkg-script-apparmor delete mode 100644 apparmor.d/groups/apt/dpkg-script-kmod delete mode 100644 apparmor.d/groups/apt/dpkg-script-linux delete mode 100644 apparmor.d/groups/apt/dpkg-script-systemd diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor deleted file mode 100644 index 73a4f6c46f..0000000000 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ /dev/null @@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: merge with dpkg-scripts - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/apparmor* -profile dpkg-script-apparmor @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/{,e}grep ix, - @{bin}/cat ix, - @{bin}/chmod ix, - @{bin}/mkdir ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg Px -> child-dpkg, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-divert ix, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/apparmor_parser Px, - - /usr/share/apparmor.d/** rw, - - /etc/apparmor.d/** rw, - - /var/lib/dpkg/diversions rw, - /var/lib/dpkg/diversions-new rw, - /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - - /var/lib/dpkg/info/*.list r, - /var/lib/dpkg/info/format r, - /var/lib/dpkg/status r, - /var/lib/dpkg/triggers/File r, - /var/lib/dpkg/triggers/Unincorp r, - /var/lib/dpkg/updates/ r, - /var/lib/dpkg/updates/@{int} r, - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - capability dac_override, - capability dac_read_search, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent rix, - - @{run}/user/@{uid}/systemd/ask-password/ rw, - @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, - - owner @{run}/systemd/ask-password/ rw, - owner @{run}/systemd/ask-password-block/{,*} rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-kmod b/apparmor.d/groups/apt/dpkg-script-kmod deleted file mode 100644 index f900bba170..0000000000 --- a/apparmor.d/groups/apt/dpkg-script-kmod +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/kmod* -profile dpkg-script-kmod @{exec_path} { - include - - @{exec_path} mrix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux deleted file mode 100644 index af578be50b..0000000000 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/linux* -profile dpkg-script-linux @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/cat ix, - @{bin}/mkdir ix, - @{bin}/rm ix, - @{bin}/run-parts ix, - @{bin}/stty ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/systemctl Cx -> systemctl, - - /usr/share/{update,reboot}-notifier/notify-reboot-required Px, - /etc/kernel/{,header_}postinst.d/* Px, - /etc/kernel/postrm.d/* Px, - /etc/kernel/preinst.d/* Px, - /etc/kernel/prerm.d/* Px, - - /etc/kernel/*.d/ r, - - @{lib}/linux/triggers/* w, - @{lib}/modules/*/.fresh-install w, - - profile systemctl { - include - include - - capability net_admin, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd deleted file mode 100644 index 6c76e6f707..0000000000 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/systemd* -profile dpkg-script-systemd @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{coreutils_path} rix, - @{bin}/bootctl Px, - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Cx -> dpkg, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/journalctl Px, - @{bin}/kernel-install mrPx, - @{bin}/systemctl Cx -> systemctl, - @{bin}/systemd-machine-id-setup Px, - @{bin}/systemd-sysusers Px, - @{bin}/systemd-tmpfiles Px, - @{lib}/systemd/systemd-sysctl Px, - @{sbin}/pam-auth-update Px, - - /etc/systemd/system/*.wants/ rw, - /etc/systemd/system/*.wants/* rw, - - /etc/pam.d/sed@{rand6} rw, - /etc/pam.d/common-password rw, - - @{efi}/ r, - - /var/lib/systemd/{,*} rw, - /var/log/journal/ rw, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,*} r, - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index acde577de1..2434c9db95 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -63,8 +63,10 @@ profile dpkg-scripts @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* w, + @{sbin}/ r, + @{sbin}/* w, @{lib}/ r, - @{lib}/** w, + @{lib}/** wl -> @{lib}/**, /opt/*/** rw, #aa:lint ignore=too-wide @@ -80,6 +82,7 @@ profile dpkg-scripts @{exec_path} { /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + /tmp/updateppds.@{rand6} rw, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, From d2e941163fb0221c0ddc1e99a492e65e490dc364 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:43:39 +0200 Subject: [PATCH 0668/1736] feat(abs): add mpris --- .../{ => session}/org.mpris.MediaPlayer2.Player | 4 ++-- apparmor.d/abstractions/mpris | 17 +++++++++++++++++ apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/vlc | 4 +--- 4 files changed, 21 insertions(+), 8 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.mpris.MediaPlayer2.Player (89%) create mode 100644 apparmor.d/abstractions/mpris diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player similarity index 89% rename from apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player rename to apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player index d71b7ac1ea..b2b9340740 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -33,6 +33,6 @@ member=Seeked peer=(name=org.freedesktop.DBus), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris new file mode 100644 index 0000000000..f06c8560e2 --- /dev/null +++ b/apparmor.d/abstractions/mpris @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow operating as an MPRIS player. + + abi , + + include + + # Allow binding to the well-known DBus mpris interface based on the app's name + # See: https://specifications.freedesktop.org/mpris-spec/latest/ + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index d1a60a8c71..b04432e393 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -25,6 +25,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -35,8 +36,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys @@ -46,7 +45,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { member=RetrieveSecret peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - @{exec_path} mrix, @{sh_path} mr, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index bda3010fa0..05866296d7 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -22,6 +22,7 @@ profile vlc @{exec_path} { include include include + include include include include @@ -35,9 +36,6 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc - #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined - @{exec_path} mrix, @{open_path} rPx -> child-open-help, From 5492ab1c4ecef1c09b007bbe05c29eee1c4faa7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:48:25 +0200 Subject: [PATCH 0669/1736] feat(profile): rewrite the gjs profile. --- apparmor.d/groups/gnome/gjs | 133 ++++++++++++++++++++++++ apparmor.d/groups/gnome/gjs-console | 108 ------------------- apparmor.d/groups/gnome/gnome-extension | 29 ++++++ apparmor.d/groups/gnome/gnome-shell | 2 +- 4 files changed, 163 insertions(+), 109 deletions(-) create mode 100644 apparmor.d/groups/gnome/gjs delete mode 100644 apparmor.d/groups/gnome/gjs-console create mode 100644 apparmor.d/groups/gnome/gnome-extension diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs new file mode 100644 index 0000000000..f726ab66b2 --- /dev/null +++ b/apparmor.d/groups/gnome/gjs @@ -0,0 +1,133 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# GNOME JavaScript interpreter. It is used to run some gnome internal app +# as well as third party extensions. +# +# Therefore, by default, some extension are confined under this profile. To fix +# this, the various programs using gjs must never run gjs as module, they need +# to run it as executable with a specific script. +# +# This currently concerns: +# - gnome-extension-ding (used to not be started as a module) +# - org.gnome.ScreenSaver (simple dbus service) +# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) +# - org.gnome.Shell.Notifications (simple dbus service) +# - org.gnome.Shell.Screencast (simple dbus service) + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gjs @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + # Only needed by org.gnome.Shell.Extensions + include + include + + # Only needed by gnome-extension-ding + include + include + include + include + include + include + include + include + + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm, + + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + #aa:dbus own bus=session name=org.gnome.Shell.Screencast + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell + + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.gnome.ScreenSaver + #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Notifications + + @{exec_path} mrix, + + # gnome-extension-ding + @{sh_path} rix, + @{bin}/env rix, + @{bin}/gnome-control-center rPx, + @{bin}/nautilus rPx, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-shell/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /usr/share/thumbnailers/{,**} r, + + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/dri/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + profile gstreamer { + include + include + include + include + include + + network (bind create getattr setopt getopt) netlink raw, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console deleted file mode 100644 index 6d6d6ea852..0000000000 --- a/apparmor.d/groups/gnome/gjs-console +++ /dev/null @@ -1,108 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. Therefore, by default, some extension are -# confined under this profile. The resulting profile is quite broad. -# This architecture needs to be rethinked. - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs-console @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - unix type=stream peer=(label=gnome-shell), - - signal receive set=(term hup) peer=gdm*, - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - - #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell.Extensions - member=ListExtensions - peer=(name=:*, label=gnome-shell), - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/* PUx, - @{lib}/** PUx, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /etc/openni2/OpenNI.ini r, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/thumbnailers/{,**} r, - - /tmp/ r, - /var/tmp/ r, - - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, - owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - owner @{HOME}/ r, - - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/nautilus/scripts/ r, - - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, - - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/tty rw, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension new file mode 100644 index 0000000000..e13eca8322 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-extension @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# gjs started from gnome-shell should (in theory) only run gnome extensions. + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gnome-extension { + include + include + include + include + include + include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f46a8461d4..24c069e720 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -162,7 +162,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, @{bin}/flatpak rPx, - @{bin}/gjs-console rPx, + @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/sensors rPx, From b76fe7c3429e4323834953d2e2d08e1b65e8a244 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:57:37 +0200 Subject: [PATCH 0670/1736] refractor(profile): move org.gnome.SessionManager This is the stage 1 of rewriting access to the session manager. --- apparmor.d/abstractions/app/chromium | 2 +- .../{ => session}/org.gnome.SessionManager | 22 +++++++++---------- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- .../groups/gnome/gsd-print-notifications | 1 - apparmor.d/groups/gnome/gsd-printer | 5 +++-- apparmor.d/groups/gnome/gsd-rfkill | 2 +- apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 +- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 4 ++-- apparmor.d/groups/gnome/gsd-usb-protection | 3 +++ apparmor.d/groups/gnome/gsd-wacom | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 5 ++--- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/totem | 2 +- 31 files changed, 45 insertions(+), 45 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.SessionManager (61%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 313f516872..dcb29fecb6 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -30,7 +30,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager similarity index 61% rename from apparmor.d/abstractions/bus/org.gnome.SessionManager rename to apparmor.d/abstractions/bus/session/org.gnome.SessionManager index a532b67f2a..4c641776ba 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -1,48 +1,46 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# FIXME: Too large, restrict it. - abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 26311b5752..fec6d7897f 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -13,7 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 910ae00084..c9b9a15385 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -12,7 +12,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d1ae86e150..b7906c5e23 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -14,7 +14,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 595b3fd480..e39ef0dc07 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -15,7 +15,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include capability ipc_lock, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 34ce2884da..22aaba1642 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,7 +10,7 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 0acdbaf389..1a52321b1c 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -13,7 +13,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index af1784e68c..0364f3f2b6 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,7 +10,7 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 8d8b9fc1b6..497462a039 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index b700a7df98..be27a873e9 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -13,7 +13,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3ca105656e..b299ab7ffd 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -15,7 +15,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d20ad65d0b..d3ac6b456c 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -19,7 +19,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 5d037961f4..22ec520cb1 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -11,7 +11,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index b85a40f044..a768c8d1ed 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include - include include include - include + include + include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 5f1c13d9d7..7283c5c00f 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -15,7 +15,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 546a252d73..ac2f9229db 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -11,7 +11,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index b6d90d5e3d..9d432ae13e 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -12,7 +12,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index d42fb486b6..5143b9984f 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,7 +10,7 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 2b64ddf068..ff2d307664 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -12,8 +12,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 59e67d9bff..bcdb353a87 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -10,6 +10,9 @@ include profile gsd-usb-protection @{exec_path} { include include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 0bb1d50d10..3d4f2cb050 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -11,7 +11,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 84abb82e01..20151eec0e 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -13,10 +13,9 @@ profile gsd-xsettings @{exec_path} { include include include - include + include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d3906051c2..c405a3bf86 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -15,7 +15,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 255dc551ac..211dda9ccb 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -11,7 +11,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 89087df4bc..10b5ad4af4 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -12,7 +12,7 @@ profile evince @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 78781ba282..16bafb8864 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,7 +11,7 @@ include profile filezilla @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index be75567cd4..b820f249c1 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,7 +17,7 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index cc2ee8c2a4..7e4feed45b 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -15,7 +15,7 @@ profile libreoffice @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 838944aa81..f812fc5707 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -20,7 +20,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index d8b4649563..d1e429d45c 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,7 +10,7 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From e6e0cc07102a54a8557c155ffb817b0608339a48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:59:12 +0200 Subject: [PATCH 0671/1736] fix(profile): missing updated bus abstraction paths. --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 3 +-- apparmor.d/groups/virt/libvirtd | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 95daf29355..30b4152041 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -14,8 +14,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 23e8e20d1e..378449352a 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,7 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include From 6a77b7ed8b9683ebcaf92470b64cc33deca9b9d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 21:07:43 +0200 Subject: [PATCH 0672/1736] fix(profile): missing updated bus abstraction paths. --- apparmor.d/abstractions/mediakeys | 2 +- apparmor.d/groups/gnome/gjs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys index ecf839cda8..d9aafa7646 100644 --- a/apparmor.d/abstractions/mediakeys +++ b/apparmor.d/abstractions/mediakeys @@ -8,7 +8,7 @@ abi , - include + include include if exists diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index f726ab66b2..de9d25a14e 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -115,7 +115,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include include include - include + include include network (bind create getattr setopt getopt) netlink raw, From 9db6bf4a3583a94d4109e0b0eb9d95e121fc8119 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 16 Sep 2025 20:42:35 +0200 Subject: [PATCH 0673/1736] feat(abs): add the themes abs. fix #860 --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/lxqt | 1 + apparmor.d/abstractions/themes | 14 ++++++++++++++ apparmor.d/abstractions/xfce | 1 + 6 files changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/themes diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 66742f02a8..c4abbd574d 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -18,6 +18,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 47efde3066..227377f3a6 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -13,6 +13,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 17952414c6..79e97b23f3 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -13,6 +13,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 8d83aefdc8..913ab3eb32 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -10,6 +10,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes new file mode 100644 index 0000000000..13fe70bc6a --- /dev/null +++ b/apparmor.d/abstractions/themes @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/themes/{,**} r, + + owner @{HOME}/.themes/{,**} r, + owner @{user_share_dirs}/themes/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index c7e4642364..df13363fc1 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -8,6 +8,7 @@ include include include + include include include include From 8e488e0c5345f7aa2e4488c46024f4fe3a4ce05b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 16 Sep 2025 23:41:22 +0200 Subject: [PATCH 0674/1736] feat(profile): update simple-scan. --- apparmor.d/profiles-s-z/simple-scan | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index a005708db5..64ee9fb11a 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -7,10 +7,13 @@ abi , include @{exec_path} = @{bin}/simple-scan -profile simple-scan @{exec_path} { +profile simple-scan @{exec_path} flags=(attach_disconnected) { include + include + include include include + include include network inet dgram, @@ -21,9 +24,14 @@ profile simple-scan @{exec_path} { @{open_path} rPx -> child-open-help, - /usr/share/snmp/{,**} r, + @{system_share_dirs}/snmp/{,**} r, /etc/sane.d/{,**} r, + /etc/snmp/snmp.conf r, + + owner /var/lib/snmp/{mib,cert}_indexes/ rw, + owner /var/lib/snmp/mibs/{iana,ietf}/ r, + owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, @{sys}/bus/scsi/devices/ r, @{sys}/devices/virtual/dmi/id/board_name r, @@ -34,6 +42,9 @@ profile simple-scan @{exec_path} { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/ r, + @{PROC}/sys/dev/parport/parport@{int}/base-addr r, + @{PROC}/sys/dev/parport/parport@{int}/irq r, /dev/video@{int} rw, From 6cca455112200e7a12359f5fd6eb6addd121a041 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 10:49:16 +0200 Subject: [PATCH 0675/1736] fix(profile): ensure systemd-logind works with systemd 258 fix #867 --- apparmor.d/groups/systemd/systemd-logind | 20 +++++++++---------- apparmor.d/groups/systemd/systemd-update-done | 3 +++ apparmor.d/groups/systemd/systemd-userwork | 3 +++ 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 6b102829da..e2612ff16f 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-logind -profile systemd-logind @{exec_path} flags=(attach_disconnected) { +profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -94,23 +94,21 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, - @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/inhibit/@{int}{,.ref} rw, + @{run}/systemd/inhibit/* rwlk, @{run}/systemd/seats/ rw, - @{run}/systemd/seats/.#seat* rw, - @{run}/systemd/seats/seat@{int} rw, - @{run}/systemd/sessions/{,*} rw, - @{run}/systemd/sessions/*.ref rw, - @{run}/systemd/shutdown/.#scheduled* rw, - @{run}/systemd/shutdown/scheduled rw, + @{run}/systemd/seats/* rwlk, + @{run}/systemd/sessions/ rw, + @{run}/systemd/sessions/* rwlk, + @{run}/systemd/shutdown/ rw, + @{run}/systemd/shutdown/* rwlk, @{run}/systemd/users/ rw, - @{run}/systemd/users/.#* rw, - @{run}/systemd/users/@{uid} rw, + @{run}/systemd/users/* rwlk, @{sys}/bus/serial-base/drivers/port/uevent r, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/** r, + @{sys}/devices/**/uevent rw, @{sys}/devices/**/brightness rw, @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index e7a44d01d4..76ba6f5c45 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -16,8 +16,11 @@ profile systemd-update-done @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/ r, /etc/.#.updated@{hex} rw, /etc/.updated w, + + /var/ r, /var/.#.updated@{hex} rw, /var/.updated w, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 2521c655ee..ed75125c96 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -21,6 +21,9 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { /etc/gshadow r, /etc/machine-id r, /etc/shadow r, + /etc/userdb/ r, + + @{run}/userdb/ r, include if exists } From 49e34eca0ed984f4ab6fdbbf4d022a6629e52850 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 10:57:12 +0200 Subject: [PATCH 0676/1736] feat(profile): dbus: ensure dbus can receive any user files. --- apparmor.d/groups/bus/dbus-session | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 27e228e2c1..1b3ac11c80 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -56,6 +56,7 @@ profile dbus-session flags=(attach_disconnected) { # Dbus can receive any user files owner @{HOME}/** r, + owner @{att}/@{HOME}/** r, owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, From 415afe2116a66d5a7eea442d61d78e601b71a186 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 10:59:37 +0200 Subject: [PATCH 0677/1736] feat(profile): update upowerd --- apparmor.d/groups/freedesktop/upowerd | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 201e49f3cc..3d79c706fb 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -16,6 +16,9 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, + capability sys_admin, + network netlink raw, #aa:dbus own bus=system name=org.freedesktop.UPower @@ -28,6 +31,11 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, + owner /tmp/tmp@{rand8} r, + owner /tmp/umockdev.@{rand6}/{,**} rw, + owner /tmp/upower-cfg-@{word8} rw, + owner /tmp/upower-history-@{word8}/{,**} rw, + @{run}/udev/data/ r, # Lists all udev data files @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) From 4ccead34fda556cc55e6eb002bae8fb7003b9f7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 11:01:48 +0200 Subject: [PATCH 0678/1736] feat(profile): update system profiles. --- apparmor.d/groups/systemd/systemd-journald | 2 ++ apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-sleep-sysstat | 1 + apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/systemd/systemd-udevd | 1 + 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index e0a8a2e474..cd51fcc169 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) @@ -64,6 +65,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices @{run}/udev/data/b8:@{int} r, # for /dev/sd* @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c108:@{int} r, # For /dev/ppp diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a55bf752db..c566a8b0a0 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -17,6 +17,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_resource, + unix bind type=stream addr=@@{udbus}/bus/systemd-sleep/system, + @{exec_path} mr, @{sh_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index e29a41a7a9..83ecc284a0 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -11,6 +11,7 @@ profile systemd-sleep-sysstat @{exec_path} { include @{exec_path} mr, + @{sh_path} r, @{lib}/sysstat/sa{1,2} Px, @{lib}/sysstat/debian-sa{1,2} Px, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index b318bf3dd5..24e0522a5c 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-tty-ask-password-agent -profile systemd-tty-ask-password-agent @{exec_path} { +profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index cb9592d473..decffb4286 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -72,6 +72,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{lib}/open-iscsi/net-interface-handler rPx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, + @{lib}/switcheroo-control-check-discrete-amdgpu rPUx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, From 659f7b4a22150e41f11baf06561223eaac8468e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 11:03:41 +0200 Subject: [PATCH 0679/1736] feat(profile): update some kde profiles. --- apparmor.d/groups/kde/kwin_wayland | 2 ++ apparmor.d/groups/kde/sddm-greeter | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 224835ac2d..6a0ef608bc 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -18,7 +18,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + # See https://community.kde.org/Distributions/Packaging_Recommendations#KWin_package_configuration capability sys_nice, + capability sys_ptrace, network netlink raw, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 47383bb75d..8b05b9cb9d 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -23,6 +23,8 @@ profile sddm-greeter @{exec_path} { network netlink raw, + signal receive set=term peer=sddm, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames From 0bf8f9337f5ec88aecac213f6d9206af38d1db76 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 11:10:12 +0200 Subject: [PATCH 0680/1736] feat(profile): minor profiles improvments. --- apparmor.d/groups/gnome/gjs | 2 ++ apparmor.d/profiles-s-z/sfdisk | 2 ++ apparmor.d/profiles-s-z/update-info-dir | 6 ++++++ apparmor.d/profiles-s-z/update-shells | 8 ++++---- apparmor.d/profiles-s-z/xsane-gimp | 4 +++- 5 files changed, 17 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index de9d25a14e..388c90b142 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -93,6 +93,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{HOME}/ r, + owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 05ab2273f9..ea282f2691 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -17,6 +17,8 @@ profile sfdisk @{exec_path} { @{exec_path} mr, + /var/tmp/.#sfdisk@{hex16} rw, + # For backups owner @{HOME}/**.{bak,back} rwk, owner @{MOUNTS}/*/**.{bak,back} rwk, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index dc2a0d7aac..bbd5222a9a 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -19,8 +19,14 @@ profile update-info-dir @{exec_path} { @{bin}/install-info Px, @{bin}/rm ix, + /usr/share/info/ r, + /usr/share/info/dir rw, + /usr/share/info/dir.old w, + /etc/environment r, + / r, + include if exists } diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells index 5922c1a147..007982632a 100644 --- a/apparmor.d/profiles-s-z/update-shells +++ b/apparmor.d/profiles-s-z/update-shells @@ -26,11 +26,11 @@ profile update-shells @{exec_path} { /usr/share/debianutils/shells.d/{,**} r, /usr/share/dpkg/sh/dpkg-error.sh r, - /etc/shells r, - /etc/shells.tmp w, + /etc/shells rw, + /etc/shells.tmp rw, - /var/lib/shells.state r, - /var/lib/shells.state.tmp w, + /var/lib/shells.state rw, + /var/lib/shells.state.tmp rw, include if exists } diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 4273e803dc..633035a1b5 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -34,7 +34,9 @@ profile xsane-gimp @{exec_path} { @{sys}/devices/@{pci}/{model,type,vendor} r, @{PROC}/scsi/scsi r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, + @{PROC}/sys/dev/parport/ r, + @{PROC}/sys/dev/parport/parport@{int}/base-addr r, + @{PROC}/sys/dev/parport/parport@{int}/irq r, include if exists } From 4dd4d3ebd100cedf861d17a2d3690a24edfa8325 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 11:30:26 +0200 Subject: [PATCH 0681/1736] feat(tunable): add support for gnucoreutils. New alternative location in ubuntu 25.10 --- apparmor.d/tunables/multiarch.d/paths | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index cca5443706..c3db2c200b 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -12,6 +12,7 @@ # Coreutils programs that should not have dedicated profile @{coreutils_path} = @{bin}/@{coreutils} +@{coreutils_path} += @{bin}/gnu@{coreutils} #aa:only ubuntu # Python interpreters @{python_path} = @{bin}/@{python_name} From 86d9bbad4c34eec32f7945293b86778d306dbc48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 17:09:45 +0200 Subject: [PATCH 0682/1736] feat(abs): update nvidia-strict. --- apparmor.d/abstractions/nvidia-strict | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a14691a9cd..7d975ad8c4 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -11,6 +11,7 @@ /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, + /etc/nvidia/nvidia-application-profiles-rc.d/{,*} r, /etc/vdpau_wrapper.cfg r, owner @{HOME}/.nv/ w, @@ -26,6 +27,7 @@ @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, + @{sys}/module/nvidia_drm/version r, @{sys}/module/nvidia/version r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, @@ -36,7 +38,7 @@ @{PROC}/sys/vm/mmap_min_addr r, @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, /dev/char/195:@{u8} w, # Nvidia graphics devices From b4ba960c387b8d2c66e7f477eede13fa700bb707 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 17:10:56 +0200 Subject: [PATCH 0683/1736] feat(profile): firefox: add integration with 1Password --- apparmor.d/groups/browsers/firefox | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index f9ba190a3a..3f83775d93 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -52,6 +52,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/browserpass rPx, @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, @{lib}/browserpass/browserpass-native rPx, + /opt/1Password/1Password-BrowserSupport rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, From 5382e8f865c9690f92afdb43f0bc3c3ac2b1da84 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 17:14:02 +0200 Subject: [PATCH 0684/1736] fix(profile): ensure sddm-greeter has the disconnected flag. --- apparmor.d/groups/kde/sddm-greeter | 2 +- dists/flags/main.flags | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 8b05b9cb9d..56c1427878 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/sddm-greeter{,-qt6} -profile sddm-greeter @{exec_path} { +profile sddm-greeter @{exec_path} flags=(attach_disconnected) { include include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index cd9a0e5a65..94eb1c07b8 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -278,7 +278,7 @@ run-parts complain runuser complain sdcv complain sddm attach_disconnected,mediate_deleted,complain -sddm-greeter complain +sddm-greeter attach_disconnected,complain secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain From eef0e922edebed7c62fa157ed3797b06f2b4e7be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 13:39:53 +0200 Subject: [PATCH 0685/1736] feat(profile): put back some chromium tmp files. Some access are covered by common/chromium, however, the full browser needs more. fix #865 --- apparmor.d/abstractions/app/chromium | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dcb29fecb6..2b5dfbfa6f 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -139,7 +139,11 @@ /tmp/ r, /var/tmp/ r, + owner @{tmp}/.@{domain}.@{rand6}/** rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, + owner @{tmp}/cache/Default/ rw, + owner @{tmp}/cache/Default/** rwk, + owner @{tmp}/scoped_dir@{rand6}/{,**} rw, owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, @@ -161,6 +165,7 @@ @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, From e806708ebdfa1147eed12e4d9b5f81b8bf91eb7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:39:14 +0200 Subject: [PATCH 0686/1736] feat(profile): mkfs-btrfs add sys_rawio fix #844 --- apparmor.d/groups/filesystem/mkfs-btrfs | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/filesystem/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs index 54c83e5598..fc619228b5 100644 --- a/apparmor.d/groups/filesystem/mkfs-btrfs +++ b/apparmor.d/groups/filesystem/mkfs-btrfs @@ -13,6 +13,7 @@ profile mkfs-btrfs @{exec_path} { include capability sys_admin, + capability sys_rawio, @{exec_path} mr, From e5ca8623498a91e4689432dcc12d7274777ce783 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:41:53 +0200 Subject: [PATCH 0687/1736] fix(profile): flatpak: remove denied gvfs data. fix #862 --- apparmor.d/groups/flatpak/flatpak | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 341db555e1..0b33cb6dcb 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -134,8 +134,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/tty rw, /dev/tty@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/* r, - profile gpg { include include From 356acec7d620745a084b2b8dd99dde46e78df322 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:53:36 +0200 Subject: [PATCH 0688/1736] feat(profile): gnome-shell: improve icon management. fix #861 --- apparmor.d/groups/gnome/gnome-shell | 9 +++++---- apparmor.d/tunables/multiarch.d/extensions | 4 ++++ 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 24c069e720..a1090a15a6 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -183,8 +183,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /snap/*/@{uid}/**.@{image_ext} r, - /usr/share/**.@{image_ext} r, + /snap/*/@{uid}/**.@{icon_ext} r, + /usr/share/**.@{icon_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -246,7 +246,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.mozilla/native-messaging-hosts/ rw, owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.@{image_ext} r, + owner @{HOME}/.var/app/**.@{icon_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, @@ -286,6 +286,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, + owner @{run}/user/@{uid}/app/*/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, @@ -300,7 +301,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/dbus-@{rand8} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index d7f7450aa2..4d9ea7d651 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions @@ -432,6 +432,10 @@ @{image_ext} += [xX][wW][dD] # xwd @{image_ext} += [xX][yY][zZ][eE] # xyze +# Icons +@{icon_ext} = [pP][nN][gG] # png +@{icon_ext} += [iI][cC][oO] # ico + # Models @{model_ext} = [bB][aA][rR][yY] # bary @{model_ext} += [bB][sS][pP] # bsp From a18f73f3266ba7fd3fcad0309fdd5b8dbfe68512 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:56:49 +0200 Subject: [PATCH 0689/1736] fix(profile): ensure ffmpeg works with any graphics hardware. fix #851 --- apparmor.d/profiles-a-f/ffmpeg | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 8633444d8d..8ab42e392a 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -12,7 +12,7 @@ profile ffmpeg @{exec_path} { include include include - include + include include include include @@ -33,12 +33,9 @@ profile ffmpeg @{exec_path} { owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, - owner @{tmp}/*.{png,jpg} rw, # To generate thumbnails in some apps + owner @{tmp}/*.@{image_ext} rw, # To generate thumbnails in some apps owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - include if exists } From 35993bde5969bf0a111d2973c8647ce95ca9e91e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:58:33 +0200 Subject: [PATCH 0690/1736] fix(profile): hyprland fix #848 --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index cd3270e496..164253f1dd 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -39,6 +39,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, From a57a6f5267e30f839969e64cb3b82b1ac958958b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:00:59 +0200 Subject: [PATCH 0691/1736] fix: temporary remove comments. precise network control is still a wip. fix #856 --- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 4ea39c7d0a..bc672de047 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -16,7 +16,7 @@ profile gvfsd-wsdd @{exec_path} { include include - network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), + network inet dgram, network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd From 8371a9d1a98d9eb5ff4afd6af8c71dbee58c67ea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:07:26 +0200 Subject: [PATCH 0692/1736] feat(profile): update zfs profiles. fix #845 --- apparmor.d/profiles-s-z/zfs | 6 ++++-- apparmor.d/profiles-s-z/zpool | 7 +++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index e28a2e439d..a4608ca447 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +@{exec_path} = @{bin}/zfs profile zfs @{exec_path} { include include @@ -23,10 +23,12 @@ profile zfs @{exec_path} { # Sanoid generates temorary files with random names including underscores, directly under /tmp. # https://github.com/jimsalterjrs/sanoid/issues/758 - /tmp/* rw, + /tmp/@{word10} rw, @{run}/zfs-list.cache@* rw, + @{sys}/module/zfs/*/ r, + @{PROC}/@{pids}/mounts r, @{PROC}/sys/fs/pipe-max-size r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index e6033d9d28..89a3e1b296 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -6,17 +6,20 @@ abi , include -@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool +@{exec_path} = @{bin}/zpool profile zpool @{exec_path} { include include capability sys_admin, + mount fstype=zfs options=(rw noatime) hdzpool -> @{MOUNTS}/, + mount fstype=zfs options=(rw noatime) sszpool -> @{MOUNTS}/, + @{exec_path} mr, @{sh_path} rix, - /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + @{lib}/zfs-linux/zpool.d/* rix, /usr/share/zfs/{,**} r, From 9e901bfbcea5fa5cf743defb38896f0d19a47bb7 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 18 Sep 2025 08:21:38 -0600 Subject: [PATCH 0693/1736] Create profile for tickrs --- apparmor.d/profiles-s-z/tickrs | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 apparmor.d/profiles-s-z/tickrs diff --git a/apparmor.d/profiles-s-z/tickrs b/apparmor.d/profiles-s-z/tickrs new file mode 100644 index 0000000000..9a4f7cd69f --- /dev/null +++ b/apparmor.d/profiles-s-z/tickrs @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tickrs +profile tickrs @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + owner @{HOME}/.config/tickrs/{,**} rw, + + @{sys}/fs/cgroup/**/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, + + include if exists +} + +# vim:syntax=apparmor From 26048d938eb634947e6b82531ddcd537e9960d50 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 18 Sep 2025 08:33:32 -0600 Subject: [PATCH 0694/1736] tickrs: make the linter happy --- apparmor.d/profiles-s-z/tickrs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tickrs b/apparmor.d/profiles-s-z/tickrs index 9a4f7cd69f..131e1102b5 100644 --- a/apparmor.d/profiles-s-z/tickrs +++ b/apparmor.d/profiles-s-z/tickrs @@ -21,7 +21,7 @@ profile tickrs @{exec_path} { @{exec_path} mr, - owner @{HOME}/.config/tickrs/{,**} rw, + owner @{user_config_dirs}/tickrs/{,**} rw, @{sys}/fs/cgroup/**/cpu.max r, owner @{PROC}/@{pid}/cgroup r, From e3ace801c4a8c63cddf5b9bfdff5c8d84a02f82c Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 9 Sep 2025 22:15:25 +0200 Subject: [PATCH 0695/1736] add poppler tools --- apparmor.d/profiles-m-r/pdfattach | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdfdetach | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdffonts | 21 +++++++++++++++++++++ apparmor.d/profiles-m-r/pdfimages | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdfinfo | 21 +++++++++++++++++++++ apparmor.d/profiles-m-r/pdfseparate | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdfsig | 23 +++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftocairo | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftohtml | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftoppm | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftops | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftotext | 2 +- apparmor.d/profiles-m-r/pdfunite | 22 ++++++++++++++++++++++ 13 files changed, 264 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-m-r/pdfattach create mode 100644 apparmor.d/profiles-m-r/pdfdetach create mode 100644 apparmor.d/profiles-m-r/pdffonts create mode 100644 apparmor.d/profiles-m-r/pdfimages create mode 100644 apparmor.d/profiles-m-r/pdfinfo create mode 100644 apparmor.d/profiles-m-r/pdfseparate create mode 100644 apparmor.d/profiles-m-r/pdfsig create mode 100644 apparmor.d/profiles-m-r/pdftocairo create mode 100644 apparmor.d/profiles-m-r/pdftohtml create mode 100644 apparmor.d/profiles-m-r/pdftoppm create mode 100644 apparmor.d/profiles-m-r/pdftops create mode 100644 apparmor.d/profiles-m-r/pdfunite diff --git a/apparmor.d/profiles-m-r/pdfattach b/apparmor.d/profiles-m-r/pdfattach new file mode 100644 index 0000000000..5a063422e7 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfattach @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfattach +profile pdfattach @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfdetach b/apparmor.d/profiles-m-r/pdfdetach new file mode 100644 index 0000000000..bf6e589cc7 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfdetach @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfdetach +profile pdfdetach @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdffonts b/apparmor.d/profiles-m-r/pdffonts new file mode 100644 index 0000000000..8cc71b2464 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdffonts @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdffonts +profile pdffonts @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfimages b/apparmor.d/profiles-m-r/pdfimages new file mode 100644 index 0000000000..0f3a6681b1 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfimages @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfimages +profile pdfimages @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfinfo b/apparmor.d/profiles-m-r/pdfinfo new file mode 100644 index 0000000000..a481ad3239 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfinfo @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfinfo +profile pdfinfo @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfseparate b/apparmor.d/profiles-m-r/pdfseparate new file mode 100644 index 0000000000..1026719f8e --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfseparate @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfseparate +profile pdfseparate @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfsig b/apparmor.d/profiles-m-r/pdfsig new file mode 100644 index 0000000000..5f4cb3ce71 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfsig @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfsig +profile pdfsig @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftocairo b/apparmor.d/profiles-m-r/pdftocairo new file mode 100644 index 0000000000..65a8800577 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftocairo @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftocairo +profile pdftocairo @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftohtml b/apparmor.d/profiles-m-r/pdftohtml new file mode 100644 index 0000000000..3c44be2f51 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftohtml @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftohtml +profile pdftohtml @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm new file mode 100644 index 0000000000..4924a91d8b --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftoppm @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftoppm +profile pdftoppm @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftops b/apparmor.d/profiles-m-r/pdftops new file mode 100644 index 0000000000..1a390c576c --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftops @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftops +profile pdftops @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext index 0394687f73..7fb2bed7bf 100644 --- a/apparmor.d/profiles-m-r/pdftotext +++ b/apparmor.d/profiles-m-r/pdftotext @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 valoq +# Copyright (C) 2025 valoq # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-m-r/pdfunite b/apparmor.d/profiles-m-r/pdfunite new file mode 100644 index 0000000000..ea2b776aee --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfunite @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfunite +profile pdfunite @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor From 3f7b83904ae8807fa04d4be38306f0a18cfa751d Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 9 Sep 2025 22:59:35 +0200 Subject: [PATCH 0696/1736] remove whitespace --- apparmor.d/profiles-m-r/pdfunite | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/pdfunite b/apparmor.d/profiles-m-r/pdfunite index ea2b776aee..7b2019af5a 100644 --- a/apparmor.d/profiles-m-r/pdfunite +++ b/apparmor.d/profiles-m-r/pdfunite @@ -11,7 +11,7 @@ profile pdfunite @{exec_path} { include include include - + @{exec_path} mr, /usr/share/poppler/{,**} r, From f5d7140b283556407155588bd6e70c0a58728283 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 10 Sep 2025 11:42:13 +0200 Subject: [PATCH 0697/1736] fix pdftoppm --- apparmor.d/profiles-m-r/pdftoppm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm index 4924a91d8b..86953b8b9d 100644 --- a/apparmor.d/profiles-m-r/pdftoppm +++ b/apparmor.d/profiles-m-r/pdftoppm @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/pdftoppm profile pdftoppm @{exec_path} { include + include include include + include @{exec_path} mr, From eeb42cc089f47d5ef83e41503a7244974b6c60e9 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 10 Sep 2025 11:50:56 +0200 Subject: [PATCH 0698/1736] fix pdftoppm --- apparmor.d/profiles-m-r/pdftoppm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm index 86953b8b9d..3ae603bf1f 100644 --- a/apparmor.d/profiles-m-r/pdftoppm +++ b/apparmor.d/profiles-m-r/pdftoppm @@ -12,12 +12,13 @@ profile pdftoppm @{exec_path} { include include include - include @{exec_path} mr, /usr/share/poppler/{,**} r, + owner /tmp/{,**} rw, + include if exists } From 793c085fa0bb0996a7c687beaac353a14d14ea1a Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 10 Sep 2025 14:47:49 +0200 Subject: [PATCH 0699/1736] restrict tmp writes --- apparmor.d/profiles-m-r/pdftoppm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm index 3ae603bf1f..4be131bd3b 100644 --- a/apparmor.d/profiles-m-r/pdftoppm +++ b/apparmor.d/profiles-m-r/pdftoppm @@ -17,7 +17,11 @@ profile pdftoppm @{exec_path} { /usr/share/poppler/{,**} r, - owner /tmp/{,**} rw, + owner /tmp/{,**}.ppm w, + owner /tmp/{,**}.png w, + owner /tmp/{,**}.jpg w, + owner /tmp/{,**}.jpeg w, + owner /tmp/{,**}.tiff w, include if exists } From 03d82fbed1ca6527865e66282e3b35c938369fc4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:49:48 +0200 Subject: [PATCH 0700/1736] feat(profile): ensure that all systemd generator can ptrace systemd. --- .../groups/systemd-generators/systemd-generator-bless-boot | 2 ++ .../groups/systemd-generators/systemd-generator-cloud-init | 2 ++ .../groups/systemd-generators/systemd-generator-cryptsetup | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-debug | 2 ++ .../systemd-generators/systemd-generator-environment-arch | 2 ++ .../systemd-generators/systemd-generator-environment-flatpak | 2 ++ .../systemd-generators/systemd-generator-environment-snapd | 2 ++ .../systemd-generators/systemd-generator-friendly-recovery | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-fstab | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-getty | 3 +++ .../groups/systemd-generators/systemd-generator-gpt-auto | 2 ++ .../systemd-generators/systemd-generator-hibernate-resume | 2 ++ .../groups/systemd-generators/systemd-generator-integritysetup | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-openvpn | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-ostree | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-snapd | 2 ++ .../groups/systemd-generators/systemd-generator-sshd-socket | 2 ++ .../groups/systemd-generators/systemd-generator-system-update | 2 ++ .../groups/systemd-generators/systemd-generator-user-autostart | 2 ++ .../systemd-generators/systemd-generator-user-environment | 2 ++ .../groups/systemd-generators/systemd-generator-veritysetup | 2 +- 21 files changed, 42 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot index 32e2aac65d..88c1d3ad42 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot +++ b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot @@ -11,6 +11,8 @@ profile systemd-generator-bless-boot @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init index 698a4fcb9d..fae2afac0c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init +++ b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init @@ -12,6 +12,8 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup index 1979dba1d0..beffa8e175 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup @@ -12,6 +12,8 @@ profile systemd-generator-cryptsetup @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /etc/crypttab r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug index 4ce9d2974e..d0ec3f82ea 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-debug +++ b/apparmor.d/groups/systemd-generators/systemd-generator-debug @@ -11,6 +11,8 @@ profile systemd-generator-debug @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch index 738144547e..aee9ee573c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch @@ -12,6 +12,8 @@ profile systemd-generator-environment-arch @{exec_path} { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak index a4ba2afe10..7d0e91e79c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak @@ -11,6 +11,8 @@ profile systemd-generator-environment-flatpak @{exec_path} { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd index b18bd6bd50..162be13037 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd @@ -10,6 +10,8 @@ include profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery index 1af9fe22f9..f2f6554e6c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery +++ b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery @@ -10,6 +10,8 @@ include profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab index 193ff22af6..44a3f8db48 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-fstab +++ b/apparmor.d/groups/systemd-generators/systemd-generator-fstab @@ -15,6 +15,8 @@ profile systemd-generator-fstab @{exec_path} { capability dac_read_search, capability mknod, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /etc/fstab r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty index 0eadabec8b..78f08c3ad3 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-getty +++ b/apparmor.d/groups/systemd-generators/systemd-generator-getty @@ -12,12 +12,15 @@ profile systemd-generator-getty @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{run}/systemd/generator/getty.target.wants/ w, @{run}/systemd/generator/getty.target.wants/serial-getty@ttyS@{int}.service w, @{sys}/devices/virtual/tty/console/active r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 4bf0092d07..444315108d 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -14,6 +14,8 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { capability sys_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, / r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume index 7c5e9ec806..8979388dc9 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume +++ b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume @@ -11,6 +11,8 @@ profile systemd-generator-hibernate-resume @{exec_path} flags=(attach_disconnect include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup index 72ef280612..5ac1ea004c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup @@ -11,6 +11,8 @@ profile systemd-generator-integritysetup @{exec_path} flags=(attach_disconnected include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn index 780c63d569..7b2130db3a 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -10,6 +10,8 @@ include profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree index ce2ecaf439..9a3d610cbd 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ostree +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ostree @@ -10,6 +10,8 @@ include profile systemd-generator-ostree @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd index 8544a7938f..85ea9734cd 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-snapd +++ b/apparmor.d/groups/systemd-generators/systemd-generator-snapd @@ -10,6 +10,8 @@ include profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/1/mountinfo r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket index f08df7d90e..8e90be300d 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket +++ b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket @@ -15,6 +15,8 @@ profile systemd-generator-sshd-socket @{exec_path} { network inet6 dgram, network netlink raw, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{etc_ro}/ssh/sshd_config r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update index 9767a2e727..84127551f6 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -11,6 +11,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index ff4c746646..7e98e166ec 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -15,6 +15,8 @@ profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected capability net_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{etc_ro}/xdg/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment index 27db220782..d62127fa03 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment @@ -14,6 +14,8 @@ profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnect capability net_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup index 97776312f6..9cdb1c1574 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup @@ -11,7 +11,7 @@ profile systemd-generator-veritysetup @{exec_path} flags=(attach_disconnected) { include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{exec_path} mr, From fdf4d60b72b198d60a7731ff315f2e347d56ee09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:50:50 +0200 Subject: [PATCH 0701/1736] feat(profile): simplify unattended-upgrade. --- apparmor.d/groups/apt/unattended-upgrade | 29 +----------------------- 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d2da77bc37..94a10b0755 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -74,34 +74,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /usr/share/distro-info/* r, /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, - @{etc_ro}/login.defs r, - @{etc_ro}/security/capability.conf r, - /etc/apport/report-ignore/{,**} r, - /etc/apt/*.list r, - /etc/apt/apt.conf.d/{,**} r, - /etc/debian_version r, - /etc/default/{,**} r, - /etc/dpkg/origins/{,debian,ubuntu} r, - /etc/fwupd/{,**} r, - /etc/grub.d/* r, - /etc/init.d/* r, - /etc/issue{.net,} r, - /etc/kernel/*.d/*grub* r, - /etc/legal r, - /etc/lsb-release r, - /etc/machine-id r, - /etc/pam.d/* r, - /etc/pki/fwupd-metadata/{,**} r, - /etc/pki/fwupd/{,**} r, - /etc/profile.d/* r, - /etc/ssh/moduli r, - @{etc_ro}/ssh/sshd_config r, - @{etc_ro}/ssh/sshd_config.d/{,*} r, - /etc/ufw/{,**} r, - /etc/update-manager/{,**} r, - /etc/update-motd.d/{,**} r, - /etc/vim/{,**} r, - /etc/vmware-tools/{,**} r, + @{etc_ro}/** r, /var/log/unattended-upgrades/{,**} rw, /var/crash/*.crash rw, From 10cabcfe8e66cd2f86b2a3a0b57d8091100ed977 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:55:32 +0200 Subject: [PATCH 0702/1736] feat(profile): update apt profiles. Add support for autopkgtest in test mode. --- apparmor.d/groups/apt/apt-ftparchive | 4 +--- apparmor.d/groups/apt/apt-methods-copy | 8 +------- apparmor.d/groups/apt/apt-methods-file | 7 +------ apparmor.d/groups/apt/dpkg-buildflags | 5 ++++- apparmor.d/groups/apt/dpkg-deb | 3 +++ apparmor.d/groups/apt/dpkg-genbuildinfo | 3 +++ apparmor.d/groups/apt/dpkg-genchanges | 3 +++ apparmor.d/groups/apt/dpkg-split | 3 +++ 8 files changed, 19 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/apt/apt-ftparchive b/apparmor.d/groups/apt/apt-ftparchive index f7e9b46515..a60bf9a06d 100644 --- a/apparmor.d/groups/apt/apt-ftparchive +++ b/apparmor.d/groups/apt/apt-ftparchive @@ -10,12 +10,10 @@ include @{exec_path} = @{bin}/apt-ftparchive profile apt-ftparchive @{exec_path} { include + include @{exec_path} mr, - /etc/apt/apt.conf r, - /etc/apt/apt.conf.d/{,*} r, - # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index e2878e108d..238a2bdd9d 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/apt/methods/copy profile apt-methods-copy @{exec_path} { include + include include include @@ -35,13 +36,6 @@ profile apt-methods-copy @{exec_path} { /etc/ r, /root/ r, - /etc/apt/apt.conf.d/{,*} r, - /etc/apt/apt.conf r, - - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - - /var/lib/apt/lists/{,**} r, owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/partial/* rw, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 781f9714e3..25afbcb357 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/apt/methods/file profile apt-methods-file @{exec_path} { include + include include include @@ -31,19 +32,13 @@ profile apt-methods-file @{exec_path} { @{lib}/apt/apt-helper rix, /etc/apt/apt-mirrors.txt r, - /etc/apt/apt.conf r, - /etc/apt/apt.conf.d/{,*} r, /etc/apt/mirrors/* r, - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - # For shell pwd / r, /etc/ r, /root/ r, - /var/lib/apt/lists/{,**} rw, owner /var/lib/apt/lists/partial/* rw, /var/log/cron-apt/temp w, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 1a4055f77b..86a748f693 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -8,12 +8,15 @@ abi , include @{exec_path} = @{bin}/dpkg-buildflags -profile dpkg-buildflags @{exec_path} flags=(complain) { +profile dpkg-buildflags @{exec_path} flags=(attach_disconnected) { include include @{exec_path} r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 4fedbcd5f8..97d4d382c9 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -33,6 +33,9 @@ profile dpkg-deb @{exec_path} { owner @{tmp}/dpkg-deb.@{rand6}/ rw, owner @{tmp}/dpkg-deb.@{rand6}/* rw, + #aa:only test + /tmp/autopkgtest.@{rand6}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index b9853ca326..536098fa06 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -37,6 +37,9 @@ profile dpkg-genbuildinfo @{exec_path} { owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 7c7ad1681e..0ba28c80a3 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -26,6 +26,9 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rw, + #aa:only test + /tmp/autopkgtest.@{rand6}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index e307e9867b..28dff622ea 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -29,6 +29,9 @@ profile dpkg-split @{exec_path} { @{user_pkg_dirs}/** r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists } From 90db4b14f2fbac55b7e8d8ad6ddf2a912007f66b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:09:49 +0200 Subject: [PATCH 0703/1736] feat(abs): globally deny LTTng. --- apparmor.d/abstractions/base-strict | 1 + apparmor.d/abstractions/lttng | 21 +++++++++++++++++++ apparmor.d/groups/freedesktop/wireplumber | 4 ---- .../groups/gnome/gnome-desktop-thumbnailers | 3 --- 4 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 apparmor.d/abstractions/lttng diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 22ca5ec5ef..63169d497a 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -17,6 +17,7 @@ include include include + include # Allow us to signal ourselves signal peer=@{profile_name}, diff --git a/apparmor.d/abstractions/lttng b/apparmor.d/abstractions/lttng new file mode 100644 index 0000000000..9220655310 --- /dev/null +++ b/apparmor.d/abstractions/lttng @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# LTTng is an open source tracing framework for Linux - https://lttng.org +# +# Lttng tracing is very noisy and should not be allowed by confined apps. + + abi , + + deny @{run}/shm/lttng-ust-@{int} rw, + deny owner @{run}/shm/lttng-ust-@{int}-@{uid} rw, + deny owner @{run}/shm/lttng-ust-@{int}-@{int} rw, + + deny /dev/shm/lttng-ust-wait-@{int} rw, + deny owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, + deny owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 90eb46dc42..2df34a4f4c 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -60,10 +60,6 @@ profile wireplumber @{exec_path} { owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - /dev/shm/lttng-ust-wait-@{int} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, - @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 8c637920b3..436d824431 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -27,9 +27,6 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, - owner /dev/shm/lttng-ust-wait-@{int} rw, - include if exists } From 4503ad63cf22a668eb2161396cd75a8a8ec4b871 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:11:38 +0200 Subject: [PATCH 0704/1736] feat(profile): update own apparmor profles. --- apparmor.d/groups/apparmor/aa-log | 3 +++ apparmor.d/groups/apparmor/apparmor_parser | 9 +++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 1a3e0aeffe..80e3961257 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,6 +21,9 @@ profile aa-log @{exec_path} { /var/log/audit/* r, /var/log/syslog* r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/tty@{int} rw, profile journalctl { diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index a5769931c6..4e3216d72f 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -21,15 +21,17 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, + /opt/Mullvad*/resources/apparmor_mullvad r, + + /usr/share/apparmor-features/{,**} r, + /usr/share/apparmor/{,**} r, + /etc/apparmor.d/{,**} r, /etc/apparmor.d/cache.d/{,**} rw, /etc/apparmor/{,**} r, /etc/apparmor/cache.d/{,**} rw, /etc/apparmor/earlypolicy/{,**} rw, - /usr/share/apparmor-features/{,**} r, - /usr/share/apparmor/{,**} r, - owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} r, owner /snap/core@{int}/@{int}/etc/apparmor/* r, owner /var/cache/apparmor/{,**} rw, @@ -46,7 +48,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } From dc1b69d0be6189f99ae04805e0bb8888b6de59ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:13:38 +0200 Subject: [PATCH 0705/1736] feat(profles): update core fsp profiles. --- apparmor.d/groups/_full/sd | 7 ++++++- apparmor.d/groups/_full/sdu | 5 +++-- apparmor.d/groups/_full/systemd-user | 7 +++++++ 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index ccdbf338b1..93d3e362c0 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -2,6 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +#aa:lint ignore=too-wide + # Part of the systemd (as PID 1) profile. # sd is a profile for SystemD-executor run as root, it is used to run all services @@ -58,7 +60,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { capability sys_tty_config, capability syslog, - network alg seqpacket, + network alg seqpacket, # kernel crypto API network bluetooth, network inet dgram, network inet stream, @@ -94,6 +96,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { mqueue (read getattr) type=posix /, + signal peer=*//&sd, signal peer=sd//&*, signal receive peer=@{p_systemd}, signal send, @@ -183,12 +186,14 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{run}/* rw, @{run}/*/ rw, @{run}/*/* rw, + @{run}/*/*/ rw, @{run}/systemd/{,**} rw, owner @{run}/*/** rw, @{run}/udev/**/ r, @{run}/udev/data/+*:* r, # Identifies all subsystems @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/** r, @{sys}/fs/bpf/systemd/{,**} w, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index f9c50b65f0..51b2325ea6 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -35,6 +35,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { unix type=dgram peer=(label=@{p_systemd_user}), + #aa:dbus talk bus=system name=org label="*" dbus bus=session, @{exec_path} mr, @@ -113,7 +114,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { deny capability net_admin, - profile shell flags=(attach_disconnected,mediate_deleted,complain) { + profile shell flags=(attach_disconnected,mediate_deleted) { include @{sh_path} mr, @@ -122,7 +123,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include if exists } - profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + profile systemctl flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index b3d751be13..af3011e83e 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +#aa:lint ignore=too-wide + # Profile for 'systemd --user', not PID 1 but the user manager for any UID. # It does not specify an attachment path because it is intended to be used only # via "px -> systemd-user" exec transitions from the `systemd` profile. @@ -36,6 +38,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { #aa:dbus own bus=session name=org.freedesktop.systemd1 + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) From ee67dbba6f55dd9c716b5aeaee978a359e67f2d3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:16:54 +0200 Subject: [PATCH 0706/1736] feat(profile): ensure child-open-* profile can open app through snap/flatpak. --- apparmor.d/groups/children/child-open-browsers | 4 +++- apparmor.d/groups/children/child-open-editor | 4 +++- apparmor.d/groups/children/child-open-help | 6 ++++-- apparmor.d/groups/children/child-open-strict | 6 ++++-- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 473276bff6..2a65321a39 100644 --- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers @@ -19,7 +19,9 @@ profile child-open-browsers flags=(attach_disconnected,mediate_deleted) { include include - @{browsers_path} rPx, + @{browsers_path} Px, + @{bin}/flatpak Px, + @{bin}/snap Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-open-editor b/apparmor.d/groups/children/child-open-editor index 16d3dc868b..45c22fde58 100644 --- a/apparmor.d/groups/children/child-open-editor +++ b/apparmor.d/groups/children/child-open-editor @@ -19,7 +19,9 @@ profile child-open-editor flags=(attach_disconnected,mediate_deleted) { include include - @{editor_ui_path} PUx, + @{editor_ui_path} PUx, + @{bin}/flatpak Px, + @{bin}/snap Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index 1150d16d3a..0b80bca63f 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -10,8 +10,10 @@ profile child-open-help flags=(attach_disconnected,mediate_deleted) { include include - @{browsers_path} rPx, - @{help_path} rPx, + @{browsers_path} Px, + @{help_path} Px, + @{bin}/flatpak Px, + @{bin}/snap Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 4296f03aff..46e3569db1 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -15,8 +15,10 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { include include - @{browsers_path} Px, - @{file_explorers_path} Px, + @{browsers_path} Px, + @{file_explorers_path} Px, + @{bin}/snap Px, + @{bin}/flatpak Px, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, From 2af907d74384f8d15280587f42f157121a90212e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:18:15 +0200 Subject: [PATCH 0707/1736] feat(abs): add nvidia-drivers. --- apparmor.d/abstractions/nvidia-drivers | 30 +++++++++++++++++++ .../groups/children/child-modprobe-nvidia | 10 +------ 2 files changed, 31 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/nvidia-drivers diff --git a/apparmor.d/abstractions/nvidia-drivers b/apparmor.d/abstractions/nvidia-drivers new file mode 100644 index 0000000000..0137e42221 --- /dev/null +++ b/apparmor.d/abstractions/nvidia-drivers @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow creating nvidia device files to be used by unprivileged user-space programs + + abi , + + capability mknod, + + # To read dynamically allocated MAJOR for nvidia-uvm + @{PROC}/devices r, + + # Nvidia proprietary modset driver + /dev/nvidia-modeset w, + + # Nvidia's Unified Memory driver + /dev/nvidia-uvm w, + /dev/nvidia-uvm-tools w, + + # Nvidia graphics devices + /dev/nvidia@{int} rw, + + # Global control device for driver-wide operations. + /dev/nvidiactl rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 8e991cee7c..b16bfb007c 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -19,11 +19,10 @@ include @{exec_path} = @{bin}/nvidia-modprobe profile child-modprobe-nvidia flags=(attach_disconnected) { include - include + include capability chown, capability fsetid, - capability mknod, capability sys_admin, capability syslog, @@ -34,20 +33,13 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 owner /dev/char/195:@{u8} w, # Nvidia graphics devices - /dev/nvidia-modeset w, - /dev/nvidia-uvm w, - /dev/nvidia-uvm-tools w, - /dev/nvidia@{int} rw, - /dev/nvidiactl rw, owner /dev/nvidia-caps/ w, owner /dev/nvidia-caps/nvidia-cap@{int} w, From 00d236660371239bf1a7d3fa34c0b0594223b1f0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:20:22 +0200 Subject: [PATCH 0708/1736] feat(profile): rename gjs-console to gjs in peer label. --- apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver | 4 ++-- apparmor.d/groups/freedesktop/xdg-screensaver | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/tunables/multiarch.d/profiles | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index 27c4566371..b7ae6b200c 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -9,12 +9,12 @@ dbus send bus=session path=/{,org/gnome/}ScreenSaver interface=org.gnome.ScreenSaver member={GetActive,GetActiveTime,Lock,SetActive} - peer=(name=@{busname}, label=gjs-console), + peer=(name=@{busname}, label=gjs), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} - peer=(name=@{busname}, label=gjs-console), + peer=(name=@{busname}, label=gjs), include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index dd7d17118d..351292a8b0 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -47,7 +47,7 @@ profile xdg-screensaver @{exec_path} flags=(complain) { include #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy - #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a1090a15a6..62987c1cf4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -105,7 +105,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.gnome.* label=gnome-* #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus - #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index d4fefb0b0b..e26319f2c0 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -72,7 +72,7 @@ # Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution # Notification -@{pp_notification}={plasmashell,gjs-console} +@{pp_notification}={plasmashell,gjs} @{pp_app_indicator}={plasmashell,gnome-shell} @{pp_dbusmenu}={plasmashell,nautilus} From ef79363a072ba784c6388b13b40253ce0742f0e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 17:42:21 +0200 Subject: [PATCH 0709/1736] feat(abs): add udev c226 to the dri abs. --- apparmor.d/abstractions/dri | 2 ++ apparmor.d/groups/freedesktop/plymouthd | 1 - apparmor.d/groups/freedesktop/xorg | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/hyprland/hyprland | 1 - apparmor.d/groups/kde/kwin_wayland | 1 - apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/virtnodedevd | 2 +- apparmor.d/profiles-g-l/labwc | 1 - apparmor.d/profiles-m-r/nvtop | 1 - apparmor.d/profiles-s-z/switcheroo-control | 2 +- 12 files changed, 6 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index 128da00d08..3146b8a3c8 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -17,6 +17,8 @@ /etc/drirc r, + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} + @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/config r, @{sys}/devices/@{pci}/device r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 0a23906610..c740a1d6a5 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -48,7 +48,6 @@ profile plymouthd @{exec_path} { @{run}/plymouth/{,**} rw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{sys}/bus/ r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index bfec4405c8..021cd96b01 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -109,7 +109,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 62987c1cf4..dd650a9ca5 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -325,7 +325,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 164253f1dd..20c7cc514a 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -54,7 +54,6 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/class/input/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 6a0ef608bc..ab33ba2bf0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -140,7 +140,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index e2612ff16f..e5f927ba6d 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -86,7 +86,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{att}/@{run}/systemd/notify w, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 8f673e2617..755cd220d2 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -72,7 +72,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c108:@{int} r, # For /dev/ppp @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, # For network interfaces diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index fb593068e6..4034018f8d 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -69,7 +69,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, # For network interfaces diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index ab624f0992..351ffc116d 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -46,7 +46,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{run}/systemd/sessions/* r, @{run}/systemd/seats/seat@{int} r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index fc51b5b9e3..96634e7bc5 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -27,7 +27,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index eecb98b282..fd7473365f 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -24,7 +24,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{sys}/bus/ r, @{sys}/class/ r, From 2c9d21e510def603f00b75920aea01a83cc5bb97 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 17:53:24 +0200 Subject: [PATCH 0710/1736] feat(abs): add the nss abs. --- apparmor.d/abstractions/common/chromium | 8 ++------ apparmor.d/abstractions/nss | 20 ++++++++++++++++++++ apparmor.d/profiles-m-r/mkcert | 1 + 3 files changed, 23 insertions(+), 6 deletions(-) create mode 100644 apparmor.d/abstractions/nss diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 23f4544a34..00dd5a4600 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -15,6 +15,8 @@ abi , + include + userns, # Required for dropping into PID namespace. Keep in mind that until the @@ -28,12 +30,6 @@ capability sys_chroot, capability sys_ptrace, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6} rw, diff --git a/apparmor.d/abstractions/nss b/apparmor.d/abstractions/nss new file mode 100644 index 0000000000..3ff04292f0 --- /dev/null +++ b/apparmor.d/abstractions/nss @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Network Security Services (NSS) + +# It only allows access to the system-provided configuration files, not the ones +# that are applications specific. + + abi , + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkcert b/apparmor.d/profiles-m-r/mkcert index 3ae643e1dc..bedbbab020 100644 --- a/apparmor.d/profiles-m-r/mkcert +++ b/apparmor.d/profiles-m-r/mkcert @@ -12,6 +12,7 @@ profile mkcert @{exec_path} { include include include + include include network netlink raw, From eb9725f8e275636399dcb8f14cc9c74560b3a653 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:00:59 +0200 Subject: [PATCH 0711/1736] feat(abs): update camera & media-control abs --- apparmor.d/abstractions/camera | 7 ++++--- apparmor.d/abstractions/media-control | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera index 0f5cff363e..21cc11418c 100644 --- a/apparmor.d/abstractions/camera +++ b/apparmor.d/abstractions/camera @@ -6,6 +6,9 @@ abi , + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c81:@{int} r, # For video4linux + # Allow detection of cameras. Leaks plugged in USB device info @{sys}/bus/usb/devices/ r, @{sys}/devices/@{pci}/usb@{int}/**/busnum r, @@ -17,12 +20,10 @@ @{sys}/devices/@{pci}/usb@{int}/**/speed r, @{sys}/class/video4linux/ r, - @{sys}/devices/**/video4linux/** r, @{sys}/devices/**/video4linux/video@{int}/ r, @{sys}/devices/**/video4linux/video@{int}/uevent r, - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c81:@{int} r, # For video4linux + /dev/ r, # VideoCore cameras (shared device with VideoCore/EGL) /dev/vchiq rw, diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control index 1cdcf66f2c..b4fbc0f34c 100644 --- a/apparmor.d/abstractions/media-control +++ b/apparmor.d/abstractions/media-control @@ -8,6 +8,8 @@ abi , + @{sys}/bus/media/devices/ r, + # Control of media devices /dev/media@{int} rwk, From 308d27a5dd07754c37c0b873ceb2a53e73365c68 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:01:56 +0200 Subject: [PATCH 0712/1736] feat(abs): base: allow signal from pkill --- apparmor.d/abstractions/base-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 63169d497a..e65e45d625 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -33,9 +33,10 @@ signal receive peer=@{p_systemd}, signal receive peer=@{p_systemd_user}, - # Htop like programs can send any signal to any process + # Htop like programs can send any signals to any processes signal receive peer=btop, signal receive peer=htop, + signal receive peer=pkill, signal receive peer=top, signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, From 365736863a883095cf48083898dcccc5ff0d87cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:03:48 +0200 Subject: [PATCH 0713/1736] feat(abs): remove the not used user-data abs. prompt is not yet supported. --- apparmor.d/abstractions/user-data | 49 ------------------------------- 1 file changed, 49 deletions(-) delete mode 100644 apparmor.d/abstractions/user-data diff --git a/apparmor.d/abstractions/user-data b/apparmor.d/abstractions/user-data deleted file mode 100644 index 6406b3e84a..0000000000 --- a/apparmor.d/abstractions/user-data +++ /dev/null @@ -1,49 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Gives access to non-hidden files in user's $HOME. -# Warning: experiemental, only for abi 4+, requires a prompting client. - - abi , - - # Allow accessing the GNOME crypto services prompt APIs as used by - # applications using libgcr (such as pinentry-gnome3) for secure pin - # entry to unlock GPG keys etc. See: - # https://developer.gnome.org/gcr/unstable/GcrPrompt.html - # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html - # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 - dbus send bus=session path=/org/gnome/keyring/Prompter - interface=org.gnome.keyring.internal.Prompter - member={BeginPrompting,PerformPrompt,StopPrompting} - peer=(name="{@{busname}", label=pinentry-*), - dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} - interface=org.gnome.keyring.internal.Prompter.Callback - member={PromptReady,PromptDone} - peer=(name="{@{busname}", label=pinentry-*), - - # Allow read access to toplevel $HOME & mounts for the user. - prompt owner @{HOME}/ r, - prompt owner @{MOUNTS}/ r, - - # Allow read/write access to all files in @{HOME}, except snap application - # data in @{HOME}/snap and toplevel hidden directories in @{HOME}. - prompt owner @{HOME}/[^s.]** rwlk, - prompt owner @{HOME}/s[^n]** rwlk, - prompt owner @{HOME}/sn[^a]** rwlk, - prompt owner @{HOME}/sna[^p]** rwlk, - prompt owner @{HOME}/snap[^/]** rwlk, - prompt owner @{HOME}/{s,sn,sna}{,/} rwlk, - - # Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs) - # for non-hidden files owned by the user. - prompt owner @{MOUNTS}/[^.]** rwlk, - - # Disallow writes to the well-known directory included in - # the user's PATH on several distributions - audit deny @{HOME}/bin/{,**} wl, - audit deny @{HOME}/bin wl, - - include if exists - -# vim:syntax=apparmor From fdf89f6fa9072f369bdcbca51a17b9c29077484f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:07:44 +0200 Subject: [PATCH 0714/1736] feat(abs): improve the u2f abs. --- apparmor.d/abstractions/devices-u2f | 5 +++++ apparmor.d/groups/ssh/ssh | 9 +-------- apparmor.d/groups/ssh/ssh-sk-helper | 10 ++-------- 3 files changed, 8 insertions(+), 16 deletions(-) diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f index c707d66e04..e823d76e40 100644 --- a/apparmor.d/abstractions/devices-u2f +++ b/apparmor.d/abstractions/devices-u2f @@ -12,6 +12,11 @@ # Needed for dynamic assignment of U2F devices @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/hidraw/hidraw@{int} r, @{sys}/devices/**/i2c*/**/report_descriptor r, @{sys}/devices/**/usb@{int}/**/report_descriptor r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 0d68264901..dcaa416fee 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -11,6 +11,7 @@ include profile ssh @{exec_path} { include include + include include include include @@ -52,17 +53,9 @@ profile ssh @{exec_path} { owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/hidraw/hidraw@{int} r, - owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, - /dev/hidraw@{int} rwk, - include if exists } diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index ff9de97c32..79f5d22da7 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 valoq +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,18 +10,11 @@ include @{exec_path} = @{lib}/{,ssh/}ssh-sk-helper profile ssh-sk-helper flags=(complain) { include + include include @{exec_path} mr, - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/hidraw/hidraw@{int} r, - - /dev/hidraw@{int} rwk, - include if exists } From 22873640a6ae3d16ab489c867ebc148890f0d7c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:12:15 +0200 Subject: [PATCH 0715/1736] chore(abs): remove deduplicated rule. --- apparmor.d/abstractions/disks-read | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index e33ec2c3fa..ee97ff04db 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -17,7 +17,6 @@ @{sys}/devices/@{pci}/ata@{int}/** r, @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r, @{sys}/devices/@{pci}/block/{s,v}d[a-z]/** r, - @{sys}/devices/@{pci}/host@{int}/** r, @{sys}/devices/@{pci}/usb@{int}/** r, @{sys}/devices/@{pci}/virtio@{int}/** r, @{sys}/devices/**/host@{int}/** r, From 7e1261953336cb284984718624a9357735ec1c51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:25:09 +0200 Subject: [PATCH 0716/1736] refractor(abs): add deskop base abstractions. --- apparmor.d/abstractions/desktop | 47 ++-------------------------- apparmor.d/abstractions/gnome-base | 22 +++++++++++++ apparmor.d/abstractions/gnome-strict | 15 ++------- apparmor.d/abstractions/kde-base | 43 +++++++++++++++++++++++++ apparmor.d/abstractions/kde-strict | 33 ++----------------- apparmor.d/abstractions/xfce | 15 ++++++--- apparmor.d/abstractions/xfce-base | 16 ++++++++++ 7 files changed, 100 insertions(+), 91 deletions(-) create mode 100644 apparmor.d/abstractions/gnome-base create mode 100644 apparmor.d/abstractions/kde-base create mode 100644 apparmor.d/abstractions/xfce-base diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index c4abbd574d..a087c43848 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -26,56 +26,15 @@ # if @{DE} == gnome - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, - - /etc/gnome/* r, - - / r, - - owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists # else if @{DE} == kde - @{lib}/kde{,3,4}/*.so mr, - @{lib}/kde{,3,4}/plugins/*/ r, - @{lib}/kde{,3,4}/plugins/*/*.so mr, - - /usr/share/knotifications{5,6}/*.notifyrc r, - - /etc/xdg/baloofilerc r, - /etc/xdg/kcminputrc r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, - - owner @{user_config_dirs}/baloofilerc r, - owner @{user_config_dirs}/dolphinrc r, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/ r, - owner @{user_config_dirs}/kdedefaults/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/@{profile_name}* rwlk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/trashrc r, + include # else if @{DE} == xfce - /usr/share/xfce{,4}/ r, - - owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, - owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, + include # end diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base new file mode 100644 index 0000000000..c186283232 --- /dev/null +++ b/apparmor.d/abstractions/gnome-base @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal gnome specific rules. + + abi , + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label=gnome-shell), + + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, + + / r, + + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 227377f3a6..195f3b0c59 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,6 +4,7 @@ abi , + # Common abstractions for any desktop environment include include include @@ -19,23 +20,13 @@ include include - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + # Gnome specific rules + include /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, - - /etc/gnome/* r, - - / r, - - owner @{user_share_dirs}/gnome-shell/session.gvdb rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-base b/apparmor.d/abstractions/kde-base new file mode 100644 index 0000000000..2962bd2993 --- /dev/null +++ b/apparmor.d/abstractions/kde-base @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal kde specific rules. + + abi , + + @{lib}/kde{,3,4}/*.so mr, + @{lib}/kde{,3,4}/plugins/*/ r, + @{lib}/kde{,3,4}/plugins/*/*.so mr, + + /usr/share/knotifications{5,6}/*.notifyrc r, + /usr/share/kubuntu-default-settings/{,**} r, + + /etc/xdg/baloofilerc r, + /etc/xdg/kcminputrc r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, + + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, + owner @{user_config_dirs}/kcminputrc r, + owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/kcminputrc r, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/*_* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/trashrc r, + + owner @{user_share_dirs}/#@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 79e97b23f3..42f58fa7a0 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,6 +4,7 @@ abi , + # Common abstractions for any desktop environment include include include @@ -19,40 +20,12 @@ include include - @{lib}/kde{,3,4}/*.so mr, - @{lib}/kde{,3,4}/plugins/*/ r, - @{lib}/kde{,3,4}/plugins/*/*.so mr, + # Kde specific rules + include /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/knotifications{5,6}/*.notifyrc r, - /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu - - /etc/xdg/baloofilerc r, - /etc/xdg/kcminputrc r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, - - owner @{user_config_dirs}/baloofilerc r, - owner @{user_config_dirs}/dolphinrc r, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/ r, - owner @{user_config_dirs}/kdedefaults/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_* rwlk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/trashrc r, - - owner @{user_share_dirs}/#@{int} rw, include if exists diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index df13363fc1..193af858b6 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -4,19 +4,24 @@ abi , + # Common abstractions for any desktop environment include + include include - include + include include + include + include + include + include include + include include include include - /usr/share/xfce{,4}/ r, - - owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, - owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, + # XFCE specific rules + include include if exists diff --git a/apparmor.d/abstractions/xfce-base b/apparmor.d/abstractions/xfce-base new file mode 100644 index 0000000000..04233c84bb --- /dev/null +++ b/apparmor.d/abstractions/xfce-base @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal xfce specific rules. + + abi , + + /usr/share/xfce{,4}/ r, + + owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, + owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, + + include if exists + +# vim:syntax=apparmor From 2b9318c32e4784f4a0c34af9dddac840b1b70bf0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:26:41 +0200 Subject: [PATCH 0717/1736] chore(abs): cleanup vulkan-strict --- apparmor.d/abstractions/vulkan-strict | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index d4dd2fae64..1ad04157b7 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -28,7 +28,9 @@ @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/@{pci}/drm/ r, - @{sys}/devices/@{pci}/drm/card@{int}/gt_{min,cur,max}_freq_mhz r, + @{sys}/devices/@{pci}/drm/card@{int}/gt_cur_freq_mhz r, + @{sys}/devices/@{pci}/drm/card@{int}/gt_max_freq_mhz r, + @{sys}/devices/@{pci}/drm/card@{int}/gt_min_freq_mhz r, @{sys}/devices/@{pci}/drm/card@{int}/metrics/ r, @{sys}/devices/@{pci}/drm/card@{int}/metrics/@{uuid}/id r, From 582428c06efc886bf835b9d15880676b08b55e47 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:34:45 +0200 Subject: [PATCH 0718/1736] feat(profiles): various minor improvements. --- apparmor.d/abstractions/glibc | 2 +- apparmor.d/groups/bluetooth/blueman | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/gnome/gjs | 13 ++++++++++--- apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/network/mullvad-daemon | 1 + apparmor.d/groups/network/nm-openvpn-service | 3 ++- apparmor.d/groups/procps/htop | 3 ++- apparmor.d/groups/ubuntu/apport | 13 +++++++------ apparmor.d/groups/virt/dockerd | 1 + apparmor.d/groups/xfce/xfce-clipman | 7 ++++--- apparmor.d/groups/xfce/xfce-session | 4 ++-- apparmor.d/profiles-a-f/dracut-install | 2 ++ apparmor.d/profiles-m-r/rfkill | 6 +++--- 14 files changed, 38 insertions(+), 23 deletions(-) diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index 8536470bd5..09f7277d50 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -27,7 +27,7 @@ owner @{PROC}/@{pid}/status r, # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, - # but in a format that is simpler to manage, because it doesn't require to + # but in a format that is easier to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. owner @{PROC}/@{pid}/map_files/ r, diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 08a553c1d3..59c76e33a4 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -25,7 +25,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { network netlink raw, network bluetooth raw, - ptrace (read) peer=gjs-console, + ptrace read peer=gjs, #aa:dbus own bus=session name=org.blueman.Applet #aa:dbus own bus=session name=org.blueman.Manager diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 3ea17a4e50..ee56ba6e83 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -23,7 +23,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label="@{p_bluetoothd}"), + peer=(name=@{busname}, label="@{p_bluetoothd}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 388c90b142..3585fe2d96 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -89,14 +89,14 @@ profile gjs @{exec_path} flags=(attach_disconnected) { /usr/share/xkeyboard-config-2/{,**} r, /usr/share/thumbnailers/{,**} r, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, + owner @{gdm_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw, + owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_share_dirs}/nautilus/scripts/ r, @@ -115,8 +115,10 @@ profile gjs @{exec_path} flags=(attach_disconnected) { profile gstreamer { include + include include include + include include include @@ -126,6 +128,11 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + include if exists } diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 6418193a68..dafb0505b8 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -35,7 +35,7 @@ profile ptyxis-agent @{exec_path} { /dev/ptmx rw, - profile shell { + profile shell flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index d5c93fc5c7..7506313ba3 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -65,6 +65,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 943386f61d..a3db0c896d 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{lib}/{,NetworkManager/}nm-openvpn-service -profile nm-openvpn-service @{exec_path} { +profile nm-openvpn-service @{exec_path} flags=(attach_disconnected) { include + include include capability kill, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index ef14d9ca9e..b02b0f6925 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/htop -profile htop @{exec_path} { +profile htop @{exec_path} flags=(attach_disconnected) { include include include @@ -91,6 +91,7 @@ profile htop @{exec_path} { @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, + @{PROC}/spl/kstat/zfs/arcstats r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/sched_autogroup_enabled r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 211dda9ccb..40b3f14d6e 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -28,8 +28,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> &child-dpkg, - @{bin}/dpkg-divert rPx -> &child-dpkg-divert, + @{bin}/dpkg rPx -> apport//&child-dpkg, + @{bin}/dpkg-divert rPx -> apport//&child-dpkg-divert, @{bin}/gdbus rix, @{bin}/md5sum rix, @@ -66,10 +66,11 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{run}/apport.lock rwk, @{run}/log/journal/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/sys/fs/suid_dumpable w, @{PROC}/sys/kernel/core_pattern w, @{PROC}/sys/kernel/core_pipe_limit w, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 0a214ccd14..d90dbe8fe8 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -109,6 +109,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, + @{sys}/fs/cgroup/system.slice/docker.service/cpu.max r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman index 270f7266fe..45d2f42318 100644 --- a/apparmor.d/groups/xfce/xfce-clipman +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -16,10 +16,11 @@ profile xfce-clipman @{exec_path} { @{exec_path} mr, - /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + @{bin}/xfce4-clipman-history rix, - owner @{user_cache_dirs}/xfce4/clipman/ r, - owner @{user_cache_dirs}/xfce4/clipman/* rw, + /etc/xdg/autostart/xfce4-clipman*.desktop r, + + owner @{user_cache_dirs}/xfce4/clipman/{,**} rw, owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index be0f5c73d8..bdb4b8d365 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/xfce4-session profile xfce-session @{exec_path} flags=(attach_disconnected) { include - include + include include + include include - include include include include diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index e99760a73e..5137cde8c7 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -17,6 +17,8 @@ profile dracut-install @{exec_path} { /etc/modprobe.d/{,**} r, + / r, + @{sys}/devices/platform/{,**/} r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index c65298b27b..9c5946f222 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -13,10 +13,10 @@ profile rfkill @{exec_path} { @{exec_path} mr, - /dev/rfkill rw, + @{sys}/devices/**/rfkill/rfkill@{int}/name r, + @{sys}/devices/**/rfkill/rfkill@{int}/type r, - @{sys}/devices/@{pci}/rfkill@{int}/{name,type} r, - @{sys}/devices/platform/**/rfkill/rfkill@{int}/{name,type} r, + /dev/rfkill rw, include if exists } From 71527e512c5726ce1107802fa505f674ba861949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:44:33 +0200 Subject: [PATCH 0719/1736] fix(abs): x11: tmp file too strict. fix #872 --- apparmor.d/abstractions/X-strict | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index a92058206d..316f1e3bb5 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -22,7 +22,7 @@ /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/X@{int} rw, + /tmp/.X11-unix/X@{int}{,_} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland From b1ac57e6fc6edac4550ed247ecd299d5b7529633 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:46:57 +0200 Subject: [PATCH 0720/1736] feat(profile): udisk: add support for squashfs. --- apparmor.d/groups/filesystem/udisksd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 91d4a8569d..37fe5b4b33 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -35,8 +35,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, # Allow mounting of loop devices (ISO files) - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3,squashfs} /dev/loop[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3,squashfs} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow mounting of cdrom mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, From 65b73d7e5d3228dbd583f506d8a583679f77583b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:47:48 +0200 Subject: [PATCH 0721/1736] feat(profile): update flatpak. --- apparmor.d/groups/flatpak/flatpak | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 0b33cb6dcb..b8ededbf0d 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,14 +9,17 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include + include include include include include include - include + include + include include include + include userns, @@ -25,6 +28,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability net_admin, capability sys_ptrace, + # Manage the sandbox + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, + network inet dgram, network inet6 dgram, network inet stream, @@ -33,7 +42,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, - ptrace (read) peer=flatpak-app, + ptrace read peer=flatpak-app, + ptrace read peer=flatpak.*, + ptrace read peer=bwrap.*, signal send peer=flatpak-app, @@ -66,6 +77,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgsm rCx -> gpg, @{lib}/revokefs-fuse rix, + # For flatpack enter, the shell is not confined on purpose. + @{bin}/@{shells} rUx, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, @{lib}/polkit-agent-helper-[0-9] rPx, @@ -74,6 +88,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /etc/flatpak/{,**} r, /etc/pulse/client.conf r, + / r, @{att}/ r, /var/lib/flatpak/{,**} rwlk, From ab3622344030214f7d6d2296d297d6aba1d8f008 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:50:56 +0200 Subject: [PATCH 0722/1736] refractor(abs): remove deprecated org.freedesktop.Avahi --- .../abstractions/bus/org.freedesktop.Avahi | 46 ------------------- 1 file changed, 46 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.Avahi diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi deleted file mode 100644 index 4ddf95af32..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ /dev/null @@ -1,46 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.Avahi), - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,ItemRemove,AllForNow,CacheExhausted} - peer=(name="@{busname}", label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor From c9756eacb6955a11ffe18d754820c33bd874bbcd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 19:09:15 +0200 Subject: [PATCH 0723/1736] feat(profile): add missing some avahi access. --- apparmor.d/groups/cups/cups-browsed | 1 + apparmor.d/groups/cups/cupsd | 1 + apparmor.d/groups/gvfs/gvfsd-dnssd | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index ca1dc96308..b4c0dc644f 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -14,6 +14,7 @@ profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index ec0bbfd678..145e43076d 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -12,6 +12,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index aad9de3a0e..a87c5bbc17 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -17,6 +17,7 @@ profile gvfsd-dnssd @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd From ea171aba10929cba845f50902acd284dd621627e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 19:27:45 +0200 Subject: [PATCH 0724/1736] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gdm | 3 ++- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 ++ .../groups/gnome/gnome-photos-thumbnailer | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 17 +++++++++-------- apparmor.d/groups/gnome/gnome-terminal-server | 2 ++ apparmor.d/groups/gnome/gnome-text-editor | 2 +- apparmor.d/groups/gnome/goa-identity-service | 4 ++-- apparmor.d/groups/gnome/gsd-media-keys | 11 +---------- .../groups/gnome/org.gnome.NautilusPreviewer | 2 ++ apparmor.d/groups/gnome/ptyxis-agent | 7 ++++++- apparmor.d/groups/gvfs/gvfsd-localtest | 8 ++++++++ dists/flags/main.flags | 10 +++++----- 13 files changed, 43 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 3f958cb7ed..d202d5199d 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -71,8 +71,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{GDM_HOME}/ rw, @{GDM_HOME}/** rw, + @{run}/gdm{,3}.pid rw, @{run}/gdm{,3}/ rw, - owner @{run}/gdm{,3}.pid rw, + @{run}/gdm{,3}/gdm.pid rw, owner @{run}/gdm{,3}/dbus/ rw, owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 3bab1b134b..ca83c2fa2f 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -37,7 +37,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal send set=hup peer=dbus-accessibility, signal send set=hup peer=dbus-session, signal send set=hup peer=dconf-service, - signal send set=hup peer=gjs-console, + signal send set=hup peer=gjs, signal send set=hup peer=gnome-*, signal send set=hup peer=gsd-*, signal send set=hup peer=ibus-*, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 9f78fb4fda..e2de80f8ff 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -41,7 +41,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + #aa:dbus talk bus=session name=org.gnome.Identity label=goa-identity-service #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 31d9b79876..a954502a32 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -17,9 +17,9 @@ profile gnome-photos-thumbnailer @{exec_path} { owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, - owner @{user_cache_dirs}/gegl-*/{,**} r, + owner @{user_cache_dirs}/gegl-@{version}/{,**} r, owner @{user_cache_dirs}/gnome-photos/thumbnails/{,**} rw, - owner @{user_share_dirs}/gegl-*/{,**} r, + owner @{user_share_dirs}/gegl-@{version}/{,**} r, owner /dev/shm/DzlCounters-@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index dd650a9ca5..428c314e22 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -131,7 +131,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus receive bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved - peer=(name=:*, label="@{p_systemd_user}"), + peer=(name=@{busname}, label="@{p_systemd_user}"), dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu @@ -141,12 +141,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable @@ -314,14 +314,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+dmi:id r, # for motherboard info + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index fe380daddd..1a14549f7a 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -35,6 +35,8 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{bin}/byobu PUx, + @{bin}/env ix, @{lib}/gnome-terminal-preferences ix, # The shell is not confined on purpose. diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 8aa950e2c0..4576608568 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-text-editor -profile gnome-text-editor @{exec_path} { +profile gnome-text-editor @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 4509a61591..3efc1ac448 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -18,12 +18,12 @@ profile goa-identity-service @{exec_path} { dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index b299ab7ffd..5446af78d5 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -30,6 +30,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -43,16 +44,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { member=ListNames peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/gnome/SettingsDaemon/Power - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-power), - - dbus receive bus=session path=/org/gnome/SettingsDaemon/Power - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-power), - @{exec_path} mr, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index e1bde22381..6a48af3f55 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -53,6 +53,8 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, + /dev/ r, + include if exists } diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index dafb0505b8..154b65bf24 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/ptyxis-agent -profile ptyxis-agent @{exec_path} { +profile ptyxis-agent @{exec_path} flags=(attach_disconnected) { include include include @@ -22,6 +22,11 @@ profile ptyxis-agent @{exec_path} { unix type=stream peer=(label=ptyxis), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/podman Px, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index d1af3c60c7..bdd3feb460 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -11,9 +11,17 @@ include profile gvfsd-localtest @{exec_path} { include include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 94eb1c07b8..6431eb7eaa 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -212,7 +212,7 @@ landscape-sysinfo.wrapper complain language-validate attach_disconnected,complain last complain lastlog complain -libreoffice complain +libreoffice attach_disconnected,complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain @@ -220,7 +220,7 @@ lightdm-session complain linux-check-removal complain linux-update-symlinks complain locale-gen complain -localectl complain +localectl attach_disconnected,complain localsearch complain localsearch-control complain localsearch-writeback complain @@ -269,8 +269,8 @@ plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted pollinate complain -ptyxis complain -ptyxis-agent complain +ptyxis attach_disconnected,complain +ptyxis-agent attach_disconnected,complain pycompile complain qdbus complain remmina complain @@ -291,7 +291,7 @@ snap-seccomp attach_disconnected,complain snap-update-ns complain snapd complain snapd-apparmor complain -snapshot complain +snapshot attach_disconnected,complain speech-dispatcher complain sshd-auth complain ssservice complain From 0a206eb49df5c5700ab7c4c0d9e1704a0ca8272f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 19:29:49 +0200 Subject: [PATCH 0725/1736] feat(profile): prevent ps from ptrace. --- apparmor.d/groups/procps/ps | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 7663cbf5da..ab6f3486c7 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -14,9 +14,6 @@ profile ps @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, - capability sys_ptrace, - - ptrace (read), @{exec_path} mr, @@ -52,6 +49,14 @@ profile ps @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, + # While commands like 'ps', 'ip netns identify ', 'ip netns pids foo', etc + # trigger a 'ptrace trace' denial, they aren't actually tracing other + # processes. Unfortunately, the kernel overloads trace such that the LSMs are + # unable to distinguish between tracing other processes and other accesses. + deny capability sys_ptrace, + deny ptrace trace, + deny ptrace read, + include if exists } From 714f535a540805956c253e42241a7ecf97bef149 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 21 Sep 2025 12:25:52 +0200 Subject: [PATCH 0726/1736] Update sddm-greeter: add mediate_deleted profile sddm-greeter flags=(mediate_deleted) { owner link /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/#@{int8} , # Failed name lookup - deleted entry owner link /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/qqpc_opengl.BalADW -> /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/#@{int8}, owner link /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/qqpc_opengl.cgulsP -> /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/#@{int8}, --- apparmor.d/groups/kde/sddm-greeter | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 56c1427878..4fa1d0a3f4 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/sddm-greeter{,-qt6} -profile sddm-greeter @{exec_path} flags=(attach_disconnected) { +profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -48,8 +48,11 @@ profile sddm-greeter @{exec_path} flags=(attach_disconnected) { /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, - /var/lib/AccountsService/icons/* r, - /var/lib/dbus/machine-id r, + + /var/lib/AccountsService/icons/* r, + /var/lib/dbus/machine-id r, + owner /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/#@{int8} rw, + owner /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/qqpc_opengl.@{rand6} l -> /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/#@{int8}, @{SDDM_HOME}/state.conf r, owner @{SDDM_HOME}/** rw, From 364c863cd0301c687d9c2c7a50853fe76f4987bf Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 21 Sep 2025 12:38:00 +0200 Subject: [PATCH 0727/1736] Update main.flags: adding mediate_deleted to sddm-greeter --- dists/flags/main.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6431eb7eaa..0ca1809519 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -278,7 +278,7 @@ run-parts complain runuser complain sdcv complain sddm attach_disconnected,mediate_deleted,complain -sddm-greeter attach_disconnected,complain +sddm-greeter attach_disconnected,mediate_deleted,complain secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain From 57fd6a939a6094bb4cdb905b455fa4f68905960a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 21 Sep 2025 17:50:34 +0200 Subject: [PATCH 0728/1736] Update sddm-greeter --- apparmor.d/groups/kde/sddm-greeter | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 4fa1d0a3f4..f382cc76d4 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -49,11 +49,9 @@ profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, - /var/lib/AccountsService/icons/* r, - /var/lib/dbus/machine-id r, - owner /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/#@{int8} rw, - owner /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/qqpc_opengl.@{rand6} l -> /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/#@{int8}, - + /var/lib/AccountsService/icons/* r, + /var/lib/dbus/machine-id r, + @{SDDM_HOME}/state.conf r, owner @{SDDM_HOME}/** rw, owner @{SDDM_HOME}/#@{int} mrw, From 8174a6d2ec8041796f1c0a5377830a478146414c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 20:12:35 +0200 Subject: [PATCH 0729/1736] fix(profile): linter issue. --- apparmor.d/groups/kde/sddm-greeter | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f382cc76d4..49496ec15f 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -48,10 +48,10 @@ profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, - + /var/lib/AccountsService/icons/* r, /var/lib/dbus/machine-id r, - + @{SDDM_HOME}/state.conf r, owner @{SDDM_HOME}/** rw, owner @{SDDM_HOME}/#@{int} mrw, From 71b81ff27258e9af911bd05e38e762d64acf9245 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 22 Sep 2025 02:43:27 +0200 Subject: [PATCH 0730/1736] fix zpool --- apparmor.d/profiles-s-z/zpool | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 89a3e1b296..4c1c30c7c8 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -13,8 +13,7 @@ profile zpool @{exec_path} { capability sys_admin, - mount fstype=zfs options=(rw noatime) hdzpool -> @{MOUNTS}/, - mount fstype=zfs options=(rw noatime) sszpool -> @{MOUNTS}/, + mount fstype=zfs options=(rw noatime) * -> @{MOUNTS}/, @{exec_path} mr, From 500db221917e4e3991e4e95ddda61ab0263362c3 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 22 Sep 2025 12:50:02 +0200 Subject: [PATCH 0731/1736] Update lscpu: adding attach_disconnected See https://github.com/roddhjav/apparmor.d/issues/874 --- apparmor.d/groups/utils/lscpu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/lscpu b/apparmor.d/groups/utils/lscpu index caa2b56281..ae87ad10f2 100644 --- a/apparmor.d/groups/utils/lscpu +++ b/apparmor.d/groups/utils/lscpu @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lscpu -profile lscpu @{exec_path} { +profile lscpu @{exec_path} flags=(attach_disconnected) { include include From acca23f1a9aa29d4583da0d04054de58dcc9e772 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 22 Sep 2025 12:51:29 +0200 Subject: [PATCH 0732/1736] Update main.flags: adding lscpu --- dists/flags/main.flags | 1 + 1 file changed, 1 insertion(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 0ca1809519..3254f3c01d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -227,6 +227,7 @@ localsearch-writeback complain login attach_disconnected,complain loginctl complain low-memory-monitor attach_disconnected,complain +lscpu attach_disconnected lvm attach_disconnected,complain lvmconfig complain lvmdump complain From c256243ac8391aeb42baff53be839ff269986fa9 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 22 Sep 2025 12:59:50 +0200 Subject: [PATCH 0733/1736] Update flatpak: adding gschemas abs `ALLOWED flatpak open /usr/share/glib-2.0/schemas/gschemas.compiled comm=flatpak requested_mask=r denied_mask=r` --- apparmor.d/groups/flatpak/flatpak | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index b8ededbf0d..da93bf30d4 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -16,6 +16,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include + include include include include From bbc75147e235c56d8e2dd4e36e0d6554a44b9de8 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 22 Sep 2025 18:04:40 +0200 Subject: [PATCH 0734/1736] fix zpool again --- apparmor.d/profiles-s-z/zpool | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 4c1c30c7c8..f8ae5d91ae 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -13,7 +13,7 @@ profile zpool @{exec_path} { capability sys_admin, - mount fstype=zfs options=(rw noatime) * -> @{MOUNTS}/, + mount fstype=zfs options=(rw noatime) ** -> @{MOUNTS}/, @{exec_path} mr, From 18cd23b6bbdcd5ac8e454a80b301e0ee95a5260b Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 22 Sep 2025 18:47:56 +0200 Subject: [PATCH 0735/1736] zpool review fix --- apparmor.d/profiles-s-z/zpool | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index f8ae5d91ae..1e8c843c06 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -13,7 +13,7 @@ profile zpool @{exec_path} { capability sys_admin, - mount fstype=zfs options=(rw noatime) ** -> @{MOUNTS}/, + mount fstype=zfs options=(rw noatime) -> @{MOUNTS}/, @{exec_path} mr, From 1eb38912fff124dbb1f407a40ac717bc87c835e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 21:45:36 +0200 Subject: [PATCH 0736/1736] fix(profile): grub-probe add attach_disconnected flag. --- apparmor.d/groups/grub/grub-probe | 2 +- dists/flags/main.flags | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index c767d2f022..877fdbd0a7 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{sbin}/grub-probe -profile grub-probe @{exec_path} { +profile grub-probe @{exec_path} flags=(attach_disconnected) { include include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3254f3c01d..34b95af651 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -149,7 +149,7 @@ grub-mkstandalone complain grub-mount complain grub-multi-install complain grub-ntldr-img complain -grub-probe complain +grub-probe attach_disconnected,complain grub-reboot complain grub-render-label complain grub-script-check complain From cddbd9ca3f36426397d9e21678dd0d667d84cea4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 21:47:06 +0200 Subject: [PATCH 0737/1736] fix(profile): bluetoothd dbus definition. --- apparmor.d/groups/bluetooth/bluetoothd | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 12c8e2e806..ff9b8586e4 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -24,17 +24,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { network alg seqpacket, network netlink raw, - #aa:dbus own bus=system name=org.bluez - - dbus send bus=system path=/{,MediaEndpoint} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesRemoved,InterfacesAdded} - peer=(name=org.freedesktop.DBus), + #aa:dbus own bus=system name=org.bluez path=/{,**} @{exec_path} mr, From 43b621a1616abece8e39e8dc01dcb2f2767623dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 21:58:04 +0200 Subject: [PATCH 0738/1736] feat(profile): apparmor_parser: more generic path for apparmor profiles from opt app Usually shipped for usner unconfined profile We cannot deny them otherwise the parser will fail and the app won't be allowed to run. --- apparmor.d/groups/apparmor/apparmor_parser | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 4e3216d72f..f65ac2ed69 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -21,7 +21,8 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, - /opt/Mullvad*/resources/apparmor_mullvad r, + /opt/*/resources/apparmor_* r, + /opt/*/resources/apparmor-profile r, /usr/share/apparmor-features/{,**} r, /usr/share/apparmor/{,**} r, From 5dbff7127b3c7741f9b295825a9026a17e189306 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 22:00:30 +0200 Subject: [PATCH 0739/1736] feat(profile): improve some kmod path. --- apparmor.d/groups/apt/dpkg-scripts | 4 ++++ apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mkinitramfs | 10 ++++++---- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 2434c9db95..f493047092 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -106,6 +106,10 @@ profile dpkg-scripts @{exec_path} { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 89a57310f3..c3c2c9f4dc 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -63,6 +63,7 @@ profile initramfs-hooks @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, owner /var/tmp/mkinitramfs-@{rand6} rw, owner /var/tmp/mkinitramfs-*_@{rand6} rw, + owner /var/tmp/mkinitramfs-EFW_@{rand10}/{,**} rwl, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index d94e5aa447..800013c9af 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -167,16 +167,18 @@ profile mkinitramfs @{exec_path} { include owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/@{lib}/modules/{,**} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, @{sys}/module/compression r, From 2a6f51e83486ef8966557b6b17ae9067d488c31a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 22:03:24 +0200 Subject: [PATCH 0740/1736] feat(profile): improve kernel profile. --- apparmor.d/profiles-g-l/kernel | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index c46b5556e0..ea444f7f18 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -57,6 +57,8 @@ profile kernel @{exec_path} { /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + /var/lib/kdump/* w, + @{run}/reboot-required w, @{run}/reboot-required.pkgs rw, From 8009afb39ebb9701d4d3058698c8935024695d84 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 22:40:09 +0200 Subject: [PATCH 0741/1736] fix(profile): add some missing uevent. --- apparmor.d/groups/freedesktop/boltd | 2 +- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 1 + apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor | 2 ++ apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/fprintd | 2 +- apparmor.d/profiles-m-r/rngd | 1 + apparmor.d/profiles-s-z/switcheroo-control | 2 +- 9 files changed, 10 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 5b72f8427b..d7888698d4 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -33,7 +33,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/thunderbolt/devices/ r, @{sys}/bus/wmi/devices/ r, @{sys}/class/ r, - @{sys}/devices/@{pci}/@{uuid}/uevent r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/domain@{int}/ r, @{sys}/devices/@{pci}/domain@{int}/{security,uevent} r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index c069b7afd5..54c0d147e7 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -55,9 +55,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/bus/scsi/devices/ r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/{vendor,model,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, - @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 6a48af3f55..63b12165cc 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -40,6 +40,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/@{pci_bus}/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index ece97e6887..592f608098 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -28,6 +28,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { /etc/fstab r, @{sys}/class/scsi_generic/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index fd3b380126..a699371990 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -24,6 +24,8 @@ profile gvfs-mtp-volume-monitor @{exec_path} { @{exec_path} mr, + @{sys}/devices/**/uevent r, + include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 378449352a..aae554b929 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -212,6 +212,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/mm/hugepages/{,**} r, @{sys}/kernel/security/apparmor/profiles r, + @{sys}/module/*/uevent r, @{sys}/module/kvm_*/parameters/* r, @{sys}/module/vhost/parameters/max_mem_regions r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 8a5f9c01a9..924fe4bc61 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -33,7 +33,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/uevent r, include if exists } diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 2e548d40cc..0a704f0e7a 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -27,6 +27,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/misc/hw_random/rng_available r, @{PROC}/sys/kernel/random/poolsize r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index fd7473365f..dff61fb5df 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -29,8 +29,8 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/**/uevent r, include if exists From df41b5029a0666830d847aac476cb4980b1fda59 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 23:25:10 +0200 Subject: [PATCH 0742/1736] fix(profile): add some missing uevent. --- apparmor.d/groups/freedesktop/wireplumber | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 ++ apparmor.d/groups/gnome/gjs | 2 ++ apparmor.d/profiles-g-l/gimp | 2 +- apparmor.d/profiles-s-z/simple-scan | 1 + dists/flags/main.flags | 5 +++-- 6 files changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 2df34a4f4c..c4d4c9c177 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -71,6 +71,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 30b4152041..c42d939f52 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -84,6 +84,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 3585fe2d96..a25cb8d38f 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -133,6 +133,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/**/uevent r, + include if exists } diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index ad324e1532..57c6a72e02 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gimp{,-*} -profile gimp @{exec_path} { +profile gimp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index 64ee9fb11a..6eb46a22b6 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -34,6 +34,7 @@ profile simple-scan @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, @{sys}/bus/scsi/devices/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/board_name r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/board_version r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 34b95af651..dbed099598 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -227,7 +227,9 @@ localsearch-writeback complain login attach_disconnected,complain loginctl complain low-memory-monitor attach_disconnected,complain -lscpu attach_disconnected +lsfd attach_disconnected,complain +lslocks attach_disconnected,complain +lsns attach_disconnected,complain lvm attach_disconnected,complain lvmconfig complain lvmdump complain @@ -255,7 +257,6 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -papers complain passimd attach_disconnected,complain pkla-admin-identities complain pkla-check-authorization complain From c1846fe7fc82c74ad20a257cacca6d4552c4611b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 23:30:39 +0200 Subject: [PATCH 0743/1736] refractor(abs): common/bwrap -> bwrap This abstraction used to be considered as layer 2. It is now however a layer 0 abstraction. As such it needs to be moved. --- apparmor.d/abstractions/{common => }/bwrap | 2 +- apparmor.d/groups/browsers/epiphany | 2 +- apparmor.d/groups/flatpak/flatpak-app | 2 +- .../groups/freedesktop/xdg-desktop-portal-validate-icon | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-control-center-goa-helper | 2 +- apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 2 +- apparmor.d/groups/gnome/loupe | 2 +- apparmor.d/groups/steam/steam | 4 ++-- apparmor.d/groups/steam/steam-game-proton | 2 +- apparmor.d/profiles-a-f/foliate | 2 +- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-m-r/metadata-cleaner | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/wechat-universal | 2 +- apparmor.d/profiles-s-z/wemeet | 2 +- 16 files changed, 17 insertions(+), 17 deletions(-) rename apparmor.d/abstractions/{common => }/bwrap (97%) diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/bwrap similarity index 97% rename from apparmor.d/abstractions/common/bwrap rename to apparmor.d/abstractions/bwrap index 2d3ab179f8..47a16085a4 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -61,6 +61,6 @@ owner @{att}/@{PROC}/@{pid}/setgroups rw, owner @{att}/@{PROC}/@{pid}/uid_map rw, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 45a32868e9..81610322b9 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -13,7 +13,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e6be7ef4f5..7fcd7d8a89 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -26,7 +26,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { include include include - include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon index 2c6c37538c..e73cb054c5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-validate-icon profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_override, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index e2de80f8ff..d146f576d1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -204,7 +204,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 8b813d2603..687ac4d9e1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -64,7 +64,7 @@ profile gnome-control-center-goa-helper @{exec_path} { profile bwrap flags=(attach_disconnected,complain) { include - include + include @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 436d824431..b0bb1cb46d 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -8,7 +8,7 @@ include profile gnome-desktop-thumbnailers flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index ea55ee9028..4714a4cdbd 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -63,7 +63,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include unix type=stream peer=(label=loupe), diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index e3fcb1931c..36b725c549 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -252,7 +252,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile web flags=(attach_disconnected,mediate_deleted,complain) { include include - include + include include include include @@ -378,7 +378,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile check flags=(attach_disconnected,mediate_deleted,complain) { include - include + include include capability dac_override, diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index 1b094c2a3e..1ace879b95 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -16,7 +16,7 @@ include @{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index a07976ce9b..e36f7f8da0 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/foliate profile foliate @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index a7222a6642..7b771246aa 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -46,7 +46,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include signal receive set=kill peer=fractal, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 808427d859..b9e2ba4523 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -42,7 +42,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include include signal receive set=(kill) peer=metadata-cleaner, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index d1e429d45c..9d55b7cd2a 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -61,7 +61,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 94da6c60ee..72e2d0adda 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -16,7 +16,7 @@ include profile wechat-universal @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 0b83e44c82..e943228bd7 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -14,7 +14,7 @@ include profile wemeet @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From b8071c0fe9add9ba866d4cc1cf766b9db17cec78 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 00:15:14 +0200 Subject: [PATCH 0744/1736] feat(profile): Improve restriction of bwrap when used with glycin. Bwrap needs privileges to create a sandbox. If the sandbox runs in the same profile as bwrap, then it runs with a lot of access. Most of these accesses are either dropped early by bwrap or not available from within the sandbox. It is still a good practice to ensure that bwrap and the sandboxed app run in different profile (separation, defence in depth...). However, due to the use of the no-new-pris flag by bwrap, this requires stacking bwrap & the app profile together. It is not a security issue (on the contrary). But it may be complex to manage. --- apparmor.d/groups/gnome/loupe | 14 ++++++++++---- apparmor.d/profiles-a-f/fractal | 18 ++++++++++++++---- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 4714a4cdbd..d82de2adfc 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -70,13 +70,19 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal receive set=kill peer=loupe, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* rix, + @{lib}/glycin-loaders/*/glycin-* Px -> loupe//bwrap//&loupe//glycin, - owner @{PROC}/@{pid}/fd/ r, + include if exists + } - deny @{user_share_dirs}/gvfs-metadata/* r, + profile glycin flags=(attach_disconnected) { + include - include if exists + unix type=stream peer=(label=loupe), + + @{lib}/glycin-loaders/*/glycin-* mr, + + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 7b771246aa..60e6e14672 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -51,15 +51,25 @@ profile fractal @{exec_path} flags=(attach_disconnected) { signal receive set=kill peer=fractal, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* rix, + @{lib}/glycin-loaders/*/glycin-* Px -> fractal//bwrap//&fractal//glycin, + + /usr/share/gtksourceview-@{d}/{,**} r, owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r, - owner @{PROC}/@{pid}/fd/ r, + include if exists + } + + profile glycin flags=(attach_disconnected) { + include - deny @{user_share_dirs}/gvfs-metadata/* r, + @{lib}/glycin-loaders/*/glycin-* mr, - include if exists + @{att}/usr/share/gtksourceview-@{d}/{,**} r, + + owner @{att}/@{run}/user/@{uid}/fractal/.tmp@{rand6} r, + + include if exists } include if exists From 9ea457418065da3e89f624e84efa1f20630fac9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 19:53:32 +0200 Subject: [PATCH 0745/1736] feat(abs): add the gvfs-backend abstraction. --- apparmor.d/abstractions/gvfs-backend | 28 +++++++++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-admin | 11 +--------- apparmor.d/groups/gvfs/gvfsd-afc | 11 +--------- apparmor.d/groups/gvfs/gvfsd-afp | 11 +--------- apparmor.d/groups/gvfs/gvfsd-afp-browse | 11 +--------- apparmor.d/groups/gvfs/gvfsd-archive | 11 +--------- apparmor.d/groups/gvfs/gvfsd-burn | 11 +--------- apparmor.d/groups/gvfs/gvfsd-cdda | 11 +--------- apparmor.d/groups/gvfs/gvfsd-computer | 10 +-------- apparmor.d/groups/gvfs/gvfsd-dav | 11 +--------- apparmor.d/groups/gvfs/gvfsd-dnssd | 10 +-------- apparmor.d/groups/gvfs/gvfsd-ftp | 11 +--------- apparmor.d/groups/gvfs/gvfsd-fuse | 11 +--------- apparmor.d/groups/gvfs/gvfsd-google | 11 +--------- apparmor.d/groups/gvfs/gvfsd-gphoto2 | 11 +--------- apparmor.d/groups/gvfs/gvfsd-http | 12 ++--------- apparmor.d/groups/gvfs/gvfsd-localtest | 11 +--------- apparmor.d/groups/gvfs/gvfsd-metadata | 10 +-------- apparmor.d/groups/gvfs/gvfsd-mtp | 11 +--------- apparmor.d/groups/gvfs/gvfsd-network | 10 +-------- apparmor.d/groups/gvfs/gvfsd-nfs | 11 +--------- apparmor.d/groups/gvfs/gvfsd-recent | 9 -------- apparmor.d/groups/gvfs/gvfsd-sftp | 10 +-------- apparmor.d/groups/gvfs/gvfsd-smb | 11 +--------- apparmor.d/groups/gvfs/gvfsd-smb-browse | 10 +-------- apparmor.d/groups/gvfs/gvfsd-trash | 10 +-------- apparmor.d/groups/gvfs/gvfsd-wsdd | 13 +++--------- 27 files changed, 56 insertions(+), 252 deletions(-) create mode 100644 apparmor.d/abstractions/gvfs-backend diff --git a/apparmor.d/abstractions/gvfs-backend b/apparmor.d/abstractions/gvfs-backend new file mode 100644 index 0000000000..fb925118bc --- /dev/null +++ b/apparmor.d/abstractions/gvfs-backend @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow to act as a gvfs backend app + + abi , + + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + # Server's side of session/org.gtk.vfs.MountOperation + dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskPassword,AskQuestion} + peer=(name=@{busname}), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 5a1fd1c82d..e10c5da5c6 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -11,9 +11,7 @@ include profile gvfsd-admin @{exec_path} { include include - include - include - include + include include include @@ -23,13 +21,6 @@ profile gvfsd-admin @{exec_path} { capability fowner, capability setuid, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, #aa:lint ignore=too-wide diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index da231f469f..18d5d491fd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -11,16 +11,7 @@ include profile gvfsd-afc @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index db6fe5a480..b844778a41 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp @@ -11,16 +11,7 @@ include profile gvfsd-afp @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index a39e257850..929b503173 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -11,16 +11,7 @@ include profile gvfsd-afp-browse @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 68b1e7765b..5d72f2aaa2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -11,19 +11,10 @@ include profile gvfsd-archive @{exec_path} { include include - include - include - include + include include include - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index 09062241ad..25c6baf9fb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -11,16 +11,7 @@ include profile gvfsd-burn @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 356f8dcd38..63050efddc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -11,16 +11,7 @@ include profile gvfsd-cdda @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 667b448c41..5df7f98669 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -11,18 +11,10 @@ include profile gvfsd-computer @{exec_path} { include include - include - include - include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index b335724cbc..85344d0d46 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -11,9 +11,7 @@ include profile gvfsd-dav @{exec_path} { include include - include - include - include + include include include include @@ -28,13 +26,6 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index a87c5bbc17..39795a4a94 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,20 +12,12 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include - include + include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 3b36fc4f1f..77afc6e751 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -11,9 +11,7 @@ include profile gvfsd-ftp @{exec_path} { include include - include - include - include + include include include include @@ -24,13 +22,6 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index f67068f494..809a2a2814 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,9 +11,7 @@ include profile gvfsd-fuse @{exec_path} { include include - include - include - include + include include capability sys_admin, @@ -22,13 +20,6 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index 819e84c393..1709457dc1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -11,16 +11,7 @@ include profile gvfsd-google @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 0544000c0c..e82299f271 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -11,16 +11,7 @@ include profile gvfsd-gphoto2 @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2678bde40b..94667e71fa 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,11 +11,9 @@ include profile gvfsd-http @{exec_path} { include include - include - include - include + include include - # include + include include include include @@ -30,12 +28,6 @@ profile gvfsd-http @{exec_path} { unix type=stream peer=(label=gnome-extension-gsconnect), #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index bdd3feb460..840be20129 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -11,16 +11,7 @@ include profile gvfsd-localtest @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 8565856d91..64c0d79622 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,9 +11,7 @@ include profile gvfsd-metadata @{exec_path} { include include - include - include - include + include include network netlink raw, @@ -21,12 +19,6 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 8d5ad78c58..4b810f2223 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -11,9 +11,7 @@ include profile gvfsd-mtp @{exec_path} { include include - include - include - include + include include include include @@ -23,13 +21,6 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{HOME}/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 7874686bc8..5b2d386dfb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,19 +11,11 @@ include profile gvfsd-network @{exec_path} { include include - include - include - include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index aae859d737..6fd0d740a2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -11,22 +11,13 @@ include profile gvfsd-nfs @{exec_path} { include include - include - include - include + include include network inet stream, network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ca59d75cdc..a7855beedc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,21 +11,12 @@ include profile gvfsd-recent @{exec_path} { include include - include - include - include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 862ef88aad..8c91c29136 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -11,21 +11,13 @@ include profile gvfsd-sftp @{exec_path} { include include - include - include - include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 9d99a43af4..906bef2c8b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -11,9 +11,7 @@ include profile gvfsd-smb @{exec_path} { include include - include - include - include + include include include @@ -23,13 +21,6 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 66099563ee..8002ec677f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,9 +11,7 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include - include - include + include include include include @@ -25,12 +23,6 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 070c41a840..5ff83af32c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,9 +11,7 @@ include profile gvfsd-trash @{exec_path} { include include - include - include - include + include include include include @@ -23,12 +21,6 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index bc672de047..9012682c41 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -11,21 +11,14 @@ profile gvfsd-wsdd @{exec_path} { include include include - include - include - include + include include + include - network inet dgram, + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, From e9594d77e1d60fb67615ec5c06ee005295566f9b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 21:57:14 +0200 Subject: [PATCH 0746/1736] feat(profile): add gnome-session-service. It is a replacement of the old gnome-session-binary. --- apparmor.d/groups/gnome/gnome-session-service | 83 +++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 84 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-session-service diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service new file mode 100644 index 0000000000..aca7afb288 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -0,0 +1,83 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-service +profile gnome-session-service @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + + #aa:dbus own bus=session name=org.gnome.SessionManager + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + @{bin}/session-migration rPx, + + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, + /usr/share/gdm/greeter/autostart/{,*.desktop} r, + /usr/share/gnome-session/hardware-compatibility r, + /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome/autostart/{,*.desktop} r, + + @{etc_ro}/xdg/autostart/{,*.desktop} r, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + + owner @{run}/user/@{uid}/systemd/notify w, + + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + + profile open { + include + + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, + @{lib}/gio-launch-desktop mr, + + @{sh_path} rPx -> gnome-session-service//shell, + @{lib}/** PUx, + @{bin}/** PUx, + /opt/*/** PUx, + /usr/share/*/** PUx, + /usr/local/bin/** PUx, + /usr/games/** PUx, + + include if exists + } + + profile shell { + include + + @{sh_path} mr, + + @{bin}/im-launch Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index dbed099598..d5f3355b12 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -128,6 +128,7 @@ gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain gnome-remote-desktop-daemon complain +gnome-session-service attach_disconnected,complain grub-bios-setup complain grub-editenv complain grub-file complain From 9baf879a3dda5bf5a04be2e7c83865ada215fc28 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 22:17:46 +0200 Subject: [PATCH 0747/1736] feat(abs): add desktop user dconf path to the dconf abs. --- apparmor.d/abstractions/audio-client | 1 + apparmor.d/abstractions/dconf.d/complete | 6 ++++++ apparmor.d/groups/bus/dbus-accessibility | 5 ----- apparmor.d/groups/bus/ibus-dconf | 4 ---- apparmor.d/groups/bus/ibus-extension-gtk3 | 3 --- apparmor.d/groups/freedesktop/pulseaudio | 1 - apparmor.d/groups/freedesktop/xdg-desktop-portal | 3 --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 5 ----- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 4 ---- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gjs | 4 ---- apparmor.d/groups/gnome/gnome-initial-setup | 3 --- apparmor.d/groups/gnome/gnome-session-binary | 3 --- apparmor.d/groups/gnome/gnome-session-service | 2 -- apparmor.d/groups/gnome/gnome-shell | 4 ---- apparmor.d/groups/gnome/gsd-a11y-settings | 3 --- apparmor.d/groups/gnome/gsd-color | 5 ----- apparmor.d/groups/gnome/gsd-datetime | 5 ----- apparmor.d/groups/gnome/gsd-housekeeping | 5 ----- apparmor.d/groups/gnome/gsd-keyboard | 5 ----- apparmor.d/groups/gnome/gsd-media-keys | 5 ----- apparmor.d/groups/gnome/gsd-power | 6 ------ apparmor.d/groups/gnome/gsd-sharing | 6 ------ apparmor.d/groups/gnome/gsd-smartcard | 5 ----- apparmor.d/groups/gnome/gsd-sound | 5 ----- apparmor.d/groups/gnome/gsd-wacom | 5 ----- apparmor.d/groups/gnome/gsd-xsettings | 5 ----- apparmor.d/groups/gnome/mutter-x11-frames | 5 ----- apparmor.d/groups/gnome/tracker-extract | 3 --- apparmor.d/groups/gnome/tracker-miner | 3 --- apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 2 -- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 -- apparmor.d/profiles-g-l/gsettings | 4 ---- 33 files changed, 8 insertions(+), 121 deletions(-) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 1ebdf4c762..f11aa5d7d8 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -31,6 +31,7 @@ owner @{desktop_config_dirs}/pulse/client.conf r, owner @{desktop_config_dirs}/pulse/client.conf.d/{,*.conf} r, owner @{desktop_config_dirs}/pulse/cookie rwk, + owner @{desktop_config_dirs}/seat@{int}/config/pulse/cookie rk, owner @{HOME}/.alsoftrc r, owner @{HOME}/.asoundrc r, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index 1796c7ca0a..744fcda7b9 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -3,6 +3,12 @@ # SPDX-License-Identifier: GPL-2.0-only /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + + owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/seat@{int}/config/dconf/user r, owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c9b9a15385..16128bfeca 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -51,16 +51,11 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{lib}/at-spi2{,-core}/at-spi2-registryd rPx, /usr/share/dbus-1/accessibility-services/{,**} r, - /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, - /usr/share/gdm/greeter-dconf-defaults r, /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - owner @{desktop_config_dirs}/dconf/user r, - owner @{HOME}/.Xauthority r, owner @{tmp}/xauth_@{rand6} r, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index bac225ebc2..3a5839f71d 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -25,9 +25,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/dconf/profile/gdm r, - /etc/dconf/db/ibus r, /etc/dconf/profile/ibus r, @@ -38,7 +35,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/dconf/user rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 2fa49e50fd..be81cec27e 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -38,11 +38,8 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, /usr/share/ibus/{,**} r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 2069580625..9edd71a664 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -71,7 +71,6 @@ profile pulseaudio @{exec_path} { owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_config_dirs}/pulse/{,**} rw, owner @{desktop_config_dirs}/pulse/cookie k, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ec2cc86be3..5bed44b085 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -75,14 +75,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{att}/.flatpak-info r, owner /att/**/ r, - /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, - /usr/share/gdm/greeter-dconf-defaults r, /etc/sysconfig/proxy r, @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, # The portal can receive any user file as it is a file chooser for UI app. diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index c42d939f52..cd557c7058 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -58,16 +58,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { @{bin}/* r, /opt/** r, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, - owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, - owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_share_dirs}/applications/{,**} r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, owner @{HOME}/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b7906c5e23..b101a5db00 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -41,16 +41,12 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/gdm/greeter-dconf-defaults r, - / r, owner /att/**/ r, owner /var/lib/xkb/server-@{int}.xkm rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, - owner @{gdm_config_dirs}/dconf/user r, - owner /var/lib/gdm3/greeter-dconf-defaults r, owner @{tmp}/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 5d2e3e21ea..1a2d96a084 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -47,7 +47,7 @@ profile gdm-session @{exec_path} { owner @{gdm_cache_dirs}/gdm/ rw, owner @{gdm_cache_dirs}/gdm/Xauthority rw, owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{DESKTOP_HOME}/greeter-dconf-defaults r, @{run}/gdm{3,}/custom.conf r, owner @{run}/user/@{uid}/gdm/ w, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index a25cb8d38f..f2fa6acc42 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -83,15 +83,11 @@ profile gjs @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-shell/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, /usr/share/thumbnailers/{,**} r, owner @{gdm_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7439e0fb65..1e8bc36232 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -45,7 +45,6 @@ profile gnome-initial-setup @{exec_path} { @{lib}/gnome-initial-setup-goa-helper rix, @{lib}/@{multiarch}/ld-linux-*.so* rix, - /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -57,8 +56,6 @@ profile gnome-initial-setup @{exec_path} { /var/log/installer/telemetry r, #aa:only ubuntu - owner @{GDM_HOME}/greeter-dconf-defaults r, - #aa:only ubuntu owner @{user_cache_dirs}/ubuntu-report/ rw, owner @{user_cache_dirs}/ubuntu-report/* rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 5359a70df6..e61404754b 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -52,8 +52,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, @@ -70,7 +68,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, owner @{gdm_config_dirs}/user-dirs.dirs r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index aca7afb288..7dec5c5970 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -32,8 +32,6 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 428c314e22..5e023e7373 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -188,10 +188,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, - /usr/share/dconf/profile/gdm r, /usr/share/desktop-directories/{,*.directory} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/libgweather/Locations.xml r, /usr/share/libinput*/{,**} r, @@ -216,7 +214,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{att}/ r, owner @{att}/.flatpak-info r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, owner @{gdm_cache_dirs}/fontconfig/{,*} rwl, @@ -226,7 +223,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/libgweather/ r, owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, owner @{gdm_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 22aaba1642..d093036d44 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -26,9 +26,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1a52321b1c..50d4bebc66 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -34,13 +34,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /etc/timezone r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0364f3f2b6..f2ada6c02c 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -33,13 +33,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-settings-daemon/datetime/backward r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - owner @{user_cache_dirs}/geocode-glib/* r, @{run}/systemd/sessions/@{int} r, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 497462a039..87e8b80658 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -33,11 +33,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { /etc/fstab r, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ w, owner @{user_share_dirs}/applications/ rw, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index be27a873e9..180023940e 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -27,12 +27,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/.gsd-keyboard.settings-ported* rw, - owner @{gdm_config_dirs}/dconf/user r, owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 5446af78d5..9dba59b868 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -48,13 +48,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/sounds/freedesktop/stereo/*.oga r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d3ac6b456c..c90de7135d 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -56,12 +56,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 9d432ae13e..b49d2e274a 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -38,12 +38,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 5143b9984f..6f04854b34 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -29,17 +29,12 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /etc/tpm2-tss/* rk, /var/tmp/ r, /tmp/ r, owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ff2d307664..6c9bb24ae6 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -28,11 +28,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/sounds/ rw, owner @{user_share_dirs}/sounds/ rw, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 3d4f2cb050..225eca4be6 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -23,13 +23,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/libwacom/{,*} r, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 20151eec0e..b5a96584d5 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -62,16 +62,11 @@ profile gsd-xsettings @{exec_path} { @{bin}/xrdb rPx, @{lib}/{,ibus/}ibus-x11 rPx, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /etc/X11/Xsession.options r, @{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/* rix, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, - owner @{gdm_config_dirs}/dconf/user r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index d5c83a31b1..289509055b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -22,13 +22,8 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}//fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, - owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e200ecb421..ee2afcefca 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -33,7 +33,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/*.desktop r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, @@ -44,13 +43,11 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /etc/blkid.conf r, /etc/fstab r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ rw, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/tracker3/{,**} rw, - owner @{gdm_config_dirs}/dconf/user r, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 85b7b0d534..e6fdee6c25 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -45,7 +45,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { @{lib}/tracker-extract-3 rix, - /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/ladspa/rdf/{,**} r, @@ -59,10 +58,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /etc/timezone r, owner @{GDM_HOME}/ r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/gstreamer-*/registry.*.bin r, owner @{gdm_cache_dirs}/tracker3/{,tracker3/}files/{,**} rwk, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, # Allow to search user files diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 80f7f86a9c..1bca3cf895 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -54,8 +54,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { owner @{MOUNTS}/autorun.inf r, - owner @{desktop_config_dirs}/dconf/user r, - @{run}/mount/utab r, @{PROC}/ r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 2b7b2b4eee..588d63f084 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -35,7 +35,6 @@ profile check-new-release-gtk @{exec_path} { /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, - /usr/share/dconf/profile/gdm r, /etc/update-manager/{,**} r, @@ -43,7 +42,6 @@ profile check-new-release-gtk @{exec_path} { /var/cache/apt/ rw, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{desktop_cache_dirs}/update-manager-core/ rwk, owner @{desktop_cache_dirs}/update-manager-core/meta-release-lts rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 9b8eca8ee2..cc8dfa4470 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -16,12 +16,8 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - owner @{desktop_cache_dirs}/dconf/user rw, owner @{desktop_config_dirs}/dconf/user rw, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, # file_inherit deny network netlink raw, From 66aab34070eb497de7d9e8c1f8b0d0d4e81084fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 22:30:23 +0200 Subject: [PATCH 0748/1736] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gjs | 9 +++++++++ apparmor.d/groups/gnome/gnome-session | 1 + .../groups/gnome/gnome-session-init-worker | 18 ++++++++++++++++++ apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gnome-software | 3 ++- apparmor.d/tunables/multiarch.d/profiles | 1 + 7 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/gnome-session-init-worker diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index d202d5199d..765a2f5870 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -71,6 +71,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{GDM_HOME}/ rw, @{GDM_HOME}/** rw, + @{run}/gdm/home/ rw, @{run}/gdm{,3}.pid rw, @{run}/gdm{,3}/ rw, @{run}/gdm{,3}/gdm.pid rw, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index f2fa6acc42..48dee288a8 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -31,6 +31,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { # Only needed by org.gnome.Shell.Extensions include + include include # Only needed by gnome-extension-ding @@ -111,7 +112,10 @@ profile gjs @{exec_path} flags=(attach_disconnected) { profile gstreamer { include + include + include include + include include include include @@ -120,6 +124,11 @@ profile gjs @{exec_path} flags=(attach_disconnected) { network (bind create getattr setopt getopt) netlink raw, + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, @{lib}/gstreamer-1.0/gst-plugin-scanner mr, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 257e91c0a5..afcc16b19c 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -51,6 +51,7 @@ profile gnome-session @{exec_path} { @{bin}/flatpak rCx -> flatpak, @{bin}/gsettings rPx, @{lib}/gnome-session-binary rPx, + @{lib}/gnome-session-init-worker rPx, /usr/share/im-config/{,**} r, /usr/share/libdebuginfod-common/debuginfod.sh r, diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker new file mode 100644 index 0000000000..787bbda17d --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-init-worker +profile gnome-session-init-worker @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5e023e7373..0824254460 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -299,6 +299,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r, owner @{tmp}/@{rand6}.shell-extension.zip rw, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 0b1602fbbb..71719b1705 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -106,9 +106,10 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, + owner @{tmp}/#@{int} rw, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - owner @{tmp}/#@{int} rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw, owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index e26319f2c0..13409e6fc2 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -36,6 +36,7 @@ @{p_fwupd}=fwupd @{p_fwupdmgr}=fwupdmgr @{p_geoclue}=geoclue +@{p_gnome_session}={gnome-session-binary,gnome-session-service} @{p_gnome_shell}=gnome-shell @{p_gsd_media_keys}=gsd-media-keys @{p_irqbalance}=irqbalance From 655750d96f0a8a07ad8a7fed6f68af8638e9c364 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 22:43:01 +0200 Subject: [PATCH 0749/1736] feat(abs): improve the bwrap abs. --- apparmor.d/abstractions/bwrap | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap index 47a16085a4..35382e1fba 100644 --- a/apparmor.d/abstractions/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -3,10 +3,16 @@ # SPDX-License-Identifier: GPL-2.0-only # NEEDS-VARIABLE: att -# A minimal set of rules for sandboxed programs using bwrap. +# Bubblewrap creates isolated environments for applications. It requires the +# sys_admin capability to enter a new PID namespace. Until this capability is +# dropped, the process can potentially escape confinement. For this reason, we +# typically transition to another application profile, even if it requires +# managing a stacked set of profiles since bwrap sets the no_new_privs (nnp) +# flag. The resulting profile should take the form: //& +# # A profile using this abstraction still needs to set: # - the flag: attach_disconnected -# - bwrap execution: '@{bin}/bwrap rix,' +# - bwrap execution: '@{bin}/bwrap ix,' or memory mapping '@{bin}/bwrap mr,' abi , @@ -44,6 +50,7 @@ owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + owner / r, @{att}/ r, @{att}/@{run}/.userns r, From 560ae989212e12c687fb4ba70c013e6592bf65b8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 23:46:23 +0200 Subject: [PATCH 0750/1736] feat: initial global support for lycin-loaders. See https://github.com/roddhjav/apparmor.d/issues/881 for more details. --- apparmor.d/abstractions/app/bwrap-glycin | 38 ++++++++++++++++++++ apparmor.d/groups/browsers/firefox | 5 +++ apparmor.d/groups/children/glycin | 44 ++++++++++++++++++++++++ apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/loupe | 31 +++-------------- apparmor.d/profiles-a-f/fractal | 36 ++++--------------- apparmor.d/profiles-s-z/terminator | 2 ++ apparmor.d/profiles-s-z/thunderbird | 5 +++ 8 files changed, 105 insertions(+), 57 deletions(-) create mode 100644 apparmor.d/abstractions/app/bwrap-glycin create mode 100644 apparmor.d/groups/children/glycin diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin new file mode 100644 index 0000000000..48e3fcde9c --- /dev/null +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Base set of rules for glycin-loaders sandboxed with bwrap. +# - It is safe to use when used like in the glycin profile. +# - It is **not** safe to use when used by a profile stacking glycin + +# See https://github.com/roddhjav/apparmor.d/issues/881 for more details. + + abi , + + include + include + + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//app), + + signal send set=kill peer=*//&glycin, + + ptrace read peer=*//&glycin, + + @{bin}/bwrap mr, + + @{bin}/true ix, + + /usr/share/glycin-loaders/{,**} r, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 3f83775d93..2b0c11dfa5 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -15,6 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile firefox @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -33,6 +34,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + # glycin-loaders sandboxed profile stack + @{bin}/bwrap Px -> firefox//&glycin, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//app, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/mozilla/plugins/ r, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin new file mode 100644 index 0000000000..ce04e1c103 --- /dev/null +++ b/apparmor.d/groups/children/glycin @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Confine glycin-loaders sandboxed with bwrap. It also confines bwrap itself. +# for this use case. + +abi , + +include + +profile glycin flags=(attach_disconnected,complain) { + include + include + + signal receive set=kill, + + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> glycin//&glycin//app, + + # Safe deny of inherited files from parent process. + deny owner @{user_cache_dirs}/** r, + deny owner /tmp/*/** w, + deny @{sys}/devices/system/memory/* r, + deny /dev/dri/* rw, + + profile app flags=(attach_disconnected,complain) { + include + + @{lib}/glycin-loaders/@{d}+/glycin-* mr, + + @{att}/usr/share/glycin-loaders/{,**} r, + + @{att}/usr/share/gtksourceview-2.0/{,**} r, + @{att}/usr/share/gtksourceview-3.0/{,**} r, + @{att}/usr/share/gtksourceview-4/{,**} r, + @{att}/usr/share/gtksourceview-5/{,**} r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0824254460..1945fd1030 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -161,6 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, + @{bin}/bwrap rPx -> glycin, @{bin}/flatpak rPx, @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index d82de2adfc..5fac344483 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,9 +21,10 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - unix type=stream peer=(label=loupe//bwrap), + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//app), - signal send set=kill peer=loupe//bwrap, + signal send set=kill peer=glycin, #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application @@ -36,7 +37,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bwrap rCx -> bwrap, + @{bin}/bwrap rPx -> glycin, @{open_path} rPx -> child-open-help, /usr/share/glycin-loaders/{,**} r, @@ -61,30 +62,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - profile bwrap flags=(attach_disconnected) { - include - include - - unix type=stream peer=(label=loupe), - - signal receive set=kill peer=loupe, - - @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* Px -> loupe//bwrap//&loupe//glycin, - - include if exists - } - - profile glycin flags=(attach_disconnected) { - include - - unix type=stream peer=(label=loupe), - - @{lib}/glycin-loaders/*/glycin-* mr, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 60e6e14672..3093254d53 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -22,12 +22,16 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal send set=kill peer=fractal//bwrap, + signal send set=kill peer=glycin, + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//app), + + #aa:dbus own bus=session name=org.gnome.Fractal @{exec_path} mr, + @{bin}/bwrap rPx -> glycin, @{open_path} rPx -> child-open-help, - @{bin}/bwrap rCx -> bwrap, /usr/share/glycin-loaders/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -44,34 +48,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /dev/ r, - profile bwrap flags=(attach_disconnected) { - include - include - - signal receive set=kill peer=fractal, - - @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* Px -> fractal//bwrap//&fractal//glycin, - - /usr/share/gtksourceview-@{d}/{,**} r, - - owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r, - - include if exists - } - - profile glycin flags=(attach_disconnected) { - include - - @{lib}/glycin-loaders/*/glycin-* mr, - - @{att}/usr/share/gtksourceview-@{d}/{,**} r, - - owner @{att}/@{run}/user/@{uid}/fractal/.tmp@{rand6} r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e8a2533b92..729c5b4da8 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -36,6 +36,8 @@ profile terminator @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{python_path} rix, + @{bin}/bwrap rPx -> glycin, + # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index da163c2ae2..4bf8a86dad 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -15,6 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile thunderbird @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -26,6 +27,10 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, + # glycin-loaders sandboxed profile stack + @{bin}/bwrap Px -> thunderbird//&glycin, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//app, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, From a178d10853351e4b7cb16128e653be5cb6f5ae6d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 23:48:54 +0200 Subject: [PATCH 0751/1736] chore: fix linter issue --- apparmor.d/abstractions/bwrap | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap index 35382e1fba..5db3ed3924 100644 --- a/apparmor.d/abstractions/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -3,11 +3,11 @@ # SPDX-License-Identifier: GPL-2.0-only # NEEDS-VARIABLE: att -# Bubblewrap creates isolated environments for applications. It requires the +# Bubblewrap creates isolated environments for applications. It requires the # sys_admin capability to enter a new PID namespace. Until this capability is # dropped, the process can potentially escape confinement. For this reason, we -# typically transition to another application profile, even if it requires -# managing a stacked set of profiles since bwrap sets the no_new_privs (nnp) +# typically transition to another application profile, even if it requires +# managing a stacked set of profiles since bwrap sets the no_new_privs (nnp) # flag. The resulting profile should take the form: //& # # A profile using this abstraction still needs to set: From 33594a0c2030bf0345f63a9dc3740da29153c2c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 24 Sep 2025 00:17:07 +0200 Subject: [PATCH 0752/1736] feat(abs): add initial version of network-manager-observe. --- apparmor.d/abstractions/network-manager-observe | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 apparmor.d/abstractions/network-manager-observe diff --git a/apparmor.d/abstractions/network-manager-observe b/apparmor.d/abstractions/network-manager-observe new file mode 100644 index 0000000000..21a50b0bb8 --- /dev/null +++ b/apparmor.d/abstractions/network-manager-observe @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows observing NetworkManager settings. It grants access to listing +# MAC addresses, previous networks, etc but not secrets. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From c5572a29052a713b7d2f01149d4e3814c0f00a03 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 24 Sep 2025 00:50:56 +0200 Subject: [PATCH 0753/1736] feat(abs): add glycin tmp file to gtk and gtk-strict. --- apparmor.d/abstractions/gtk-strict | 2 ++ apparmor.d/abstractions/gtk.d/complete | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index 0bf0ab41ca..cee18e59fc 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -69,6 +69,8 @@ owner @{user_config_dirs}/gtk-4.0/settings.ini r, owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 0b69d8ee1a..6649bafa4d 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -18,4 +18,6 @@ owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini r, owner @{user_config_dirs}/gtk-{3,4}.0/window_decorations.css r, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + # vim:syntax=apparmor From 878626653cd623f636f2fd89923d4ab22b3f65e6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 24 Sep 2025 21:55:39 +0200 Subject: [PATCH 0754/1736] feat(profile): rename glycin//app to glycin//loaders and minor fixes. See #881 --- apparmor.d/abstractions/app/bwrap-glycin | 4 +++- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/children/glycin | 12 +++++++----- apparmor.d/groups/gnome/loupe | 2 +- apparmor.d/profiles-a-f/fractal | 3 ++- apparmor.d/profiles-s-z/thunderbird | 2 +- 6 files changed, 15 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index 48e3fcde9c..a3a5ceee61 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -14,11 +14,13 @@ include unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//app), + unix type=stream peer=(label=glycin//loaders), signal send set=kill peer=*//&glycin, + signal send set=kill peer=glycin//&*, ptrace read peer=*//&glycin, + ptrace read peer=glycin//&*, @{bin}/bwrap mr, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 2b0c11dfa5..b1a6b53a54 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -36,7 +36,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> firefox//&glycin, - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//app, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//loaders, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index ce04e1c103..b00913e1ad 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -15,16 +15,18 @@ profile glycin flags=(attach_disconnected,complain) { signal receive set=kill, - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> glycin//&glycin//app, + @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> &glycin//loaders, # Safe deny of inherited files from parent process. - deny owner @{user_cache_dirs}/** r, + deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, - deny @{sys}/devices/system/memory/* r, + deny @{sys}/devices/system/** r, + deny /dev/shm/** rw, deny /dev/dri/* rw, - profile app flags=(attach_disconnected,complain) { + profile loaders flags=(attach_disconnected,complain) { include + include @{lib}/glycin-loaders/@{d}+/glycin-* mr, @@ -35,7 +37,7 @@ profile glycin flags=(attach_disconnected,complain) { @{att}/usr/share/gtksourceview-4/{,**} r, @{att}/usr/share/gtksourceview-5/{,**} r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 5fac344483..b40640b5c7 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -22,7 +22,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//app), + unix type=stream peer=(label=glycin//loaders), signal send set=kill peer=glycin, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 3093254d53..d50bc48cd3 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -23,8 +23,9 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send set=kill peer=glycin, + unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//app), + unix type=stream peer=(label=glycin//loaders), #aa:dbus own bus=session name=org.gnome.Fractal diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 4bf8a86dad..0934e69861 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -29,7 +29,7 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> thunderbird//&glycin, - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//app, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//loaders, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, From c9f1471a63cb74add77db46e56c2b3d94df106cd Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 25 Sep 2025 19:23:18 +0200 Subject: [PATCH 0755/1736] Update texstudio Add bibtex --- apparmor.d/profiles-s-z/texstudio | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 52e9e53e68..2f96d32b8a 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -18,6 +18,7 @@ profile texstudio @{exec_path} { @{exec_path} mr, + @{bin}/bibtex ix, @{bin}/pdflatex ix, @{bin}/pdftex ix, @{bin}/kpsewhich ix, From ba52165bc429bfc599d37eccf115f34a17e80688 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 20:45:42 +0200 Subject: [PATCH 0756/1736] feat(abs): add glycin-loaders to gtk abs. --- apparmor.d/abstractions/gtk-strict | 2 ++ apparmor.d/abstractions/gtk.d/complete | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index cee18e59fc..ed016bb241 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -18,6 +18,8 @@ /usr/share/gtksourceview-4/{,**} r, /usr/share/gtksourceview-5/{,**} r, + /usr/share/glycin-loaders/{,**} r, + /usr/share/gtk-2.0/ r, /usr/share/gtk-2.0/gtkrc r, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 6649bafa4d..9900b088e3 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -8,6 +8,8 @@ @{lib}/{,@{multiarch}/}gtk*/** mr, + /usr/share/glycin-loaders/{,**} r, + /etc/gtk-{3,4}.0/settings.ini r, owner @{user_config_dirs}/gtk-{3,4}.0/ rw, From cbe7aabeece6e97073d3de26072a154f014dc184 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 20:57:02 +0200 Subject: [PATCH 0757/1736] feat(abs): update gdm config & state path. --- apparmor.d/abstractions/dconf.d/complete | 4 +++- apparmor.d/abstractions/user-dirs | 2 ++ apparmor.d/tunables/multiarch.d/system-users | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index 744fcda7b9..668faa06ed 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -8,7 +8,9 @@ owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/seat@{int}/config/dconf/user r, + + owner @{user_cache_dirs}/dconf/ r, + owner @{user_cache_dirs}/dconf/user r, owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs index 189f8eb38e..c1b6c85a6a 100644 --- a/apparmor.d/abstractions/user-dirs +++ b/apparmor.d/abstractions/user-dirs @@ -7,6 +7,8 @@ /etc/xdg/user-dirs.conf r, /etc/xdg/user-dirs.defaults r, + owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_config_dirs}/user-dirs.dirs r, include if exists diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 07450efff5..94f5a59f5f 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -7,10 +7,10 @@ # Full path of the GDM configuration directories @{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ -@{gdm_config_dirs}=@{GDM_HOME}/.config/ +@{gdm_config_dirs}=@{GDM_HOME}/.config/ @{GDM_HOME}/seat@{int}/config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ -@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ @{GDM_HOME}/seat@{int}/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ From d4347fb88c2c65d41a033409f85d90b255fa85c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 20:57:53 +0200 Subject: [PATCH 0758/1736] feat(abs): use etc_ro in desktop-files. --- apparmor.d/abstractions/desktop-files | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files index 9c0a8b941c..b56abdbe72 100644 --- a/apparmor.d/abstractions/desktop-files +++ b/apparmor.d/abstractions/desktop-files @@ -10,10 +10,10 @@ @{system_share_dirs}/gnome/applications/{,**} r, @{system_share_dirs}/xfce4/applications/{,**} r, - /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/{,**} r, + @{etc_ro}/gnome/defaults.list r, + @{etc_ro}/xdg/menus/ r, + @{etc_ro}/xdg/menus/applications-merged/{,**} r, + @{etc_ro}/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, From 838330cac74c0f5584dbaad80e5e829bb0d69615 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 20:59:38 +0200 Subject: [PATCH 0759/1736] feat(abs): update cuda lib location. --- apparmor.d/abstractions/nvidia-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 7d975ad8c4..2923e51d6e 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,7 +6,8 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, + /opt/cuda/targets/@{arch}-linux/lib/*.so mr, + /opt/cuda/targets/@{arch}-linux/lib/*.so.* mr, /usr/share/nvidia/nvidia-application-profiles-* r, From 81ef8423879ed988f4386091d3618a74f3221e24 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:00:13 +0200 Subject: [PATCH 0760/1736] feat(abs): add boot_vga to dri. --- apparmor.d/abstractions/dri | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index 3146b8a3c8..1232e85303 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -19,6 +19,7 @@ @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} + @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/config r, @{sys}/devices/@{pci}/device r, From 2eb17639e9874ee8c2cfef1b82d3d582359b370c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:02:03 +0200 Subject: [PATCH 0761/1736] feat(abs): add cache dir to dconf. --- apparmor.d/abstractions/dconf-write | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 72a9435270..88f94e5760 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -10,6 +10,9 @@ include include + owner @{user_cache_dirs}/dconf/ w, + owner @{user_cache_dirs}/dconf/user w, + owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ w, From ac1d6bdb99c26b8ec65cb00686f3d9040d523abf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:03:29 +0200 Subject: [PATCH 0762/1736] feat(abs): update core dbus own path --- apparmor.d/abstractions/bus/accessibility/own | 4 ++-- apparmor.d/abstractions/bus/session/own | 4 ++-- apparmor.d/abstractions/bus/system/own | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own index d1eab1ce7b..7cb1a4dbb1 100644 --- a/apparmor.d/abstractions/bus/accessibility/own +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -10,12 +10,12 @@ abi , - dbus send bus=accessibility path=/org/freedesktop/DBus + dbus send bus=accessibility path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - dbus send bus=accessibility path=/org/freedesktop/DBus + dbus send bus=accessibility path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own index d975ebb48b..18bc607a84 100644 --- a/apparmor.d/abstractions/bus/session/own +++ b/apparmor.d/abstractions/bus/session/own @@ -10,12 +10,12 @@ abi , - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own index 2b1130b323..17d216859f 100644 --- a/apparmor.d/abstractions/bus/system/own +++ b/apparmor.d/abstractions/bus/system/own @@ -10,12 +10,12 @@ abi , - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), From cf0da21109050a210920e1704b6124ef419eb099 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:06:12 +0200 Subject: [PATCH 0763/1736] feat(abs): update bus interfaces. --- .../bus/session/org.freedesktop.Notifications | 4 +-- .../bus/session/org.freedesktop.Secret | 6 +--- .../bus/session/org.gnome.ArchiveManager1 | 2 +- .../bus/session/org.gnome.ScreenSaver | 5 +++ .../bus/session/org.gnome.SessionManager | 36 +++++++++---------- .../bus/session/org.gtk.vfs.Daemon | 7 +++- .../bus/session/org.gtk.vfs.MountTracker | 9 ++--- .../bus/system/org.freedesktop.locale1 | 5 +++ 8 files changed, 43 insertions(+), 31 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index b51c4bdcb2..4ebccd6904 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -9,12 +9,12 @@ dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member={GetCapabilities,GetServerInformation,Notify,CloseNotification} - peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + peer=(label="@{pp_notification}"), dbus receive bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member={ActionInvoked,NotificationClosed,NotificationReplied} - peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + peer=(label="@{pp_notification}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret index 8ded1b6d7c..1b6c0cd11e 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -21,7 +21,7 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon + #aa:dbus common bus=session name=org.freedesktop.Secret path=/org/freedesktop/secrets{,/**} label=gnome-keyring-daemon dbus send bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} @@ -31,10 +31,6 @@ interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), - dbus send bus=session path=/org/freedesktop/secrets - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service member=ReadAlias diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index f69667e081..21424ceefd 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -9,7 +9,7 @@ dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label="@{p_file_roller}"), + peer=(name=@{busname}, label="@{p_file_roller}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index b7ae6b200c..0a65e8562b 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -11,6 +11,11 @@ member={GetActive,GetActiveTime,Lock,SetActive} peer=(name=@{busname}, label=gjs), + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=GetActive + peer=(name=org.gnome.ScreenSaver, label=gjs), + dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager index 4c641776ba..7067b5fffc 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -4,42 +4,42 @@ abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" + #aa:dbus common bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name=@{busname}, label="@{p_gnome_session}"), - dbus send bus=session path=/org/gnome/SessionManager + dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager - member={Inhibit,Uninhibit} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + member={ClientAdded,ClientRemoved} + peer=(name=@{busname}, label="@{p_gnome_session}"), - dbus send bus=session path=/org/gnome/SessionManager + dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager - member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), + member=SessionRunning + peer=(name=@{busname}, label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + member={InhibitorAdded,InhibitorRemoved} + peer=(name=@{busname}, label="@{p_gnome_session}"), + + dbus receive bus=session path=/org/gnome/SessionManager/Presence + interface=org.gnome.SessionManager.Presence + member=StatusChanged + peer=(name=@{busname}, label="@{p_gnome_session}"), - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} + dbus send bus=session path=/org/gnome/SessionManager/Client8 interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name=@{busname}, label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - - dbus receive bus=session path=/org/gnome/SessionManager/Presence - interface=org.gnome.SessionManager.Presence - member=StatusChanged - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name=@{busname}, label="@{p_gnome_session}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon index edf954ac57..6187b53ef4 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon @@ -8,9 +8,14 @@ dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon - member={GetConnection,ListMonitorImplementations,ListMountableInfo} + member=ListMonitorImplementations peer=(name=@{busname}, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label="gvfsd{,-*}"), + dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index 107c3dc139..8090039c7b 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -2,24 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# The mount tracking interface. +# The mount tracking interface. Allows to lookup mounts by ID and list mountable +# info. Allow to receive mount/umount signals from the mount tracker (gvfsd). abi , dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=LookupMount - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMounts2 - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 index e2377a14bc..ea972d2de2 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 @@ -9,6 +9,11 @@ member=GetAll peer=(name=org.freedesktop.locale1), + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=systemd-localed), + include if exists # vim:syntax=apparmor From 91e621e65c44c91c038eeacfe17646315a004643 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:15:38 +0200 Subject: [PATCH 0764/1736] feat(abs): add the session-manager abstraction. --- .../bus/session/org.gnome.SessionManager | 4 ++++ apparmor.d/abstractions/session-manager | 15 +++++++++++++++ apparmor.d/groups/bus/at-spi2-registryd | 4 ++-- apparmor.d/groups/bus/dbus-accessibility | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 4 ++-- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-color | 4 ++-- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 4 ++-- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/gsd-printer | 3 +-- apparmor.d/groups/gnome/gsd-rfkill | 4 ++-- apparmor.d/groups/gnome/gsd-screensaver-proxy | 4 ++-- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 4 ++-- apparmor.d/groups/gnome/gsd-usb-protection | 2 +- apparmor.d/groups/gnome/gsd-wacom | 4 ++-- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/profiles-s-z/superproductivity | 1 + 25 files changed, 50 insertions(+), 31 deletions(-) create mode 100644 apparmor.d/abstractions/session-manager diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager index 7067b5fffc..6859b2cc14 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -2,6 +2,10 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow registering a client with the session manager. This is needed for +# applications that want to be notified of session events, such as shutdown +# or logout, and to be able to inhibit those actions. + abi , #aa:dbus common bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" diff --git a/apparmor.d/abstractions/session-manager b/apparmor.d/abstractions/session-manager new file mode 100644 index 0000000000..2c7b631800 --- /dev/null +++ b/apparmor.d/abstractions/session-manager @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow registering a client with the session manager. This is needed for +# applications that want to be notified of session events, such as shutdown +# or logout, and to be able to inhibit those actions. + + abi , + + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fec6d7897f..85720531f1 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -10,10 +10,10 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include - include include include - include + include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 16128bfeca..2a08e528ca 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -12,11 +12,11 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include include include include include + include network inet dgram, network inet stream, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b101a5db00..440d3ade83 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -14,7 +14,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index e39ef0dc07..0dfac52bf9 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,12 +10,12 @@ include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include - include include include include include - include + include + include capability ipc_lock, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index d093036d44..6751837707 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,10 +10,10 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 50d4bebc66..f2504a895f 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,15 +9,15 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include include include include - include + include include include include include + include network inet stream, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index f2ada6c02c..dd538de05c 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,11 +10,11 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include include include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 87e8b80658..06beec3325 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,12 +11,12 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 180023940e..0b0c671bf4 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,15 +9,15 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include include include include - include + include include include include include + include network inet stream, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9dba59b868..b0e31a4ada 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -15,13 +15,13 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index c90de7135d..4a5d1d2646 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -19,7 +19,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -27,6 +26,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 22ec520cb1..cc9a534d36 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -11,13 +11,13 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index a768c8d1ed..16b326da6a 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -11,10 +11,9 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { include include include - include - include include include + include signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 7283c5c00f..d77f4a3cb2 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,13 +9,13 @@ include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include - include include include include include include - include + include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index ac2f9229db..b0be4f8a11 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include - include include - include + include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index b49d2e274a..2c5d55fbfd 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -12,10 +12,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 6f04854b34..f5ad21e12b 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,13 +10,13 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include include include include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 6c9bb24ae6..d1a3ed497c 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -9,13 +9,13 @@ include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include - include include include - include include + include include include + include signal receive set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index bcdb353a87..2fbbad9b1c 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -12,10 +12,10 @@ profile gsd-usb-protection @{exec_path} { include include include - include include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 225eca4be6..e36ff1362e 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,13 +9,13 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include include - include + include include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index b5a96584d5..824cea2662 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -13,7 +13,6 @@ profile gsd-xsettings @{exec_path} { include include include - include include include include @@ -21,6 +20,7 @@ profile gsd-xsettings @{exec_path} { include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 40b3f14d6e..35267de3c9 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -11,9 +11,9 @@ profile apport @{exec_path} flags=(attach_disconnected) { include include include - include include include + include capability chown, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f812fc5707..76f85db357 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -25,6 +25,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream, From df7d2e0f642e273b39c96d53f97c6e8d6079c1da Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:23:48 +0200 Subject: [PATCH 0765/1736] feat(profile): expand avahi access for ippfind. --- apparmor.d/groups/cups/ippfind | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index fe43472374..8040dadff0 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -11,6 +11,8 @@ profile ippfind @{exec_path} { include include include + include + include @{exec_path} mr, From 44349ffcddafa01daa0978d7a80f86e3234717e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:31:32 +0200 Subject: [PATCH 0766/1736] feat(abs): move org.gnome.Mutter.IdleMonitor to gnome-strict. --- .../bus/{ => session}/org.gnome.Mutter.IdleMonitor | 8 +++++--- apparmor.d/abstractions/gnome-base | 2 ++ apparmor.d/groups/gnome/gnome-session-binary | 1 - apparmor.d/groups/gnome/gnome-session-service | 1 - apparmor.d/groups/gnome/gsd-media-keys | 1 - apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/profiles-s-z/superproductivity | 2 -- apparmor.d/profiles-s-z/telegram-desktop | 1 - 8 files changed, 7 insertions(+), 10 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Mutter.IdleMonitor (79%) diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor similarity index 79% rename from apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor rename to apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor index d1ff350fcd..c248c34abd 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow to get the current idle time + abi , #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell @@ -9,7 +11,7 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor @@ -19,8 +21,8 @@ dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member=WatchFired - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index c186283232..17a848de5a 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -6,6 +6,8 @@ abi , + include + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index e61404754b..afc90128b6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -12,7 +12,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 7dec5c5970..200c4ac2ab 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -11,7 +11,6 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index b0e31a4ada..5002f3f39f 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -14,7 +14,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 4a5d1d2646..8594fe8d55 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,7 +18,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 76f85db357..4254518d18 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -19,8 +19,6 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include - include include include include diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index c1544af727..79d2095f99 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -12,7 +12,6 @@ profile telegram-desktop @{exec_path} { include include include - include include include include From 465f6e70af03c438438e2641ff179611e4ddfd4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:37:18 +0200 Subject: [PATCH 0767/1736] feat(abs): add ibus-strict. --- apparmor.d/abstractions/ibus-strict | 18 ++++++++++++++++++ apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 +- apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-portal | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/profiles-a-f/atril | 2 +- apparmor.d/profiles-a-f/engrampa | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-m-r/qbittorrent | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spotify | 1 + apparmor.d/profiles-s-z/superproductivity | 1 + apparmor.d/profiles-s-z/terminator | 1 + apparmor.d/profiles-s-z/vlc | 2 +- 16 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/abstractions/ibus-strict diff --git a/apparmor.d/abstractions/ibus-strict b/apparmor.d/abstractions/ibus-strict new file mode 100644 index 0000000000..949171b0b9 --- /dev/null +++ b/apparmor.d/abstractions/ibus-strict @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communicating with ibus-daemon (this allows sniffing key events) + + abi , + + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, + + owner @{user_config_dirs}/ibus/ r, + owner @{user_config_dirs}/ibus/bus/ rw, + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-@{int} rw, + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-wayland-@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index b326138d64..163b9cc78f 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -11,7 +11,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=(usr1) peer=gnome-shell, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 8bdc3c79cd..c183dba481 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -12,7 +12,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index be81cec27e..5553ec2ffc 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -13,7 +13,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index b1f1445b34..9cfa0e2927 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -12,7 +12,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=(term) peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 6ea4891a71..8ade4a660b 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -10,7 +10,7 @@ include profile ibus-portal @{exec_path} flags=(attach_disconnected) { include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1945fd1030..43d61d73b6 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -34,7 +34,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 55502dd3eb..c31860cc68 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -14,7 +14,7 @@ profile atril @{exec_path} { include include include - include + include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 3e650962fe..3ced4fcc78 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -15,7 +15,7 @@ profile engrampa @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 10b5ad4af4..12d757e1b8 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -15,7 +15,7 @@ profile evince @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index e0d430443f..a1ac4c3543 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -18,7 +18,7 @@ profile qbittorrent @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 80e58fd7c4..0737effc63 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -19,7 +19,7 @@ profile remmina @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b04432e393..c3decdeebf 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -24,6 +24,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 4254518d18..441842fd45 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -22,6 +22,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 729c5b4da8..2f38799d5d 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -14,6 +14,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 05866296d7..afcf3c249d 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -21,7 +21,7 @@ profile vlc @{exec_path} { include include include - include + include include include include From dfd12febbae7fd0b214e48b0dfeb28d44c041197 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:40:37 +0200 Subject: [PATCH 0768/1736] feat(abs): add the localization abs. --- .../abstractions/bus/org.freedesktop.GeoClue2 | 30 ----------- .../bus/system/org.freedesktop.GeoClue2 | 16 ++++++ apparmor.d/abstractions/localization | 11 ++++ apparmor.d/groups/browsers/epiphany | 4 +- apparmor.d/groups/gnome/gnome-shell | 51 ++++++++++++++++--- 5 files changed, 73 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 create mode 100644 apparmor.d/abstractions/localization diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 deleted file mode 100644 index 9957c7b677..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - dbus send bus=system path=/org/freedesktop/GeoClue2/Agent - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), - - dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label="@{p_geoclue}"), - - dbus send bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label="@{p_geoclue}"), - - dbus send bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.GeoClue2.Manager - member=AddAgent - peer=(name="@{busname}", label="@{p_geoclue}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 new file mode 100644 index 0000000000..026194fbb0 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager + interface=org.freedesktop.GeoClue2.Manager + member=AddAgent + peer=(name="@{busname}", label="@{p_geoclue}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/localization b/apparmor.d/abstractions/localization new file mode 100644 index 0000000000..cdeb1ba1cf --- /dev/null +++ b/apparmor.d/abstractions/localization @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 81610322b9..2787871dbb 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -11,11 +11,11 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include - include - include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 43d61d73b6..de94b49b1b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# TODO: some gnome extension run from this profile. It would be better to have a way to separate them. + abi , include @@ -18,7 +20,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -28,6 +29,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -35,6 +37,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -82,6 +85,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + # owning not strictly needed, but it simplifies things + #aa:dbus own bus=session name=org.mpris.MediaPlayer2 # Talk with gnome-shell @@ -133,11 +138,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=JobRemoved peer=(name=@{busname}, label="@{p_systemd_user}"), - dbus send bus=session path=/MenuBar - interface=com.canonical.dbusmenu - member={AboutToShow,GetLayout,GetGroupProperties} - peer=(name=:*), - + # FIXME: I think gnome-shell is the owner of the notifications, it should then be + # fully allowed to send/receive to/from anyone. + # FIXME: same for dbusmenu; icon things dbus send bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member={Get,GetAll} @@ -148,6 +151,40 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member={Get,GetAll} peer=(name=@{busname}), + dbus receive bus=session + interface=org.gtk.Menus + member=Changed + peer=(name=@{busname}), + dbus send bus=session + interface=org.gtk.Menus + member=Start + peer=(name=@{busname}), + + # Needed as a dbus server to administrate the mpris interface + include + dbus send bus=system path=/{,org/freedesktop/DBus} + interface=org.freedesktop.DBus + member={ListNames,RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=system path=/{,org/freedesktop/DBus} + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=session path=/{,org/freedesktop/DBus} + interface=org.freedesktop.DBus + member={ListNames,RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/{,org/freedesktop/DBus} + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=NetworkManager), + + dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -166,10 +203,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, + @{bin}/nvidia-smi rPx, # FIXME: for extension only @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, - @{bin}/nvidia-smi rPx, # FIXME; for extension only @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, From de8e9998ea2d6d75f45ff80b56f2dabc4e26c9c5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:44:23 +0200 Subject: [PATCH 0769/1736] refractor(abs): fi.w1.wpa_supplicant1 -> system/fi.w1.wpa_supplicant1 --- .../bus/{ => system}/fi.w1.wpa_supplicant1 | 10 +++++----- apparmor.d/groups/freedesktop/geoclue | 2 +- apparmor.d/groups/network/NetworkManager | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) rename apparmor.d/abstractions/bus/{ => system}/fi.w1.wpa_supplicant1 (88%) diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 similarity index 88% rename from apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 rename to apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 7989ea4c59..0152774e1c 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -26,16 +26,16 @@ member=Cancel peer=(name="@{busname}", label=wpa-supplicant), - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name="@{busname}", label=wpa-supplicant), - dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} peer=(name="@{busname}", label=wpa-supplicant), + dbus receive bus=system path=/fi/w1/wpa_supplicant1 + interface=fi.w1.wpa_supplicant1 + member=InterfaceRemoved + peer=(name=@{busname}, label=wpa-supplicant), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 04eeba5216..3360c4881d 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -10,9 +10,9 @@ include profile geoclue @{exec_path} flags=(attach_disconnected) { include include - include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fca80465da..d593e0f4ed 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -10,12 +10,12 @@ include profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include - include - include include include include include + include + include include include From eea9921e9df553c5bd1d39af11f4ff134868ce10 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:50:05 +0200 Subject: [PATCH 0770/1736] feat(abs): add org.gtk.vfs.MountTracker to gtk. --- apparmor.d/abstractions/gtk.d/complete | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 9900b088e3..2aff75be4b 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -5,6 +5,7 @@ include include include + include @{lib}/{,@{multiarch}/}gtk*/** mr, From 268b7219d537753789e58e4101b100c923a147f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:53:20 +0200 Subject: [PATCH 0771/1736] feat(profile): update the dbus profiles. --- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/bus/dbus-session | 10 ++++++---- apparmor.d/groups/bus/dbus-system | 7 ++++++- apparmor.d/groups/bus/ibus-portal | 5 +++++ 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 2a08e528ca..270077860c 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -30,7 +30,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), - #aa:dbus own bus=accessibility name=org.freedesktop.DBus + #aa:dbus own bus=accessibility name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} #aa:dbus own bus=session name=org.a11y.{B,b}us dbus receive bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 1b3ac11c80..7fafdfdb73 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -25,10 +25,12 @@ profile dbus-session flags=(attach_disconnected) { unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), - signal (receive) set=(term hup) peer=gdm{,-*}, - signal (send) set=(term hup kill) peer=dbus-accessibility, - signal (send) set=(term hup kill) peer=dconf-service, - signal (send) set=(term hup kill) peer=xdg-*, + signal (send receive) set=kill peer=dbus-session//&unconfined, + + signal receive set=(term hup) peer=gdm{,-*}, + signal send set=(term hup kill) peer=dbus-accessibility, + signal send set=(term hup kill) peer=dconf-service, + signal send set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} dbus receive bus=session diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 1b62a1086e..a2ee182bf8 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -33,7 +33,12 @@ profile dbus-system flags=(attach_disconnected) { ptrace read peer=@{p_systemd}, - #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} + # Internal stack dbus-system//&unconfined + signal (send receive) set=kill peer=dbus-system//&unconfined, + unix type=stream peer=(label=unconfined), + + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} + dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 8ade4a660b..d522539068 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -17,6 +17,11 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.IBus #aa:dbus own bus=session name=org.freedesktop.IBus + dbus receive bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=ibus-daemon), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect From f431105e4117f99003cac57d313dd1f515e2e46f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:54:26 +0200 Subject: [PATCH 0772/1736] feat(profile): minor update on firefox. --- apparmor.d/groups/browsers/firefox | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index b1a6b53a54..8d420789b3 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -57,14 +57,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/browserpass rPx, @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, @{lib}/browserpass/browserpass-native rPx, - /opt/1Password/1Password-BrowserSupport rPx, + /opt/1Password/1Password-BrowserSupport rPUx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_share_dirs}/applications/userapp-Firefox-@{rand6}.desktop{,.@{rand6}} rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, From 5dfef03c08f2df746e738bb48bd7c731712729dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:55:57 +0200 Subject: [PATCH 0773/1736] feta(profile): update flatpak. --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-session-helper | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index da93bf30d4..ef08a6b58d 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -136,9 +136,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak/ rw, owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, owner @{run}/user/@{uid}/app/ w, owner @{run}/user/@{uid}/app/*/ w, owner @{run}/user/@{uid}/systemd/private rw, + owner @{run}/user/@{uid}/wayland-@{int} rw, @{sys}/module/nvidia/version r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 8a8f5afb7c..ed9526eb0b 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -28,7 +28,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{shells_path} rUx -> user_unconfined, + @{shells_path} rUx, @{bin}/dbus-monitor rPUx, @{bin}/env rix, @{bin}/flatpak rPx, From c0d79b815f1a085585824783f721f881459c2adc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:58:23 +0200 Subject: [PATCH 0774/1736] feat(profile): update freedesktop profiles. --- apparmor.d/groups/freedesktop/boltd | 22 ++++++++++----- apparmor.d/groups/freedesktop/colord | 8 ++++-- apparmor.d/groups/freedesktop/wireplumber | 10 +++++-- .../groups/freedesktop/xdg-desktop-portal | 27 +++++++++++-------- .../freedesktop/xdg-desktop-portal-gnome | 1 + .../groups/freedesktop/xdg-permission-store | 1 + 6 files changed, 47 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index d7888698d4..60dddbedfc 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -33,20 +33,28 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/thunderbolt/devices/ r, @{sys}/bus/wmi/devices/ r, @{sys}/class/ r, - @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/domain@{int}/ r, - @{sys}/devices/@{pci}/domain@{int}/{security,uevent} r, @{sys}/devices/@{pci}/domain@{int}/**/ r, - @{sys}/devices/@{pci}/domain@{int}/**/{authorized,generation} r, - @{sys}/devices/@{pci}/domain@{int}/**/{boot,rx_lanes,rx_speed,tx_lanes,tx_speed} r, - @{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r, - @{sys}/devices/@{pci}/domain@{int}/**/{vendor,device}_name r, + @{sys}/devices/@{pci}/domain@{int}/**/authorized r, + @{sys}/devices/@{pci}/domain@{int}/**/boot r, + @{sys}/devices/@{pci}/domain@{int}/**/device_name r, + @{sys}/devices/@{pci}/domain@{int}/**/generation r, + @{sys}/devices/@{pci}/domain@{int}/**/rx_lanes r, + @{sys}/devices/@{pci}/domain@{int}/**/rx_speed r, + @{sys}/devices/@{pci}/domain@{int}/**/tx_lanes r, + @{sys}/devices/@{pci}/domain@{int}/**/tx_speed r, + @{sys}/devices/@{pci}/domain@{int}/**/unique_id r, + @{sys}/devices/@{pci}/domain@{int}/**/vendor_name r, @{sys}/devices/@{pci}/domain@{int}/boot_acl rw, @{sys}/devices/@{pci}/domain@{int}/iommu_dma_protection r, + @{sys}/devices/@{pci}/domain@{int}/security r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, include if exists } diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 54c0d147e7..e527f462ea 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -56,8 +57,11 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/{vendor,model,type} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/edid r, + @{sys}/devices/@{pci}/drm/card@{int}/**/enabled r, + @{sys}/devices/@{pci}/model r, + @{sys}/devices/@{pci}/type r, + @{sys}/devices/@{pci}/vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index c4d4c9c177..720a294bd1 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -26,6 +26,8 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, + ptrace read peer=gnome-extension-gsconnect, + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} #aa:dbus own bus=session name=org.pipewire.Telephony @@ -48,6 +50,8 @@ profile wireplumber @{exec_path} { /usr/share/spa-*/bluez@{int}/{,*} r, /usr/share/wireplumber/{,**} r, + / r, + owner @{desktop_local_dirs}/ w, owner @{desktop_state_dirs}/ w, owner @{desktop_state_dirs}/wireplumber/{,**} rw, @@ -79,10 +83,12 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, @{PROC}/1/status r, - @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/udmabuf rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5bed44b085..95f801a4ab 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -20,8 +20,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include - include + include include include include @@ -36,25 +37,27 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, - #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Realtime - member=MakeThread* - peer=(name=@{busname}), + unix type=stream peer=(label=snap.*), + + #aa:dbus own bus=session name=org.freedesktop.portal interface+=org.freedesktop.impl.portal + + # Receive registertration of from anyone dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.host.portal.Registry member=Register peer=(name=@{busname}), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.NetworkMonitor - member=GetStatus - peer=(name=@{busname}, label=snap.*), + + dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_125/gtk904232872 + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal-gtk), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.GlobalShortcuts path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus receive bus=session @@ -69,6 +72,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, + @{lib}/browserpass/browserpass-native rPx, @{open_path} mrPx -> child-open, / r, @@ -93,6 +97,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak/{,*/*} r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index cd557c7058..5d05630c51 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -34,6 +34,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider + #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 3b15d96886..0ce3ff1664 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -48,6 +48,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, owner @{user_share_dirs}/flatpak/db/screencast r, + owner @{user_share_dirs}/flatpak/db/webextensions rw, include if exists } From 484a96d833f52992e4ff55bc39d493bbad6a73bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:58:53 +0200 Subject: [PATCH 0775/1736] feat(profile): add xdg-terminal-exec. --- .../groups/freedesktop/xdg-terminal-exec | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/xdg-terminal-exec diff --git a/apparmor.d/groups/freedesktop/xdg-terminal-exec b/apparmor.d/groups/freedesktop/xdg-terminal-exec new file mode 100644 index 0000000000..b79985c9a1 --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-terminal-exec @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xdg-terminal-exec +profile xdg-terminal-exec @{exec_path} flags=(attach_disconnected) { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk ix, + @{bin}/find ix, + @{bin}/ls ix, + @{bin}/md5sum ix, + @{bin}/tr ix, + + @{bin}/gnome-terminal Px, + + /usr/share/xdg-terminal-exec/{,**} r, + + owner @{HOME}/ r, + + owner @{user_cache_dirs}/xdg-terminal-exec rw, + owner @{user_config_dirs}/*-xdg-terminals.list r, + owner @{user_config_dirs}/xdg-terminals.list r, + + include if exists +} + +# vim:syntax=apparmor From cf90d0a855f7be0448c8416b98dd63ebe95bd484 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:03:47 +0200 Subject: [PATCH 0776/1736] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gnome-clocks | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 92886c8876..6458d3c508 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -14,6 +14,7 @@ profile gnome-clocks @{exec_path} { include include include + include include network netlink raw, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 2592eb77e0..ed52d09f76 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,10 +21,11 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include + include include include + include include include include @@ -37,7 +38,11 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} + unix type=stream addr=none peer=(label=gvfsd-*, addr=none), + + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+={org.freedesktop.Application,org.gtk.{Actions,Application,Menus}} + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.GSConnect.* dbus eavesdrop bus=session, @@ -49,6 +54,7 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, + @{bin}/bwrap rPx -> glycin, @{bin}/dconf rPx, @{bin}/ssh-keygen rPx, @{bin}/xdg-screensaver rPx, From 7d7c78fb1bc8f36bf7fd83738ab78e8e012c8075 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:04:19 +0200 Subject: [PATCH 0777/1736] feat(profile): cleanup scdaemon --- apparmor.d/groups/gpg/scdaemon | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 729455f7f9..6638f3fe4e 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -35,9 +35,7 @@ profile scdaemon @{exec_path} { owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w, owner /var/tmp/zypp.*/zypp-trusted-*/S.scdaemon w, - @{PROC}/@{pid}/task/@{tid}/comm rw, - - @{sys}/devices/@{pci}/bConfigurationValue r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } From 81081b219075557c7364803c8c24ff2fcf13fc43 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:06:49 +0200 Subject: [PATCH 0778/1736] feat(profile): add polkit rule in pkttyagent. --- apparmor.d/groups/polkit/pkttyagent | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index 436447aefb..5882c6d400 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -21,6 +21,16 @@ profile pkttyagent @{exec_path} { ptrace read, signal (send, receive), + dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label="@{p_polkitd}"), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=RegisterAuthenticationAgentWithOptions + peer=(name=@{busname}, label="@{p_polkitd}"), + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, From 2b6e7379e1d87d812eaed0b2ef712556a6fd3196 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:08:27 +0200 Subject: [PATCH 0779/1736] feat(profile): remove ptrac from htop, cleanup ps. --- apparmor.d/groups/procps/htop | 11 ++++++++--- apparmor.d/groups/procps/ps | 2 ++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index b02b0f6925..e48d055838 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -16,15 +16,12 @@ profile htop @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability kill, capability sys_nice, - capability sys_ptrace, network netlink raw, signal send, signal receive set=hup peer=gnome-terminal-server, - ptrace read, - @{exec_path} mr, @{bin}/lsof rix, @@ -137,6 +134,14 @@ profile htop @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, + # While commands like 'ps', 'ip netns identify ', 'ip netns pids foo', etc + # trigger a 'ptrace trace' denial, they aren't actually tracing other + # processes. Unfortunately, the kernel overloads trace such that the LSMs are + # unable to distinguish between tracing other processes and other accesses. + deny capability sys_ptrace, + deny ptrace trace, + deny ptrace read, + include if exists } diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index ab6f3486c7..42eb272eae 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -53,6 +53,8 @@ profile ps @{exec_path} flags=(attach_disconnected) { # trigger a 'ptrace trace' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. + deny capability perfmon, + deny capability sys_admin, deny capability sys_ptrace, deny ptrace trace, deny ptrace read, From e7a7cb41165c8b4b0ece7e7c7ff53be51dddb72b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:09:00 +0200 Subject: [PATCH 0780/1736] feat(profile): glycin: deny more path. --- apparmor.d/groups/children/glycin | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index b00913e1ad..4bde8a9571 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -20,6 +20,7 @@ profile glycin flags=(attach_disconnected,complain) { # Safe deny of inherited files from parent process. deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, + deny /opt/*/** rw, deny @{sys}/devices/system/** r, deny /dev/shm/** rw, deny /dev/dri/* rw, From cb32e8829c7671da9b53777d7cfaadeb9af7242e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:14:29 +0200 Subject: [PATCH 0781/1736] feat(profile): general update. --- apparmor.d/profiles-a-f/freetube | 1 + apparmor.d/profiles-g-l/gimp | 9 +++-- apparmor.d/profiles-g-l/gsettings | 1 + apparmor.d/profiles-g-l/haveged | 3 ++ apparmor.d/profiles-g-l/inxi | 2 ++ apparmor.d/profiles-g-l/libreoffice | 7 +++- apparmor.d/profiles-m-r/mdadm | 3 +- apparmor.d/profiles-m-r/mkinitramfs | 2 +- apparmor.d/profiles-m-r/mpris-proxy | 7 ++++ apparmor.d/profiles-m-r/ollama | 4 +-- apparmor.d/profiles-m-r/packagekitd | 12 +++++++ apparmor.d/profiles-m-r/qemu-ga | 5 +++ apparmor.d/profiles-m-r/remmina | 1 - apparmor.d/profiles-m-r/reprepro | 40 +++++------------------ apparmor.d/profiles-s-z/snapshot | 9 +++-- apparmor.d/profiles-s-z/superproductivity | 2 ++ apparmor.d/profiles-s-z/sysstat-sadc | 7 ++-- apparmor.d/profiles-s-z/totem | 4 ++- apparmor.d/profiles-s-z/ucf | 1 + apparmor.d/profiles-s-z/vlc | 2 +- 20 files changed, 71 insertions(+), 51 deletions(-) diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index b820f249c1..6ee51adbba 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -31,6 +31,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.freetube path=/org/mpris/MediaPlayer2 + #aa:dbus talk bus=session name=org.freedesktop.PowerManagement label=kde-powerdevil @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 57c6a72e02..04860c1ded 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -22,6 +22,8 @@ profile gimp @{exec_path} flags=(attach_disconnected) { signal (send) set=(term, kill) peer=xsane-gimp, + #aa:dbus own bus=session name=org.gimp + #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -40,6 +42,7 @@ profile gimp @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-help, @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, + @{lib}/@{multiarch}/gimp/@{version}/plug-ins/web-browser/web-browser ix, /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, @@ -58,15 +61,15 @@ profile gimp @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw, owner @{user_cache_dirs}/babl/{,**} rw, - owner @{user_cache_dirs}/gegl-*/{,**} r, - owner @{user_cache_dirs}/gegl-*/{,**} r, + owner @{user_cache_dirs}/gegl-@{version}/{,**} rw, + owner @{user_cache_dirs}/gegl-@{version}/{,**} rw, owner @{user_cache_dirs}/gimp/{,**} rw, owner @{user_cache_dirs}/GIMP/{,**} rw, owner @{user_config_dirs}/gimp/{,**} rw, owner @{user_config_dirs}/GIMP/{,**} rw, - owner @{user_share_dirs}/gegl-*/{,**} r, + owner @{user_share_dirs}/gegl-@{version}/{,**} r, owner @{user_share_dirs}/GIMP/{,**} rw, owner @{tmp}/gimp/{,**} rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index cc8dfa4470..b60c2ff66e 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -24,6 +24,7 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { deny /etc/nsswitch.conf r, deny /etc/passwd r, deny /opt/*/** r, + deny owner /.cache/ w, deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 527629202b..8b15b31530 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -17,6 +17,9 @@ profile haveged @{exec_path} { @{exec_path} mr, + /dev/shm/sem.@{rand6} rw, + /dev/shm/sem.haveged_sem rwl -> /dev/shm/sem.@{rand6}, + @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index e80875ca2f..2d6a67d4ad 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -13,6 +13,8 @@ profile inxi @{exec_path} { include include + capability dac_read_search, + network inet dgram, network inet6 dgram, network inet stream, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 7e4feed45b..0975d2fdca 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -8,7 +8,7 @@ include @{exec_path} = @{bin}/libreoffice @{bin}/soffice @{exec_path} += @{lib}/libreoffice/program/soffice -profile libreoffice @{exec_path} { +profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include @@ -39,6 +39,11 @@ profile libreoffice @{exec_path} { #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=systemd-hostnamed), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index b0397eb8d4..f53e1b11fe 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -44,9 +44,10 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, + @{PROC}/devices r, @{PROC}/kcore r, - @{PROC}/partitions r, @{PROC}/mdstat rw, + @{PROC}/partitions r, /dev/**/ r, /dev/.tmp.md.* rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 800013c9af..5d38271df8 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -172,7 +172,7 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/@{lib}/modules/{,**} r, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/@{lib}/modules/{,**} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 3a5dfffb6d..0bb994c04e 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -14,6 +14,13 @@ profile mpris-proxy @{exec_path} { include #aa:dbus own bus=session name=org.mpris.MediaPlayer2 + #aa:dbus own bus=system name=org.mpris.MediaPlayer2.Player path=/{,**} + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 73447e33e8..165e3d3adf 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -44,9 +44,7 @@ profile ollama @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index e5b54c34e6..5bf1f3115a 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -51,6 +51,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, + @{bin}/id rix, @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @@ -61,6 +62,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/arch-audit rPx, #aa:only arch @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, @{bin}/ischroot rPx, @@ -113,6 +115,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + /dev/ptmx r, /dev/tty rw, profile gpg { @@ -150,6 +153,15 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { include if exists } + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index f8fd84d3f7..ae8dae8559 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -10,6 +10,10 @@ include profile qemu-ga @{exec_path} { include + network bind netlink raw, + network inet stream, + network inet6 stream, + @{exec_path} mr, @{bin}/systemctl Cx -> systemctl, @@ -22,6 +26,7 @@ profile qemu-ga @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/@{pid}/net/dev r, @{PROC}/sys/vm/max_map_count r, /dev/vport@{int}p@{int} rw, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 0737effc63..e8ed68727a 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -42,7 +42,6 @@ profile remmina @{exec_path} { @{open_path} rPx -> child-open-browsers, /usr/share/remmina/{,**} r, - /usr/share/themes/{,**} r, /etc/fstab r, /etc/ssh/ssh_config r, diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 866b7cbfa5..16336f8047 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -7,11 +7,10 @@ abi , include -@{REPO_DIR} = @{MOUNTS}/debuilder/repo - @{exec_path} = @{bin}/reprepro profile reprepro @{exec_path} { include + include @{exec_path} mr, @@ -19,42 +18,21 @@ profile reprepro @{exec_path} { @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - owner @{PROC}/@{pid}/fd/ r, - - # The repository dir - owner @{REPO_DIR}/debian/ r, - owner @{REPO_DIR}/debian/conf/{distributions,options} r, - - owner @{REPO_DIR}/debian/db/lockfile rw, - owner @{REPO_DIR}/debian/db/version{,.new} rw, - owner @{REPO_DIR}/debian/db/packages.db rw, - owner @{REPO_DIR}/debian/db/references.db rw, - owner @{REPO_DIR}/debian/db/release.caches.db rw, - owner @{REPO_DIR}/debian/db/contents.cache.db rw, - owner @{REPO_DIR}/debian/db/checksums.db rw, - - owner @{REPO_DIR}/debian/dists/*/*/binary-*/Packages{,.gz} w, - owner @{REPO_DIR}/debian/dists/*/*/binary-*/Packages{,.gz}.new rw, - owner @{REPO_DIR}/debian/dists/*/*/source/Sources{,.gz} w, - owner @{REPO_DIR}/debian/dists/*/*/source/Sources{,.gz}.new rw, - owner @{REPO_DIR}/debian/dists/*/{In,}Release{,.new} rw, - owner @{REPO_DIR}/debian/dists/*/Release.gpg{,.new} rw, - - owner @{REPO_DIR}/debian/**/ w, - owner @{REPO_DIR}/debian/pool/*/*/*/*.tar.* rw, - owner @{REPO_DIR}/debian/pool/*/*/*/*.dsc rw, - owner @{REPO_DIR}/debian/pool/*/*/*/*.deb rw, - owner @{REPO_DIR}/debian/pool/*/*/*/*.git rw, - - # Dirs containing .deb files - owner @{REPO_DIR}/*.deb r, /var/cache/apt/archives/*.deb r, + owner @{user_projects_dirs}/** r, + owner @{user_build_dirs}/** r, + + owner @{user_pkg_dirs}/ rw, + owner @{user_pkg_dirs}/** rwlk, + # For package building owner @{user_build_dirs}/pbuilder/result/*.{dsc,changes} r, owner @{user_build_dirs}/pbuilder/result/*.deb r, owner @{user_build_dirs}/pbuilder/result/*.tar.* r, + owner @{PROC}/@{pid}/fd/ r, + profile gpg { include diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot index 91ca7cd69d..3e48a4bc7e 100644 --- a/apparmor.d/profiles-s-z/snapshot +++ b/apparmor.d/profiles-s-z/snapshot @@ -11,10 +11,15 @@ include profile snapshot @{exec_path} flags=(attach_disconnected) { include include + include include include + include include - include + + network netlink raw, + + #aa:dbus own bus=session name=org.gnome.Snapshot @{exec_path} mr, @@ -23,8 +28,6 @@ profile snapshot @{exec_path} flags=(attach_disconnected) { owner @{user_pictures_dirs}/Camera/{,**} rw, owner @{user_videos_dirs}/Camera/{,**} rw, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - include if exists } diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 441842fd45..5cdda4994c 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -39,6 +39,8 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/user/@{uid}/speech-dispatcher/speechd.sock rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index 7d91439383..30c5e0b3c5 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,13 +24,10 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/duplex r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/name r, - @{sys}/devices/**/net/*/duplex r, - @{sys}/devices/**/net/*/speed r, - @{sys}/devices/virtual/net/*/duplex r, - @{sys}/devices/virtual/net/*/speed r, + @{sys}/devices/**/speed r, @{PROC}/@{pid}/net/* r, @{PROC}/diskstats r, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 9d55b7cd2a..1ec163874d 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -13,6 +13,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -21,7 +22,8 @@ profile totem @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=totem//bwrap, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.totem + #aa:dbus own bus=session name=org.gnome.Totem + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 47826d3367..65ea284fa1 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -33,6 +33,7 @@ profile ucf @{exec_path} { @{bin}/sed rix, @{bin}/seq rix, @{bin}/stat rix, + @{bin}/stty rix, @{bin}/tr rix, @{bin}/which{,.debianutils} rix, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index afcf3c249d..50760f8c5b 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/{c,}vlc -profile vlc @{exec_path} { +profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include From 8ffbcfc0b5987b99a6de6cb2333efe0ad92e8378 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:28:51 +0200 Subject: [PATCH 0782/1736] feat(abs): improve signal and ptrace in the glycin stack. --- apparmor.d/abstractions/app/bwrap-glycin | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index a3a5ceee61..d1a17b6c81 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -16,11 +16,13 @@ unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=*//&glycin, - signal send set=kill peer=glycin//&*, + signal send set=kill peer=@{profile_name}, + signal send set=kill peer=@{profile_name}//&glycin, + signal send set=kill peer=glycin, - ptrace read peer=*//&glycin, - ptrace read peer=glycin//&*, + ptrace read peer=@{profile_name}, + ptrace read peer=@{profile_name}//&glycin, + ptrace read peer=glycin, @{bin}/bwrap mr, From 487bf85af201b4c1665bd5cd394bd9e01ca800a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 23:23:12 +0200 Subject: [PATCH 0783/1736] build: add build support for apparmor 4 vs apparmor 4.1 This is required to allow us the use of priority in apparmor 4.1+ --- pkg/prebuild/builder/abi.go | 17 +++++++++++++++++ pkg/prebuild/cli/cli.go | 9 ++++++++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index b0052d13fb..f61316390f 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -17,12 +17,19 @@ var ( ` all`, ` # all`, ` deny mqueue`, ` # deny mqueue`, }) + regApparmor41To40 = util.ToRegexRepl([]string{ + `priority=[0-9\-]*`, ``, + }) ) type ABI3 struct { prebuild.Base } +type APPARMOR40 struct { + prebuild.Base +} + func init() { RegisterBuilder(&ABI3{ Base: prebuild.Base{ @@ -30,8 +37,18 @@ func init() { Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) + RegisterBuilder(&APPARMOR40{ + Base: prebuild.Base{ + Keyword: "apparmor4.0", + Msg: "Build: convert all profiles from apparmor 4.1 to 4.0 or less", + }, + }) } func (b ABI3) Apply(opt *Option, profile string) (string, error) { return regAbi4To3.Replace(profile), nil } + +func (b APPARMOR40) Apply(opt *Option, profile string) (string, error) { + return regApparmor41To40.Replace(profile), nil +} diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index afed5aedf8..868bf69d8c 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -133,8 +133,15 @@ func Configure() { } switch prebuild.ABI { case 3: - builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 + builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 + builder.Register("apparmor4.0") // Convert convert all profiles from apparmor 4.1 to 4.0 or less + case 4: + // priority support was added in 4.1 + if prebuild.Version == 4.0 { + builder.Register("apparmor4.0") + } + // Re-attach disconnected path if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent From 36cd3bb8effaa9849a6b4694dfac932c63f60b58 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 23:35:25 +0200 Subject: [PATCH 0784/1736] feat(abs): add fontconfig-cache --- apparmor.d/abstractions/fontconfig-cache | 53 ++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 apparmor.d/abstractions/fontconfig-cache diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache new file mode 100644 index 0000000000..509c8a3ba1 --- /dev/null +++ b/apparmor.d/abstractions/fontconfig-cache @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # The fontconfig cache can be generated via the following command: + # $ fc-cache -f -v + # + # There is no need to give apps the ability to create cache for their own. + # However, apps can generate the fontconfig cache if some cache files are missing. + # Therefore, if this behavior is desirable, you can use + # + # If not, you can block writing to the cache directories with + # + + abi , + + /var/cache/fontconfig/ r, + /var/cache/fontconfig/CACHEDIR.TAG r, + /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + + owner @{gdm_cache_dirs}/fontconfig/ r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + + owner @{HOME}/.fontconfig/ r, + owner @{HOME}/.fontconfig/CACHEDIR.TAG r, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + + owner @{user_cache_dirs}/fontconfig/ r, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG r, # {,.NEW,.LCK,.TMP-*} r, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, # {,.NEW,.LCK,.TMP-*} r, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + + # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to + # identify the font directory and is used to determine the cache filename if available. + /usr/share/**/.uuid r, + owner /usr/local/share/fonts/ r, + owner /usr/local/share/fonts/.uuid r, + owner @{HOME}/.fonts/ r, + owner @{HOME}/.fonts/.uuid r, + owner @{user_share_dirs}/fonts/ r, + owner @{user_share_dirs}/fonts/**/.uuid r, + + include if exists + +# vim:syntax=apparmor From a9fefa02932e03c3f43b0ba13a173ae2a1ee636d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 23:36:22 +0200 Subject: [PATCH 0785/1736] feat(abs): rewrite fontconfig read and cache abs. --- apparmor.d/abstractions/fontconfig-cache-read | 14 ++- .../abstractions/fontconfig-cache-write | 93 ++++++++++++------- 2 files changed, 68 insertions(+), 39 deletions(-) diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 3067873780..1deddd130a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -3,14 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # The fontconfig cache can be generated via the following command: - # $ fc-cache -f -v - # There's no need to give apps the ability to create cache for their own. Apps can generate the - # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use - # the "fontconfig-cache-write" abstraction. +# See for documentation. abi , + include if exists + + owner @{gdm_cache_dirs}/fontconfig/ r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}.cache-?{,.NEW,.LCK,.TMP-*} r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r, + deny @{gdm_cache_dirs}/fontconfig/ w, + deny @{gdm_cache_dirs}/fontconfig/** w, + owner @{user_cache_dirs}/fontconfig/ r, deny @{user_cache_dirs}/fontconfig/ w, deny @{user_cache_dirs}/fontconfig/** w, diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 922a15a6a7..a3b7379d21 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -3,42 +3,67 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# See for documentation. + abi , - owner @{user_cache_dirs}/fontconfig/ rw, - owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, - owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, - owner @{user_cache_dirs}/fontconfig/*-le64.cache-@{int} w, - owner @{user_cache_dirs}/fontconfig/*-le64.cache-@{int}{,TMP-@{rand6},NEW,LCK} w, - - owner @{HOME}/.fontconfig/ rw, - owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, - owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, - - owner @{HOME}/.fonts/ rw, - link @{HOME}/.fonts/.uuid.LCK -> @{HOME}/.fonts/.uuid.TMP-*, - owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*} r, - owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*} w, - - # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to - # identify the font directory and is used to determine the cache filename if available. - owner /usr/local/share/fonts/ rw, - owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw, - link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*, - # Should writing to these dirs be blocked? - /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r, - deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, - - /var/cache/fontconfig/ rw, - owner /var/cache/fontconfig/** rw, - owner /var/cache/fontconfig/*.cache-@{int} rwk, - owner /var/cache/fontconfig/*.cache-@{int}.LCK rwl, - owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl, - - # For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars) - owner @{user_share_dirs}/fonts/ rw, - owner @{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*} rw, - link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*, + include + + owner /var/cache/fontconfig/ w, + owner /var/cache/fontconfig/CACHEDIR.TAG w, + owner /var/cache/fontconfig/CACHEDIR.TAG.LCK wl, + owner /var/cache/fontconfig/CACHEDIR.TAG.NEW w, + owner /var/cache/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + + owner @{gdm_cache_dirs}/fontconfig/ w, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG w, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK wl, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW w, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + + owner @{HOME}/.fontconfig/ w, + owner @{HOME}/.fontconfig/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{HOME}/.fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{HOME}/.fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{HOME}/.fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner @{HOME}/.fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{HOME}/.fontconfig/CACHEDIR.TAG w, + owner @{HOME}/.fontconfig/CACHEDIR.TAG.LCK wl, + owner @{HOME}/.fontconfig/CACHEDIR.TAG.NEW w, + owner @{HOME}/.fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + + owner @{user_cache_dirs}/fontconfig/ w, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG w, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK wl, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW w, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, include if exists From 99c441c4cddf908f955959df582bb7becc54b934 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 26 Sep 2025 00:01:23 +0200 Subject: [PATCH 0786/1736] feat(profile): reduce the number of transition in some profile, Bipass the error `profile x has too many specified profile transitions` --- apparmor.d/abstractions/fontconfig-cache-read | 2 +- apparmor.d/abstractions/trash-strict | 10 +++++----- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/kde/kded | 4 ++-- apparmor.d/groups/kde/kwin_wayland | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 1deddd130a..26ba79f98e 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -7,7 +7,7 @@ abi , - include if exists + include owner @{gdm_cache_dirs}/fontconfig/ r, owner @{gdm_cache_dirs}/fontconfig/@{hex32}.cache-?{,.NEW,.LCK,.TMP-*} r, diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index a2b024d3ec..30d5188172 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict @@ -22,7 +22,7 @@ # Home trash location owner @{user_share_dirs}/Trash/ rw, owner @{user_share_dirs}/Trash/#@{int} rw, - owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl -> @{user_share_dirs}/Trash/#@{int}, + owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl, owner @{user_share_dirs}/Trash/files/{,**} rw, owner @{user_share_dirs}/Trash/info/ rw, owner @{user_share_dirs}/Trash/info/*.trashinfo{,.*} rw, @@ -35,7 +35,7 @@ owner @{MOUNTS}/.Trash/ rw, owner @{MOUNTS}/.Trash/@{uid}/ rw, owner @{MOUNTS}/.Trash/@{uid}/#@{int} rw, - owner @{MOUNTS}/.Trash/@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/.Trash/@{uid}/#@{int}, + owner @{MOUNTS}/.Trash/@{uid}/directorysizes{,.*} rwl, owner @{MOUNTS}/.Trash/@{uid}/files/{,**} rw, owner @{MOUNTS}/.Trash/@{uid}/info/ rw, owner @{MOUNTS}/.Trash/@{uid}/info/*.trashinfo{,.*} rw, @@ -47,7 +47,7 @@ # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner @{MOUNTS}/.Trash-@{uid}/ rw, owner @{MOUNTS}/.Trash-@{uid}/#@{int} rw, - owner @{MOUNTS}/.Trash-@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/.Trash-@{uid}/#@{int}, + owner @{MOUNTS}/.Trash-@{uid}/directorysizes{,.*} rwl, owner @{MOUNTS}/.Trash-@{uid}/files/{,**} rw, owner @{MOUNTS}/.Trash-@{uid}/info/ rw, owner @{MOUNTS}/.Trash-@{uid}/info/*.trashinfo{,.*} rw, @@ -60,7 +60,7 @@ owner @{MOUNTS}/*/.Trash/ rw, owner @{MOUNTS}/*/.Trash/@{uid}/ rw, owner @{MOUNTS}/*/.Trash/@{uid}/#@{int} rw, - owner @{MOUNTS}/*/.Trash/@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/*/.Trash/@{uid}/#@{int}, + owner @{MOUNTS}/*/.Trash/@{uid}/directorysizes{,.*} rwl, owner @{MOUNTS}/*/.Trash/@{uid}/files/{,**} rw, owner @{MOUNTS}/*/.Trash/@{uid}/info/ rw, owner @{MOUNTS}/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, @@ -72,7 +72,7 @@ # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner @{MOUNTS}/*/.Trash-@{uid}/ rw, owner @{MOUNTS}/*/.Trash-@{uid}/#@{int} rw, - owner @{MOUNTS}/*/.Trash-@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/*/.Trash-@{uid}/#@{int}, + owner @{MOUNTS}/*/.Trash-@{uid}/directorysizes{,.*} rwl, owner @{MOUNTS}/*/.Trash-@{uid}/files/{,**} rw, owner @{MOUNTS}/*/.Trash-@{uid}/info/ rw, owner @{MOUNTS}/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71719b1705..33b7551c2a 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -104,7 +104,7 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, - owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, + owner @{user_share_dirs}/flatpak/repo/** rwl, owner @{tmp}/#@{int} rw, owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 678c64e71c..cc402bbd94 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -156,7 +156,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, owner @{user_share_dirs}/kcookiejar/cookies.lock rwk, - owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, + owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl, owner @{user_share_dirs}/kded{5,6}/{,**} rw, owner @{user_share_dirs}/kscreen/{,**} rwl, owner @{user_share_dirs}/kservices{5,6}/{,**} r, @@ -166,7 +166,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index ab33ba2bf0..276f332626 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -97,13 +97,13 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, - owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl, owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/menus/** r, From 37290dd6124f507545347b083d553c799af78f9f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 26 Sep 2025 00:01:53 +0200 Subject: [PATCH 0787/1736] feat(profile): update userdbctl --- apparmor.d/groups/systemd/userdbctl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index fa7c132973..199d322b09 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -12,6 +12,7 @@ profile userdbctl @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, capability dac_read_search, capability sys_resource, @@ -23,10 +24,17 @@ profile userdbctl @{exec_path} flags=(attach_disconnected) { /etc/gshadow r, /etc/shadow r, + /etc/userdb/ rw, /etc/machine-id r, + @{run}/userdb/ rw, + @{run}/credentials/systemd-userdb-load-credentials.service/ r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/setgroups r, From 1e87a59f0aec73de548d20d616d65da8c036a68d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 26 Sep 2025 00:20:29 +0200 Subject: [PATCH 0788/1736] fix(profile): minor profile fixes. fix #877 --- .../groups/systemd-generators/systemd-generator-gpt-auto | 5 +++++ apparmor.d/groups/systemd/systemd-udevd | 2 ++ 2 files changed, 7 insertions(+) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 444315108d..23f273dd6c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -22,8 +22,13 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{efi}/ r, /etc/fstab r, /usr/ r, + /home/ r, @{run}/systemd/generator.late/**.{,auto}mount w, + @{run}/systemd/generator.late/home.mount.wants/ w, + @{run}/systemd/generator.late/local-fs.target.d/ w, + @{run}/systemd/generator.late/local-fs.target.d/*.conf w, + @{run}/systemd/generator.late/local-fs.target.requires/ w, @{run}/systemd/generator.late/local-fs.target.wants/ w, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index decffb4286..a40f1d1608 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -94,6 +94,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /etc/systemd/network/ r, /etc/systemd/network/@{int2}-*.link r, + / r, + @{run}/credentials/systemd-udev-load-credentials.service/ r, @{run}/modprobe.d/ r, @{run}/systemd/network/ r, From 3edc59825a60cba2ad3314fb8f4763dddf0509a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 26 Sep 2025 00:52:28 +0200 Subject: [PATCH 0789/1736] fix(profile): linter issues. --- apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 | 2 +- apparmor.d/abstractions/user-dirs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 0152774e1c..3f70b35b48 100644 --- a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -36,6 +36,6 @@ member=InterfaceRemoved peer=(name=@{busname}, label=wpa-supplicant), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs index c1b6c85a6a..d33a6764c1 100644 --- a/apparmor.d/abstractions/user-dirs +++ b/apparmor.d/abstractions/user-dirs @@ -8,7 +8,7 @@ /etc/xdg/user-dirs.defaults r, owner @{desktop_config_dirs}/user-dirs.dirs r, - + owner @{user_config_dirs}/user-dirs.dirs r, include if exists From e8cb99cfc56898ed8f13da24cbe7ce465c85d104 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 15:19:42 +0200 Subject: [PATCH 0790/1736] fix(profile): removed moved bus abstraction. --- apparmor.d/abstractions/app/chromium | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 2b5dfbfa6f..dee842ca15 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -29,7 +29,6 @@ include include include - include include include include From 7d9df934ea0feafaf81d49d14ea99b8301d2afa7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 16:06:44 +0200 Subject: [PATCH 0791/1736] fix(profile): various small fixes in profiles. see #884 fix #877 #875 --- apparmor.d/groups/apparmor/aa-log | 2 ++ apparmor.d/groups/apt/apt | 2 ++ apparmor.d/groups/apt/apt-methods-file | 1 + apparmor.d/groups/apt/dpkg-scripts | 6 +++--- apparmor.d/groups/bus/dbus-session | 2 +- apparmor.d/groups/children/glycin | 2 ++ apparmor.d/groups/freedesktop/geoclue | 2 ++ .../groups/freedesktop/xdg-desktop-portal | 1 + apparmor.d/groups/gnome/gdm-generate-config | 3 +++ apparmor.d/groups/gnome/gnome-initial-setup | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 5 +++++ apparmor.d/groups/gnome/gnome-session-ctl | 2 +- .../groups/gnome/gnome-session-init-worker | 8 ++++++++ apparmor.d/groups/gnome/gnome-session-service | 4 ++++ apparmor.d/groups/gnome/gsd-media-keys | 5 +---- apparmor.d/groups/gnome/gsd-wwan | 1 + apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/session-migration | 3 +++ apparmor.d/groups/gvfs/gvfsd-http | 3 ++- apparmor.d/groups/gvfs/gvfsd-recent | 1 + apparmor.d/groups/shadow/userdel | 1 + .../systemd-generator-openvpn | 2 ++ .../systemd-generators/systemd-generator-tpm2 | 1 + apparmor.d/groups/systemd/busctl | 2 ++ apparmor.d/groups/systemd/networkctl | 1 + apparmor.d/groups/systemd/systemd-coredump | 2 ++ apparmor.d/groups/systemd/systemd-homed | 5 +++-- apparmor.d/groups/systemd/systemd-machined | 9 ++++++--- apparmor.d/groups/systemd/systemd-networkd | 1 + apparmor.d/groups/systemd/systemd-nsresourced | 1 + .../groups/systemd/systemd-sleep-hdparm | 1 + apparmor.d/groups/systemd/systemd-sysusers | 5 +++++ .../groups/systemd/systemd-user-runtime-dir | 4 ++++ apparmor.d/groups/systemd/systemd-userdbd | 2 ++ apparmor.d/groups/ubuntu/apport | 1 + .../groups/ubuntu/software-properties-gtk | 2 +- .../groups/ubuntu/update-motd-fsck-at-reboot | 5 ++++- apparmor.d/groups/utils/lsfd | 19 ++++++++++--------- apparmor.d/groups/virt/cockpit-bridge | 1 + apparmor.d/profiles-m-r/pinentry-gnome3 | 11 ++++++++++- apparmor.d/profiles-m-r/pinentry-gtk | 11 +++++++++++ apparmor.d/profiles-m-r/pinentry-kwallet | 11 +++++++++++ apparmor.d/profiles-m-r/pinentry-qt | 11 +++++++++++ apparmor.d/profiles-m-r/remmina | 1 + apparmor.d/profiles-s-z/tlp | 2 ++ 45 files changed, 140 insertions(+), 27 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 80e3961257..aed8e3163b 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,6 +21,8 @@ profile aa-log @{exec_path} { /var/log/audit/* r, /var/log/syslog* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 8581fe7245..31b539dcd8 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -217,6 +217,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal (send) set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent rPx, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 25afbcb357..6796a75630 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -39,6 +39,7 @@ profile apt-methods-file @{exec_path} { /etc/ r, /root/ r, + owner /var/lib/apt/lists/auxfiles/* rw, owner /var/lib/apt/lists/partial/* rw, /var/log/cron-apt/temp w, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index f493047092..138aac66c3 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -51,9 +51,9 @@ profile dpkg-scripts @{exec_path} { #aa:lint ignore=too-wide # Maintainer scripts can legitimately start/restart anything # PU is only used as a safety fallback. - @{bin}/** PUx, - @{sbin}/** PUx, - @{lib}/** PUx, + @{bin}/** mPUx, + @{sbin}/** mPUx, + @{lib}/** mPUx, /etc/** PUx, /usr/share/** PUx, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 7fafdfdb73..c4af45e111 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -58,7 +58,7 @@ profile dbus-session flags=(attach_disconnected) { # Dbus can receive any user files owner @{HOME}/** r, - owner @{att}/@{HOME}/** r, + owner @{att}/@{HOME}/** rk, owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 4bde8a9571..0580a3ad66 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -18,6 +18,8 @@ profile glycin flags=(attach_disconnected,complain) { @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> &glycin//loaders, # Safe deny of inherited files from parent process. + deny network inet dgram, + deny network inet6 dgram, deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, deny /opt/*/** rw, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 3360c4881d..e5697d4c9b 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -37,6 +37,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { /var/lib/nscd/services r, /var/lib/dbus/machine-id r, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{PROC}/@{pids}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 95f801a4ab..379500040c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -22,6 +22,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index c5e6d4cd57..218b96e65c 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,6 +42,7 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @@ -55,6 +56,8 @@ profile gdm-generate-config @{exec_path} { @{bin}/pkill mr, + @{PROC}/@{pid}/ r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 1e8bc36232..22ac95148d 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -38,6 +38,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/df rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, + @{bin}/lsb_release rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, @{bin}/xrandr rPx, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 0dfac52bf9..589919c5a8 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -39,6 +39,11 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { member=GetSession peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=Setenv + peer=(name=org.gnome.SessionManager, label="@{p_gnome_session}"), + @{exec_path} mr, @{bin}/ssh-add rix, diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index 04c4ce628e..74b6289440 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -23,7 +23,7 @@ profile gnome-session-ctl @{exec_path} { dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member=Initialized - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + peer=(name=org.gnome.SessionManager, label="@{p_gnome_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker index 787bbda17d..77f187ad7f 100644 --- a/apparmor.d/groups/gnome/gnome-session-init-worker +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -9,9 +9,17 @@ include @{exec_path} = @{lib}/gnome-session-init-worker profile gnome-session-init-worker @{exec_path} { include + include + include + include + + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, @{exec_path} mr, + owner @{run}/user/@{uid}/gnome-session-leader-fifo w, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 200c4ac2ab..2012b957d2 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -39,6 +39,10 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, + owner @{user_config_dirs}/autostart/{,*.desktop} r, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/sessions/@{int} r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 5002f3f39f..f81a3698fe 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -55,10 +55,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** - @{sys}/devices/**/usb@{int}/{,**} r, - @{sys}/devices/@{pci}/sound/**/uevent r, - @{sys}/devices/platform/**/uevent r, - @{sys}/devices/virtual/**/uevent r, + @{sys}/devices/**/uevent r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index 3a5ee53df3..c6beba9963 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -13,6 +13,7 @@ profile gsd-wwan @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c405a3bf86..190c881da1 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -131,6 +131,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/net/wireless r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index b31532cae7..84e47b109c 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -19,7 +19,10 @@ profile session-migration @{exec_path} { @{sh_path} rix, @{python_path} rix, @{bin}/dconf rPx, + @{bin}/grep rix, @{bin}/gsettings rPx, + @{bin}/tr rix, + @{bin}/update-alternatives rPx, /usr/share/session-migration/scripts/* rix, /usr/share/session-migration/{,**} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 94667e71fa..e41ffdde4b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,8 +11,9 @@ include profile gvfsd-http @{exec_path} { include include - include include + include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index a7855beedc..85822b6f44 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -13,6 +13,7 @@ profile gvfsd-recent @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/groups/shadow/userdel index 589c726d09..e82d5a1172 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -51,6 +51,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { /var/lib/*/{,**} rw, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/task/ r, include if exists diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn index 7b2130db3a..a9a5be11c6 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -10,6 +10,8 @@ include profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { include + capability sys_admin, + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 index ee5d924cc0..3d23784a53 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -16,6 +16,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { @{sys}/class/tpmrm/ r, @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, + @{sys}/firmware@{efi}/efivars/LoaderTpm2ActivePcrBanks-@{uuid} r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index eed7080f8a..9d42178052 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -65,6 +66,7 @@ profile busctl @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/stat r, + @{PROC}/1/status r, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index a0d1471f95..1a65a4ff63 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -51,6 +51,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + @{run}/systemd/netif/io.systemd.Network rw, @{att}/@{run}/systemd/netif/io.systemd.Network rw, @{run}/systemd/netif/links/ r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 061b93ffd4..dd3a21bc23 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -39,11 +39,13 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{user_lib_dirs}/** r, /snap/*/@{int}/opt/** r, /snap/*/@{int}/usr/** r, + @{att}/ r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, owner @{HOME}/**.so* r, + owner @{HOME}/.var/app/*/** r, # Crash from flatpak apps /var/lib/systemd/coredump/{,**} rwl, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index c53be3a353..c4d4800b2b 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -77,10 +77,11 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{sys}/bus/ r, - @{sys}/fs/ r, @{sys}/class/ r, - @{sys}/kernel/uevent_seqnum r, @{sys}/devices/**/read_ahead_kb r, + @{sys}/devices/**/uevent r, + @{sys}/fs/ r, + @{sys}/kernel/uevent_seqnum r, @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 520080082b..4d8919cb04 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} flags=(attach_disconnected) { +profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -35,6 +35,8 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { signal send set=rtmin+6 peer=systemd-nspawn, + ptrace read peer=@{p_systemd}, + ptrace read peer=libvirtd, ptrace read peer=systemd-nspawn, unix type=stream addr=@@{udbus}/bus/systemd-machine/system, @@ -57,14 +59,15 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { owner @{run}/systemd/nspawn/locks/ w, owner @{run}/systemd/nspawn/locks/** rwk, - @{run}/systemd/machine/{,**} rw, - @{run}/systemd/machines/{,**} rw, + @{run}/systemd/machine/{,**} rwl, + @{run}/systemd/machines/{,**} rwl, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/gid_map r, @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index ccb6d96299..7bf649327d 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -76,6 +76,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced index 97dcb3b057..b11ab12b53 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourced +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -12,6 +12,7 @@ profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { include capability bpf, + capability net_admin, capability perfmon, capability sys_resource, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 5b9c51dbe8..982df7badd 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,6 +13,7 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, + @{bin}/grep ix, @{lib}/pm-utils/power.d/*hdparm-apm ix, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 2d250f63c2..2b31e4bb8c 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -12,10 +12,15 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { include include + capability audit_write, capability chown, capability fsetid, capability net_admin, + network netlink raw, + + ptrace read peer=@{p_systemd}, + signal send set=cont peer=child-pager, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 363b9a32d9..d2b91016cb 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -31,6 +31,10 @@ profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, + /dev/shm/ r, + /tmp/ r, + /var/tmp/ r, + @{run}/user/@{uid}/{,**} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index f9fad36937..cb14a2c710 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -29,6 +29,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/shadow r, /etc/machine-id r, + /etc/userdb/{,**} r, @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @@ -36,6 +37,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, + @{run}/userdb/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/cpu r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 35267de3c9..010f9139c9 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -69,6 +69,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/status r, @{PROC}/sys/fs/suid_dumpable w, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 836adbb557..702bc47321 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -59,7 +59,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index c244f2902d..52f3b86590 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -7,9 +7,11 @@ abi , include @{exec_path} = @{lib}/update-notifier/update-motd-fsck-at-reboot -profile update-motd-fsck-at-reboot @{exec_path} { +profile update-motd-fsck-at-reboot @{exec_path} flags=(attach_disconnected) { include + capability dac_read_search, + @{exec_path} mr, @{sbin}/dumpe2fs rPx, @@ -28,6 +30,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{run}/motd.dynamic.new w, @{PROC}/uptime r, + @{PROC}/@{pid}/mountinfo r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd index 96e497ea65..adfdd207e6 100644 --- a/apparmor.d/groups/utils/lsfd +++ b/apparmor.d/groups/utils/lsfd @@ -49,15 +49,16 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/cpu_byteorder r, @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/syscall r, - @{PROC}/@{pid}/task/ r, + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/net/* r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/syscall r, + @{PROC}/@{pids}/task/ r, @{PROC}/devices r, @{PROC}/misc r, @{PROC}/partitions r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index d8c71803d0..33cbc28578 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -136,6 +136,7 @@ profile cockpit-bridge @{exec_path} { include include + @{run}/udev/data/b@{int}:* r, # For block devices @{run}/udev/data/n@{int} r, # For network interfaces include if exists diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index b60d929e26..40990bf9b7 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -10,12 +10,21 @@ include profile pinentry-gnome3 @{exec_path} { include include - include include include signal receive set=int, + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=org.gnome.keyring.SystemPrompter), + @{exec_path} mr, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index d07a64a5ae..9cdcd432b6 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -10,10 +10,21 @@ include @{exec_path} = @{bin}/pinentry-gtk{,-2} profile pinentry-gtk @{exec_path} { include + include include include include + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=org.gnome.keyring.SystemPrompter), + @{exec_path} mr, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index adff98c535..c70cdbf260 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -10,11 +10,22 @@ include @{exec_path} = @{bin}/pinentry-kwallet profile pinentry-kwallet @{exec_path} { include + include include include signal (send) set=(term, kill) peer=gpg-agent, + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=org.gnome.keyring.SystemPrompter), + @{exec_path} mr, @{bin}/date rix, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 66729769f6..947a57a708 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include + include include include include @@ -19,6 +20,16 @@ profile pinentry-qt @{exec_path} { ptrace read peer=gpg-agent, + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=org.gnome.keyring.SystemPrompter), + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index e8ed68727a..7ea88646a1 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -40,6 +40,7 @@ profile remmina @{exec_path} { @{exec_path} rm, @{open_path} rPx -> child-open-browsers, + @{bin}/lsb_release rPx, /usr/share/remmina/{,**} r, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 1592d3aee1..d6891c2db0 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -111,6 +111,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{run}/tlp/lock_tlp rw, # file_inherit + @{run}/udev/data/b@{int}:* r, # For block devices + include if exists } From 76cafe08ba9f6ccba6ce076125e9f68d1cfbabcd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 16:42:13 +0200 Subject: [PATCH 0792/1736] feat(profiles): add global support for glycin loaders MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Globally add bwrap transition to the glycin profile in the gtk{-sẗrict} abstractions. It can be overwritten in profile when bwrap is needed for other purposes. Only enabled on apparmor 4.1, as older version do not support priority rule, and are not concerned by this resent update.this resent update. fix #884 fix #886 fix #887 fix #881 --- apparmor.d/abstractions/app/bwrap-glycin | 9 +++++---- apparmor.d/abstractions/gtk-strict | 8 ++++++++ apparmor.d/abstractions/gtk.d/complete | 8 ++++++++ apparmor.d/groups/browsers/epiphany | 1 + apparmor.d/groups/browsers/firefox | 3 ++- apparmor.d/groups/children/glycin | 4 ++++ apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 - apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/loupe | 10 ---------- apparmor.d/profiles-a-f/fractal | 7 ------- apparmor.d/profiles-s-z/terminator | 2 -- apparmor.d/profiles-s-z/thunderbird | 3 ++- 14 files changed, 32 insertions(+), 29 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index d1a17b6c81..9cdbd8a7fd 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -1,9 +1,10 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Base set of rules for glycin-loaders sandboxed with bwrap. -# - It is safe to use when used like in the glycin profile. +# - It is very safe to use when used like in the glycin profile. # - It is **not** safe to use when used by a profile stacking glycin # See https://github.com/roddhjav/apparmor.d/issues/881 for more details. @@ -16,9 +17,9 @@ unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=@{profile_name}, - signal send set=kill peer=@{profile_name}//&glycin, - signal send set=kill peer=glycin, + signal (send receive) set=kill peer=@{profile_name}, + signal (send receive) set=kill peer=@{profile_name}//&glycin, + signal (send receive) set=kill peer=glycin, ptrace read peer=@{profile_name}, ptrace read peer=@{profile_name}//&glycin, diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index ed016bb241..8b9fe0ce7e 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -9,6 +9,14 @@ include include + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//loaders), + + signal send set=kill peer=glycin, + + #aa:only apparmor4.1 + priority=-1 @{bin}/bwrap Px -> glycin, + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 2aff75be4b..9aad661719 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -7,6 +7,14 @@ include include + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//loaders), + + signal send set=kill peer=glycin, + + #aa:only apparmor4.1 + priority=-1 @{bin}/bwrap Px -> glycin, + @{lib}/{,@{multiarch}/}gtk*/** mr, /usr/share/glycin-loaders/{,**} r, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 2787871dbb..5589c7dec7 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -35,6 +35,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, @{bin}/bwrap rix, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> epiphany//&glycin//loaders, /usr/share/enchant*/{,**} r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 8d420789b3..0f15e17efd 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -15,7 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile firefox @{exec_path} flags=(attach_disconnected) { include - include + include #aa:only apparmor4.1 include include include @@ -34,6 +34,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + #aa:only apparmor4.1 # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> firefox//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//loaders, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 0580a3ad66..19ec6efb32 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -5,6 +5,9 @@ # Confine glycin-loaders sandboxed with bwrap. It also confines bwrap itself. # for this use case. +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> glycin" exec transitions from other profiles. + abi , include @@ -20,6 +23,7 @@ profile glycin flags=(attach_disconnected,complain) { # Safe deny of inherited files from parent process. deny network inet dgram, deny network inet6 dgram, + deny /usr/share/icons/** r, deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, deny /opt/*/** rw, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index b0bb1cb46d..6d8d91ec73 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -16,6 +16,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { @{bin}/bwrap mr, @{bin}/*-thumbnailer rix, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> gnome-desktop-thumbnailers//&glycin//loaders, /usr/share/ladspa/rdf/{,**} r, /usr/share/poppler/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index ed52d09f76..700838ea8e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -54,7 +54,6 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, - @{bin}/bwrap rPx -> glycin, @{bin}/dconf rPx, @{bin}/ssh-keygen rPx, @{bin}/xdg-screensaver rPx, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index de94b49b1b..76cdda644a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -198,7 +198,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, - @{bin}/bwrap rPx -> glycin, @{bin}/flatpak rPx, @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @@ -255,6 +254,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, owner @{gdm_cache_dirs}/fontconfig/{,*} rwl, + owner @{gdm_cache_dirs}/glycin/{,**} rw, owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw, owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, @@ -337,7 +337,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r, owner @{tmp}/@{rand6}.shell-extension.zip rw, - owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 33b7551c2a..d8f3c3f008 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -107,7 +107,6 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/repo/** rwl, owner @{tmp}/#@{int} rw, - owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index b40640b5c7..5f58b6426d 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,11 +21,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//loaders), - - signal send set=kill peer=glycin, - #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -37,15 +32,10 @@ profile loupe @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bwrap rPx -> glycin, @{open_path} rPx -> child-open-help, - /usr/share/glycin-loaders/{,**} r, - / r, - owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index d50bc48cd3..edbb8c7541 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -22,19 +22,12 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal send set=kill peer=glycin, - - unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//loaders), - #aa:dbus own bus=session name=org.gnome.Fractal @{exec_path} mr, - @{bin}/bwrap rPx -> glycin, @{open_path} rPx -> child-open-help, - /usr/share/glycin-loaders/{,**} r, /usr/share/xml/iso-codes/{,**} r, owner @{tmp}/.@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 2f38799d5d..769771b6a9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -37,8 +37,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{python_path} rix, - @{bin}/bwrap rPx -> glycin, - # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 0934e69861..fc40375bb6 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -15,7 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile thunderbird @{exec_path} flags=(attach_disconnected) { include - include + include #aa:only apparmor4.1 include include include @@ -27,6 +27,7 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, + #aa:only apparmor4.1 # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> thunderbird//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//loaders, From 2613ccee0bb876ef0191dbaf9783920f2c4c0501 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 16:48:05 +0200 Subject: [PATCH 0793/1736] chore: linter fix --- apparmor.d/abstractions/gtk-strict | 2 +- apparmor.d/abstractions/gtk.d/complete | 2 +- apparmor.d/groups/gnome/gnome-session-init-worker | 2 +- apparmor.d/groups/gnome/session-migration | 2 +- apparmor.d/groups/shadow/userdel | 2 +- apparmor.d/groups/systemd/systemd-sleep-hdparm | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index 8b9fe0ce7e..8dfa4c8941 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -12,7 +12,7 @@ unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=glycin, + signal send set=kill peer=glycin, #aa:only apparmor4.1 priority=-1 @{bin}/bwrap Px -> glycin, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 9aad661719..c3ceda83d8 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -10,7 +10,7 @@ unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=glycin, + signal send set=kill peer=glycin, #aa:only apparmor4.1 priority=-1 @{bin}/bwrap Px -> glycin, diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker index 77f187ad7f..a02ccc8c4a 100644 --- a/apparmor.d/groups/gnome/gnome-session-init-worker +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -13,7 +13,7 @@ profile gnome-session-init-worker @{exec_path} { include include - signal receive set=term peer=gdm, + signal receive set=term peer=gdm, signal receive set=term peer=gdm-session, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 84e47b109c..b58a362063 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -19,7 +19,7 @@ profile session-migration @{exec_path} { @{sh_path} rix, @{python_path} rix, @{bin}/dconf rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gsettings rPx, @{bin}/tr rix, @{bin}/update-alternatives rPx, diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/groups/shadow/userdel index e82d5a1172..06e6bba3ac 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -51,7 +51,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { /var/lib/*/{,**} rw, @{PROC}/ r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 982df7badd..3cb15904ed 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,7 +13,7 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{lib}/pm-utils/power.d/*hdparm-apm ix, include if exists From 0ef6041dc38ccfd1c87699170518a56f03e1d9e6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 16:55:09 +0200 Subject: [PATCH 0794/1736] tests: generalise autopkgtest path Only enabled for when build with just complain-test --- apparmor.d/abstractions/apt | 3 --- apparmor.d/abstractions/base-strict | 3 +++ apparmor.d/groups/apt/dpkg-deb | 3 --- apparmor.d/groups/apt/dpkg-genbuildinfo | 3 --- apparmor.d/groups/apt/dpkg-genchanges | 3 --- apparmor.d/groups/apt/dpkg-split | 3 --- 6 files changed, 3 insertions(+), 15 deletions(-) diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/apt index 25106ad6e5..2802ac2a80 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/apt @@ -35,9 +35,6 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index e65e45d625..8f8f3c4ce7 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -129,6 +129,9 @@ # StackGuard, FormatGuard, etc., alerts can be properly logged. /dev/log w, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 97d4d382c9..4fedbcd5f8 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -33,9 +33,6 @@ profile dpkg-deb @{exec_path} { owner @{tmp}/dpkg-deb.@{rand6}/ rw, owner @{tmp}/dpkg-deb.@{rand6}/* rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/{,**} rw, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 536098fa06..b9853ca326 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -37,9 +37,6 @@ profile dpkg-genbuildinfo @{exec_path} { owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 0ba28c80a3..7c7ad1681e 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -26,9 +26,6 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/{,**} rw, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index 28dff622ea..e307e9867b 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -29,9 +29,6 @@ profile dpkg-split @{exec_path} { @{user_pkg_dirs}/** r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - include if exists } From 81d433ff441b2d6b531600a94d50f9e14fa39878 Mon Sep 17 00:00:00 2001 From: myrslint <6370-myrslint@users.noreply.gitlab.archlinux.org> Date: Mon, 29 Sep 2025 11:44:36 +0000 Subject: [PATCH 0795/1736] Add allowed paths for correct generation of swap target The generator for GPT mounts also creates a swap target, when a swap partition is available. Write access to paths relating to this target was missing. They were added in this commit. --- apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 23f273dd6c..55dd48a191 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -25,7 +25,9 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { /home/ r, @{run}/systemd/generator.late/**.{,auto}mount w, + @{run}/systemd/generator.late/**.swap w, @{run}/systemd/generator.late/home.mount.wants/ w, + @{run}/systemd/generator.late/swap.target.wants/ w, @{run}/systemd/generator.late/local-fs.target.d/ w, @{run}/systemd/generator.late/local-fs.target.d/*.conf w, @{run}/systemd/generator.late/local-fs.target.requires/ w, From 72616edabbc527a1af17abb5e282bc8d57b3116c Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 2 Oct 2025 14:33:42 +0200 Subject: [PATCH 0796/1736] minor fixes --- apparmor.d/abstractions/app/firefox | 1 + apparmor.d/groups/gvfs/gvfsd-wsdd | 3 ++- apparmor.d/profiles-a-f/dnscrypt-proxy | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 0648e68d16..72fd1f7db3 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -140,6 +140,7 @@ @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 9012682c41..01e50cfa30 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -15,7 +15,8 @@ profile gvfsd-wsdd @{exec_path} { include include - network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), + ## network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), + network inet dgram, network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 5573aaf835..12323c9eb7 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy @@ -51,6 +51,8 @@ profile dnscrypt-proxy @{exec_path} { @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } From a17c93ca424c422313ec791f0c764a8f86849e74 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Sat, 4 Oct 2025 12:20:11 +0200 Subject: [PATCH 0797/1736] Update xdg-desktop-portal DENIED xdg-desktop-portal open @{att}/ comm=pool-3 requested_mask=r denied_mask=r DENIED xdg-desktop-portal open @{att}/ comm=pool-1 requested_mask=r denied_mask=r DENIED xdg-desktop-portal open @{att}/ comm=pool-6 requested_mask=r denied_mask=r --- apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 379500040c..5888efdbd5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -77,6 +77,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{open_path} mrPx -> child-open, / r, + @{att}/ r, @{att}/.flatpak-info r, owner /att/**/ r, From cdc782ce0836f3d5566fafb93cb43cbae21b3f58 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Sat, 4 Oct 2025 10:47:10 +0200 Subject: [PATCH 0798/1736] Update xdg-desktop-portal-kde DENIED xdg-desktop-portal-kde link owner @{user_cache_dirs}/xdg-desktop-portal-kde/qmlcache/@{hex38}49.qmlc.HaAhtu -> @{user_cache_dirs}/xdg-desktop-portal-kde/qmlcache/#@{int8} comm=QQmlThread requested_mask=l denied_mask=l --- apparmor.d/groups/freedesktop/xdg-desktop-portal-kde | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index bd5981dcf3..2b67cd19c5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -42,7 +42,7 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, + owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rwl, owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, From 245734bceba96a441c84ebbb171fd62b4f9ac1c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 30 Sep 2025 11:36:26 +0200 Subject: [PATCH 0799/1736] build: add initial structure for the release process. --- Justfile | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 110 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 64e333079c..5e24230483 100644 --- a/Justfile +++ b/Justfile @@ -6,10 +6,14 @@ # See https://apparmor.pujol.io/development/ for more information. # Build settings + destdir := "/" build := ".build" pkgdest := `pwd` / ".pkg" pkgname := "apparmor.d" +gpgkey := "06A26D531D56C42D66805049C5469996F0DF68EC" + +# The following variables are only used for the development and test VM # Admin username username := "user" @@ -49,10 +53,25 @@ c := "--connect=qemu:///system" # VM prefix prefix := "aa-" +usage := " +Build variables available: + build " + BLUE + "# Build directory (default: " + build + ")" + NORMAL + " + destdir " + BLUE + "# Installation destination (default: " + destdir + ")" + NORMAL + " + pkgdest " + BLUE + "# Package output directory (default: " + pkgdest + ")" + NORMAL + " + +Development variables available: + username " + BLUE + "# VM username (default: " + username + ")" + NORMAL + " + password " + BLUE + "# VM password (default: " + password + ")" + NORMAL + " + disk_size " + BLUE + "# VM disk size (default: " + disk_size + ")" + NORMAL + " + vcpus " + BLUE + "# VM CPU (default: " + vcpus + ")" + NORMAL + " + ram " + BLUE + "# VM RAM (default: " + ram + ")" + NORMAL + " + +See https://apparmor.pujol.io/development/ for more information." + # Show this help message help: @just --list --unsorted - @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." + @printf "%s\n" "{{usage}}" # Build the go programs [group('build')] @@ -66,6 +85,7 @@ enforce: build @./{{build}}/prebuild --buildir {{build}} # Prebuild the profiles in enforce mode (test) +[group('build')] enforce-test: build @./{{build}}/prebuild --buildir {{build}} --test @@ -75,6 +95,7 @@ complain: build ./{{build}}/prebuild --buildir {{build}} --complain # Prebuild the profiles in complain mode (test) +[group('build')] complain-test: build @./{{build}}/prebuild --buildir {{build}} --complain --test @@ -93,6 +114,31 @@ fsp-complain: build fsp-debug: build @./{{build}}/prebuild --buildir {{build}} --complain --full --debug +# Prebuild the profiles in server mode +[group('build')] +server: build + @./{{build}}/prebuild --buildir {{build}} --server + +# Prebuild the profiles in server mode (complain) +[group('build')] +server-complain: build + @./{{build}}/prebuild --buildir {{build}} --server --complain + +# Prebuild the profiles in server FSP mode +[group('build')] +server-fsp: build + @./{{build}}/prebuild --buildir {{build}} --server --full + +# Prebuild the profiles in server FSP mode (complain) +[group('build')] +server-fsp-complain: build + @./{{build}}/prebuild --buildir {{build}} --server --full --complain + +# Prebuild the profiles in server FSP mode (debug) +[group('build')] +server-fsp-debug: build + @./{{build}}/prebuild --buildir {{build}} --server --full --complain --debug + # Install prebuild profiles [group('install')] install: @@ -380,6 +426,69 @@ tests-run dist flavor name="": (tests-resync dist flavor) bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} +# Get the current apparmor.d release version +[group('version')] +version: + @bash -c 'source PKGBUILD && echo "$pkgver"' + +# Create a new version number from the current release +[group('version')] +version-new: + @bash -c 'source PKGBUILD && echo $(echo "$pkgver" | awk "{print \$1 + 0.0001}")' + +# Create a new release +[group('release')] +release: tests lint commit archive publish + +# Write the new release version to package files & commit +[group('release')] +commit: + #!/usr/bin/env bash + set -eu -o pipefail + version=`just version-new` + cat > debian/changelog.tmp <<-EOF + {{pkgname}} (${version}-1) stable; urgency=medium + + * Release {{pkgname}} v${version} + + -- $(git config user.name) <$(git config user.email)> $(date -R) + + EOF + cat debian/changelog >> debian/changelog.tmp + mv debian/changelog.tmp debian/changelog + sed -i "s/^pkgver=.*/pkgver=$version/" PKGBUILD + sed -i "s/^Version:.*/Version: $version/" "dists/{{pkgname}}.spec" + echo git add PKGBUILD "dists/{{pkgname}}.spec" debian/changelog + echo git commit -S -m "Release version $version" + +# Create a release archive +[group('release')] +archive: + #!/usr/bin/env bash + set -eu -o pipefail + version=`just version` + git tag -a "v$version" -m "{{pkgname}} v$version" --local-user={{gpgkey}} + git archive \ + --format=tar.gz \ + --prefix={{pkgname}}-$version/ \ + --output={{pkgdest}}/{{pkgname}}-$version.tar.gz \ + v$version + gpg --armor --default-key {{gpgkey}} --detach-sig {{pkgdest}}/{{pkgname}}-$version.tar.gz + gpg --verify {{pkgdest}}/{{pkgname}}-$version.tar.gz.asc + +# Publish the new release on Github +[group('release')] +publish: + #!/usr/bin/env bash + set -eu -o pipefail + owner="roddhjav" + version=`just version` + git push origin main --tags + gh release create "v$version" --notes-from-tag --repo $owner/{{pkgname}} + gh release upload "v$version" --repo $owner/{{pkgname}} \ + {{pkgdest}}/{{pkgname}}-$version.tar.gz \ + {{pkgdest}}/{{pkgname}}-$version.tar.gz.asc + _get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ From cdb2b413a2b8516dc58be057a47a2f533d10ae3c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 30 Sep 2025 11:37:51 +0200 Subject: [PATCH 0800/1736] build: dev: only parse the dev profile do not reload all profiles. --- Justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 5e24230483..fad65b76cc 100644 --- a/Justfile +++ b/Justfile @@ -194,7 +194,7 @@ local +names: dev name: go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} - sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service + sudo apparmor_parser --write-cache --replace /etc/apparmor.d/{{name}} # Build & install apparmor.d on Arch based systems [group('packages')] From c7858006b08ecf79c3fac8ea1a1d0cedc6751df9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 30 Sep 2025 11:58:21 +0200 Subject: [PATCH 0801/1736] tests: use osinfo in vm naming It allows us to easily handle version information for each distribution. osinfo is by design the same as defined in qemu. --- Justfile | 121 +++++++++--------- dists/docker.sh | 10 +- docs/development/integration.md | 14 +- docs/development/vm.md | 114 +++++++++++------ ....yml => ubuntu24.04-desktop.user-data.yml} | 0 ....yml => ubuntu24.04-kubuntu.user-data.yml} | 0 ...a.yml => ubuntu24.04-server.user-data.yml} | 0 ....yml => ubuntu25.05-desktop.user-data.yml} | 0 ....yml => ubuntu25.05-kubuntu.user-data.yml} | 0 ...a.yml => ubuntu25.05-server.user-data.yml} | 0 .../ubuntu25.10-desktop.user-data.yml | 8 ++ tests/packer/builds.pkr.hcl | 15 ++- tests/packer/clean.sh | 7 - tests/packer/init.sh | 8 +- tests/packer/variables.pkr.hcl | 18 ++- 15 files changed, 180 insertions(+), 135 deletions(-) rename tests/cloud-init/{ubuntu24-desktop.user-data.yml => ubuntu24.04-desktop.user-data.yml} (100%) rename tests/cloud-init/{ubuntu24-kubuntu.user-data.yml => ubuntu24.04-kubuntu.user-data.yml} (100%) rename tests/cloud-init/{ubuntu24-server.user-data.yml => ubuntu24.04-server.user-data.yml} (100%) rename tests/cloud-init/{ubuntu25-desktop.user-data.yml => ubuntu25.05-desktop.user-data.yml} (100%) rename tests/cloud-init/{ubuntu25-kubuntu.user-data.yml => ubuntu25.05-kubuntu.user-data.yml} (100%) rename tests/cloud-init/{ubuntu25-server.user-data.yml => ubuntu25.05-server.user-data.yml} (100%) create mode 100644 tests/cloud-init/ubuntu25.10-desktop.user-data.yml diff --git a/Justfile b/Justfile index fad65b76cc..0d6a4a9780 100644 --- a/Justfile +++ b/Justfile @@ -255,30 +255,44 @@ serve: clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ - {{pkgdest}}/{{pkgname}}* {{build}} coverage.out + {{pkgdest}}/{{pkgname}}* {{pkgdest}}/ubuntu {{pkgdest}}/debian \ + {{pkgdest}}/archlinux {{pkgdest}}/opensuse {{pkgdest}}/version \ + {{build}} coverage.out # Build the package in a clean OCI container [group('packages')] -package dist: +package dist version="": + bash dists/docker.sh {{dist}} {{version}} + +# Build all packages in a clean OCI container +[group('packages')] +packages: #!/usr/bin/env bash set -eu -o pipefail - dist="{{dist}}" - version="" - if [[ $dist =~ ubuntu([0-9]+) ]]; then - version="${BASH_REMATCH[1]}.04" - dist="ubuntu" - elif [[ $dist == debian* ]]; then - version="trixie" - dist="debian" - fi - bash dists/docker.sh $dist $version + declare -A matrix=( + ["archlinux"]="-" + ["debian"]="12 13" + ["ubuntu"]="22.04 24.04 25.04 25.10" + ["opensuse"]="-" + ) + for dist in "${!matrix[@]}"; do + IFS=' ' read -r -a versions <<< "${matrix[$dist]}" + for version in "${versions[@]}"; do + echo bash dists/docker.sh $dist $version + done + done # Build the VM image [group('vm')] -img dist flavor: (package dist) - @mkdir -p {{base_dir}} +img dist version flavor: (package dist version) + #!/usr/bin/env bash + set -eu -o pipefail + VERSION="{{version}}" + [[ "$VERSION" == "-" ]] && VERSION="" + mkdir -p {{base_dir}} packer build -force \ -var dist={{dist}} \ + -var version="$VERSION" \ -var flavor={{flavor}} \ -var prefix={{prefix}} \ -var username={{username}} \ @@ -293,19 +307,19 @@ img dist flavor: (package dist) # Create the machine [group('vm')] -create dist flavor: - @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +create osinfo flavor: + @cp -f {{base_dir}}/{{prefix}}{{osinfo}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{osinfo}}-{{flavor}}.qcow2 @virt-install {{c}} \ --import \ - --name {{prefix}}{{dist}}-{{flavor}} \ + --name {{prefix}}{{osinfo}}-{{flavor}} \ --vcpus {{vcpus}} \ --ram {{ram}} \ --machine q35 \ - {{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \ + {{ if osinfo == "archlinux" { "" } else { "--boot uefi" } }} \ --memorybacking source.type=memfd,access.mode=shared \ - --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ + --disk path={{vm}}/{{prefix}}{{osinfo}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ - --os-variant "`just _get_osinfo {{dist}}`" \ + --os-variant "{{ if osinfo == "opensuse" { "opensusetumbleweed" } else { osinfo } }}" \ --graphics spice \ --audio id=1,type=spice \ --sound model=ich9 \ @@ -313,41 +327,41 @@ create dist flavor: # Start a machine [group('vm')] -up dist flavor: - @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +up osinfo flavor: + @virsh {{c}} start {{prefix}}{{osinfo}}-{{flavor}} # Stops the machine [group('vm')] -halt dist flavor: - @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +halt osinfo flavor: + @virsh {{c}} shutdown {{prefix}}{{osinfo}}-{{flavor}} # Reboot the machine [group('vm')] -reboot dist flavor: - @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +reboot osinfo flavor: + @virsh {{c}} reboot {{prefix}}{{osinfo}}-{{flavor}} # Destroy the machine [group('vm')] -destroy dist flavor: - @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true - @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram - @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +destroy osinfo flavor: + @virsh {{c}} destroy {{prefix}}{{osinfo}}-{{flavor}} || true + @virsh {{c}} undefine {{prefix}}{{osinfo}}-{{flavor}} --nvram + @rm -fv {{vm}}/{{prefix}}{{osinfo}}-{{flavor}}.qcow2 # Connect to the machine [group('vm')] -ssh dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` +ssh osinfo flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{osinfo}} {{flavor}}` # Mount the shared directory on the machine [group('vm')] -mount dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ +mount osinfo flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{osinfo}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' # Unmout the shared directory on the machine [group('vm')] -umount dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ +umount osinfo flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{osinfo}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' # List the machines @@ -403,26 +417,26 @@ integration name="": # Install dependencies for the integration tests (machine) [group('tests')] -tests-init dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ +tests-init osinfo flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{osinfo}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init # Synchronize the integration tests (machine) [group('tests')] -tests-sync dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ +tests-sync osinfo flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{osinfo}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ # Re-synchronize the integration tests (machine) [group('tests')] -tests-resync dist flavor: (mount dist flavor) \ - (tests-sync dist flavor) \ - (umount dist flavor) +tests-resync osinfo flavor: (mount osinfo flavor) \ + (tests-sync osinfo flavor) \ + (umount osinfo flavor) # Run the integration tests (machine) [group('tests')] -tests-run dist flavor name="": (tests-resync dist flavor) - ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ +tests-run osinfo flavor name="": (tests-resync osinfo flavor) + ssh {{sshopt}} {{username}}@`just _get_ip {{osinfo}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} @@ -489,20 +503,7 @@ publish: {{pkgdest}}/{{pkgname}}-$version.tar.gz \ {{pkgdest}}/{{pkgname}}-$version.tar.gz.asc -_get_ip dist flavor: - @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ +_get_ip osinfo flavor: + @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{osinfo}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' - -_get_osinfo dist: - #!/usr/bin/env python3 - osinfo = { - "archlinux": "archlinux", - "debian12": "debian12", - "debian13": "debian13", - "ubuntu22": "ubuntu22.04", - "ubuntu24": "ubuntu24.04", - "ubuntu25": "ubuntu25.04", - "opensuse": "opensusetumbleweed", - } - print(osinfo.get("{{dist}}", "{{dist}}")) diff --git a/dists/docker.sh b/dists/docker.sh index 45191adb89..bcc44b8e0a 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -4,7 +4,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Usage: -# just package ubuntu24 +# just package ubuntu 24.04 # just package archlinux # just package opensuse @@ -16,12 +16,13 @@ readonly PKGNAME=apparmor.d readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp readonly OUTDIR=".pkg" -readonly OUTPUT="$PWD/$OUTDIR" readonly DISTRIBUTION="${1:-}" -readonly RELEASE="${2:-}" +RELEASE="${2:-}" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" -readonly VERSION PACKAGER +[[ "$RELEASE" == "-" ]] && RELEASE="" +readonly OUTPUT="$PWD/$OUTDIR/$DISTRIBUTION/$RELEASE" +readonly RELEASE VERSION PACKAGER _start() { local img="$1" @@ -76,7 +77,6 @@ build_in_docker_dpkg() { local img dist="$1" target="$1" release="$2" [[ "$dist" == whonix ]] && dist=debian - [[ "$release" == "13" ]] && release=trixie img="$PREFIX$dist$release" if _exist "$img"; then if ! _is_running "$img"; then diff --git a/docs/development/integration.md b/docs/development/integration.md index b5c740f78f..f80404ce7c 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -16,14 +16,14 @@ Although the integration test suite is intended to be run in a [Development VM]( **Prepare the test environment:** ```sh -just img -just create +just img +just create ``` Example: ```sh -just img ubuntu25 desktop -just create ubuntu25 desktop +just img ubuntu 25.10 desktop +just create ubuntu25.10 desktop ``` **Install dependencies for the integration tests** @@ -33,7 +33,7 @@ just tests-init Example: ```sh -just tests-init ubuntu25 desktop +just tests-init ubuntu25.10 desktop ``` **Run the integration tests** @@ -45,12 +45,12 @@ just tests-run Example: ```sh -just tests-run ubuntu25 desktop +just tests-run ubuntu25.10 desktop ``` Partial tests can also be run. For example the following command will only run the tests in the `tests/integration/apt` directory on the `ubuntu25` `desktop` machine: ```sh -just tests-run ubuntu25 desktop apt +just tests-run ubuntu25.10 desktop apt ``` ## Create integration tests diff --git a/docs/development/vm.md b/docs/development/vm.md index 1091f7d5e6..871c2e93e9 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -13,59 +13,89 @@ $ just ``` Available recipes: - help # Show this help message - clean # Remove all build artifacts + help # Show this help message + clean # Remove all build artifacts [build] - build # Build the go programs - enforce # Prebuild the profiles in enforced mode - complain # Prebuild the profiles in complain mode - fsp # Prebuild the profiles in FSP mode - fsp-complain # Prebuild the profiles in FSP mode (complain) - fsp-debug # Prebuild the profiles in FSP mode (debug) + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + enforce-test # Prebuild the profiles in enforce mode (test) + complain # Prebuild the profiles in complain mode + complain-test # Prebuild the profiles in complain mode (test) + fsp # Prebuild the profiles in FSP mode + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) + server # Prebuild the profiles in server mode + server-complain # Prebuild the profiles in server mode (complain) + server-fsp # Prebuild the profiles in server FSP mode + server-fsp-complain # Prebuild the profiles in server FSP mode (complain) + server-fsp-debug # Prebuild the profiles in server FSP mode (debug) [install] - install # Install prebuild profiles - local +names # Locally install prebuild profiles - dev name # Prebuild, install, and load a dev profile + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile [packages] - pkg # Build & install apparmor.d on Arch based systems - dpkg # Build & install apparmor.d on Debian based systems - rpm # Build & install apparmor.d on OpenSUSE based systems - package dist # Build the package in a clean OCI container - - [tests] - tests # Run the unit tests - init # Install dependencies for the integration tests - integration # Run the integration tests - tests-init dist flavor # Install dependencies for the integration tests (machine) - tests-sync dist flavor # Synchronize the integration tests (machine) - tests-resync dist flavor # Re-synchronize the integration tests (machine) - tests-run dist flavor name="" # Run the integration tests (machine) + pkg name="" # Build & install apparmor.d on Arch based systems + dpkg name="" # Build & install apparmor.d on Debian based systems + rpm name="" # Build & install apparmor.d on OpenSUSE based systems + package dist version="" # Build the package in a clean OCI container + packages # Build all packages in a clean OCI container [linter] - lint # Run the linters - check # Run style checks on the profiles + lint # Run the linters + check # Run style checks on the profiles + + [tests] + tests # Run the unit tests + init # Install dependencies for the integration tests + integration name="" # Run the integration tests + tests-init osinfo flavor # Install dependencies for the integration tests (machine) + tests-sync osinfo flavor # Synchronize the integration tests (machine) + tests-resync osinfo flavor # Re-synchronize the integration tests (machine) + tests-run osinfo flavor name="" # Run the integration tests (machine) [docs] - man # Generate the man pages - docs # Build the documentation - serve # Serve the documentation + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation [vm] - img dist flavor # Build the VM image - create dist flavor # Create the machine - up dist flavor # Start a machine - halt dist flavor # Stops the machine - reboot dist flavor # Reboot the machine - destroy dist flavor # Destroy the machine - ssh dist flavor # Connect to the machine - mount dist flavor # Mount the shared directory on the machine - umount dist flavor # Unmout the shared directory on the machine - list # List the machines - images # List the VM images - available # List the VM images that can be created + img dist version flavor # Build the VM image + create osinfo flavor # Create the machine + up osinfo flavor # Start a machine + halt osinfo flavor # Stops the machine + reboot osinfo flavor # Reboot the machine + destroy osinfo flavor # Destroy the machine + ssh osinfo flavor # Connect to the machine + mount osinfo flavor # Mount the shared directory on the machine + umount osinfo flavor # Unmout the shared directory on the machine + list # List the machines + images # List the VM images + available # List the VM images that can be created + + [version] + version # Get the current apparmor.d release version + version-new # Create a new version number from the current release + + [release] + release # Create a new release + commit # Write the new release version to package files & commit + archive # Create a release archive + publish # Publish the new release on Github + +Build variables available: + build # Build directory (default: .build) + destdir # Installation destination (default: /) + pkgdest # Package output directory (default/ .pkg) + +Development variables available: + username # VM username (default: user) + password # VM password (default: user) + disk_size # VM disk size (default: 40G) + vcpus # VM CPU (default: 12) + ram # VM RAM (default: 8192) See https://apparmor.pujol.io/development/ for more information. ``` @@ -108,7 +138,7 @@ ubuntu24 server A VM image can be build with: ```sh -$ just img archlinux gnome +$ just img archlinux - gnome ``` The image will then be showed in the list of images: diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24.04-desktop.user-data.yml similarity index 100% rename from tests/cloud-init/ubuntu24-desktop.user-data.yml rename to tests/cloud-init/ubuntu24.04-desktop.user-data.yml diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24.04-kubuntu.user-data.yml similarity index 100% rename from tests/cloud-init/ubuntu24-kubuntu.user-data.yml rename to tests/cloud-init/ubuntu24.04-kubuntu.user-data.yml diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24.04-server.user-data.yml similarity index 100% rename from tests/cloud-init/ubuntu24-server.user-data.yml rename to tests/cloud-init/ubuntu24.04-server.user-data.yml diff --git a/tests/cloud-init/ubuntu25-desktop.user-data.yml b/tests/cloud-init/ubuntu25.05-desktop.user-data.yml similarity index 100% rename from tests/cloud-init/ubuntu25-desktop.user-data.yml rename to tests/cloud-init/ubuntu25.05-desktop.user-data.yml diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml similarity index 100% rename from tests/cloud-init/ubuntu25-kubuntu.user-data.yml rename to tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml diff --git a/tests/cloud-init/ubuntu25-server.user-data.yml b/tests/cloud-init/ubuntu25.05-server.user-data.yml similarity index 100% rename from tests/cloud-init/ubuntu25-server.user-data.yml rename to tests/cloud-init/ubuntu25.05-server.user-data.yml diff --git a/tests/cloud-init/ubuntu25.10-desktop.user-data.yml b/tests/cloud-init/ubuntu25.10-desktop.user-data.yml new file mode 100644 index 0000000000..7f4183d494 --- /dev/null +++ b/tests/cloud-init/ubuntu25.10-desktop.user-data.yml @@ -0,0 +1,8 @@ +#cloud-config + +packages: *desktop-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 98e923fd99..da8d0e53de 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -3,14 +3,15 @@ # SPDX-License-Identifier: GPL-2.0-only locals { - name = "${var.prefix}${var.dist}-${var.flavor}" + name = "${var.prefix}${var.dist}${var.version}-${var.flavor}" + osinfo = "${var.dist}${var.version}" } source "qemu" "default" { disk_image = true - iso_url = var.DM[var.dist].img_url - iso_checksum = "file:${var.DM[var.dist].img_checksum}" - iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[var.dist].img_url}")}") + iso_url = var.DM[local.osinfo].img_url + iso_checksum = "file:${var.DM[local.osinfo].img_checksum}" + iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[local.osinfo].img_url}")}") cpu_model = "host" cpus = var.cpus memory = var.ram @@ -38,11 +39,11 @@ source "qemu" "default" { username = "${var.username}" password = "${var.password}" ssh_key = file("${var.ssh_publickey}") - hostname = "${local.name}" + hostname = "${regex_replace(local.name, ".", "")}" } ), - file("${path.cwd}/tests/cloud-init/${regex_replace(var.dist, "[0-9]*$", "")}.yml"), - file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") + file("${path.cwd}/tests/cloud-init/${regex_replace(local.osinfo, "[0-9.]*$", "")}.yml"), + file("${path.cwd}/tests/cloud-init/${local.osinfo}-${var.flavor}.user-data.yml") ) } } diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index 23c587d4fe..de0d8562ab 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -69,8 +69,6 @@ impersonalize() { # Remove remaining pkg file, docs and caches dirs=( - /usr/share/doc - /usr/share/man /var/cache/ /var/lib/apt /var/lib/dhcp @@ -90,11 +88,6 @@ impersonalize() { truncate --size=0 /var/lib/dbus/machine-id remove=( - # Remove remaining pkg file, docs and caches - /usr/share/info/ - /usr/share/lintian/ - /usr/share/linda/ - # Remove history & unique ids /etc/adjtime /etc/ansible/ diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 44a86220f0..8506a44178 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -27,10 +27,12 @@ main() { ;; debian | ubuntu) - # Do not install apparmor.d on the current development version - if [[ $VERSION_ID != "25.10" ]]; then - dpkg -i $SRC/*.deb || true + if [[ $VERSION_ID == "24.04" || $VERSION_ID == 12 ]]; then + apt-get purge -y just || true + sudo -u "$SUDO_USER" pipx install rust-just + sudo -u "$SUDO_USER" pipx ensurepath fi + dpkg -i $SRC/*.deb || true ;; opensuse*) diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index a44f984123..7301c94b3c 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -73,7 +73,13 @@ variable "prefix" { variable "dist" { description = "Distribution to target" type = string - default = "ubuntu24" + default = "ubuntu" +} + +variable "version" { + description = "Version to target" + type = string + default = "25.10" } variable "flavor" { @@ -101,18 +107,22 @@ variable "DM" { img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" } - "ubuntu22" : { + "ubuntu22.04" : { img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS" }, - "ubuntu24" : { + "ubuntu24.04" : { img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" }, - "ubuntu25" : { + "ubuntu25.04" : { img_url = "https://cloud-images.ubuntu.com/plucky/current/plucky-server-cloudimg-amd64.img" img_checksum = "https://cloud-images.ubuntu.com/plucky/current/SHA256SUMS" }, + "ubuntu25.10" : { + img_url = "https://cloud-images.ubuntu.com/questing/current/questing-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/questing/current/SHA256SUMS" + }, "opensuse" : { img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2" img_checksum = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256" From 0c824c8f8545f69e074b05e96d698904d4cbdcf1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 30 Sep 2025 16:39:50 +0200 Subject: [PATCH 0802/1736] tests(abs): allow more files by default during autopkgtest tests. --- apparmor.d/abstractions/base-strict | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 8f8f3c4ce7..ad37c517f0 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -130,7 +130,20 @@ /dev/log w, #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, + @{lib}/installed-tests/ r, + @{lib}/installed-tests/** rw, + /usr/share/installed-tests/{,**} r, + /usr/share/rubygems-integration/{,**} r, + /usr/share/mutter-*/tests/{,**} r, + owner /m-a/{,**} rw, + owner /test-dir/{,**} rw, + owner /test-path/{,**} rw, + owner /test-symlink/{,**} rw, + owner /test/{,**} rw, + owner /trigger{,s}/{,**} rw, + /tmp/autopkgtest* rwlkmix, + /tmp/autopkgtest*/ rw, + /tmp/autopkgtest*/** rwlkmix, include if exists From 706d2d352d81dbeafc0887c90180e0cd216c516b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 30 Sep 2025 16:42:15 +0200 Subject: [PATCH 0803/1736] tests(abs): add tests only mount rules for flatpak and fusermount. --- apparmor.d/groups/flatpak/flatpak | 9 +++++++++ apparmor.d/profiles-a-f/fusermount | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index ef08a6b58d..906069b8cc 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -152,6 +152,10 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/tty rw, /dev/tty@{int} rw, + #aa:only test + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) revokefs-fuse -> /tmp/test-flatpak-*/**, + /tmp/test-flatpak-@{rand6}/{,**} rw, + profile gpg { include include @@ -186,6 +190,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + #aa:only test + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) revokefs-fuse -> /tmp/test-flatpak.*/**, + umount /tmp/test-flatpak-@{rand6}/**, + /tmp/test-flatpak-@{rand6}/{,**} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index a84b85322f..a3eb86d143 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -48,6 +48,15 @@ profile fusermount @{exec_path} { @{run}/user/@{uid}/doc/ r, + #aa:only test + mount fstype=fuse options=(nodev, nosuid, ro) borgfs -> /tmp/pytest-of-ubuntu/**, + mount /tmp/tmp@{word8}/, + mount fstype=(fuse fuse.*) /tmp/autopkgtest.*/** -> /tmp/autopkgtest.*/**, + umount /tmp/tmp@{word8}/, + umount /tmp/autopkgtest.*/**, + /tmp/tmp@{word8}/ rw, + /tmp/tmp@{word8}/mountpoint/ rw, + include if exists } From 3fe7950936f7cb9a030f755a69aba8b69df55ad3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 30 Sep 2025 16:43:01 +0200 Subject: [PATCH 0804/1736] fix(abs): remobe owner requirement on /greeter-dconf-defaults --- apparmor.d/abstractions/dconf.d/complete | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index 668faa06ed..df67986f19 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -5,7 +5,7 @@ /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{desktop_config_dirs}/dconf/user r, From 21ae3c0717906797a964edfc252903d7a78cecb3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 30 Sep 2025 16:47:27 +0200 Subject: [PATCH 0805/1736] tests(profiles): add some tests rules. --- apparmor.d/abstractions/base-strict | 1 - apparmor.d/groups/network/NetworkManager | 4 ++++ .../groups/systemd-generators/systemd-generator-fstab | 3 +++ apparmor.d/groups/systemd/systemd-network-generator | 3 +++ apparmor.d/groups/systemd/systemd-sysusers | 3 +++ apparmor.d/profiles-a-f/borg | 6 ++++++ apparmor.d/profiles-g-l/glib-compile-schemas | 4 +++- 7 files changed, 22 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index ad37c517f0..004102db53 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -134,7 +134,6 @@ @{lib}/installed-tests/** rw, /usr/share/installed-tests/{,**} r, /usr/share/rubygems-integration/{,**} r, - /usr/share/mutter-*/tests/{,**} r, owner /m-a/{,**} rw, owner /test-dir/{,**} rw, owner /test-path/{,**} rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index d593e0f4ed..b5262263f3 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -167,6 +167,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /dev/net/tun rw, /dev/rfkill rw, + #aa:only test + /etc/netplan/10-test.yaml rw, + + profile systemctl { include include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab index 44a3f8db48..d9b03c4b9f 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-fstab +++ b/apparmor.d/groups/systemd-generators/systemd-generator-fstab @@ -25,6 +25,9 @@ profile systemd-generator-fstab @{exec_path} { @{PROC}/@{pid}/cgroup r, + #aa:only test + /tmp/test-fstab-generator.@{rand10}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index ceebbc5c2d..75bd79ab1e 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -19,6 +19,9 @@ profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { @{run}/credentials/systemd-network-generator.service/ r, + #aa:only test + /tmp/test-network-generator-conversion.@{rand6}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 2b31e4bb8c..164c3045c2 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -58,6 +58,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { deny network inet6 stream, deny network inet stream, + #aa:only test + /tmp/test-sysusers.@{rand10}/{,**} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 544be3be04..171d2ce12b 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -78,6 +78,9 @@ profile borg @{exec_path} { /dev/fuse rw, + #aa:only test + mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/tmp@{word8}/**, + profile ccache { include @@ -107,6 +110,9 @@ profile borg @{exec_path} { @{MOUNTS}/ r, @{MOUNTS}/*/ r, + #aa:only test + mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/tmp@{word8}/**, + include if exists } diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 59c56bb120..06a3c12d45 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -25,7 +25,9 @@ profile glib-compile-schemas @{exec_path} { owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/ r, owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/gschemas.compiled rw, owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/gschemas.compiled.@{rand6} rw, - owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, + + #aa:only test + /usr/share/mutter-*/tests/{,**} rw, include if exists } From 2d8d9c29c70bde2e5cbd39dce2e33d1c5c0caea6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 30 Sep 2025 17:50:21 +0200 Subject: [PATCH 0806/1736] fix(profile): ensure pycompile can update all pycache. --- apparmor.d/profiles-m-r/pycompile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 105264ec2a..348fefbc24 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -21,9 +21,10 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/*.pyc w, - @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, + #aa:only apparmor4.1 + priority=1 @{lib}/@{python_name}/**/__pycache__/ w, + priority=1 @{lib}/@{python_name}/**/__pycache__/*.pyc w, + priority=1 @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, /usr/share/python3/{,**} r, From a3bbc9d6250c83f5551dd3eb00f5c1cb54a34637 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:35:05 +0200 Subject: [PATCH 0807/1736] build: support comparaison in version/abi number. --- pkg/prebuild/directive/filter.go | 85 ++++++++-- pkg/prebuild/directive/filter_test.go | 231 ++++++++++++++++++++++++++ 2 files changed, 303 insertions(+), 13 deletions(-) diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index ac632471b9..38bcd04149 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -7,7 +7,7 @@ package directive import ( "fmt" "regexp" - "slices" + "strconv" "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" @@ -38,24 +38,83 @@ func init() { }) } -func filterRuleForUs(opt *Option) bool { - if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { - return true +func cmp[T float64 | int](refValue T, operator string, value T) bool { + var res bool + switch operator { + case "<": + res = refValue < value + case "<=": + res = refValue <= value + case ">": + res = refValue > value + case ">=": + res = refValue >= value + case "==", "=": + res = refValue == value } + return res +} - if prebuild.Test && slices.Contains(opt.ArgList, "test") { - return true +func compare(refValue any, prefix string, arg string) bool { + pattern := fmt.Sprintf(`^%s(==|[<>]=?|=)(.+)$`, prefix) + re := regexp.MustCompile(pattern) + matches := re.FindStringSubmatch(arg) + if len(matches) < 3 { + return false } + operator := matches[1] + targetStr := matches[2] + + var res bool + switch refValue := refValue.(type) { + case int: + targetValue, err := strconv.Atoi(targetStr) + if err != nil { + panic(err) + } + res = cmp(refValue, operator, targetValue) - abiStr := fmt.Sprintf("abi%d", prebuild.ABI) - if slices.Contains(opt.ArgList, abiStr) { - return true + case float64: + targetValue, err := strconv.ParseFloat(targetStr, 64) + if err != nil { + panic(err) + } + res = cmp(refValue, operator, targetValue) + + default: + panic("unsupported type") } - versionStr := fmt.Sprintf("apparmor%.1f", prebuild.Version) - if slices.Contains(opt.ArgList, versionStr) { - return true + + return res +} + +func filterRuleForUs(opt *Option) bool { + for _, arg := range opt.ArgList { + var res bool + if prebuild.RBAC && arg == "RBAC" { + res = true + } + if prebuild.Test && arg == "test" { + res = true + } + if arg == prebuild.Distribution { + res = true + } + if arg == prebuild.Family { + res = true + } + if strings.HasPrefix(arg, "abi") { + res = compare(prebuild.ABI, "abi", arg) + } + if strings.HasPrefix(arg, "apparmor") { + res = compare(prebuild.Version, "apparmor", arg) + } + + if res { + return true + } } - return slices.Contains(opt.ArgList, prebuild.Distribution) || slices.Contains(opt.ArgList, prebuild.Family) + return false } func filter(only bool, opt *Option, profile string) (string, error) { diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/prebuild/directive/filter_test.go index ebbd5ef5c0..4edfca3aaa 100644 --- a/pkg/prebuild/directive/filter_test.go +++ b/pkg/prebuild/directive/filter_test.go @@ -10,6 +10,127 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) +func Test_cmp(t *testing.T) { + tests := []struct { + name string + operator string + refValue float64 + value float64 + want bool + }{ + { + name: "3.2 < 5.0", + operator: "<", + refValue: 3.2, + value: 5.0, + want: true, + }, + { + name: "5.0 == 5.0", + operator: "==", + refValue: 5.0, + value: 5.0, + want: true, + }, + { + name: "5.0 >= 4.1", + operator: ">=", + refValue: 5.0, + value: 4.1, + want: true, + }, + { + name: "3.2 < 5.0", + operator: "==", + refValue: 3.2, + value: 5.0, + want: false, + }, + { + name: "3.2 <= 5.0", + operator: "<=", + refValue: 3.2, + value: 5.0, + want: true, + }, + { + name: "4.1 >= 4.1", + operator: ">=", + refValue: 4.1, + value: 4.1, + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := cmp(tt.refValue, tt.operator, tt.value) + if got != tt.want { + t.Errorf("cmp() = %v, want %v", got, tt.want) + } + }) + } +} + +func Test_compare(t *testing.T) { + tests := []struct { + name string + refValue float64 + arg string + want bool + }{ + { + name: "3.1 < 4.0", + refValue: 3.1, + arg: "apparmor<4.0", + want: true, + }, + { + name: "3.2 < 5.0", + refValue: 3.2, + arg: "apparmor<5.0", + want: true, + }, + { + name: "5.0 == 5.0", + refValue: 5.0, + arg: "apparmor==5.0", + want: true, + }, + { + name: "5.0 >= 4.1", + refValue: 5.0, + arg: "apparmor>=4.1", + want: true, + }, + { + name: "3.2 == 5.0", + refValue: 3.2, + arg: "apparmor==5.0", + want: false, + }, + { + name: "3.2 <= 5.0", + refValue: 3.2, + arg: "apparmor<=5.0", + want: true, + }, + { + name: "4.1 >= 4.1", + refValue: 4.1, + arg: "apparmor>=4.1", + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := compare(tt.refValue, "apparmor", tt.arg) + if got != tt.want { + t.Errorf("compare() = %v, want %v", got, tt.want) + } + }) + } +} + func TestFilterOnly_Apply(t *testing.T) { tests := []struct { name string @@ -146,3 +267,113 @@ func TestFilterExclude_Apply(t *testing.T) { }) } } + +func TestFilterCmp_Apply(t *testing.T) { + tests := []struct { + name string + abi int + version float64 + opt *Option + want string + wantErr bool + }{ + { + name: "apparmor3.1<4.0", + version: 3.1, + opt: &Option{ + Name: "only", + ArgMap: map[string]string{}, + ArgList: []string{"apparmor<4.0"}, + File: nil, + Raw: " /dev/shm/ r, #aa:only apparmor>=4.1", + }, + want: " /dev/shm/ r,", + }, + { + name: "apparmor5.0>=4.1", + version: 5.0, + opt: &Option{ + Name: "only", + ArgMap: map[string]string{}, + ArgList: []string{"apparmor>=4.1"}, + File: nil, + Raw: " priority=100 @{bin}/bwrap Px, #aa:only apparmor>=4.1", + }, + want: " priority=100 @{bin}/bwrap Px,", + }, + { + name: "apparmor4.1>=4.1", + version: 4.1, + opt: &Option{ + Name: "only", + ArgMap: map[string]string{}, + ArgList: []string{"apparmor>=4.1"}, + File: nil, + Raw: " priority=100 @{bin}/bwrap Px, #aa:only apparmor>=4.1", + }, + want: " priority=100 @{bin}/bwrap Px,", + }, + { + name: "apparmor4.0>=4.1", + version: 4.0, + opt: &Option{ + Name: "only", + ArgMap: map[string]string{}, + ArgList: []string{"apparmor>=4.1"}, + File: nil, + Raw: " priority=100 @{bin}/bwrap Px, #aa:only apparmor>=4.1", + }, + want: "", + }, + { + name: "abi3=3", + abi: 3, + opt: &Option{ + Name: "only", + ArgMap: map[string]string{}, + ArgList: []string{"abi==3"}, + File: nil, + Raw: " /dev/shm/ r, #aa:only abi==3", + }, + want: " /dev/shm/ r,", + }, + { + name: "abi 3<4", + abi: 3, + opt: &Option{ + Name: "only", + ArgMap: map[string]string{}, + ArgList: []string{"abi<4"}, + File: nil, + Raw: " /efi/ r, #aa:only abi<4", + }, + want: " /efi/ r,", + }, + { + name: "abi 3>=5", + abi: 3, + opt: &Option{ + Name: "only", + ArgMap: map[string]string{}, + ArgList: []string{"abi>=5"}, + File: nil, + Raw: " /dev/shm/ r, #aa:only abi>=5", + }, + want: "", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + prebuild.Version = tt.version + prebuild.ABI = tt.abi + got, err := Directives["only"].Apply(tt.opt, tt.opt.Raw) + if (err != nil) != tt.wantErr { + t.Errorf("FilterOnly.Apply() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + t.Errorf("FilterOnly.Apply() = |%v|, want |%v|", got, tt.want) + } + }) + } +} From 672ea33e243e71f4ace7bed783831d9220dfa370 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:40:13 +0200 Subject: [PATCH 0808/1736] build: update filter directive to use version comparison. --- apparmor.d/abstractions/authentication.d/complete | 2 +- apparmor.d/abstractions/gtk-strict | 2 +- apparmor.d/abstractions/gtk.d/complete | 2 +- apparmor.d/groups/browsers/firefox | 4 ++-- apparmor.d/profiles-s-z/thunderbird | 4 ++-- apparmor.d/tunables/multiarch.d/profiles | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index a4ed65e8ca..1828e35166 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -5,7 +5,7 @@ @{bin}/pam-tmpdir-helper rPx, @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, - #aa:only abi3 + #aa:only abi==3 @{sbin}/unix_chkpwd rPx, #aa:only whonix diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index 8dfa4c8941..62dcd7244c 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -14,7 +14,7 @@ signal send set=kill peer=glycin, - #aa:only apparmor4.1 + #aa:only apparmor>=4.1 priority=-1 @{bin}/bwrap Px -> glycin, @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index c3ceda83d8..0fc6c3f1cf 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -12,7 +12,7 @@ signal send set=kill peer=glycin, - #aa:only apparmor4.1 + #aa:only apparmor>=4.1 priority=-1 @{bin}/bwrap Px -> glycin, @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 0f15e17efd..288ea33db4 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -15,7 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile firefox @{exec_path} flags=(attach_disconnected) { include - include #aa:only apparmor4.1 + include #aa:only apparmor>=4.1 include include include @@ -34,7 +34,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, - #aa:only apparmor4.1 + #aa:only apparmor>=4.1 # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> firefox//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//loaders, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index fc40375bb6..846c802f68 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -15,7 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile thunderbird @{exec_path} flags=(attach_disconnected) { include - include #aa:only apparmor4.1 + include #aa:only apparmor>=4.1 include include include @@ -27,7 +27,7 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, - #aa:only apparmor4.1 + #aa:only apparmor>=4.1 # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> thunderbird//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//loaders, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 13409e6fc2..67bf2b0ec2 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -15,11 +15,11 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility -#aa:only apparmor4.1 +#aa:only apparmor>=4.1 @{p_dbus_system}={dbus-system,unconfined} @{p_dbus_session}={dbus-session,unconfined} -#aa:exclude apparmor4.1 +#aa:only apparmor<4.1 @{p_dbus_system}=dbus-system @{p_dbus_session}=dbus-session From 3ad39b114e7681c24fdbf71ef9d460c8ffb3b448 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:40:50 +0200 Subject: [PATCH 0809/1736] feat(tunable): precise the value of pci_id. --- apparmor.d/tunables/multiarch.d/system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index b29be3f0c8..c5178dcad8 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -57,7 +57,7 @@ # --------------- # Shortcut for PCI device -@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} +@{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h} @{pci_bus}=pci@{hex4}:@{hex2} @{pci}=@{pci_bus}/**/ From fb7b31aa7aa4136de271dc4db20c2e66447fa92d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:43:47 +0200 Subject: [PATCH 0810/1736] feat(abs): update paths in core bus abstraction. --- apparmor.d/abstractions/bus-accessibility | 2 +- apparmor.d/abstractions/bus-session | 2 +- apparmor.d/abstractions/bus-system | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index 70850b2ba1..739e9bb326 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -4,7 +4,7 @@ abi , - dbus send bus=accessibility path=/org/freedesktop/DBus + dbus send bus=accessibility path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index a1226d8e78..a714d8fcdb 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -6,7 +6,7 @@ unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, - dbus send bus=session path=/org/freedesktop/{dbus,DBus} + dbus send bus=session path=/{,org/freedesktop/{dbus,DBus}} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index d05c018c72..2f4a1eb3d5 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -6,7 +6,7 @@ unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system, - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), From 320d01346c98c811f6466c3703e69e388f781940 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:45:16 +0200 Subject: [PATCH 0811/1736] feat(abs): ensure gio-launch-desktop can be used in app/open. It is needed as this path is used in ubuntu. Needs priority, thus only for apparmor 4.1+ --- apparmor.d/abstractions/app/open | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 8dffc39b99..a7619f4380 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -23,6 +23,9 @@ @{bin}/gio-launch-desktop mrix, @{lib}/gio-launch-desktop mrix, + #aa:only apparmor>=4.1 + priority=-1 @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + @{bin}/env rix, @{sh_path} r, From bed408642c9cd31952fb53f5162cb0b3af92c936 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:48:34 +0200 Subject: [PATCH 0812/1736] feat(abs): add more sys input paths in the input abs. --- apparmor.d/abstractions/input | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input index 57905fd0cf..206a324457 100644 --- a/apparmor.d/abstractions/input +++ b/apparmor.d/abstractions/input @@ -7,12 +7,16 @@ abi , - # network netlink raw, - # Allow reading for supported event reports for all input devices. See # https://www.kernel.org/doc/Documentation/input/event-codes.txt @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/event@{int}/uevent r, + @{sys}/devices/**/input@{int}/properties r, + @{sys}/devices/**/input@{int}/uevent r, + @{sys}/devices/virtual/input/mice/uevent r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* From e331743741439372285a62bbab2b207d53ff32d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:49:42 +0200 Subject: [PATCH 0813/1736] feat(abs): add missing cache path from the new fontconfig-cache abs. --- apparmor.d/abstractions/fontconfig-cache | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache index 509c8a3ba1..5e5595d555 100644 --- a/apparmor.d/abstractions/fontconfig-cache +++ b/apparmor.d/abstractions/fontconfig-cache @@ -26,16 +26,19 @@ owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW r, owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} r, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW r, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, owner @{HOME}/.fontconfig/ r, owner @{HOME}/.fontconfig/CACHEDIR.TAG r, owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW r, owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, owner @{user_cache_dirs}/fontconfig/ r, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG r, # {,.NEW,.LCK,.TMP-*} r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, # {,.NEW,.LCK,.TMP-*} r, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to From f063272114205d9ed76eedf0ce68d0b5c68b2713 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:50:44 +0200 Subject: [PATCH 0814/1736] feat(abs): add more sys cpu paths. --- apparmor.d/abstractions/graphics | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index c4edd09b47..bbda70f291 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -14,21 +14,28 @@ @{sys}/bus/pci/devices/ r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/coherency_line_size r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/shared_cpu_map r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/type r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/ways_of_associativity r, @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpu@{int}/topology/thread_siblings r, + @{sys}/devices/system/cpu/cpu@{int}/topology/thread_siblings_list r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/online r, include if exists From 47031123c19320a3b97b58e4fc2b22a835f488be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:51:42 +0200 Subject: [PATCH 0815/1736] feat(abs): add goutputstream thumbnails. --- apparmor.d/abstractions/thumbnails-cache-write | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index e3b559418b..1cee5aefcb 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -9,6 +9,7 @@ owner @{user_cache_dirs}/thumbnails/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ w, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/.goutputstream-@{rand6} rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png wl, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} wl, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} w, From 759f03b807f0c465f70ec251ca6bb80b2acf0d39 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:52:44 +0200 Subject: [PATCH 0816/1736] feat(profile): add some missing rules to glycin. --- apparmor.d/groups/children/glycin | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 19ec6efb32..083979daa8 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -17,13 +17,19 @@ profile glycin flags=(attach_disconnected,complain) { include signal receive set=kill, + signal send set=kill peer=*//&glycin, + + ptrace read peer=*//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> &glycin//loaders, # Safe deny of inherited files from parent process. deny network inet dgram, deny network inet6 dgram, + deny network inet stream, + deny network inet6 stream, deny /usr/share/icons/** r, + deny /usr/share/nvidia/** r, deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, deny /opt/*/** rw, From 36161a4d62578f4a7e81d65f510f0463a394a036 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 00:56:35 +0200 Subject: [PATCH 0817/1736] feat(profile): update some gnome profiles. --- apparmor.d/groups/gnome/gjs | 18 ++++++++++++++++++ apparmor.d/groups/gnome/gnome-session-service | 1 + apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/nautilus | 7 +++++++ apparmor.d/groups/gnome/papers | 2 ++ 5 files changed, 29 insertions(+) diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 48dee288a8..156acf9768 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -88,6 +88,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { /usr/share/xkeyboard-config-2/{,**} r, /usr/share/thumbnailers/{,**} r, + owner @{gdm_cache_dirs}/gstreamer-1.0/ w, + owner @{gdm_cache_dirs}/gstreamer-@{int}.@{int}/ w, owner @{gdm_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, owner @{HOME}/ r, @@ -98,11 +100,27 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_share_dirs}/nautilus/scripts/ r, + # To register extensions + owner @{user_config_dirs}/**/NativeMessagingHosts/ r, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.extensions.*.json w, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.extensions.*.json.@{rand6} rw, + owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.*.desktop w, + owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.*.desktop.@{rand6} w, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.Extensions.*.service w, + owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.Extensions.*.service.@{rand6} rw, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.Extensions.*.svg w, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.Extensions.*.svg.@{rand6} w, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.Extensions.GSConnect.svg w, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.Extensions.GSConnect.svg.@{rand6} w, + owner @{user_desktop_dirs}/ r, owner @{user_templates_dirs}/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 2012b957d2..025c1b1de2 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -14,6 +14,7 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { include include include + include include #aa:dbus own bus=session name=org.gnome.SessionManager diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 76cdda644a..23d6ed50fd 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -364,6 +364,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/**/uevent r, @{sys}/bus/ r, + @{sys}/class/backlight/ r, @{sys}/class/hwmon/ r, @{sys}/class/input/ r, @{sys}/class/net/ r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 190c881da1..b087ed2f74 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,6 +28,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { unix type=stream peer=(label=gnome-shell), + signal send set=kill peer=gnome-desktop-thumbnailers, + #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @@ -129,6 +131,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{PROC}/@{pids}/net/wireless r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 6c4fe6f123..f01d32af5c 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -48,6 +48,8 @@ profile papers @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, profile open { From e6e9cc4434e81145de3ea24fe9af79956d6ea91c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 01:01:13 +0200 Subject: [PATCH 0818/1736] feat(tunable): add alias for rust utils. --- apparmor.d/tunables/alias.d/coreutils | 6 +- apparmor.d/tunables/alias.d/uutils | 122 ++++++++++++++++++++++++++ 2 files changed, 125 insertions(+), 3 deletions(-) create mode 100644 apparmor.d/tunables/alias.d/uutils diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils index 9fed4fefc8..d17d2de1b0 100644 --- a/apparmor.d/tunables/alias.d/coreutils +++ b/apparmor.d/tunables/alias.d/coreutils @@ -2,9 +2,9 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has -# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we -# provide aliases for all the coreutils names to their gnu* counterpart. +# In ubuntu 25.10, as gnutils and uutils are available, classic install paths +# are now link to one of these two implementations. To avoid breaking profiles, +# we provide aliases for all the coreutils names to their gnu* counterpart. alias /{,usr/}bin/dd -> /usr/bin/gnudd, alias /{,usr/}bin/tee -> /usr/bin/gnutee, diff --git a/apparmor.d/tunables/alias.d/uutils b/apparmor.d/tunables/alias.d/uutils new file mode 100644 index 0000000000..a67db7c57e --- /dev/null +++ b/apparmor.d/tunables/alias.d/uutils @@ -0,0 +1,122 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# In ubuntu 25.10, as gnutils and uutils are available, classic install paths +# are now link to one of these two implementations. To avoid breaking profiles, +# we provide aliases for all the coreutils names to their rust counterpart. + + alias /{,usr/}bin/mv -> /usr/lib/cargo/bin/coreutils/mv, + alias /{,usr/}bin/mkfifo -> /usr/lib/cargo/bin/coreutils/mkfifo, + alias /{,usr/}bin/dirname -> /usr/lib/cargo/bin/coreutils/dirname, + alias /{,usr/}bin/chown -> /usr/lib/cargo/bin/coreutils/chown, + alias /{,usr/}bin/whoami -> /usr/lib/cargo/bin/coreutils/whoami, + alias /{,usr/}bin/touch -> /usr/lib/cargo/bin/coreutils/touch, + alias /{,usr/}bin/expand -> /usr/lib/cargo/bin/coreutils/expand, + alias /{,usr/}bin/sha3sum -> /usr/lib/cargo/bin/coreutils/sha3sum, + alias /{,usr/}bin/od -> /usr/lib/cargo/bin/coreutils/od, + alias /{,usr/}bin/sum -> /usr/lib/cargo/bin/coreutils/sum, + alias /{,usr/}bin/fmt -> /usr/lib/cargo/bin/coreutils/fmt, + alias /{,usr/}bin/sync -> /usr/lib/cargo/bin/coreutils/sync, + alias /{,usr/}bin/dd -> /usr/lib/cargo/bin/coreutils/dd, + alias /{,usr/}bin/comm -> /usr/lib/cargo/bin/coreutils/comm, + alias /{,usr/}bin/chgrp -> /usr/lib/cargo/bin/coreutils/chgrp, + alias /{,usr/}bin/cksum -> /usr/lib/cargo/bin/coreutils/cksum, + alias /{,usr/}bin/dir -> /usr/lib/cargo/bin/coreutils/dir, + alias /{,usr/}bin/relpath -> /usr/lib/cargo/bin/coreutils/relpath, + alias /{,usr/}bin/base32 -> /usr/lib/cargo/bin/coreutils/base32, + alias /{,usr/}bin/ls -> /usr/lib/cargo/bin/coreutils/ls, + alias /{,usr/}bin/uniq -> /usr/lib/cargo/bin/coreutils/uniq, + alias /{,usr/}bin/tee -> /usr/lib/cargo/bin/coreutils/tee, + alias /{,usr/}bin/install -> /usr/lib/cargo/bin/coreutils/install, + alias /{,usr/}bin/link -> /usr/lib/cargo/bin/coreutils/link, + alias /{,usr/}bin/join -> /usr/lib/cargo/bin/coreutils/join, + alias /{,usr/}bin/cut -> /usr/lib/cargo/bin/coreutils/cut, + alias /{,usr/}bin/sha3-512sum -> /usr/lib/cargo/bin/coreutils/sha3-512sum, + alias /{,usr/}bin/basename -> /usr/lib/cargo/bin/coreutils/basename, + alias /{,usr/}bin/unlink -> /usr/lib/cargo/bin/coreutils/unlink, + alias /{,usr/}bin/true -> /usr/lib/cargo/bin/coreutils/true, + alias /{,usr/}bin/pinky -> /usr/lib/cargo/bin/coreutils/pinky, + alias /{,usr/}bin/logname -> /usr/lib/cargo/bin/coreutils/logname, + alias /{,usr/}bin/truncate -> /usr/lib/cargo/bin/coreutils/truncate, + alias /{,usr/}bin/stat -> /usr/lib/cargo/bin/coreutils/stat, + alias /{,usr/}bin/pwd -> /usr/lib/cargo/bin/coreutils/pwd, + alias /{,usr/}bin/id -> /usr/lib/cargo/bin/coreutils/id, + alias /{,usr/}bin/test -> /usr/lib/cargo/bin/coreutils/test, + alias /{,usr/}bin/realpath -> /usr/lib/cargo/bin/coreutils/realpath, + alias /{,usr/}bin/sha384sum -> /usr/lib/cargo/bin/coreutils/sha384sum, + alias /{,usr/}bin/nl -> /usr/lib/cargo/bin/coreutils/nl, + alias /{,usr/}bin/runcon -> /usr/lib/cargo/bin/coreutils/runcon, + alias /{,usr/}bin/rm -> /usr/lib/cargo/bin/coreutils/rm, + alias /{,usr/}bin/cat -> /usr/lib/cargo/bin/coreutils/cat, + alias /{,usr/}bin/dircolors -> /usr/lib/cargo/bin/coreutils/dircolors, + alias /{,usr/}bin/du -> /usr/lib/cargo/bin/coreutils/du, + alias /{,usr/}bin/printf -> /usr/lib/cargo/bin/coreutils/printf, + alias /{,usr/}bin/printenv -> /usr/lib/cargo/bin/coreutils/printenv, + alias /{,usr/}bin/mktemp -> /usr/lib/cargo/bin/coreutils/mktemp, + alias /{,usr/}bin/shake128sum -> /usr/lib/cargo/bin/coreutils/shake128sum, + alias /{,usr/}bin/ptx -> /usr/lib/cargo/bin/coreutils/ptx, + alias /{,usr/}bin/uname -> /usr/lib/cargo/bin/coreutils/uname, + alias /{,usr/}bin/md5sum -> /usr/lib/cargo/bin/coreutils/md5sum, + alias /{,usr/}bin/rmdir -> /usr/lib/cargo/bin/coreutils/rmdir, + alias /{,usr/}bin/sha3-384sum -> /usr/lib/cargo/bin/coreutils/sha3-384sum, + alias /{,usr/}bin/expr -> /usr/lib/cargo/bin/coreutils/expr, + alias /{,usr/}bin/factor -> /usr/lib/cargo/bin/coreutils/factor, + alias /{,usr/}bin/arch -> /usr/lib/cargo/bin/coreutils/arch, + alias /{,usr/}bin/numfmt -> /usr/lib/cargo/bin/coreutils/numfmt, + alias /{,usr/}bin/[ -> /usr/lib/cargo/bin/coreutils/[, + alias /{,usr/}bin/echo -> /usr/lib/cargo/bin/coreutils/echo, + alias /{,usr/}bin/tail -> /usr/lib/cargo/bin/coreutils/tail, + alias /{,usr/}bin/chmod -> /usr/lib/cargo/bin/coreutils/chmod, + alias /{,usr/}bin/sort -> /usr/lib/cargo/bin/coreutils/sort, + alias /{,usr/}bin/pathchk -> /usr/lib/cargo/bin/coreutils/pathchk, + alias /{,usr/}bin/shake256sum -> /usr/lib/cargo/bin/coreutils/shake256sum, + alias /{,usr/}bin/who -> /usr/lib/cargo/bin/coreutils/who, + alias /{,usr/}bin/mkdir -> /usr/lib/cargo/bin/coreutils/mkdir, + alias /{,usr/}bin/cp -> /usr/lib/cargo/bin/coreutils/cp, + alias /{,usr/}bin/date -> /usr/lib/cargo/bin/coreutils/date, + alias /{,usr/}bin/hashsum -> /usr/lib/cargo/bin/coreutils/hashsum, + alias /{,usr/}bin/basenc -> /usr/lib/cargo/bin/coreutils/basenc, + alias /{,usr/}bin/tsort -> /usr/lib/cargo/bin/coreutils/tsort, + alias /{,usr/}bin/hostid -> /usr/lib/cargo/bin/coreutils/hostid, + alias /{,usr/}bin/sleep -> /usr/lib/cargo/bin/coreutils/sleep, + alias /{,usr/}bin/pr -> /usr/lib/cargo/bin/coreutils/pr, + alias /{,usr/}bin/ln -> /usr/lib/cargo/bin/coreutils/ln, + alias /{,usr/}bin/sha256sum -> /usr/lib/cargo/bin/coreutils/sha256sum, + alias /{,usr/}bin/nohup -> /usr/lib/cargo/bin/coreutils/nohup, + alias /{,usr/}bin/unexpand -> /usr/lib/cargo/bin/coreutils/unexpand, + alias /{,usr/}bin/nproc -> /usr/lib/cargo/bin/coreutils/nproc, + alias /{,usr/}bin/csplit -> /usr/lib/cargo/bin/coreutils/csplit, + alias /{,usr/}bin/sha3-224sum -> /usr/lib/cargo/bin/coreutils/sha3-224sum, + alias /{,usr/}bin/env -> /usr/lib/cargo/bin/coreutils/env, + alias /{,usr/}bin/fold -> /usr/lib/cargo/bin/coreutils/fold, + alias /{,usr/}bin/groups -> /usr/lib/cargo/bin/coreutils/groups, + alias /{,usr/}bin/nice -> /usr/lib/cargo/bin/coreutils/nice, + alias /{,usr/}bin/readlink -> /usr/lib/cargo/bin/coreutils/readlink, + alias /{,usr/}bin/shuf -> /usr/lib/cargo/bin/coreutils/shuf, + alias /{,usr/}bin/head -> /usr/lib/cargo/bin/coreutils/head, + alias /{,usr/}bin/stdbuf -> /usr/lib/cargo/bin/coreutils/stdbuf, + alias /{,usr/}bin/wc -> /usr/lib/cargo/bin/coreutils/wc, + alias /{,usr/}bin/tac -> /usr/lib/cargo/bin/coreutils/tac, + alias /{,usr/}bin/base64 -> /usr/lib/cargo/bin/coreutils/base64, + alias /{,usr/}bin/sha224sum -> /usr/lib/cargo/bin/coreutils/sha224sum, + alias /{,usr/}bin/timeout -> /usr/lib/cargo/bin/coreutils/timeout, + alias /{,usr/}bin/sha1sum -> /usr/lib/cargo/bin/coreutils/sha1sum, + alias /{,usr/}bin/df -> /usr/lib/cargo/bin/coreutils/df, + alias /{,usr/}bin/tty -> /usr/lib/cargo/bin/coreutils/tty, + alias /{,usr/}bin/false -> /usr/lib/cargo/bin/coreutils/false, + alias /{,usr/}bin/split -> /usr/lib/cargo/bin/coreutils/split, + alias /{,usr/}bin/yes -> /usr/lib/cargo/bin/coreutils/yes, + alias /{,usr/}bin/b2sum -> /usr/lib/cargo/bin/coreutils/b2sum, + alias /{,usr/}bin/sha3-256sum -> /usr/lib/cargo/bin/coreutils/sha3-256sum, + alias /{,usr/}bin/chroot -> /usr/lib/cargo/bin/coreutils/chroot, + alias /{,usr/}bin/mknod -> /usr/lib/cargo/bin/coreutils/mknod, + alias /{,usr/}bin/vdir -> /usr/lib/cargo/bin/coreutils/vdir, + alias /{,usr/}bin/chcon -> /usr/lib/cargo/bin/coreutils/chcon, + alias /{,usr/}bin/shred -> /usr/lib/cargo/bin/coreutils/shred, + alias /{,usr/}bin/stty -> /usr/lib/cargo/bin/coreutils/stty, + alias /{,usr/}bin/tr -> /usr/lib/cargo/bin/coreutils/tr, + alias /{,usr/}bin/sha512sum -> /usr/lib/cargo/bin/coreutils/sha512sum, + alias /{,usr/}bin/seq -> /usr/lib/cargo/bin/coreutils/seq, + alias /{,usr/}bin/users -> /usr/lib/cargo/bin/coreutils/users, + alias /{,usr/}bin/paste -> /usr/lib/cargo/bin/coreutils/paste, From 56e0470947d03798748de250694ec6fca9f5b7c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 20:50:07 +0200 Subject: [PATCH 0819/1736] feat(tunable): add rust utils paths to coreutils_path --- apparmor.d/tunables/multiarch.d/paths | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index c3db2c200b..dc793e27d3 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -13,6 +13,7 @@ # Coreutils programs that should not have dedicated profile @{coreutils_path} = @{bin}/@{coreutils} @{coreutils_path} += @{bin}/gnu@{coreutils} #aa:only ubuntu +@{coreutils_path} += @{lib}/cargo/bin/coreutils/@{coreutils} #aa:only ubuntu # Python interpreters @{python_path} = @{bin}/@{python_name} From 631918403408dec607084db7ec82abb0e7c91350 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 21:03:41 +0200 Subject: [PATCH 0820/1736] feat(profile): add more terminal from xdg-terminal-exec --- apparmor.d/groups/freedesktop/xdg-terminal-exec | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/xdg-terminal-exec b/apparmor.d/groups/freedesktop/xdg-terminal-exec index b79985c9a1..016f9b17f0 100644 --- a/apparmor.d/groups/freedesktop/xdg-terminal-exec +++ b/apparmor.d/groups/freedesktop/xdg-terminal-exec @@ -22,6 +22,7 @@ profile xdg-terminal-exec @{exec_path} flags=(attach_disconnected) { @{bin}/tr ix, @{bin}/gnome-terminal Px, + @{bin}/ptyxis Px, /usr/share/xdg-terminal-exec/{,**} r, From 9dc78f16526c6db6457de78ef31460c0f7921d02 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 21:37:48 +0200 Subject: [PATCH 0821/1736] fix(profiles): ensure @{att} does not add up / apparmor does not handle resolution of multiple / such as // or /// well. It cause issues when attached path is not enabled (on ubuntu). Simply setting the value as `@{att}@{run}` solves the issue. It only applies when @{att} is attached to another variable. (// also define namespace) --- apparmor.d/abstractions/app/systemctl | 2 +- apparmor.d/abstractions/attached/base | 6 +++--- apparmor.d/abstractions/bus-system | 3 +-- apparmor.d/abstractions/bwrap | 16 ++++++++-------- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/wine | 6 +++--- apparmor.d/groups/_full/sd | 16 ++++++++-------- apparmor.d/groups/_full/systemd | 6 +++--- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- .../groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/bus/dbus-system | 12 ++++++------ apparmor.d/groups/flatpak/flatpak | 3 +-- apparmor.d/groups/flatpak/flatpak-app | 2 +- apparmor.d/groups/flatpak/flatpak-portal | 4 ++-- apparmor.d/groups/freedesktop/boltd | 2 +- apparmor.d/groups/freedesktop/colord | 4 ++-- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 8 ++++---- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 4 ++-- apparmor.d/groups/gnome/gnome-session-service | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/lxqt/lxqt-session | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/network/netplan | 2 +- apparmor.d/groups/network/netplan-generate | 2 +- apparmor.d/groups/polkit/polkitd | 8 ++++---- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshd-session | 2 +- apparmor.d/groups/systemd/networkctl | 3 +-- apparmor.d/groups/systemd/systemd-coredump | 3 +-- apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 6 +++--- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-oomd | 4 ++-- apparmor.d/groups/systemd/systemd-resolved | 2 +- apparmor.d/groups/systemd/systemd-timedated | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- apparmor.d/groups/systemd/systemd-udevd | 4 ++-- apparmor.d/groups/systemd/systemd-userdbd | 8 ++++---- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/utils/login | 2 +- apparmor.d/groups/utils/uuidd | 2 +- apparmor.d/groups/virt/cockpit-tls | 4 ++-- apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/groups/virt/virtinterfaced | 2 +- apparmor.d/groups/virt/virtlogd | 2 +- apparmor.d/groups/virt/virtnetworkd | 2 +- apparmor.d/groups/virt/virtnodedevd | 2 +- apparmor.d/groups/virt/virtsecretd | 2 +- apparmor.d/groups/virt/virtstoraged | 2 +- apparmor.d/groups/xfce/xfce-power-manager | 2 +- apparmor.d/groups/xfce/xfce-screensaver | 2 +- apparmor.d/profiles-a-f/auditd | 2 +- apparmor.d/profiles-a-f/fprintd | 2 +- apparmor.d/profiles-a-f/fwupd | 4 ++-- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-m-r/mission-control | 2 +- apparmor.d/profiles-m-r/needrestart | 2 +- apparmor.d/profiles-m-r/nvtop | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/wechat-universal | 2 +- 80 files changed, 124 insertions(+), 128 deletions(-) diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index b707add4d0..4a7fb4aafe 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -15,7 +15,7 @@ @{bin}/systemctl mr, - @{att}/@{run}/systemd/private rw, + @{att}@{run}/systemd/private rw, owner @{run}/systemd/private rw, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 8741942ff3..1ec3cda82b 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -10,9 +10,9 @@ include - @{att}/@{run}/systemd/journal/dev-log w, - @{att}/@{run}/systemd/journal/socket w, - @{att}/@{run}/systemd/journal/stdout rw, + @{att}@{run}/systemd/journal/dev-log w, + @{att}@{run}/systemd/journal/socket w, + @{att}@{run}/systemd/journal/stdout rw, @{att}/dev/null rw, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 2f4a1eb3d5..b68b6159df 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -11,8 +11,7 @@ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - @{run}/dbus/system_bus_socket rw, - @{att}/@{run}/dbus/system_bus_socket rw, + @{att}@{run}/dbus/system_bus_socket rw, include if exists diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap index 5db3ed3924..b1070402b9 100644 --- a/apparmor.d/abstractions/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -52,7 +52,7 @@ owner / r, @{att}/ r, - @{att}/@{run}/.userns r, + @{att}@{run}/.userns r, @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @@ -60,13 +60,13 @@ @{PROC}/sys/kernel/seccomp/actions_avail r, owner @{PROC}/@{pid}/fd/ r, - @{att}/@{PROC}/sys/user/max_user_namespaces rw, - owner @{att}/@{PROC}/@{pid}/cgroup r, - owner @{att}/@{PROC}/@{pid}/fd/ r, - owner @{att}/@{PROC}/@{pid}/gid_map rw, - owner @{att}/@{PROC}/@{pid}/mountinfo r, - owner @{att}/@{PROC}/@{pid}/setgroups rw, - owner @{att}/@{PROC}/@{pid}/uid_map rw, + @{att}@{PROC}/sys/user/max_user_namespaces rw, + owner @{att}@{PROC}/@{pid}/cgroup r, + owner @{att}@{PROC}/@{pid}/fd/ r, + owner @{att}@{PROC}/@{pid}/gid_map rw, + owner @{att}@{PROC}/@{pid}/mountinfo r, + owner @{att}@{PROC}/@{pid}/setgroups rw, + owner @{att}@{PROC}/@{pid}/uid_map rw, include if exists diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 28badc6dbf..688e08674e 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -70,7 +70,7 @@ owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 145cd763a0..a26488ee69 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,9 +9,9 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{att}/@{tmp}/.wine-@{uid}/ rw, - owner @{att}/@{tmp}/.wine-@{uid}/** rwk, - owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{att}@{tmp}/.wine-@{uid}/ rw, + owner @{att}@{tmp}/.wine-@{uid}/** rwk, + owner @{att}@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 93d3e362c0..ab2eb488c5 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -173,14 +173,14 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, - @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, - - @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, - @{att}/@{run}/systemd/notify rw, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Home rw, - @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{att}@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}@{user_share_dirs}/icc/edid-@{hex32}.icc r, + + @{att}@{run}/systemd/io.systemd.ManagedOOM rw, + @{att}@{run}/systemd/notify rw, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}@{run}/systemd/userdb/io.systemd.Home rw, + @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/ rw, @{run}/* rw, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d1ee8fd1f0..c557e211b6 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -157,9 +157,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { owner /tmp/systemd-private-*/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - @{att}/@{run}/systemd/journal/dev-log r, - @{att}/@{run}/systemd/journal/socket r, - @{att}/@{run}/systemd/notify r, + @{att}@{run}/systemd/journal/dev-log r, + @{att}@{run}/systemd/journal/socket r, + @{att}@{run}/systemd/notify r, @{run}/ rw, @{run}/* rw, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 31b539dcd8..d401e3f28d 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -154,7 +154,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt.conf.* rw, owner @{tmp}/apt.data.* rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 94a10b0755..11c0ca8032 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -93,7 +93,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/periodic/ w, /var/log/apt/*.log* rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index f7b94d68dd..05bc97948a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -28,7 +28,7 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { owner /var/log/unattended-upgrades/*.log* rw, - owner @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index a2ee182bf8..0ede85b4f2 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -64,16 +64,16 @@ profile dbus-system flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - @{att}/@{desktop_share_dirs}/icc/ r, - @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{att}/@{user_share_dirs}/icc/ r, - @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}@{desktop_share_dirs}/icc/ r, + @{att}@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}@{user_share_dirs}/icc/ r, + @{att}@{user_share_dirs}/icc/edid-@{hex32}.icc r, # Dbus can receive any user files @{HOME}/** r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/systemd/notify w, @{run}/systemd/users/@{int} r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 906069b8cc..939650d82d 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -127,8 +127,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{tmp}/remote-summary.@{rand6} rw, owner /dev/shm/flatpak*/{,**} rw, - @{run}/.userns r, - @{att}/@{run}/.userns r, + @{att}@{run}/.userns r, @{run}/user/@{uid}/.dbus-proxy/ w, @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 7fcd7d8a89..09062fd059 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -87,7 +87,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - owner @{att}/@{HOME}/.var/app/** rwlkmix, + owner @{att}@{HOME}/.var/app/** rwlkmix, @{run}/parent/** r, @{run}/parent/app/.ref rk, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 97f9f4911c..55b6a509f4 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -39,8 +39,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner /att/**/ r, owner @{att}/.flatpak-info r, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 60dddbedfc..4378f584cb 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -25,7 +25,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, - @{att}/@{run}/systemd/notify w, + @{att}@{run}/systemd/notify w, @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index e527f462ea..2f3d976a7a 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -45,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 3d79c706fb..ab61df1ab0 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -50,7 +50,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/hid/devices/ r, @{sys}/class/input/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 031f03ac41..9275cb918a 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -30,11 +30,11 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner @{att}/@{HOME}/.var/app/** r, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}@{HOME}/.var/app/** r, + owner @{att}@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index ca83c2fa2f..6f7aca9864 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -119,7 +119,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{run}/gdm{3,}/dbus/ w, owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/cockpit/active.motd r, @{run}/faillock/@{user} rwk, @{run}/fscrypt/ rw, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 2f9795cebd..55c6006637 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -49,7 +49,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index afc90128b6..db0cab6031 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -73,8 +73,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 025c1b1de2..2e94eaf995 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -44,8 +44,8 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/systemd/sessions/@{int} r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, owner @{run}/user/@{uid}/systemd/notify w, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 23d6ed50fd..328a3bb4e5 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -339,7 +339,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index d8f3c3f008..06771b2bf2 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -122,7 +122,7 @@ profile gnome-software @{exec_path} { owner /dev/shm/flatpak-com.*/ rw, owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index f81a3698fe..9400f8040d 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -49,7 +49,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 8594fe8d55..06ce5b9fd4 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -59,7 +59,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 7d6daeda62..7e40a42693 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -60,7 +60,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/mount/utab r, owner @{run}/user/@{uid}kcrash_@{int} rw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 09a228e29d..250249f39a 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -71,7 +71,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/@{rand6} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, /dev/tty r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 276f332626..848234dead 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -115,7 +115,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 1b8930f06c..bedd380e3a 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -179,7 +179,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/sddm-auth* rw, - @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/faillock/@{user} rwk, @{run}/sddm.pid rw, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 910ea7c5fd..b2c6c70f75 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -66,7 +66,7 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_config_dirs}/openbox/rc.xml r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/ r, @{PROC}/uptime r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 22b94effd5..3e22db6c4e 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -39,7 +39,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n@{int} r, # For network interfaces - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index b5262263f3..a3a7bb61ce 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -136,7 +136,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/rfkill/ r, @{sys}/class/rfkill/ r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/resolve/io.systemd.Resolve rw, @{run}/netplan/ r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 133e4bc00e..b167d59235 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -29,7 +29,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/mullvad-vpn rw, diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index a0fad0a937..18559ba57a 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -33,7 +33,7 @@ profile netplan @{exec_path} flags=(attach_disconnected) { capability net_admin, - @{att}/@{run}/udev/control rw, + @{att}@{run}/udev/control rw, @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index cea17b81cb..67b8a3a17b 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -61,7 +61,7 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { capability net_admin, - @{att}/@{run}/systemd/private rw, + @{att}@{run}/systemd/private rw, include if exists } diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index fa00311cd7..f91bb57eb0 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -55,10 +55,10 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Home rw, - @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{att}@{run}/systemd/notify w, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}@{run}/systemd/userdb/io.systemd.Home rw, + @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 633076ad6a..2476a4c5a1 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -107,7 +107,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, - @{att}/@{run}/systemd/sessions/@{int}.ref rw, + @{att}@{run}/systemd/sessions/@{int}.ref rw, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index ab86f3ad17..2b556041e8 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -73,7 +73,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/{,motd*} rw, - @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{att}@{run}/systemd/sessions/@{int}.ref w, @{run}/cockpit/active.issue r, @{run}/motd.d/{,*} r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 1a65a4ff63..b5a8f92fb7 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -51,8 +51,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, - @{run}/systemd/netif/io.systemd.Network rw, - @{att}/@{run}/systemd/netif/io.systemd.Network rw, + @{att}@{run}/systemd/netif/io.systemd.Network rw, @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index dd3a21bc23..5a0ffbaa90 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -51,8 +51,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, - @{att}/@{run}/systemd/coredump rw, - @{run}/systemd/coredump rw, + @{att}@{run}/systemd/coredump rw, @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 8fae34b296..764dff6c8f 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -32,7 +32,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/machine-info rw, /etc/os-release r, - @{att}/@{run}/systemd/notify rw, + @{att}@{run}/systemd/notify rw, @{run}/systemd/default-hostname rw, @{run}/udev/data/+dmi:* r, # for motherboard info diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index ae475ff48a..d5b12d462a 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -20,7 +20,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index cefab3890f..7a4f625651 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -53,7 +53,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, /etc/X11/xorg.conf.d/*.conf rw, - @{att}/@{run}/systemd/notify rw, + @{att}@{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index e5f927ba6d..bae6e366f7 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -89,9 +89,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{att}@{run}/systemd/notify w, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/* rwlk, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 7bf649327d..1dedb69adf 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -57,7 +57,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, - @{att}/@{run}/systemd/notify rw, + @{att}@{run}/systemd/notify rw, @{run}/mount/utab r, @{run}/systemd/resolve/resolv.conf r, diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index ce61dba23e..61d7112452 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -24,8 +24,8 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{att}@{run}/systemd/notify w, + @{att}@{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 8f4b5bc579..a6139cc7b4 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -36,7 +36,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, - @{att}/@{run}/systemd/notify w, + @{att}@{run}/systemd/notify w, @{run}/systemd/netif/links/* r, @{run}/systemd/resolve/{,**} rw, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index b65f2b7afa..80b4ebadfd 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -43,7 +43,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, - @{att}/@{run}/systemd/notify rw, + @{att}@{run}/systemd/notify rw, /dev/rtc@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 2ac7f09fb5..55a76f63a2 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -34,7 +34,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, - @{att}/@{run}/systemd/notify rw, + @{att}@{run}/systemd/notify rw, @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index a40f1d1608..dffe20da43 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -104,8 +104,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/udev/control rw, + @{att}@{run}/systemd/notify w, + @{att}@{run}/udev/control rw, @{run}/udev/ rw, @{run}/udev/** rwk, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index cb14a2c710..47c0808721 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -31,10 +31,10 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/machine-id r, /etc/userdb/{,**} r, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Home rw, - @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, + @{att}@{run}/systemd/notify w, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}@{run}/systemd/userdb/io.systemd.Home rw, + @{att}@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, @{run}/userdb/ r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 873f06b675..dc73291e2b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -68,7 +68,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index cf9663e8e4..7b1755b20b 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -59,7 +59,7 @@ profile login @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/motd.legal-displayed rw, - @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{att}@{run}/systemd/sessions/@{int}.ref w, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/faillock/@{user} rwk, diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 52f52b4a29..affe5e8fc4 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -20,7 +20,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, owner /var/lib/libuuid/clock-cont.txt rwk, - @{att}/@{run}/uuidd/request rw, + @{att}@{run}/uuidd/request rw, @{run}/uuidd/request rw, @{run}/uuidd/uuidd.pid rwk, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 8a345588aa..45aa0fabf3 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,8 +17,8 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, - @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, - @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + @{att}@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, + @{att}@{run}/cockpit/wsinstance/https-factory.sock rw, owner @{run}/cockpit/tls/{,**} rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index d90dbe8fe8..c64682cd86 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -83,7 +83,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { # TODO: should be in a sub profile started with pivot_root, not supported yet. /{,**} rwl, #aa:only apt - @{att}/@{lib}/containerd/** rw, + @{att}@{lib}/containerd/** rw, @{att}/var/lib/docker/{,**} rwk, /etc/docker/{,**} r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index aae554b929..6f4b8c4893 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -167,7 +167,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/ rw, @{run}/libvirt/** rwk, diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced index 4737dd806f..6954bdd4ba 100644 --- a/apparmor.d/groups/virt/virtinterfaced +++ b/apparmor.d/groups/virt/virtinterfaced @@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) { @{lib}/gconv/gconv-modules rm, @{lib}/gconv/gconv-modules.d/{,*} r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/interface/ rw, owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index d362ad1088..9982446b90 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -28,7 +28,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/common/system.token rwk, @{run}/libvirt/virtlogd-sock rw, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 2d7df07b64..63e1314a94 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -24,7 +24,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libvirt/dnsmasq/*.macs* rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/network/default.pid r, @{run}/utmp rk, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 4034018f8d..cfa1f0f5f5 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -32,7 +32,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /etc/libvirt/*.conf r, /etc/mdevctl.d/{,**} r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/nodedev/ rw, diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd index 9b3e7dda45..5b8b10cc91 100644 --- a/apparmor.d/groups/virt/virtsecretd +++ b/apparmor.d/groups/virt/virtsecretd @@ -20,7 +20,7 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libvirt/secrets/ rw, owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/secrets/ rw, diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 00565fcf5b..74509f49b4 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -54,7 +54,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/libvirt/storage/{,**} rwk, owner @{run}/virtstoraged.pid rwk, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rwk, diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 11ccca455a..6699a7116b 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -27,7 +27,7 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e9e19cca58..b75dcceee2 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -28,7 +28,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/xfce4-screensavers.menu r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 41fb158c09..0f995aebfc 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -27,7 +27,7 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /var/log/audit/{,**} rw, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 924fe4bc61..649457bb3b 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -28,7 +28,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /var/lib/fprint/{,**} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 65793364d8..20a68d90fd 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -83,7 +83,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, - @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, + @{att}@{user_cache_dirs}/gnome-software/fwupd/{,**} r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @@ -104,7 +104,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, @{sys}/power/mem_sleep r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/motd.d/ r, @{run}/motd.d/@{int}-fwupd* rw, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index ff2ffe6b87..3d1b30eeaa 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -36,7 +36,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index bf6c550939..9ff89a1e23 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -25,7 +25,7 @@ profile mission-control @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, owner @{user_cache_dirs}/.mc_connections rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index a09008ac3c..45f89c13de 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -47,7 +47,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/* r, @{lib}/** r, @{sbin}/** r, - @{att}/@{lib}/** r, + @{att}@{lib}/** r, /usr/share/** r, /var/lib/*/** r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 96634e7bc5..0bdd9d924a 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -23,7 +23,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/nvtop/{,**} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 5bf1f3115a..51a426acc9 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -93,7 +93,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner @{tmp}/packagekit* rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 2ff7b4e710..8eec05a1b7 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -57,7 +57,7 @@ profile psi @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index f72147cc6f..451414e724 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -57,7 +57,7 @@ profile psi-plus @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 53f3d20b16..ad460ef424 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -44,7 +44,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, @{open_path} rPx -> child-open-strict, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 5cdda4994c..7d03f14b7f 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -37,7 +37,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-strict, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/speech-dispatcher/speechd.sock rw, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 72e2d0adda..3e850a7de5 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -47,7 +47,7 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, @{PROC}/@{pid}/net/route r, From a4e89f41046f64f79d38540aea36c5d13f79570e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 22:07:01 +0200 Subject: [PATCH 0822/1736] feat(profile): genera profiles update. --- apparmor.d/groups/pacman/pacman | 4 ++- apparmor.d/groups/procps/htop | 10 +++--- apparmor.d/groups/systemd/systemd-fsckd | 2 ++ apparmor.d/groups/virt/cockpit-session | 31 +++++++++++++------ apparmor.d/groups/virt/libvirtd | 22 +++++++++++-- apparmor.d/profiles-g-l/glib-compile-schemas | 7 +++-- apparmor.d/profiles-g-l/localsend | 12 +++++-- .../profiles-m-r/needrestart-dpkg-status | 3 +- apparmor.d/profiles-s-z/spice-vdagent | 9 ++++-- apparmor.d/profiles-s-z/superproductivity | 10 ++++-- apparmor.d/profiles-s-z/terminator | 5 +++ 11 files changed, 85 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 41b45c9d0e..59fd4a689c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -12,7 +12,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include include - include include capability audit_write, @@ -169,6 +168,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { profile systemctl flags=(attach_disconnected) { include include + include capability net_admin, capability dac_read_search, @@ -211,6 +211,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, + @{bin}/killall mr, @{bin}/pkill mr, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index e48d055838..9fa77c53e2 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -36,9 +36,7 @@ profile htop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/* rw, - @{sys}/bus/dax/devices/ r, - @{sys}/bus/i2c/devices/ r, - @{sys}/bus/soc/devices/ r, + @{sys}/bus/*/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, @@ -106,8 +104,9 @@ profile htop @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_adj r, @{PROC}/@{pids}/oom_score r, + @{PROC}/@{pids}/oom_score_adj r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, @{PROC}/@{pids}/status r, @@ -121,8 +120,9 @@ profile htop @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/task/@{tid}/comm r, @{PROC}/@{pids}/task/@{tid}/environ r, @{PROC}/@{pids}/task/@{tid}/io r, - @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, + @{PROC}/@{pids}/task/@{tid}/oom_adj r, @{PROC}/@{pids}/task/@{tid}/oom_score r, + @{PROC}/@{pids}/task/@{tid}/oom_score_adj r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/@{pids}/task/@{tid}/statm r, @{PROC}/@{pids}/task/@{tid}/status r, diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 7abde7c908..ea7170b6b5 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -16,6 +16,8 @@ profile systemd-fsckd @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_tty_config, + unix type=stream peer=(addr=@/org/freedesktop/plymouthd), + @{exec_path} mr, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index ba51fc8a50..d0c5d86fc1 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -30,7 +30,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, @{bin}/ssh-agent rPx, - @{bin}/ssh-add rix, + @{bin}/ssh-add rCx -> ssh-add, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -41,13 +41,6 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, - @{att}/@{run}/systemd/sessions/*.ref rw, - - @{run}/cockpit/* r, - @{run}/faillock/@{user} rwk, - @{run}/motd.d/{,*} r, - @{run}/utmp rwk, - /var/log/btmp rw, /var/log/lastlog rw, /var/log/wtmp rwk, @@ -56,12 +49,32 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /var/lib/lastlog/lastlog2.db rwk, /var/lib/lastlog/lastlog2.db-journal rw, + @{att}@{run}/systemd/sessions/*.ref rw, + + @{run}/cockpit/* r, + @{run}/faillock/@{user} rwk, + @{run}/motd.d/{,*} r, + @{run}/utmp rwk, + + @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, - @{PROC}/@{pids}/fd/ r, /dev/tty rw, + profile ssh-add flags=(attach_disconnected) { + include + + @{bin}/ssh-add mr, + + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + + owner @{tmp}/ssh-@{rand12}/ rw, + owner @{tmp}/ssh-@{rand12}/agent.@{int} rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 6f4b8c4893..bcc562fa25 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -98,6 +98,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + # include + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -185,24 +191,34 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/drivers/*/unbind w, @{sys}/class/[a-z]*/ r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/{class,revision,subsystem_vendor,subsystem_device} r, - @{sys}/devices/@{pci}/{config,numa_node,device,vendor} r, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/config r, + @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/driver_override w, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, @{sys}/devices/@{pci}/mdev_supported_types/*/create w, @{sys}/devices/@{pci}/net/*/{,**} r, + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/@{pci}/remove w, @{sys}/devices/@{pci}/resource r, + @{sys}/devices/@{pci}/revision r, @{sys}/devices/@{pci}/sriov_totalvfs r, + @{sys}/devices/@{pci}/subsystem_device r, + @{sys}/devices/@{pci}/subsystem_vendor r, + @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/@{pci}/distance r, + @{sys}/devices/@{pci}/meminfo r, @{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r, @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r, @{sys}/devices/system/cpu/isolated r, @{sys}/devices/system/cpu/present r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/ r, - @{sys}/devices/system/node/node@{int}/{cpumap,distance,meminfo} r, + @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/system/node/node@{int}/distance r, @{sys}/devices/system/node/node@{int}/hugepages/{,**} r, + @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/* r, @{sys}/devices/virtual/net/{,**} rw, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 06a3c12d45..9a5f24a081 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -16,9 +16,10 @@ profile glib-compile-schemas @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/{,*} r, - /usr/share/glib-2.0/schemas/gschemas.compiled.@{rand6} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled rw, + @{system_share_dirs}/ r, + @{system_share_dirs}/glib-2.0/schemas/{,*} r, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled rw, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled.@{rand6} rw, /usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend index ad2e23fc63..2509b3621b 100644 --- a/apparmor.d/profiles-g-l/localsend +++ b/apparmor.d/profiles-g-l/localsend @@ -11,13 +11,19 @@ profile localsend @{exec_path} { include include include + include include include + include + include + include include -# --system-talk-name=org.freedesktop.NetworkManager -# - --system-talk-name=org.freedesktop.hostname1 -# --talk-name=org.kde.StatusNotifierWatcher + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status index 3d54f896db..e596abc1d9 100644 --- a/apparmor.d/profiles-m-r/needrestart-dpkg-status +++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status @@ -11,7 +11,8 @@ profile needrestart-dpkg-status @{exec_path} { include include - capability dac_read_search, + capability dac_read_search, + capability sys_admin, # optional: no audit @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 2af3f99ae8..15a9111de3 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -16,7 +16,10 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include + include + include include + include include include include @@ -31,17 +34,17 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, - owner @{desktop_config_dirs}/user-dirs.dirs r, - + @{run}/mount/utab r, @{run}/spice-vdagentd/spice-vdagent-sock rw, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pids}/task/@{tid}/comm rw, /dev/udmabuf rw, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 7d03f14b7f..a2480f1d7b 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -34,8 +34,14 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/speech-dispatcher rPx, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{bin}/gdbus rix, + @{bin}/speech-dispatcher rPx, + @{bin}/which{,.debianutils} rix, + @{open_path} rPx -> child-open-strict, + + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> superproductivity//&xdg-settings, @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 769771b6a9..e5d6499742 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -46,6 +46,11 @@ profile terminator @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{PROC}/ r, @{PROC}/@{pid}/net/tcp{,6} r, @{PROC}/@{pid}/net/udp{,6} r, From 7dac74b4219d6bfb893087ddcd6a1447ba3b5835 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 22:08:56 +0200 Subject: [PATCH 0823/1736] feat(abs): deny pycache update outside of pycompile --- apparmor.d/abstractions/python.d/complete | 7 ++++++- apparmor.d/profiles-m-r/pycompile | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index e372c312c2..e9b1f8c207 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -4,7 +4,7 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/ r, - @{python_path} rm, + @{python_path} mr, owner @{user_lib_dirs}/@{python_name}/ r, owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, @@ -12,4 +12,9 @@ owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r, owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r, + #aa:only apparmor>=4.1 + # Normal python run do not need to update pycache files. It is done by pycompile. + deny @{lib}/@{python_name}/{,**/}__pycache__/ w, + deny @{lib}/@{python_name}/{,**/}__pycache__/**.pyc.@{u64} w, + # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 348fefbc24..6c9e6b6d74 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -11,6 +11,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include include include + include include capability dac_override, @@ -21,7 +22,6 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - #aa:only apparmor4.1 priority=1 @{lib}/@{python_name}/**/__pycache__/ w, priority=1 @{lib}/@{python_name}/**/__pycache__/*.pyc w, priority=1 @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, @@ -30,6 +30,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { / r, @{bin}/ r, + @{sbin}/ r, profile dpkg { include From 099c8a918f1cedd3cf0a417f859d6dee718b5b1e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 22:18:51 +0200 Subject: [PATCH 0824/1736] doc: recommend using earlypolicy by default. All tests VM have been using it for years Since systemd 258 it has been supported in archlinux as well. It will be **required** soon. --- docs/install.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/install.md b/docs/install.md index a56599c221..2c1ee1fcf2 100644 --- a/docs/install.md +++ b/docs/install.md @@ -42,10 +42,19 @@ The following desktop environments are supported: ## Configure AppArmor -As there are a lot of rules (~80k lines), it is recommended to enable fast caching compression of AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`: +As there are a lot of rules (~100k lines), it is recommended to enable fast caching compression of AppArmor profiles. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. +In `/etc/apparmor/parser.conf` ensure you have: +``` +write-cache +cache-loc /etc/apparmor/earlypolicy/ +Optimize=compress-fast +``` + +Or run: ```sh echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf +echo 'cache-loc /etc/apparmor/earlypolicy/' | sudo tee -a /etc/apparmor/parser.conf echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf ``` From beb0114811b304b92ba732db04e4311ae816e5d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 22:22:52 +0200 Subject: [PATCH 0825/1736] chore(profile): document the use of "network alg" for kernel crypto API --- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/network/iwd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index ff9b8586e4..2eb8eeeb7c 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -21,7 +21,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, - network alg seqpacket, + network alg seqpacket, # kernel crypto API network netlink raw, #aa:dbus own bus=system name=org.bluez path=/{,**} diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index 13edaaf161..c9aa299916 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -20,7 +20,7 @@ profile iwd @{exec_path} { network inet6 stream, network netlink raw, network netlink dgram, - network alg seqpacket, + network alg seqpacket, # kernel crypto API network packet dgram, @{exec_path} mr, From 6ec2d647ed53d6bce20be002cace97c66fb26264 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Oct 2025 23:55:14 +0200 Subject: [PATCH 0826/1736] feat(profile): apt: various profile update. --- apparmor.d/groups/apt/apt-helper | 10 ++++++++++ apparmor.d/groups/apt/apt-methods-http | 7 ++++++- apparmor.d/groups/apt/dpkg-checkbuilddeps | 1 + apparmor.d/groups/apt/dpkg-deb | 1 + apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/dpkg-statoverride | 10 ++++++++++ 6 files changed, 29 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 18b6d72412..f73186d906 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -10,15 +10,25 @@ include profile apt-helper @{exec_path} { include include + include + + capability setgid, + capability setuid, + + signal send set=int peer=apt-methods-http, @{exec_path} mr, @{bin}/nm-online rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/systemd/systemd-networkd-wait-online rPx, + @{lib}/apt/methods/http Px, owner @{PROC}/@{pid}/fd/ r, + /tmp/tmp@{word8}/stampdir/partial/canary-file.txt w, + /tmp/tmp@{word8}/partial/canary-file.txt w, + profile systemctl { include include diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 77a418b077..32e88c759e 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -67,10 +67,15 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + #aa:only ubuntu + /tmp/ubuntu-release-upgrader-@{rand8}/*.tar.gz rw, + /tmp/ubuntu-release-upgrader-@{rand8}/*.tar.gz.gpg rw, + /tmp/ r, - owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, + owner @{tmp}/aptitude-root.*/aptitude-download-* rw, + #aa:only ubuntu @{run}/ubuntu-advantage/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 297a45f843..6129499af0 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -11,6 +11,7 @@ include profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include include + include include @{exec_path} r, diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 4fedbcd5f8..b71eabcb43 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -32,6 +32,7 @@ profile dpkg-deb @{exec_path} { owner @{tmp}/dpkg-deb.@{rand6} rw, owner @{tmp}/dpkg-deb.@{rand6}/ rw, owner @{tmp}/dpkg-deb.@{rand6}/* rw, + owner @{tmp}/tmp@{rand8}/aptroot/**.deb r, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 138aac66c3..abcc37e475 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -14,6 +14,7 @@ profile dpkg-scripts @{exec_path} { include capability chown, + capability dac_override, capability dac_read_search, capability fowner, capability fsetid, diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index 804e1675b5..8522628839 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -12,10 +12,20 @@ profile dpkg-statoverride @{exec_path} flags=(complain) { include include + capability chown, + capability fsetid, + @{exec_path} mr, /var/lib/dpkg/statoverride r, + @{lib}/systemd-cron/crontab_setgid w, + + /var/lib/dpkg/ r, + /var/lib/dpkg/statoverride w, + /var/lib/dpkg/statoverride-new rw, + /var/lib/dpkg/statoverride-old wl, + include if exists } From b1d34d203d20b963e636cd9d08686e430d34573e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 2 Oct 2025 20:45:05 +0200 Subject: [PATCH 0827/1736] build(debian): add metadata and watch files. --- debian/copyright | 2 +- debian/upstream/metadata | 7 +++++++ debian/watch | 5 +++++ 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 debian/upstream/metadata create mode 100644 debian/watch diff --git a/debian/copyright b/debian/copyright index 771503801a..9dbcf97efb 100644 --- a/debian/copyright +++ b/debian/copyright @@ -4,5 +4,5 @@ Upstream-Contact: Alexandre Pujol Source: https://gitlab.com/roddhjav/apparmor.d Files: * -Copyright: 2021-2023 Alexandre Pujol +Copyright: 2021-2025 Alexandre Pujol License: GPL-2 diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000000..9e4cbb47f4 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,7 @@ +--- +Archive: GitHub +Bug-Database: https://github.com/roddhjav/apparmor.d/issues +Bug-Submit: https://github.com/roddhjav/apparmor.d/issues/new +Changelog: https://github.com/roddhjav/apparmor.d/tags +Repository: https://github.com/roddhjav/apparmor.d.git +Repository-Browse: https://github.com/roddhjav/apparmor.d diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000000..3717d945d3 --- /dev/null +++ b/debian/watch @@ -0,0 +1,5 @@ +Version: 5 + +Template: Github +Owner: roddhjav +Project: apparmor.d From ffb48da9277608763c5eebcd80885763f7318a77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 2 Oct 2025 20:49:04 +0200 Subject: [PATCH 0828/1736] doc: add documentation for the base-strict build task. --- docs/development/build.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/development/build.md b/docs/development/build.md index b767e4e4ed..e801553737 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -145,6 +145,12 @@ Resolve variables in profile attachments. It fixes issues with the userland AppA *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* +### **`base-strict`** + +This task will use `base-strict` as base abstraction instead of `base`. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + ### **`attach`** This task reattaches disconnected paths. See the [Re-attached path](internal.md#re-attached-path) page. It will: From 8ec1107ab30a982b6fcb6c3c445742f6c09129fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Oct 2025 14:02:55 +0200 Subject: [PATCH 0829/1736] feat(abs): restric gstreamer. --- apparmor.d/abstractions/gstreamer | 42 +++++++++---------------------- 1 file changed, 12 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 5a14b6f7a8..b8b09d1e68 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -20,51 +20,33 @@ /tmp/ r, /var/tmp/ r, - owner @{HOME}/orcexec.@{rand6} rw, - owner @{HOME}/.gstreamer-@{int}.@{int}/ rw, - owner @{HOME}/.gstreamer-@{int}.@{int}/registry.*.bin{,.tmp@{rand6}} rw, + owner @{HOME}/.gstreamer-@{int}.@{int}/registry.@{arch}.bin rw, + owner @{HOME}/.gstreamer-@{int}.@{int}/registry.@{arch}.bin.tmp@{rand6} rw, owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw, - owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.*.bin{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin rw, + owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin.tmp@{rand6} rw, # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. + deny owner @{HOME}/orcexec.@{rand6} rw, owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, owner @{tmp}/orcexec.@{rand6} mrw, - #owner @{HOME}/orcexec.* mrw, - - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c189:@{int} r, # For USB serial converters - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, - @{sys}/bus/media/devices/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/video4linux/ r, - @{sys}/devices/@{pci}/busnum r, - @{sys}/devices/@{pci}/config r, - @{sys}/devices/@{pci}/descriptors r, - @{sys}/devices/@{pci}/devnum r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/speed r, - @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/cpumap r, - @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/devices r, + @{sys}/class/video4linux/ r, + @{sys}/devices/**/video4linux/video@{int}/ r, + @{sys}/devices/**/video4linux/video@{int}/uevent r, - /dev/ r, - /dev/bus/usb/ r, - /dev/dri/ r, - /dev/nvidia-uvm rw, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, include if exists From ddd49e43a9b1514ef8f04405fb68e1f878834664 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Oct 2025 14:04:09 +0200 Subject: [PATCH 0830/1736] chore(abs): pgrep use pids instead of pid. --- apparmor.d/abstractions/app/pgrep | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index f563712ca8..83df22f890 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,11 +19,12 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, @{PROC}/uptime r, From cab9a360e30601882308ac9956409e75a5d5b087 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Oct 2025 14:05:39 +0200 Subject: [PATCH 0831/1736] feat(abs): org.freedesktop.portal Desktop: add Inhibit --- .../abstractions/bus/org.freedesktop.portal.Desktop | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 4778dd6dc4..d5a14eec2a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -50,7 +50,15 @@ interface=org.freedesktop.portal.Inhibit member={StateChanged,CreateMonitor} peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member=CreateMonitor + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop/session/** + interface=org.freedesktop.portal.Session + member=Close + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** interface=org.freedesktop.impl.portal.Session member=Close From fbeaf73a44d66ed6c0226434958ed278437ceb5f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 8 Oct 2025 11:44:26 +0100 Subject: [PATCH 0832/1736] tests(abs): add some tests only paths. --- apparmor.d/abstractions/apt | 4 ++++ apparmor.d/abstractions/base-strict | 1 - apparmor.d/abstractions/common/systemd | 3 +++ apparmor.d/abstractions/ruby.d/complete | 8 ++++++++ .../groups/systemd-generators/systemd-generator-fstab | 3 --- apparmor.d/groups/systemd/systemd-network-generator | 3 --- apparmor.d/groups/systemd/systemd-sysusers | 3 --- 7 files changed, 15 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/abstractions/ruby.d/complete diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/apt index 2802ac2a80..109faed573 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,10 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, + #aa:only test + /tmp/tmp.@{word10}/ rw, + /tmp/tmp.@{word10}/** rwlkmix, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 004102db53..1fc2980b92 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -133,7 +133,6 @@ @{lib}/installed-tests/ r, @{lib}/installed-tests/** rw, /usr/share/installed-tests/{,**} r, - /usr/share/rubygems-integration/{,**} r, owner /m-a/{,**} rw, owner /test-dir/{,**} rw, owner /test-path/{,**} rw, diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index f4a10076ef..9540d98943 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -21,6 +21,9 @@ /dev/kmsg w, + #aa:only test + /tmp/test-*/{,**} rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ruby.d/complete b/apparmor.d/abstractions/ruby.d/complete new file mode 100644 index 0000000000..f987925b4f --- /dev/null +++ b/apparmor.d/abstractions/ruby.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + #aa:only test + /usr/share/rubygems-integration/{,**} r, + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab index d9b03c4b9f..44a3f8db48 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-fstab +++ b/apparmor.d/groups/systemd-generators/systemd-generator-fstab @@ -25,9 +25,6 @@ profile systemd-generator-fstab @{exec_path} { @{PROC}/@{pid}/cgroup r, - #aa:only test - /tmp/test-fstab-generator.@{rand10}/{,**} rw, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index 75bd79ab1e..ceebbc5c2d 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -19,9 +19,6 @@ profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { @{run}/credentials/systemd-network-generator.service/ r, - #aa:only test - /tmp/test-network-generator-conversion.@{rand6}/{,**} rw, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 164c3045c2..2b31e4bb8c 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -58,9 +58,6 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { deny network inet6 stream, deny network inet stream, - #aa:only test - /tmp/test-sysusers.@{rand10}/{,**} rw, - include if exists } From 1da4b039bd04a7007fbc92f6adf9df99c12d9ecf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Oct 2025 19:46:21 +0200 Subject: [PATCH 0833/1736] fix: glycin: allow unix stream from anyone --- apparmor.d/abstractions/app/bwrap-glycin | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index 9cdbd8a7fd..09f91240c6 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -14,8 +14,7 @@ include include - unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//loaders), + unix type=stream, signal (send receive) set=kill peer=@{profile_name}, signal (send receive) set=kill peer=@{profile_name}//&glycin, From 3b4c6c11ff9d9c72e2de1d72833fee89e1ed8a1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Oct 2025 19:52:13 +0200 Subject: [PATCH 0834/1736] feat(abs): restrict bus/org.freedesktop.timedate1. Only allow to get time. --- apparmor.d/abstractions/bus/org.freedesktop.timedate1 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 8f6118355e..e5ac3b51e5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -4,7 +4,10 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=systemd-timedated), include if exists From 76d91915af4b2fcfe50f8ea7ce710b0170404405 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Oct 2025 19:53:11 +0200 Subject: [PATCH 0835/1736] feat(abs): gnome app: add user_state_dirs program dir. --- apparmor.d/abstractions/common/gnome | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 6dcb26860f..c12d021765 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -25,6 +25,9 @@ owner @{user_share_dirs}/@{profile_name}/ rw, owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**, + owner @{user_state_dirs}/@{profile_name}/ rw, + owner @{user_state_dirs}/@{profile_name}/** rwlk, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, From 5cbbf8a12f73e8c0181bc628fa165b18b8404588 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Oct 2025 19:55:10 +0200 Subject: [PATCH 0836/1736] doc(abs): base-strict: update documentation --- apparmor.d/abstractions/base-strict | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 1fc2980b92..e6bd29560b 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -6,10 +6,15 @@ # LOGPROF-SUGGEST: no # Do not use it manually, It automatically replaces the base abstraction in - # profiles when the re-attached mode is enabled. + # profiles when the base-strict prebuild feature is enabled (default). - # For now, it is only a restructuring of the base abstraction with awareness + # It is mostly a restructuring of the base abstraction with awareness # of the apparmor.d architecture. + # + # Changes from the base abstraction: + # - Removed access to @{run}/uuidd/request + # - owner only access to some files in @{PROC}/@{pid}/ + # - denied lttng abi , @@ -29,7 +34,7 @@ # Allow unconfined processes to send us signals by default signal receive peer=unconfined, - # Systemd: allow to receive any signal from the systemd profiles stack + # Systemd: allow to receive any signal from the systemd profiles signal receive peer=@{p_systemd}, signal receive peer=@{p_systemd_user}, @@ -45,7 +50,6 @@ signal receive peer=sudo, signal receive set=(cont,term,kill,stop) peer=gnome-shell, signal receive set=(cont,term,kill,stop) peer=login, - signal receive set=(cont,term,kill,stop) peer=openbox, signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, signal receive set=(cont,term,kill,stop) peer=xinit, From 7591f8eaf91d02fda475dfad4cff755af0ee1ff4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Oct 2025 19:57:01 +0200 Subject: [PATCH 0837/1736] feat(abs): base-strict: remove uuidd/request by default. Allowed access to the uuidd daemon. Only needed by a very few profiles. Thus is is safe to not provide it by default. NB: if kept, rw is required. --- apparmor.d/abstractions/base-strict | 5 ----- 1 file changed, 5 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index e6bd29560b..361a772ae3 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -93,11 +93,6 @@ # Some applications will display license information /usr/share/common-licenses/** r, - # Allow access to the uuidd daemon (this daemon is a thin wrapper around - # time and getrandom()/{,u}random and, when available, runs under an - # unprivilged, dedicated user). - @{run}/uuidd/request r, - # Transparent hugepage support @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, From d0f50f0750f46fa24b42d62e68d61e0dc0046531 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Oct 2025 19:59:07 +0200 Subject: [PATCH 0838/1736] feat(profile): small update to apt profiles. --- apparmor.d/groups/apt/apt | 5 +++++ apparmor.d/groups/apt/dpkg-preconfigure | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 1 + 3 files changed, 8 insertions(+) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index d401e3f28d..ee0601b6f4 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -57,6 +57,11 @@ profile apt @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name="{:*,org.freedesktop.DBus}"), + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Inhibit + peer=(name=org.freedesktop.login1, label=systemd-logind), + @{exec_path} mr, @{python_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 2e32af9795..a87f5371a4 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -23,10 +23,12 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/{,e}grep ix, @{bin}/{,g,m}awk ix, @{bin}/cat ix, + @{bin}/cut ix, @{bin}/debconf-escape Px, @{bin}/dialog ix, @{bin}/expr ix, @{bin}/find ix, + @{bin}/getent ix, @{bin}/head ix, @{bin}/locale ix, @{bin}/readlink ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index abcc37e475..6d8ad4bc73 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -123,6 +123,7 @@ profile dpkg-scripts @{exec_path} { capability sys_resource, signal send set=(cont term) peer=systemd-tty-ask-password-agent, + signal send set=cont peer=child-pager, ptrace read peer=@{p_systemd}, From 64621ce5772dea8f9684b2055eda9cc4c6c01175 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Oct 2025 20:03:31 +0200 Subject: [PATCH 0839/1736] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/gnome/gdm-generate-config | 2 +- apparmor.d/groups/gnome/gdm-session | 13 +++++++------ apparmor.d/groups/gnome/gnome-control-center | 1 + apparmor.d/groups/gnome/gnome-extension | 11 +++++++++++ apparmor.d/groups/gnome/gnome-extension-gsconnect | 5 +++++ apparmor.d/groups/gnome/gnome-session-service | 5 ++--- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-datetime | 3 +++ apparmor.d/groups/gnome/papers | 3 +++ apparmor.d/groups/gnome/session-migration | 1 + 11 files changed, 36 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 765a2f5870..9f9c174195 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -71,7 +71,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{GDM_HOME}/ rw, @{GDM_HOME}/** rw, - @{run}/gdm/home/ rw, + @{run}/gdm{,3}/home/ rw, @{run}/gdm{,3}.pid rw, @{run}/gdm{,3}/ rw, @{run}/gdm{,3}/gdm.pid rw, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 218b96e65c..1590ec4f03 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -33,7 +33,7 @@ profile gdm-generate-config @{exec_path} { /etc/gdm{3,}/* r, /usr/share/gdm{3,}/{,**} r, - /var/lib/ r, + /var/lib/ rw, @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 1a2d96a084..35e69dc1b7 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -15,16 +15,17 @@ profile gdm-session @{exec_path} { include signal receive set=(hup term) peer=gdm-session-worker, - signal receive set=(term) peer=gdm, - signal send set=(term) peer=dbus-session, - signal send set=(term) peer=gnome-session-binary, - signal send set=(term) peer=xorg, - signal send set=term peer=gnome-session, + signal receive set=term peer=gdm, + signal send set=term peer=dbus-session, + signal send set=term peer=gnome-session-binary, + signal send set=term peer=gnome-session-init-worker, + signal send set=term peer=gnome-session, + signal send set=term peer=xorg, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index d146f576d1..3e88a7b7c0 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -147,6 +147,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gnome-remote-desktop/ w, owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, + owner @{user_share_dirs}/gnome-shell/session-active-history.json r, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{tmp}/@{hex12}@{h} rw, diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension index e13eca8322..174f75531f 100644 --- a/apparmor.d/groups/gnome/gnome-extension +++ b/apparmor.d/groups/gnome/gnome-extension @@ -8,6 +8,9 @@ abi , include +@{share_dirs} = /usr/share/gnome-shell/extensions/ +@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ + @{exec_path} = @{bin}/gjs-console profile gnome-extension { include @@ -19,6 +22,14 @@ profile gnome-extension { @{exec_path} mr, + # Used to track the extensions supported by this profile + @{share_dirs}/tilingshell@ferrarodomenico.com/*.js r, + @{share_dirs}/ubuntu-dock@ubuntu.com/*.js r, + + /usr/share/xkeyboard-config-2/{,**} r, + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 700838ea8e..5417167978 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -44,6 +44,11 @@ profile gnome-extension-gsconnect @{exec_path} { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.GSConnect.* + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Monitoring + member=BecomeMonitor + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus eavesdrop bus=session, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 2e94eaf995..0a41cebbd8 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -42,10 +42,9 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/autostart/{,*.desktop} r, - @{run}/systemd/users/@{uid} r, - @{run}/systemd/sessions/@{int} r, @{att}@{run}/systemd/inhibit/@{int}.ref rw, - @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{att}@{run}/systemd/sessions/{,@{l}}@{int}{,.ref} rw, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/systemd/notify w, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 328a3bb4e5..0560fb004c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -313,7 +313,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, - owner @{user_cache_dirs}/gsconnect/@{hex32} r, + owner @{user_cache_dirs}/gsconnect/@{hex} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index dd538de05c..1b90028ed7 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,6 +10,9 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index f01d32af5c..ad474cd282 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -35,6 +35,7 @@ profile papers @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{HOME}/.pki/nssdb/pkcs11.txt r, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, @@ -59,6 +60,8 @@ profile papers @{exec_path} flags=(attach_disconnected) { @{browsers_path} Px, @{help_path} Px, @{bin}/papers Px, + @{bin}/snap Px, + @{bin}/flatpak Px, include if exists } diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index b58a362063..16114c5869 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -10,6 +10,7 @@ include profile session-migration @{exec_path} { include include + include include include include From e92af30dc2e1faf365e495ed1bfe965f3e99d3ee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Oct 2025 20:08:51 +0200 Subject: [PATCH 0840/1736] feat(profile): general update. --- apparmor.d/groups/systemd/systemd-cryptsetup | 3 +++ apparmor.d/groups/systemd/systemd-sysctl | 3 +++ apparmor.d/groups/ubuntu/software-properties-gtk | 1 + apparmor.d/groups/ubuntu/ubuntu-advantage | 4 +++- apparmor.d/groups/ubuntu/update-notifier | 3 ++- apparmor.d/groups/virt/virtlockd | 6 ++++++ apparmor.d/profiles-m-r/mkinitramfs | 4 ++++ apparmor.d/profiles-m-r/nvtop | 1 + apparmor.d/profiles-m-r/protonmail-bridge-core | 7 ++++--- apparmor.d/profiles-m-r/pycompile | 5 +++++ apparmor.d/profiles-s-z/spice-vdagent | 2 ++ apparmor.d/profiles-s-z/superproductivity | 2 +- 12 files changed, 35 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index fdddebe03f..8db69581f8 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { include + include include include @@ -17,6 +18,8 @@ profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /etc/fstab r, diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 87e0ede5c8..ea5c5048f9 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -29,6 +29,9 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/** rw, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 702bc47321..09a5ba9ceb 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -33,6 +33,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/gpg rPx, # TODO: apt-gpg dedicated profile? @{bin}/ischroot rPx, @{bin}/lsb_release rPx, @{bin}/ubuntu-advantage rPx, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 4ede61bc80..afc8a7b2a4 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -48,9 +48,11 @@ profile ubuntu-advantage @{exec_path} { /etc/apt/trusted.gpg.d/{,**} rw, /etc/apt/sources.list.d/{,**} rw, /etc/ubuntu-advantage/{,**} r, + /etc/machine-id r, + /var/lib/ubuntu-advantage/{,**} rw, - /etc/machine-id r, + /var/log/ubuntu-advantage.log w, owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 06e851b451..d7676c5c69 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -27,7 +27,7 @@ profile update-notifier @{exec_path} { dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending interface=com.ubuntu.UnattendedUpgrade.Pending - member=Finished + member={Started,Finished} peer=(name=@{busname}, label=unattended-upgrade), @{exec_path} mr, @@ -70,6 +70,7 @@ profile update-notifier @{exec_path} { owner @{tmp}/#@{int} rw, @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, profile pkexec { diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index ef28e59e99..a0ae83710c 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd @@ -12,6 +12,12 @@ profile virtlockd @{exec_path} { @{exec_path} mr, + /etc/libvirt/virtlockd.conf r, + + @{run}/virtlockd.pid wk, + + @{sys}/devices/system/node/ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 5d38271df8..c969cc3d0c 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -123,7 +123,11 @@ profile mkinitramfs @{exec_path} { @{sys}/class/*/ r, @{sys}/bus/platform/drivers/simple-framebuffer/ r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-2.scope/cpu.max r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/modules r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 0bdd9d924a..4766c7f5a0 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -40,6 +40,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp@{int}_crit r, @{sys}/devices/@{pci}/max_link_{speed,width} r, @{sys}/devices/@{pci}/pcie_bw r, + @{sys}/devices/**/uevent r, @{sys}/devices/system/node/node@{int}/cpumap r, @{PROC}/ r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index a9bd819e3b..e8519cd5b8 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -46,9 +46,10 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner @{tmp}/bridge@{int} rw, - @{PROC}/ r, - @{PROC}/1/cgroup r, - @{PROC}/sys/net/core/somaxconn r, + @{PROC}/ r, + @{PROC}/1/cgroup r, + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/mountinfo r, deny owner @{user_passwordstore_dirs}/** r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 6c9e6b6d74..e695f2109d 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -26,6 +26,11 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { priority=1 @{lib}/@{python_name}/**/__pycache__/*.pyc w, priority=1 @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, + /usr/share/glib-2.0/{,**} r, + /usr/share/glib-2.0/**/__pycache__/ w, + /usr/share/glib-2.0/**/__pycache__/*.pyc w, + /usr/share/glib-2.0/**/__pycache__/*.pyc.* w, + /usr/share/python3/{,**} r, / r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 15a9111de3..3b022a0722 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -38,6 +38,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/fstab r, + @{run}/mount/utab r, @{run}/spice-vdagentd/spice-vdagent-sock rw, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index a2480f1d7b..ca8bef2da7 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -43,7 +43,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> superproductivity//&xdg-settings, - @{att}@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/speech-dispatcher/speechd.sock rw, From 47edb9205d91d0e88b0c9a1d5dca514cf3aa151b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 11 Oct 2025 12:15:08 +0200 Subject: [PATCH 0841/1736] chore(tests): improve images and available just command. --- Justfile | 62 ++++++++++++++++++++++++++++++-------------------------- 1 file changed, 33 insertions(+), 29 deletions(-) diff --git a/Justfile b/Justfile index 0d6a4a9780..6dd5997d00 100644 --- a/Justfile +++ b/Justfile @@ -213,13 +213,6 @@ rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm -# Run the unit tests -[group('tests')] -tests: - @go test ./cmd/... -v -cover -coverprofile=coverage.out - @go test ./pkg/... -v -cover -coverprofile=coverage.out - @go tool cover -func=coverage.out - # Run the linters [group('linter')] lint: @@ -376,34 +369,45 @@ images: #!/usr/bin/env bash set -eu -o pipefail mkdir -p {{base_dir}} - ls -lh {{base_dir}} | awk ' - BEGIN { - printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") - } - { - if ($9 ~ /^{{prefix}}.*\.qcow2$/) { - split($9, arr, "-|\\.") - printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8) - } - } - ' + ( + printf "{{BOLD}}%s %s %s %s %s{{NORMAL}}\n" "OsInfo" "Flavor" "Size" "Date" + find {{base_dir}} -iname '{{prefix}}*' -type f -printf "%f %k %Tb %Td %TH:%TM\n" | sort | awk ' + { + split($1, item, "-") + split(item[3], flavor, "\\.") + if ($2>=1048576) { + printf("%s %s %.1fGB %s %s %s\n", item[2], flavor[1], $2/1048576, $3, $4, $5) + } else { + printf("%s %s %.fMB %s %s %s\n", item[2], flavor[1], $2/1024, $3, $4, $5) + } + } + ' + ) | column -t # List the VM images that can be created [group('vm')] available: #!/usr/bin/env bash set -eu -o pipefail - ls -lh tests/cloud-init | awk ' - BEGIN { - printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") - } - { - if ($9 ~ /^.*\.user-data.yml$/) { - split($9, arr, "-|\\.") - printf("%-18s %s\n", arr[1], arr[2]) - } - } - ' + ( + printf "{{BOLD}}%s %s %s{{NORMAL}}\n" "Distribution" "Release" "Flavor" + find tests/cloud-init -iname '*.user-data.yml' -type f -printf "%f\n" | sort | awk ' + { + split($1, item, "-") + match(item[1], /^([a-z]+)([0-9.]*?)$/, osinfo) + release = (osinfo[2] == "" ? "-" : osinfo[2]) + split(item[2], flavor, "\\.") + printf("%s %s %s\n", osinfo[1], release, flavor[1]) + } + ' + ) | column -t + +# Run the unit tests +[group('tests')] +tests: + @go test ./cmd/... -v -cover -coverprofile=coverage.out + @go test ./pkg/... -v -cover -coverprofile=coverage.out + @go tool cover -func=coverage.out # Install dependencies for the integration tests [group('tests')] From f6bb8a1054df4b36d141f7bfbc53795db5716e46 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 11 Oct 2025 14:17:43 +0200 Subject: [PATCH 0842/1736] feat(abs): add gstreamer-registry. --- apparmor.d/abstractions/gstreamer | 10 ++------ apparmor.d/abstractions/gstreamer-registry | 27 ++++++++++++++++++++++ 2 files changed, 29 insertions(+), 8 deletions(-) create mode 100644 apparmor.d/abstractions/gstreamer-registry diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index b8b09d1e68..882cf3acec 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -5,6 +5,8 @@ abi , + include + @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, @@ -20,14 +22,6 @@ /tmp/ r, /var/tmp/ r, - owner @{HOME}/.gstreamer-@{int}.@{int}/ rw, - owner @{HOME}/.gstreamer-@{int}.@{int}/registry.@{arch}.bin rw, - owner @{HOME}/.gstreamer-@{int}.@{int}/registry.@{arch}.bin.tmp@{rand6} rw, - - owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw, - owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin rw, - owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin.tmp@{rand6} rw, - # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. diff --git a/apparmor.d/abstractions/gstreamer-registry b/apparmor.d/abstractions/gstreamer-registry new file mode 100644 index 0000000000..9606d7e1d8 --- /dev/null +++ b/apparmor.d/abstractions/gstreamer-registry @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Plugin registry cache for the multimedia framework GStreamer. +# It stores metadata about all the GStreamer plugins available on the system, +# including their types, capabilities, and locations. + +# It is usually needed by application calling GStreamer libraries. + + abi , + + owner @{desktop_cache_dirs}/gstreamer-1.0/ w, + owner @{desktop_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin rw, + owner @{desktop_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin.tmp@{rand6} rw, + + owner @{HOME}/.gstreamer-1.0/ rw, + owner @{HOME}/.gstreamer-1.0/registry.@{arch}.bin rw, + owner @{HOME}/.gstreamer-1.0/registry.@{arch}.bin.tmp@{rand6} rw, + + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin.tmp@{rand6} rw, + + include if exists + +# vim:syntax=apparmor From 93549b9afb3e694bd8f6521f9c2c09a9314ac177 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 11 Oct 2025 22:12:52 +0200 Subject: [PATCH 0843/1736] feat(abs): all apps on gnome need cpu.max information. --- apparmor.d/abstractions/common/gnome | 5 ----- apparmor.d/abstractions/gnome-base | 5 +++++ apparmor.d/groups/gnome/gnome-control-center | 3 --- apparmor.d/groups/gnome/gnome-initial-setup | 4 ---- apparmor.d/groups/gnome/gnome-shell | 5 ----- apparmor.d/groups/gnome/nautilus | 5 ----- apparmor.d/profiles-a-f/alacarte | 5 ----- apparmor.d/profiles-g-l/gimp | 5 ----- apparmor.d/profiles-m-r/mkinitramfs | 2 -- apparmor.d/profiles-s-z/terminator | 5 ----- apparmor.d/profiles-s-z/virt-manager | 2 -- 11 files changed, 5 insertions(+), 41 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index c12d021765..afac0b82ab 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -28,11 +28,6 @@ owner @{user_state_dirs}/@{profile_name}/ rw, owner @{user_state_dirs}/@{profile_name}/** rwlk, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index 17a848de5a..575aaadaf5 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -19,6 +19,11 @@ owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 3e88a7b7c0..e934717b6d 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -180,9 +180,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 22ac95148d..8551f99b8c 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -74,10 +74,6 @@ profile gnome-initial-setup @{exec_path} { @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0560fb004c..9354bddfe9 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -392,11 +392,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, - @{PROC}/ r, @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index b087ed2f74..04ed9f39ba 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -131,11 +131,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{PROC}/@{pids}/net/wireless r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 87908dc9e5..c908946947 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -31,11 +31,6 @@ profile alacarte @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 04860c1ded..bbf472db0b 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -76,11 +76,6 @@ profile gimp @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index c969cc3d0c..065adf1940 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -123,8 +123,6 @@ profile mkinitramfs @{exec_path} { @{sys}/class/*/ r, @{sys}/bus/platform/drivers/simple-framebuffer/ r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-2.scope/cpu.max r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e5d6499742..769771b6a9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -46,11 +46,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{PROC}/ r, @{PROC}/@{pid}/net/tcp{,6} r, @{PROC}/@{pid}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 92dc977d93..d268be76d0 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -91,8 +91,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/virtual/drm/ttm/uevent r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, From 1df666f4f72737202f98af6edc3eb4f50485cbb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 12:19:24 +0200 Subject: [PATCH 0844/1736] feat(profile): revisit flatpak-*-helper Add flatpak-session-helper-app to confine flatpak app process outside of the sandbox. It allows ptrace as it is the main cap forbiden inside the sandbox. Support unconfined shell for IDE such as vscode. --- .../groups/flatpak/flatpak-session-helper | 17 +-- .../groups/flatpak/flatpak-session-helper-app | 108 ++++++++++++++++++ .../groups/flatpak/flatpak-system-helper | 15 ++- dists/flags/main.flags | 5 +- 4 files changed, 133 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/groups/flatpak/flatpak-session-helper-app diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index ed9526eb0b..cdae7e6090 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -6,8 +6,10 @@ abi , include +@{appid} = @{word}.@{word}.@{word}{,.@{word}} + @{exec_path} = @{lib}/flatpak-session-helper -profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { +profile flatpak-session-helper @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -16,8 +18,8 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { include signal send set=(hup int) peer=user_unconfined, - signal send set=(int) peer=@{p_systemd}, - signal send set=(int) peer=flatpak-app, + signal send set=int peer=@{p_systemd}, + signal send set=int peer=flatpak-session-helper-app, #aa:dbus own bus=session name=org.freedesktop.Flatpak @@ -29,20 +31,19 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{shells_path} rUx, + @{coreutils_path} rix, @{bin}/dbus-monitor rPUx, - @{bin}/env rix, @{bin}/flatpak rPx, @{bin}/getent rix, @{bin}/p11-kit rix, @{bin}/pkexec rCx -> pkexec, @{bin}/printenv rix, @{bin}/ps rPx, - @{bin}/test rix, - @{bin}/touch rix, @{lib}/p11-kit/p11-kit-remote rix, @{lib}/p11-kit/p11-kit-server rix, - /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, - /var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app, + + /var/lib/flatpak/app/@{appid}/**/@{bin}/** rPx -> flatpak-session-helper-app, + /var/lib/flatpak/app/@{appid}/**/@{lib}/** rPx -> flatpak-session-helper-app, owner @{user_config_dirs}/mimeapps.list w, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper-app b/apparmor.d/groups/flatpak/flatpak-session-helper-app new file mode 100644 index 0000000000..f03b59cb53 --- /dev/null +++ b/apparmor.d/groups/flatpak/flatpak-session-helper-app @@ -0,0 +1,108 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{appid} = @{word}.@{word}.@{word}{,.@{word}} + +@{exec_path} = /var/lib/flatpak/app/@{appid}/**/@{bin}/** +@{exec_path} += /var/lib/flatpak/app/@{appid}/**/@{lib}/** +profile flatpak-session-helper-app { + include + include + include + + capability sys_ptrace, + + network netlink raw, + + signal receive set=int peer=flatpak-session-helper, + + ptrace read, + + @{exec_path} mrk, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/udevadm Cx -> udevadm, + + @{sys}/block/ r, + @{sys}/class/hwmon/ r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/speed r, + @{sys}/devices/@{pci}/stat r, + @{sys}/devices/@{pci}/statistics/rx_bytes r, + @{sys}/devices/@{pci}/statistics/tx_bytes r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/ r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/ r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*.service/ r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/{,**/}cgroup.procs r, + + @{PROC}/ r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/cmdline r, + + # Same than in app/flatpak + @{PROC}/ r, + @{PROC}/@{pids}/cpuset r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/smaps r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/sys/fs/file-max r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inotify/max_queued_events r, + @{PROC}/sys/fs/inotify/max_user_instances r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/fs/nr_open r, + @{PROC}/sys/fs/pipe-max-size r, + @{PROC}/sys/kernel/hostname r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/ostype r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/kernel/shmmax r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/version r, + @{PROC}/version_signature r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/oom_adj r, + owner @{PROC}/@{pid}/oom_score_adj r, + owner @{PROC}/@{pid}/sessionid r, + owner @{PROC}/@{pid}/smaps_rollup r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/smaps r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/statm r, + + profile udevadm { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0bd74bdcba..58b38ca844 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -6,8 +6,10 @@ abi , include +@{appid} = @{word}.@{word}.@{word}{,.@{word}} + @{exec_path} = @{lib}/flatpak-system-helper -profile flatpak-system-helper @{exec_path} { +profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -38,7 +40,7 @@ profile flatpak-system-helper @{exec_path} { @{exec_path} mr, - @{bin}/bwrap rPUx, + @{bin}/bwrap rCx -> bwrap, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @@ -65,6 +67,15 @@ profile flatpak-system-helper @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, + profile bwrap flags=(attach_disconnected) { + include + include + + /tmp/#@{int} rw, + + include if exists + } + profile gpg { include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d5f3355b12..bcba20be39 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -110,8 +110,9 @@ flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain -flatpak-session-helper attach_disconnected,complain -flatpak-system-helper complain +flatpak-session-helper attach_disconnected,mediate_deleted,complain +flatpak-session-helper-app complain +flatpak-system-helper attach_disconnected,mediate_deleted,complain flatpak-validate-icon complain fuse-overlayfs complain gdk-pixbuf-thumbnailer complain From 106667dcfdf82b6809cc825a92c9b61c61558b9c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 12:24:41 +0200 Subject: [PATCH 0845/1736] ci: update debian container tags. --- .gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 80dc69c7b5..c041c39a6d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -84,7 +84,7 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian:trixie + image: registry.gitlab.com/roddhjav/builders/debian:13 script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR @@ -146,7 +146,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian:trixie + image: debian:13 dependencies: - debian script: From 14373a7887923db70447c5f587ddade27e75c10a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 13:08:51 +0200 Subject: [PATCH 0846/1736] tests: update cloud-init images - Disable printk rate limiting - Remove debian 12 images --- .../cloud-init/archlinux-cosmic.user-data.yml | 40 +++---------------- .../cloud-init/archlinux-gnome.user-data.yml | 7 ++-- tests/cloud-init/archlinux-kde.user-data.yml | 7 ++-- tests/cloud-init/archlinux-lxqt.user-data.yml | 7 ++-- .../cloud-init/archlinux-server.user-data.yml | 9 +++-- tests/cloud-init/archlinux-xfce.user-data.yml | 7 ++-- tests/cloud-init/archlinux.yml | 32 +++++++++++++++ tests/cloud-init/common.yml | 8 ++++ tests/cloud-init/debian.yml | 17 ++------ tests/cloud-init/debian12-gnome.user-data.yml | 10 ----- tests/cloud-init/debian12-kde.user-data.yml | 31 -------------- .../cloud-init/debian12-server.user-data.yml | 10 ----- tests/cloud-init/debian13-gnome.user-data.yml | 7 ++-- tests/cloud-init/debian13-kde.user-data.yml | 7 ++-- .../cloud-init/debian13-server.user-data.yml | 8 ++-- tests/cloud-init/opensuse-gnome.user-data.yml | 3 +- tests/cloud-init/opensuse-kde.user-data.yml | 5 ++- .../cloud-init/opensuse-server.user-data.yml | 5 ++- tests/cloud-init/ubuntu.yml | 8 ++++ .../ubuntu24.04-desktop.user-data.yml | 3 +- .../ubuntu24.04-kubuntu.user-data.yml | 5 ++- .../ubuntu24.04-server.user-data.yml | 5 ++- .../ubuntu25.05-desktop.user-data.yml | 3 +- .../ubuntu25.05-kubuntu.user-data.yml | 5 ++- .../ubuntu25.05-server.user-data.yml | 5 ++- .../ubuntu25.10-desktop.user-data.yml | 3 +- 26 files changed, 114 insertions(+), 143 deletions(-) delete mode 100644 tests/cloud-init/debian12-gnome.user-data.yml delete mode 100644 tests/cloud-init/debian12-kde.user-data.yml delete mode 100644 tests/cloud-init/debian12-server.user-data.yml diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index 9ed6c1d926..bd04af3146 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -1,37 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - just - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - cosmic +packages: *cosmic-packages runcmd: # Regenerate grub.cfg @@ -52,6 +21,7 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index d33f685b62..3b0fa4d337 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -21,6 +21,7 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index cb4c4d3b0b..30374d8571 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -21,6 +21,7 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml index 208f7dab57..aa9eec4b58 100644 --- a/tests/cloud-init/archlinux-lxqt.user-data.yml +++ b/tests/cloud-init/archlinux-lxqt.user-data.yml @@ -23,6 +23,7 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml index 2b35671713..a810996ec3 100644 --- a/tests/cloud-init/archlinux-server.user-data.yml +++ b/tests/cloud-init/archlinux-server.user-data.yml @@ -18,7 +18,8 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index afba57519e..580754103f 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -21,6 +21,7 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index 629de7d028..d7fe78afc2 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -155,6 +155,38 @@ xfce-packages: &xfce-packages - lightdm - lightdm-gtk-greeter + +cosmic-packages: &cosmic-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - cosmic + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml index 2048e53682..3290fe1c9b 100644 --- a/tests/cloud-init/common.yml +++ b/tests/cloud-init/common.yml @@ -37,3 +37,11 @@ systemd-netword: &systemd-netword [DHCPv4] RouteMetric=10 + +# Disable printk rate limiting +disable-printk-ratelimit: &ratelimit + path: /etc/sysctl.d/99-ratelimit.conf + permissions: "0644" + content: | + kernel.printk_ratelimit=0 + kernel.printk_ratelimit_burst=1000 diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index b96bb58804..ec9729df6b 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -10,6 +10,7 @@ core-packages: &core-packages - debhelper - devscripts - docker.io + - golang-go - htop - just - libpam-apparmor @@ -33,6 +34,7 @@ gnome-packages: &gnome-packages - debhelper - devscripts - docker.io + - golang-go - htop - just - libpam-apparmor @@ -63,6 +65,7 @@ kde-packages: &kde-packages - debhelper - devscripts - docker.io + - golang-go - htop - just - libpam-apparmor @@ -81,17 +84,3 @@ kde-packages: &kde-packages - task-kde-desktop - plasma-workspace-wayland - terminator - -debian12-runcmd: &debian12-runcmd - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -debian13-runcmd: &debian13-runcmd - - apt-get update -y - - apt-get install -y golang-go - -# Add backports repository -debian12-backports: &debian12-backports - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free diff --git a/tests/cloud-init/debian12-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml deleted file mode 100644 index fbb3d12322..0000000000 --- a/tests/cloud-init/debian12-gnome.user-data.yml +++ /dev/null @@ -1,10 +0,0 @@ -#cloud-config - -packages: *gnome-packages - -runcmd: *debian12-runcmd - -write_files: - - *debian12-backports # Add backports repository - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian12-kde.user-data.yml b/tests/cloud-init/debian12-kde.user-data.yml deleted file mode 100644 index 451068db10..0000000000 --- a/tests/cloud-init/debian12-kde.user-data.yml +++ /dev/null @@ -1,31 +0,0 @@ -#cloud-config - -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - rsync - - spice-vdagent - - vim - - task-kde-desktop - -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/cloud-init/debian12-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml deleted file mode 100644 index cec721285e..0000000000 --- a/tests/cloud-init/debian12-server.user-data.yml +++ /dev/null @@ -1,10 +0,0 @@ -#cloud-config - -packages: *core-packages - -runcmd: *debian12-runcmd - -write_files: - - *debian12-backports # Add backports repository - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml index 0d5adfe17d..6b2080c466 100644 --- a/tests/cloud-init/debian13-gnome.user-data.yml +++ b/tests/cloud-init/debian13-gnome.user-data.yml @@ -2,8 +2,7 @@ packages: *gnome-packages -runcmd: *debian13-runcmd - write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml index 5a4d33bf5f..cf2d6a9893 100644 --- a/tests/cloud-init/debian13-kde.user-data.yml +++ b/tests/cloud-init/debian13-kde.user-data.yml @@ -2,8 +2,7 @@ packages: *kde-packages -runcmd: *debian13-runcmd - write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml index 6925487707..bf95ccd18f 100644 --- a/tests/cloud-init/debian13-server.user-data.yml +++ b/tests/cloud-init/debian13-server.user-data.yml @@ -2,8 +2,8 @@ packages: *core-packages -runcmd: *debian13-runcmd - write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting + diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index b59d66af38..99ce8b5a3a 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -13,7 +13,8 @@ runcmd: - systemctl enable systemd-journald-audit.socket write_files: - - *shared-directory # Setup shared directory + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting - path: /etc/sysconfig/displaymanager append: true diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 2058846dd8..f43d3cd438 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -11,8 +11,11 @@ runcmd: - grub2-mkconfig -o /boot/grub2/grub.cfg write_files: - - *shared-directory # Setup shared directory + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting + - path: /etc/sysconfig/displaymanager append: true content: | DISPLAYMANAGER="sddm" + diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml index b6d35cd686..4acaab83fd 100644 --- a/tests/cloud-init/opensuse-server.user-data.yml +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -10,5 +10,6 @@ runcmd: - grub2-mkconfig -o /boot/grub2/grub.cfg write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index 1f35637502..83015ead09 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -1,19 +1,24 @@ #cloud-config core-packages: &core-packages + - acpid - apparmor-profiles - apparmor-utils + - arptables - auditd - build-essential - config-package-dev - debhelper + - debian-keyring - devscripts + - dkms - docker.io - golang-go - htop - just - libpam-apparmor - lintian + - pipx - qemu-guest-agent - rsync - systemd-container @@ -38,6 +43,7 @@ desktop-packages: &desktop-packages - just - libpam-apparmor - lintian + - pipx - qemu-guest-agent - rsync - systemd-container @@ -53,6 +59,7 @@ desktop-packages: &desktop-packages - ubuntu-desktop - loupe - ptyxis + - gparted kubuntu-packages: &kubuntu-packages # Core packages for Ubuntu @@ -69,6 +76,7 @@ kubuntu-packages: &kubuntu-packages - just - libpam-apparmor - lintian + - pipx - qemu-guest-agent - rsync - systemd-container diff --git a/tests/cloud-init/ubuntu24.04-desktop.user-data.yml b/tests/cloud-init/ubuntu24.04-desktop.user-data.yml index 7f4183d494..6ce097d2c1 100644 --- a/tests/cloud-init/ubuntu24.04-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24.04-desktop.user-data.yml @@ -5,4 +5,5 @@ packages: *desktop-packages runcmd: *desktop-runcmd write_files: - - *shared-directory # Setup shared directory + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu24.04-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24.04-kubuntu.user-data.yml index bea74af3ac..4f78d253e2 100644 --- a/tests/cloud-init/ubuntu24.04-kubuntu.user-data.yml +++ b/tests/cloud-init/ubuntu24.04-kubuntu.user-data.yml @@ -5,5 +5,6 @@ packages: *kubuntu-packages runcmd: *desktop-runcmd write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu24.04-server.user-data.yml b/tests/cloud-init/ubuntu24.04-server.user-data.yml index 98b78ec80b..0a4e22ba50 100644 --- a/tests/cloud-init/ubuntu24.04-server.user-data.yml +++ b/tests/cloud-init/ubuntu24.04-server.user-data.yml @@ -3,5 +3,6 @@ packages: *core-packages write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu25.05-desktop.user-data.yml b/tests/cloud-init/ubuntu25.05-desktop.user-data.yml index 7f4183d494..6ce097d2c1 100644 --- a/tests/cloud-init/ubuntu25.05-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu25.05-desktop.user-data.yml @@ -5,4 +5,5 @@ packages: *desktop-packages runcmd: *desktop-runcmd write_files: - - *shared-directory # Setup shared directory + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml index bea74af3ac..4f78d253e2 100644 --- a/tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml +++ b/tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml @@ -5,5 +5,6 @@ packages: *kubuntu-packages runcmd: *desktop-runcmd write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu25.05-server.user-data.yml b/tests/cloud-init/ubuntu25.05-server.user-data.yml index 98b78ec80b..0a4e22ba50 100644 --- a/tests/cloud-init/ubuntu25.05-server.user-data.yml +++ b/tests/cloud-init/ubuntu25.05-server.user-data.yml @@ -3,5 +3,6 @@ packages: *core-packages write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu25.10-desktop.user-data.yml b/tests/cloud-init/ubuntu25.10-desktop.user-data.yml index 7f4183d494..6ce097d2c1 100644 --- a/tests/cloud-init/ubuntu25.10-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu25.10-desktop.user-data.yml @@ -5,4 +5,5 @@ packages: *desktop-packages runcmd: *desktop-runcmd write_files: - - *shared-directory # Setup shared directory + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting From 3d256f89f9d90afb491d0f591b42fdc14972c2af Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 14:34:37 +0200 Subject: [PATCH 0847/1736] tests: add debian & ubuntu test images for autopkgtest. --- Justfile | 6 +++--- dists/docker.sh | 8 ++++++-- tests/cloud-init/common.yml | 10 +++++++++- tests/cloud-init/debian13-test.user-data.yml | 13 +++++++++++++ tests/cloud-init/ubuntu25.10-test.user-data.yml | 13 +++++++++++++ tests/packer/builds.pkr.hcl | 10 +++++----- tests/packer/clean.sh | 3 +-- 7 files changed, 50 insertions(+), 13 deletions(-) create mode 100644 tests/cloud-init/debian13-test.user-data.yml create mode 100644 tests/cloud-init/ubuntu25.10-test.user-data.yml diff --git a/Justfile b/Justfile index 6dd5997d00..1628ee4934 100644 --- a/Justfile +++ b/Justfile @@ -254,8 +254,8 @@ clean: # Build the package in a clean OCI container [group('packages')] -package dist version="": - bash dists/docker.sh {{dist}} {{version}} +package dist version="" flavor="": + bash dists/docker.sh {{dist}} {{version}} {{flavor}} # Build all packages in a clean OCI container [group('packages')] @@ -277,7 +277,7 @@ packages: # Build the VM image [group('vm')] -img dist version flavor: (package dist version) +img dist version flavor: (package dist version flavor) #!/usr/bin/env bash set -eu -o pipefail VERSION="{{version}}" diff --git a/dists/docker.sh b/dists/docker.sh index bcc44b8e0a..fc6a672617 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -16,13 +16,14 @@ readonly PKGNAME=apparmor.d readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp readonly OUTDIR=".pkg" -readonly DISTRIBUTION="${1:-}" +readonly DISTRIBUTION="$1" RELEASE="${2:-}" +FLAVOR="${3:-}" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" [[ "$RELEASE" == "-" ]] && RELEASE="" readonly OUTPUT="$PWD/$OUTDIR/$DISTRIBUTION/$RELEASE" -readonly RELEASE VERSION PACKAGER +readonly RELEASE FLAVOR VERSION PACKAGER _start() { local img="$1" @@ -50,6 +51,9 @@ _exist() { sync() { mkdir -p "$VOLUME" rsync -ra --delete . "$VOLUME/$PKGNAME" + if [[ "$FLAVOR" == "test" ]]; then + sed -i -e "s/just complain/just complain-test/" "$VOLUME/$PKGNAME/debian/rules" + fi } build_in_docker_makepkg() { diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml index 3290fe1c9b..28ce9f1481 100644 --- a/tests/cloud-init/common.yml +++ b/tests/cloud-init/common.yml @@ -39,9 +39,17 @@ systemd-netword: &systemd-netword RouteMetric=10 # Disable printk rate limiting -disable-printk-ratelimit: &ratelimit +disable-printk-ratelimit: &disable-printk-ratelimit path: /etc/sysctl.d/99-ratelimit.conf permissions: "0644" content: | kernel.printk_ratelimit=0 kernel.printk_ratelimit_burst=1000 + +# Autopkgtest setup-testbed script +setup-testbed: &setup-testbed + source: + uri: https://salsa.debian.org/ci-team/autopkgtest/-/raw/master/setup-commands/setup-testbed + path: /usr/bin/setup-testbed + permissions: '0755' + diff --git a/tests/cloud-init/debian13-test.user-data.yml b/tests/cloud-init/debian13-test.user-data.yml new file mode 100644 index 0000000000..e9c27de651 --- /dev/null +++ b/tests/cloud-init/debian13-test.user-data.yml @@ -0,0 +1,13 @@ +#cloud-config + +packages: *core-packages + +runcmd: + - /usr/bin/setup-testbed + - apt-get update + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting + - *setup-testbed # Autopkgtest setup-testbed script diff --git a/tests/cloud-init/ubuntu25.10-test.user-data.yml b/tests/cloud-init/ubuntu25.10-test.user-data.yml new file mode 100644 index 0000000000..e9c27de651 --- /dev/null +++ b/tests/cloud-init/ubuntu25.10-test.user-data.yml @@ -0,0 +1,13 @@ +#cloud-config + +packages: *core-packages + +runcmd: + - /usr/bin/setup-testbed + - apt-get update + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting + - *setup-testbed # Autopkgtest setup-testbed script diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index da8d0e53de..b4ba0c1aee 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -36,10 +36,10 @@ source "qemu" "default" { "user-data" = format("%s\n%s\n%s", templatefile("${path.cwd}/tests/cloud-init/common.yml", { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${regex_replace(local.name, ".", "")}" + username = var.username + password = var.password + ssh_key = file(var.ssh_publickey) + hostname = regex_replace(local.name, "\\.", "") } ), file("${path.cwd}/tests/cloud-init/${regex_replace(local.osinfo, "[0-9.]*$", "")}.yml"), @@ -60,7 +60,7 @@ build { "${path.cwd}/tests/packer/src/", "${path.cwd}/tests/packer/init.sh", "${path.cwd}/tests/packer/clean.sh", - "${path.cwd}/.pkg/", + "${path.cwd}/.pkg/${var.dist}/${var.version}/", ] } diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index de0d8562ab..a31e2b1878 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -51,6 +51,7 @@ clean_apt() { apt-get -y autoremove --purge apt-get -y autoclean apt-get -y clean + apt-get update } clean_pacman() { @@ -70,8 +71,6 @@ impersonalize() { # Remove remaining pkg file, docs and caches dirs=( /var/cache/ - /var/lib/apt - /var/lib/dhcp /var/tmp ) for dir in "${dirs[@]}"; do From 47923c80ac4553040b87928bcd9c7ecdfb21c645 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 14:50:12 +0200 Subject: [PATCH 0848/1736] tests: add autopkgtest script to run the test suite on Debian/Ubuntu vm. --- Justfile | 11 +- tests/autopkgtest/autopkgtest.sh | 90 ++++++ tests/autopkgtest/src-packages | 469 +++++++++++++++++++++++++++++++ 3 files changed, 568 insertions(+), 2 deletions(-) create mode 100644 tests/autopkgtest/autopkgtest.sh create mode 100644 tests/autopkgtest/src-packages diff --git a/Justfile b/Justfile index 1628ee4934..839638d08e 100644 --- a/Justfile +++ b/Justfile @@ -222,7 +222,7 @@ lint: shellcheck --shell=bash \ PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ - debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm + tests/autopkgtest/autopkgtest.sh debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm # Run style checks on the profiles [group('linter')] @@ -250,7 +250,7 @@ clean: debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{pkgdest}}/ubuntu {{pkgdest}}/debian \ {{pkgdest}}/archlinux {{pkgdest}}/opensuse {{pkgdest}}/version \ - {{build}} coverage.out + {{build}} coverage.out .logs/autopkgtest/ # Build the package in a clean OCI container [group('packages')] @@ -409,6 +409,13 @@ tests: @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +# Run the autopkgtest tests +[group('tests')] +autopkgtest osinfo: + @PREFIX='{{prefix}}' VM_DIR='{{vm}}' \ + USER='{{username}}' PASSWORD='{{password}}' SSH_OPT='{{sshopt}}' \ + bash tests/autopkgtest/autopkgtest.sh run {{osinfo}} + # Install dependencies for the integration tests [group('tests')] init: diff --git a/tests/autopkgtest/autopkgtest.sh b/tests/autopkgtest/autopkgtest.sh new file mode 100644 index 0000000000..8e889d8079 --- /dev/null +++ b/tests/autopkgtest/autopkgtest.sh @@ -0,0 +1,90 @@ +#!/usr/bin/env bash +# Run autopkgtest in a VM +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Ubuntu: +# just img ubuntu 25.10 test +# just create ubuntu25.10 test +# just halt ubuntu25.10 test +# just autopkgtest ubuntu25.10 +# +# Debian: +# just img debian 13 test +# just create debian13 test +# just halt debian13 test +# just autopkgtest debian13 + +set -eu -o pipefail + +readonly COMMAND="$1" +readonly OSINFO="$2" +readonly FLAVOR="test" +readonly VERBOSE=${VERBOSE:-0} + +# The maximum the host can handle +readonly CPUS=32 +readonly RAM=76800 +readonly TIMEOUT=1800 + +# As defined in Justfile +readonly PREFIX="$PREFIX" +readonly VM_DIR="$VM_DIR" +readonly USER="$USER" +readonly PASSWORD="$PASSWORD" +readonly SSH_OPT="$SSH_OPT" + +readonly OUTPUT=".logs/autopkgtest/" +readonly VM_PATH="$VM_DIR/${PREFIX}${OSINFO}-${FLAVOR}.qcow2" +readonly PACKAGES_FILE="tests/autopkgtest/src-packages" +readonly reset='\e[0m' red='\e[0;31m' magenta='\e[0;35m' +mapfile -t PACKAGES <"$PACKAGES_FILE" + +_message() { printf '%b%s%b\n' "$magenta" "$*" "$reset" >&2; } +_verbose() { printf '%b>%b %s\n' "$magenta" "$reset" "$*" >&2; } +_log() { printf '%b%s%b\n' "$red" "$*" "$reset" >&2; } + +_run() { + coproc C { unbuffer -p ./tests/autopkgtest/autopkgtest.sh test "$OSINFO" 2>&1; } + CMD_PID=$! + while IFS= read -r line <&"${C[0]}"; do + line="${line%$'\r'}" + if [[ $VERBOSE -eq 0 ]]; then + _verbose "$line" + fi + if [[ $line == "Press Enter to resume running tests." ]]; then + # shellcheck disable=SC2086 + ssh -n $SSH_OPT -p 10022 "$USER@localhost" sudo aa-log --raw | while IFS= read -r log; do + _log "$log" + echo "$log" >>"$OUTPUT/aa-log-$(date +%Y%m%d-%H%M%S)" + done + printf '\n' >&"${C[1]}" # send Enter back over the PTY + fi + done + wait $CMD_PID +} + +_autopkgtest() { + local start_from="abook" + local end_at="xfsprogs" + for pkg in "${PACKAGES[@]}"; do + [[ "$pkg" < "$start_from" ]] && continue + [[ "$pkg" > "$end_at" ]] && break + _message ">>>> Testing package $pkg <<<<" + autopkgtest "$pkg" --shell --timeout=$TIMEOUT \ + -- qemu --cpus=$CPUS --ram-size=$RAM \ + --user="$USER" --password="$PASSWORD" \ + "$VM_PATH" || true + done +} + +main() { + case "$COMMAND" in + run) _run ;; + test) _autopkgtest ;; + *) exit 1 ;; + esac +} + +mkdir -p "$OUTPUT" +main "$@" diff --git a/tests/autopkgtest/src-packages b/tests/autopkgtest/src-packages new file mode 100644 index 0000000000..1eb9d2136d --- /dev/null +++ b/tests/autopkgtest/src-packages @@ -0,0 +1,469 @@ +abook +accountsservice +acpi +acpid +adduser +adequate +akonadi +akonadi-calendar +akonadi-search +alacarte +alsa-utils +amd64-microcode +amule +anacron +android-platform-system-core +android-platform-tools +apparmor +apport +appstream +apt +apt-file +apt-forktracer +apt-listchanges +apt-show-versions +apt-xapian-index +aptdaemon +aptitude +arandr +archivemount +arduino +arduino-builder +arduino-ctags +aspell +at +at-spi2-core +atool +atril +audit +avahi +baloo-kf5 +baobab +base-files +bcron +bind9 +blueman +bluez +bmon +bolt +borgbackup +borgbackup2 +breezy +brltty +btop +btrfs-progs +busybox +calibre +ccze +cheese +cifs-utils +claws-mail +cmus +cockpit +colord +command-not-found +compton +conky +console-setup +containerd +containerd-app +convertall +coreutils +coreutils-from +cpu-checker +cpuid +cracklib2 +cron +cronie +cryptsetup +cups +cups-browsed +cups-filters +cups-pdf +cups-pk-helper +d-conf +dconf +dconf-editor +ddclient +ddcutil +debconf +debian-security-support +debianutils +deborphan +debsecan +debsums +debtags +deja-dup +desktop-file-utils +devscripts +dfc +dh-runit +dhcpcd +dictionaries-common +dino-im +dkms +dleyna +dleyna-renderer +dleyna-server +dlocate +dmidecode +docker.io +docker.io-app +dolphin +dosfstools +dpkg +dput +dput-ng +dunst +e2fsprogs +earlyoom +edid-decode +eject +elinks +engrampa +epiphany-browser +etckeeper +evince +evolution-data-server +exim4 +exo +f3 +fail2ban +fatresize +ffmpeg +ffmpegthumbnailer +file-roller +filezilla +finalrd +firefox +firejail +firewalld +flameshot +flatpak +foliate +font-manager +fontconfig +foomatic-filters +fping +fprintd +fritzing +fuse +fuse-overlayfs +fuse3 +fuseiso +fwupd +fwupd-snap +gajim +gamemode +ganyremote +gcr +gcr4 +gdisk +gdk-pixbuf +gdm3 +geoclue-2.0 +gimp +git +git-buildpackage +git-filter-repo +gitg +gjs +glib-networking +glib2.0 +glibc +gnome-boxes +gnome-browser-connector +gnome-calculator +gnome-calendar +gnome-characters +gnome-clocks +gnome-console +gnome-contacts +gnome-control-center +gnome-disk-utility +gnome-firmware +gnome-font-viewer +gnome-initial-setup +gnome-keyring +gnome-logs +gnome-maps +gnome-music +gnome-online-accounts +gnome-remote-desktop +gnome-session +gnome-settings-daemon +gnome-shell +gnome-shell-extension-desktop-icons-ng +gnome-shell-extension-gsconnect +gnome-shell-extension-manager +gnome-software +gnome-sushi +gnome-system-monitor +gnome-terminal +gnome-text-editor +gnome-tour +gnome-tweaks +gnome-user-share +gnome-weather +gnupg2 +golang-github-containernetworking-plugins +google-android-installers +gpa +gparted +gpodder +grub-legacy-ec2 +grub2 +gsimplecal +gsmartcontrol +gtk+3.0 +gtk4 +gvfs +hardinfo +haveged +hdparm +hexchat +highlight +homebank +hostname +hplip +htop +hugo +hw-probe +hwinfo +i3lock +i3lock-fancy +ibus +ibus-table +iio-sensor-proxy +im-config +imv +init-system-helpers +initramfs-tools +intel-microcode +inxi +ioping +ipcalc +iproute2 +irqbalance +iw +iwd +jackd2 +jekyll +jgmenu +jmtpfs +kanyremote +kbd +kconfig +kde-cli-tools +kded +kdepim-runtime +kdump-tools +keepassxc +kerneloops +kexec-tools +kglobalaccel +kinfocenter +klibc +kmail +kmod +knotes +kodi +konsole +kservice +kwallet-kf5 +kwalletcli +kwalletmanager +kwin +labwc +landscape-client +libcaca +libcap-ng +libebook-tools-perl +libfile-mimeinfo-perl +libgnomekbd +libhugetlbfs +libreoffice +libvirt +libvirt-dbus +light +light-locker +linux +linux-base +lm-sensors +logrotate +loupe +low-memory-monitor +lsb +lsb-release-minimal +lsscsi +lvm2 +lxappearance +lxqt-about +lxqt-config +lxqt-globalkeys +lxqt-notificationd +lxqt-panel +lxqt-powermanagement +lxqt-runner +lxqt-session +lynx +macchanger +makedumpfile +man-db +mate-notification-daemon +mdadm +mdevctl +mediainfo +merkaartor +mesa-demos +metadata-cleaner +minitube +mkcert +mkvtoolnix +modemmanager +molly-guard +monitorix +mono +mousepad +mpd +mpv +msr-tools +mtools +mtr +multipath-tools +mumble +mutt +mutter +nautilus +nautilus-dropbox +needrestart +nemo +net-tools +netplan.io +network-manager +network-manager-openvpn +networkd-dispatcher +nfs-utils +nftables +nmap +ntfs-3g +numlockx +nvidia-graphics-drivers-470 +nvidia-graphics-drivers-470-server +nvidia-graphics-drivers-535 +nvidia-graphics-drivers-535-server +nvidia-graphics-drivers-550 +nvidia-graphics-drivers-550-server +nvidia-graphics-drivers-565-server +nvidia-graphics-drivers-570 +nvidia-graphics-drivers-570-server +nvidia-graphics-drivers-575 +nvidia-graphics-drivers-575-server +nvidia-settings +nvtop +obconf +obexfs +obexftp +obexpushd +okular +open-iscsi +openbox +opensc +openssh +openvpn +orage +os-prober +packagekit +pam +parted +password-store +pavucontrol +pciutils +pcsc-lite +picom +pinentry +pipewire +pkgbinarymangler +plank +plasma-browser-integration +plasma-desktop +plasma-disks +plasma-workspace +plocate +plymouth +policykit-1 +policykit-1-gnome +pollinate +poppler +popularity-contest +power-profiles-daemon +powerdevil +powermgmt-base +procps +psi +psi-plus +psmisc +pulseaudio +pulseeffects +python3-defaults +qbittorrent +qemu +qnapi +qpdfview +qt5ct +qt6-tools +qtchooser +qtox +qttools-opensource-src +quiterss +reboot-notifier +reiserfsprogs +remmina +repo +reportbug +reprepro +ristretto +rng-tools-debian +rng-tools5 +rpcbind +rpi-imager +rsyslog +rtkit +rust-gping +s3fs-fuse +samba +scrcpy +scrot +sdcv +sddm +seahorse +session-migration +shadow +shim-signed +simple-scan +slirp4netns +smartmontools +smplayer +smtube +snapd +sysstat +system-config-printer +systemd +systemd-cron +sysvinit +telepathy-mission-control-5 +texinfo +thin-provisioning-tools +ubuntu-advantage-tools +ubuntu-drivers-common +ubuntu-fan +ubuntu-release-upgrader +unattended-upgrades +update-manager +update-notifier +usbutils +util-linux +wireless-tools +wireshark +x11-xserver-utils +xfsprogs From 9398abb5b115d3e829baa6dd00da4c70f1c30047 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 18:11:03 +0200 Subject: [PATCH 0849/1736] tests: remove apparmor from autopkgtest as it remove the profiles. --- tests/autopkgtest/src-packages | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/autopkgtest/src-packages b/tests/autopkgtest/src-packages index 1eb9d2136d..22963b3cfa 100644 --- a/tests/autopkgtest/src-packages +++ b/tests/autopkgtest/src-packages @@ -14,7 +14,6 @@ amule anacron android-platform-system-core android-platform-tools -apparmor apport appstream apt From 88892efee29a283a1b63aa5e08f7d8a50fe6be03 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 18:16:09 +0200 Subject: [PATCH 0850/1736] chore: minor cosmetic on tests structure. --- .gitignore | 5 +++++ .gitlab-ci.yml | 6 +++--- tests/packer/init.sh | 4 ++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 077d62cbf2..e7519a2946 100644 --- a/.gitignore +++ b/.gitignore @@ -2,10 +2,15 @@ .build .logs .pkg +.snapd +/snap +snapd.backup tests/tldr tests/tldr.tar.gz +tests/bats_dirty # mkdocs +__pycache__ .cache public site diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c041c39a6d..2ecc60425b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -25,6 +25,7 @@ bash: - shellcheck --shell=bash PKGBUILD dists/build.sh dists/docker.sh tests/check.sh tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh + tests/autopkgtest/autopkgtest.sh golangci-lint: stage: lint @@ -38,9 +39,8 @@ packer: name: hashicorp/packer:latest entrypoint: [""] script: - - cd tests && - packer fmt --check packer/ && - packer validate --syntax-only packer/ + - packer fmt tests/packer/ + - packer validate --syntax-only tests/packer/ sast: stage: lint diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 8506a44178..225b1c2410 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -21,7 +21,7 @@ main() { case "$ID" in arch) - rm -f $SRC/*.sig # Ignore signature files + rm -f $SRC/*.sig # Ignore signature files rm -f $SRC/*enforced* # Ignore enforced package pacman --noconfirm -U $SRC/*.pkg.tar.zst || true ;; @@ -30,7 +30,7 @@ main() { if [[ $VERSION_ID == "24.04" || $VERSION_ID == 12 ]]; then apt-get purge -y just || true sudo -u "$SUDO_USER" pipx install rust-just - sudo -u "$SUDO_USER" pipx ensurepath + sudo -u "$SUDO_USER" pipx ensurepath fi dpkg -i $SRC/*.deb || true ;; From fb1415e5e6dd65bff5cc8c5109062cdd1654e949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 18:30:55 +0200 Subject: [PATCH 0851/1736] tests: add command to report autopkgtest logs and rules. --- Justfile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Justfile b/Justfile index 839638d08e..6f776c5720 100644 --- a/Justfile +++ b/Justfile @@ -416,6 +416,20 @@ autopkgtest osinfo: USER='{{username}}' PASSWORD='{{password}}' SSH_OPT='{{sshopt}}' \ bash tests/autopkgtest/autopkgtest.sh run {{osinfo}} +_autopkgtest-log-merge: + @mkdir -p .logs/autopkgtest + @cat .logs/autopkgtest/aa-log-* > .logs/autopkgtest/merged.log + +# Report all collected logs +[group('tests')] +autopkgtest-log: (_autopkgtest-log-merge) + @aa-log --file .logs/autopkgtest/merged.log + +# Report all generated rules +[group('tests')] +autopkgtest-rules: (_autopkgtest-log-merge) + @aa-log --rules --file .logs/autopkgtest/merged.log + # Install dependencies for the integration tests [group('tests')] init: From 9b69a0f24ca07931d747de9d296b7d1058b5781e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 19:06:46 +0200 Subject: [PATCH 0852/1736] feat(profile): add ldd_path and more autopkgtest integration. --- apparmor.d/groups/apt/apt-forktracer | 6 ++++-- apparmor.d/groups/apt/dpkg | 6 ++++++ apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/shadow/chpasswd | 2 ++ apparmor.d/groups/shadow/usermod | 2 ++ apparmor.d/groups/steam/steam | 3 +-- apparmor.d/profiles-a-f/adduser | 4 +++- apparmor.d/profiles-a-f/adequate | 6 ++---- apparmor.d/profiles-a-f/archivemount | 9 +++++++-- apparmor.d/profiles-a-f/atd | 5 +++++ apparmor.d/profiles-a-f/calibre | 4 ++-- apparmor.d/profiles-a-f/deluser | 7 +++++-- apparmor.d/profiles-a-f/finalrd | 6 +++--- apparmor.d/profiles-m-r/initramfs-hooks | 7 ++++--- apparmor.d/profiles-m-r/initramfs-scripts | 6 ++---- apparmor.d/profiles-m-r/mkinitramfs | 9 +++------ apparmor.d/tunables/multiarch.d/paths | 6 ++++++ 17 files changed, 58 insertions(+), 32 deletions(-) diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 3eec09d60b..77046ff2d2 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -16,8 +16,10 @@ profile apt-forktracer @{exec_path} { @{exec_path} mr, @{bin}/ r, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/apt-cache rPx, + @{sh_path} rix, + @{bin}/apt-cache rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/lsb_release rPx, /usr/share/apt-forktracer/{,**} r, /usr/share/distro-info/debian.csv r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 986c6f1880..0f61cdc2c4 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -31,8 +31,11 @@ profile dpkg @{exec_path} { @{bin}/rm ix, @{bin}/dpkg-deb px, + @{bin}/dpkg-divert px, + @{bin}/dpkg-maintscript-helper px @{bin}/dpkg-query px, @{bin}/dpkg-split px, + @{bin}/dpkg-trigger px, @{bin}/systemctl Cx -> systemctl, @{lib}/needrestart/dpkg-status Px, @{pager_path} Px -> child-pager, @@ -66,6 +69,9 @@ profile dpkg @{exec_path} { owner /dev/tty@{int} rw, + #aa:only test + /tmp/tmp@{word8}tmp/{,**} rwlk, + profile systemctl { include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 8551f99b8c..83394a5e34 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -44,7 +44,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, - @{lib}/@{multiarch}/ld-linux-*.so* rix, + @{ldd_path} rix, /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/groups/shadow/chpasswd index 5e84f31b47..5554f68ebb 100644 --- a/apparmor.d/groups/shadow/chpasswd +++ b/apparmor.d/groups/shadow/chpasswd @@ -23,6 +23,8 @@ profile chpasswd @{exec_path} { @{exec_path} mr, + @{bin}/cat ix, + @{etc_ro}/login.defs r, /etc/.pwd.lock wk, diff --git a/apparmor.d/groups/shadow/usermod b/apparmor.d/groups/shadow/usermod index b59260a259..aa3fc1ce8c 100644 --- a/apparmor.d/groups/shadow/usermod +++ b/apparmor.d/groups/shadow/usermod @@ -26,6 +26,8 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} r, + @{bin}/cat rix, @{bin}/nscd rix, @{etc_ro}/login.defs r, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 36b725c549..f9fcc05291 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -76,13 +76,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/lsof rix, @{bin}/lspci rCx -> lspci, @{bin}/tar rix, + @{ldd_path} rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @{bin}/xdg-user-dir rix, @{bin}/xz rix, @{bin}/zenity rix, - @{lib}/@{multiarch}/ld-*.so* rix, - @{lib}/ld-linux.so* rix, @{lib_dirs}/** mr, @{lib_dirs}/*driverquery rix, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 039518b51d..f1c5ce3772 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -32,10 +32,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, + @{bin}/ecryptfs-setup-private rPUx, @{bin}/gpasswd rPx, + @{bin}/passwd rPx, + @{bin}/umount rPx, @{sbin}/groupadd rPx, @{sbin}/groupdel rPx, - @{bin}/passwd rPx, @{sbin}/useradd rPx, @{sbin}/userdel rPx, @{sbin}/usermod rPx, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 7025f97877..9ff0b4f777 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -21,7 +21,7 @@ profile adequate @{exec_path} flags=(complain) { @{sbin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. - @{bin}/ldd rCx -> ldd, + @{ldd_path} rCx -> ldd, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -50,7 +50,7 @@ profile adequate @{exec_path} flags=(complain) { include include - @{bin}/ldd mr, + @{ldd_path} mrix, @{bin}/* mr, /usr/games/* mr, @@ -59,8 +59,6 @@ profile adequate @{exec_path} flags=(complain) { /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, - @{lib}/@{multiarch}/ld-*.so rix, - include if exists } diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index d445df0e28..9a4983c3c8 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -24,12 +24,17 @@ profile archivemount @{exec_path} { owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, + #aa:only test + mount fstype=fuse.archivemount options=(rw nodev nosuid) archivemount -> /tmp/tmp.@{rand10}/{,**}, + /tmp/tmp.@{rand10}/{,**} rw, + /dev/fuse rw, + profile fusermount { include include - mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/, - mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.archivemount} options=(rw nodev nosuid) archivemount -> @{HOME}/*/, + mount fstype={fuse,fuse.archivemount} options=(rw nodev nosuid) archivemount -> @{HOME}/*/*/, umount @{HOME}/*/, umount @{HOME}/*/*/, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 783d210fb1..373c39209e 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -20,6 +20,8 @@ profile atd @{exec_path} { capability setuid, capability sys_resource, + network (create receive send) netlink raw, + signal receive set=hup peer=at, ptrace read peer=unconfined, @@ -43,6 +45,9 @@ profile atd @{exec_path} { @{PROC}/1/limits r, @{PROC}/loadavg r, + #aa:only test + /tmp/tmp.@{rand10}/{,**} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 281d157183..bf1f8fc02a 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -49,6 +49,7 @@ profile calibre @{exec_path} { @{python_path} rix, @{bin}/env r, @{bin}/file rix, + @{bin}/jpegtran rix, @{bin}/uname rix, @{sbin}/ldconfig{,.real} rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @@ -92,8 +93,7 @@ profile calibre @{exec_path} { owner @{tmp}/@{rand8} rw, audit owner @{tmp}/@{int}-*/ rw, audit owner @{tmp}/@{int}-*/** rwl, - audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, - audit owner @{tmp}/calibre-@{rand8}/{,**} rw, + owner @{tmp}/calibre-@{word8}/{,**} rw, owner /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 3f749a24b8..7a2df74559 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -14,12 +14,15 @@ profile deluser @{exec_path} { include include - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability sys_admin, @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, + @{bin}/logger rix, @{bin}/crontab rPx, @{bin}/gpasswd rPx, @{sbin}/groupdel rPx, @@ -37,7 +40,7 @@ profile deluser @{exec_path} { # for matches. This also includes files required by the "--remove-home" flag as well as the # "--backup" and --backup-to flags. / r, - /** rw, + /** rwk, profile mount { include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index 7ce69ab643..e9960b86ae 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -37,9 +37,8 @@ profile finalrd @{exec_path} { @{bin}/touch ix, @{sbin}/ldconfig{,.real} ix, - @{bin}/ldd Cx -> ldd, + @{ldd_path} Cx -> ldd, @{bin}/systemd-tmpfiles Px, - @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd, @{lib}/systemd/systemd-shutdown Px, /usr/share/finalrd/*.finalrd ix, @@ -69,9 +68,10 @@ profile finalrd @{exec_path} { include include + @{ldd_path} mrix, + @{bin}/* mr, @{sbin}/* mr, - @{lib}/@{multiarch}/ld-linux-*so* mrix, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index c3c2c9f4dc..ebaacb59a6 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -21,7 +21,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/dpkg Px, @{bin}/fc-cache ix, @{bin}/ischroot Px, - @{bin}/ldd Cx -> ldd, + @{ldd_path} Cx -> ldd, @{bin}/plymouth Px, @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @@ -83,11 +83,12 @@ profile initramfs-hooks @{exec_path} { include include + @{ldd_path} mrix, + @{bin}/* mr, @{sbin}/* mr, - @{lib}/@{multiarch}/ld-linux-*so* mrix, - @{lib}/ld-linux.so* mr, + /usr/share/brltty/initramfs/brltty.sh r, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index d280c145ab..1ef4336ab8 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -19,7 +19,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/dd ix, @{bin}/debconf-escape Px, @{bin}/ischroot Px, - @{bin}/ldd Cx -> ldd, + @{ldd_path} Cx -> ldd, @{bin}/plymouth Px, @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @@ -43,9 +43,7 @@ profile initramfs-scripts @{exec_path} { include include - @{bin}/ldd mr, - @{lib}/@{multiarch}/ld-linux-*so* mrix, - @{lib}/ld-linux.so* mr, + @{ldd_path} mrix, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 065adf1940..b216861fdc 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -62,9 +62,7 @@ profile mkinitramfs @{exec_path} { @{bin}/kmod rCx -> kmod, @{sbin}/ldconfig rCx -> ldconfig, - @{bin}/ldd rCx -> ldd, - @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, - @{lib}/ld-linux.so* rCx -> ldd, + @{ldd_path} rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, @@ -136,9 +134,8 @@ profile mkinitramfs @{exec_path} { include include - @{sh_path} rix, - @{lib}/@{multiarch}/ld-*.so* rix, - @{lib}/ld-*.so{,.2} rix, + @{ldd_path} mrix, + @{sh_path} rix, @{bin}/* mr, @{sbin}/* mr, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index dc793e27d3..ec6c07f543 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -18,6 +18,12 @@ # Python interpreters @{python_path} = @{bin}/@{python_name} +# ldd (List Dynamic Dependencies) and dynamic linker/loader +@{ldd_path} = @{bin}/ldd +@{ldd_path} += @{lib}/ld-linux-@{arch}.so{,.*} +@{ldd_path} += @{lib}/@{multiarch}/ld-linux-@{arch}.so{,.*} + + # Browsers @{brave_path} = @{brave_lib_dirs}/@{brave_name} @{chrome_path} = @{opera_lib_dirs}/@{chrome_name} From 151e729ecbd5ec5de2a7f5d529f0beed52ff7a07 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 20:22:57 +0200 Subject: [PATCH 0853/1736] feat(profile): initial integration of rules raised during autopkgtest - add some tests only paths - add missing rules raised by tests preliminary work before #888 get merged. We aim to get an idea of the rules missing and raised by the tests. Despite autopkgtest tests raising thousands of logs, most of them are tests specific and we seems to be quite good in term of missing rules. --- apparmor.d/abstractions/apt | 2 ++ .../bus/org.freedesktop.PolicyKit1 | 5 +++++ apparmor.d/abstractions/common/systemd | 3 --- apparmor.d/abstractions/python.d/complete | 6 +++++- apparmor.d/groups/apt/apt-methods-file | 2 ++ apparmor.d/groups/apt/dpkg-divert | 4 ++++ apparmor.d/groups/apt/dpkg-maintscript-helper | 19 +++++++++++++++---- apparmor.d/groups/apt/dpkg-preconfigure | 7 ++++--- apparmor.d/groups/apt/dpkg-split | 3 +++ apparmor.d/groups/flatpak/flatpak | 2 -- apparmor.d/groups/gnome/gjs | 4 ++-- apparmor.d/groups/gpg/gpg | 8 ++++++++ apparmor.d/groups/gpg/gpg-connect-agent | 1 + apparmor.d/groups/shadow/chage | 2 +- apparmor.d/groups/shadow/gpasswd | 2 +- apparmor.d/groups/shadow/groupadd | 2 +- apparmor.d/groups/shadow/passwd | 2 +- apparmor.d/groups/shadow/useradd | 2 +- apparmor.d/groups/systemd/systemd-userdbd | 2 +- apparmor.d/groups/utils/sulogin | 4 ++++ apparmor.d/profiles-a-f/adb | 1 + apparmor.d/profiles-a-f/adduser | 10 +++++++--- apparmor.d/profiles-a-f/archivemount | 7 +++++++ apparmor.d/profiles-a-f/borg | 10 ++++++++++ apparmor.d/profiles-a-f/fusermount | 3 ++- apparmor.d/profiles-g-l/ip | 6 ++++-- apparmor.d/profiles-m-r/pycompile | 15 +++++++-------- 27 files changed, 99 insertions(+), 35 deletions(-) diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/apt index 109faed573..7d19e2aa0c 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/apt @@ -36,6 +36,8 @@ owner @{tmp}/clearsigned.message.* rw, #aa:only test + /tmp/@{rand10}/ rw, + /tmp/@{rand10}/** rwlkmix, /tmp/tmp.@{word10}/ rw, /tmp/tmp.@{word10}/** rwlkmix, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 2a4e8c1e55..a37efccf33 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -13,6 +13,11 @@ member=Changed peer=(name="@{busname}", label="@{p_polkitd}"), + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member={CheckAuthorization,CancelCheckAuthorization} diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 9540d98943..f4a10076ef 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -21,9 +21,6 @@ /dev/kmsg w, - #aa:only test - /tmp/test-*/{,**} rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index e9b1f8c207..c49b49a85b 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -6,7 +6,7 @@ @{bin}/ r, @{python_path} mr, - owner @{user_lib_dirs}/@{python_name}/ r, + @{user_lib_dirs}/@{python_name}/ r, owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr, owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r, @@ -17,4 +17,8 @@ deny @{lib}/@{python_name}/{,**/}__pycache__/ w, deny @{lib}/@{python_name}/{,**/}__pycache__/**.pyc.@{u64} w, + #aa:only test + owner /tmp/pytest-of-user/ rw, + owner /tmp/pytest-of-user/** rwlk, + # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 6796a75630..f4cdb684fa 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -14,6 +14,8 @@ profile apt-methods-file @{exec_path} { include include + capability dac_read_search, + # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is # used by APT to download packages, package list, and other things using APT methods as an diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index e2d386804f..b0c288295e 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -14,6 +14,10 @@ profile dpkg-divert @{exec_path} { @{exec_path} mr, + @{bin}/* rw, + @{sbin}/* rw, + @{lib}/* rw, + /var/lib/dpkg/** r, /usr/share/*/** rw, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index aa9232c737..ed8073bb8b 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -11,11 +11,22 @@ profile dpkg-maintscript-helper @{exec_path} { include include - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, - @{bin}/basename rix, - @{bin}/dpkg rCx -> dpkg, + @{bin}/basename ix, + @{bin}/dirname ix, + @{bin}/dpkg Cx -> dpkg, + @{bin}/dpkg-query Cx -> dpkg, + @{bin}/find ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mv ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/rmdir ix, + @{bin}/touch ix, + @{bin}/xargs ix, /usr/share/dpkg/sh/* r, @@ -27,7 +38,7 @@ profile dpkg-maintscript-helper @{exec_path} { capability dac_read_search, @{bin}/dpkg mr, - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query mrpx, /etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg.d/{,*} r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index a87f5371a4..d144f28de5 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -64,10 +64,11 @@ profile dpkg-preconfigure @{exec_path} { /var/cache/debconf/tmp.ci/ w, + /var/cache/debconf/*.dat r, + /var/cache/debconf/tmp.ci/ r, /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, - owner /var/cache/debconf/tmp.ci/ r, owner /var/cache/debconf/tmp.ci/* rix, owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w, @@ -75,8 +76,8 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, + owner @{tmp}/*.template.* rw, + priority=1 owner @{tmp}/*.config.* rwPUx, @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index e307e9867b..494b80fa62 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -29,6 +29,9 @@ profile dpkg-split @{exec_path} { @{user_pkg_dirs}/** r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + #aa:only test + /tmp/@{rand10}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 939650d82d..88c516a150 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -153,7 +153,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:only test mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) revokefs-fuse -> /tmp/test-flatpak-*/**, - /tmp/test-flatpak-@{rand6}/{,**} rw, profile gpg { include @@ -192,7 +191,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:only test mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) revokefs-fuse -> /tmp/test-flatpak.*/**, umount /tmp/test-flatpak-@{rand6}/**, - /tmp/test-flatpak-@{rand6}/{,**} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 156acf9768..8fa32d2baf 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -94,8 +94,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, - owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw, - owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/gjs_repl_history rw, + owner @{user_cache_dirs}/gjs_repl_history-@{int}.tmp rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 40c23b6609..dac44d5dfc 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -68,15 +68,23 @@ profile gpg @{exec_path} { owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + #aa:only ubuntu + /tmp/ubuntu-release-upgrader-@{rand8}/*.tar.gz rw, + /tmp/ubuntu-release-upgrader-@{rand8}/*.tar.gz.gpg rw, + owner /tmp/@{int}@{int} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent rw, owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, + #aa:only test + /tmp/gpg.*/{,**} rwlk, + include if exists } diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index ebea13b56e..29773f27dc 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -20,6 +20,7 @@ profile gpg-connect-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent rw, owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, diff --git a/apparmor.d/groups/shadow/chage b/apparmor.d/groups/shadow/chage index 43f34a7033..7c8b834866 100644 --- a/apparmor.d/groups/shadow/chage +++ b/apparmor.d/groups/shadow/chage @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/chage -profile chage @{exec_path} { +profile chage @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/shadow/gpasswd b/apparmor.d/groups/shadow/gpasswd index ab2d21860a..149c29b559 100644 --- a/apparmor.d/groups/shadow/gpasswd +++ b/apparmor.d/groups/shadow/gpasswd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/gpasswd -profile gpasswd @{exec_path} { +profile gpasswd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/shadow/groupadd b/apparmor.d/groups/shadow/groupadd index 2d135007a0..5443285958 100644 --- a/apparmor.d/groups/shadow/groupadd +++ b/apparmor.d/groups/shadow/groupadd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{sbin}/groupadd -profile groupadd @{exec_path} { +profile groupadd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/shadow/passwd b/apparmor.d/groups/shadow/passwd index 9d81c0bea9..052ea9961a 100644 --- a/apparmor.d/groups/shadow/passwd +++ b/apparmor.d/groups/shadow/passwd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/passwd -profile passwd @{exec_path} { +profile passwd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/groups/shadow/useradd index b10487cf23..9fadae46df 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{sbin}/useradd -profile useradd @{exec_path} { +profile useradd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 47c0808721..dcee5f38a4 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -37,7 +37,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, - @{run}/userdb/ r, + @{run}/userdb/{,**} rw, @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/cpu r, diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/groups/utils/sulogin index 2af869dab0..bdd86740fe 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -25,6 +25,10 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, + /dev/ r, + /dev/hvc@{int} rw, + /dev/ttyS@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb index 3affe4e7a8..4769d4f0b3 100644 --- a/apparmor.d/profiles-a-f/adb +++ b/apparmor.d/profiles-a-f/adb @@ -31,6 +31,7 @@ profile adb @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.android/ rw, owner @{HOME}/.android/adb.@{int} rw, owner @{HOME}/.android/adbkey rw, + owner @{HOME}/.android/adbkey.pub rw, include if exists } diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index f1c5ce3772..7cc2c85ddb 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{sbin}/adduser -profile adduser @{exec_path} { +profile adduser @{exec_path} flags=(attach_disconnected) { include include include @@ -43,15 +43,19 @@ profile adduser @{exec_path} { @{sbin}/usermod rPx, /etc/{group,passwd,shadow} r, + /etc/adduser-*.conf r, + /etc/adduser-pool.d/{,**} r, /etc/adduser.conf r, - /etc/skel/{,.*} r, + /etc/skel/{,**} r, # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.* w, + @{HOME}/* w, + @{HOME}/**/.Private/* rw, /var/lib/*/{,*} rw, @{run}/adduser wk, + @{run}/userdb/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index 9a4983c3c8..003999d98b 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -33,6 +33,10 @@ profile archivemount @{exec_path} { include include + capability setuid, + + unix type=stream peer=(label=archivemount), + mount fstype={fuse,fuse.archivemount} options=(rw nodev nosuid) archivemount -> @{HOME}/*/, mount fstype={fuse,fuse.archivemount} options=(rw nodev nosuid) archivemount -> @{HOME}/*/*/, @@ -42,6 +46,9 @@ profile archivemount @{exec_path} { /**.{tar,tar.gz,zip} r, /**.{TAR,TAR.GZ,ZIP} r, + #aa:only test + mount fstype=fuse.archivemount options=(rw nodev nosuid) archivemount -> /tmp/tmp.@{rand10}/**, + include if exists } diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 171d2ce12b..e2f055abcb 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -40,6 +40,8 @@ profile borg @{exec_path} { @{bin}/pass rPx, @{bin}/ssh rPx, + /usr/share/iproute2/group r, + # Dirs that can be backed up / r, /etc/{,**} r, @@ -73,13 +75,16 @@ profile borg @{exec_path} { owner /var/tmp/tmp*/file rw, owner /var/tmp/tmp*/idx rw, + @{PROC}/sys/fs/pipe-max-size r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, /dev/fuse rw, #aa:only test + mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/autopkgtest.@{rand6}/**, mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/tmp@{word8}/**, + owner /tmp/tmp@{word8}/{,**} rwlk, profile ccache { include @@ -101,6 +106,10 @@ profile borg @{exec_path} { include include + capability setuid, + + unix type=stream peer=(label=borg), + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, @@ -111,6 +120,7 @@ profile borg @{exec_path} { @{MOUNTS}/*/ r, #aa:only test + mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/autopkgtest.@{rand6}/**, mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/tmp@{word8}/**, include if exists diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index a3eb86d143..070b4f7d79 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -49,9 +49,10 @@ profile fusermount @{exec_path} { @{run}/user/@{uid}/doc/ r, #aa:only test - mount fstype=fuse options=(nodev, nosuid, ro) borgfs -> /tmp/pytest-of-ubuntu/**, mount /tmp/tmp@{word8}/, mount fstype=(fuse fuse.*) /tmp/autopkgtest.*/** -> /tmp/autopkgtest.*/**, + mount fstype=fuse options=(ro nodev nosuid) borgfs -> /tmp/pytest-of-ubuntu/**, + mount fstype=fuse options=(ro nodev nosuid) borgfs -> /tmp/tmp@{word8}/, umount /tmp/tmp@{word8}/, umount /tmp/autopkgtest.*/**, /tmp/tmp@{word8}/ rw, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 0a27c4b593..ade5f51719 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -34,8 +34,10 @@ profile ip @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, # To run command with 'ip netns exec' - @{shells_path} rUx, - @{bin}/sudo rPx, + @{shells_path} rUx, + @{bin}/firewall-cmd rPx, + @{bin}/sudo rPx, + @{sbin}/firewalld rPx, @{att}/ r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index e695f2109d..47bee4997c 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -22,16 +22,15 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - priority=1 @{lib}/@{python_name}/**/__pycache__/ w, - priority=1 @{lib}/@{python_name}/**/__pycache__/*.pyc w, - priority=1 @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, + priority=1 @{lib}/**/__pycache__/ w, + priority=1 @{lib}/**/__pycache__/*.pyc w, + priority=1 @{lib}/**/__pycache__/*.pyc.* w, - /usr/share/glib-2.0/{,**} r, - /usr/share/glib-2.0/**/__pycache__/ w, - /usr/share/glib-2.0/**/__pycache__/*.pyc w, - /usr/share/glib-2.0/**/__pycache__/*.pyc.* w, + /usr/share/**/__pycache__/ w, + /usr/share/**/__pycache__/*.pyc w, + /usr/share/**/__pycache__/*.pyc.* w, - /usr/share/python3/{,**} r, + /usr/share/**.py r, / r, @{bin}/ r, From 5ea903319714c62bf832eaaf40f7f9cb9a99ffe3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 21:00:47 +0200 Subject: [PATCH 0854/1736] feat(abs): move all core test only path to the test abs. --- apparmor.d/abstractions/base-strict | 15 +------- apparmor.d/abstractions/gstreamer-registry | 2 +- apparmor.d/abstractions/tests | 42 ++++++++++++++++++++++ apparmor.d/groups/apt/dpkg | 2 +- apparmor.d/profiles-a-f/atd | 2 +- 5 files changed, 46 insertions(+), 17 deletions(-) create mode 100644 apparmor.d/abstractions/tests diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 361a772ae3..cfe87a0405 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -23,6 +23,7 @@ include include include + include #aa:only test # Allow us to signal ourselves signal peer=@{profile_name}, @@ -128,20 +129,6 @@ # StackGuard, FormatGuard, etc., alerts can be properly logged. /dev/log w, - #aa:only test - @{lib}/installed-tests/ r, - @{lib}/installed-tests/** rw, - /usr/share/installed-tests/{,**} r, - owner /m-a/{,**} rw, - owner /test-dir/{,**} rw, - owner /test-path/{,**} rw, - owner /test-symlink/{,**} rw, - owner /test/{,**} rw, - owner /trigger{,s}/{,**} rw, - /tmp/autopkgtest* rwlkmix, - /tmp/autopkgtest*/ rw, - /tmp/autopkgtest*/** rwlkmix, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gstreamer-registry b/apparmor.d/abstractions/gstreamer-registry index 9606d7e1d8..fe0b9955b2 100644 --- a/apparmor.d/abstractions/gstreamer-registry +++ b/apparmor.d/abstractions/gstreamer-registry @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Plugin registry cache for the multimedia framework GStreamer. -# It stores metadata about all the GStreamer plugins available on the system, +# It stores metadata about all the GStreamer plugins available on the system, # including their types, capabilities, and locations. # It is usually needed by application calling GStreamer libraries. diff --git a/apparmor.d/abstractions/tests b/apparmor.d/abstractions/tests new file mode 100644 index 0000000000..257fc7e4a4 --- /dev/null +++ b/apparmor.d/abstractions/tests @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Common temporary tests directories used by autopkgtest. +# +# Do not use it manually, It is automatically included in the base abstraction +# when the 'test' prebuild flag is set. + + abi , + + # @{exec_path}.distrib mrix, + + @{lib}/installed-tests/ r, + @{lib}/installed-tests/** rw, + + /usr/share/installed-tests/{,**} r, + + owner /m-a/{,**} rwlk, + + owner /test-dir/{,**} rw, + owner /test-path/{,**} rw, + owner /test-symlink/{,**} rw, + owner /test/{,**} rw, + + owner /trigger{,s}/{,**} rw, + + /tmp/autopkgtest* rwlkmix, + /tmp/autopkgtest*/ rw, + /tmp/autopkgtest*/** rwlkmix, + + /tmp/shunit.@{rand6}/ rw, + /tmp/shunit.@{rand6}/** rwlk, + + /tmp/test*/ rw, + /tmp/test*/** rwlk, + + owner /tmp/g-r-d-tests-*/{,**} rwlk, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 0f61cdc2c4..0e46650bd7 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -32,7 +32,7 @@ profile dpkg @{exec_path} { @{bin}/dpkg-deb px, @{bin}/dpkg-divert px, - @{bin}/dpkg-maintscript-helper px + @{bin}/dpkg-maintscript-helper px, @{bin}/dpkg-query px, @{bin}/dpkg-split px, @{bin}/dpkg-trigger px, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 373c39209e..a1c0671e49 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -20,7 +20,7 @@ profile atd @{exec_path} { capability setuid, capability sys_resource, - network (create receive send) netlink raw, + network (create receive send) netlink raw, signal receive set=hup peer=at, From 201e0c141044df2ba76a8183bcb226069829ff29 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Oct 2025 21:06:33 +0200 Subject: [PATCH 0855/1736] fix(build): add missing variable in default profile header. --- pkg/aa/apparmor.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 94e232c810..c1d011c008 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -79,6 +79,7 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "user", Values: []string{"[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}"}, Define: true}, &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true}, &Variable{Name: "w", Values: []string{"[a-zA-Z0-9_]"}, Define: true}, + &Variable{Name: "word", Values: []string{"@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}"}, Define: true}, }, } } From 5566787b60625a2c3bef9a81f58b78ddf522eb3d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 00:59:07 +0200 Subject: [PATCH 0856/1736] fix(profile): few issues raised by ci testing --- apparmor.d/abstractions/bus-system | 1 + apparmor.d/groups/apt/debconf-escape | 1 + apparmor.d/groups/apt/dpkg-scripts | 8 ++++---- apparmor.d/groups/snap/snapd-apparmor | 2 ++ apparmor.d/profiles-m-r/initramfs-hooks | 2 ++ apparmor.d/profiles-m-r/pycompile | 13 +++++++------ apparmor.d/tunables/multiarch.d/system | 2 +- 7 files changed, 18 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index b68b6159df..ba71cf7a27 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -11,6 +11,7 @@ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{run}/dbus/system_bus_socket rw, @{att}@{run}/dbus/system_bus_socket rw, include if exists diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape index c64401bb07..8ec6340259 100644 --- a/apparmor.d/groups/apt/debconf-escape +++ b/apparmor.d/groups/apt/debconf-escape @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/debconf-escape profile debconf-escape @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 6d8ad4bc73..5ece130593 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -52,9 +52,9 @@ profile dpkg-scripts @{exec_path} { #aa:lint ignore=too-wide # Maintainer scripts can legitimately start/restart anything # PU is only used as a safety fallback. - @{bin}/** mPUx, - @{sbin}/** mPUx, - @{lib}/** mPUx, + @{bin}/** mrPUx, + @{sbin}/** mrPUx, + @{lib}/** mrPUx, /etc/** PUx, /usr/share/** PUx, @@ -66,7 +66,7 @@ profile dpkg-scripts @{exec_path} { @{bin}/* w, @{sbin}/ r, @{sbin}/* w, - @{lib}/ r, + @{lib}/ rw, @{lib}/** wl -> @{lib}/**, /opt/*/** rw, diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 47b939fa0e..42bcb2b5ac 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -12,6 +12,8 @@ include profile snapd-apparmor @{exec_path} { include + capability dac_read_search, + @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index ebaacb59a6..2bf531ef64 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -87,6 +87,8 @@ profile initramfs-hooks @{exec_path} { @{bin}/* mr, @{sbin}/* mr, + @{lib}/initramfs-tools/** mr, + @{lib}/udev/** mr, /usr/share/brltty/initramfs/brltty.sh r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 47bee4997c..abcd8933f0 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -22,14 +22,15 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - priority=1 @{lib}/**/__pycache__/ w, - priority=1 @{lib}/**/__pycache__/*.pyc w, - priority=1 @{lib}/**/__pycache__/*.pyc.* w, + priority=1 @{lib}/**/__pycache__/ rw, + priority=1 @{lib}/**/__pycache__/*.pyc rw, + priority=1 @{lib}/**/__pycache__/*.pyc.* rw, - /usr/share/**/__pycache__/ w, - /usr/share/**/__pycache__/*.pyc w, - /usr/share/**/__pycache__/*.pyc.* w, + /usr/share/**/__pycache__/ rw, + /usr/share/**/__pycache__/*.pyc rw, + /usr/share/**/__pycache__/*.pyc.* rw, + /usr/share/@{python_name}/{,**} r, /usr/share/**.py r, / r, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index c5178dcad8..e07be7f2c0 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -30,7 +30,7 @@ # ---------------- # Common architecture names -@{arch}=x86_64 x64 amd64 i386 i686 +@{arch}=x86{_,-}64 x64 amd64 i386 i686 # Dbus unique name @{busname}=:1.@{u16} :not.active.yet From fbcb95585a77491c4ffb3f0fabe05036e5f09878 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 01:14:54 +0200 Subject: [PATCH 0857/1736] feat(profile): multiple minor tealks across profiles. --- apparmor.d/groups/apt/apt | 18 +++++++++++++++- apparmor.d/groups/apt/apt-methods-gpgv | 1 + apparmor.d/groups/apt/deb-systemd-invoke | 1 + apparmor.d/groups/apt/dpkg-buildflags | 3 ++- apparmor.d/groups/apt/dpkg-deb | 4 ++++ apparmor.d/groups/children/glycin | 2 ++ apparmor.d/groups/cron/crontab | 7 +++++++ apparmor.d/groups/filesystem/udisksd | 5 +++++ apparmor.d/groups/flatpak/flatpak | 3 ++- apparmor.d/groups/freedesktop/fc-cache | 2 ++ apparmor.d/groups/freedesktop/pulseaudio | 4 ++-- apparmor.d/groups/gnome/gnome-extension | 1 + apparmor.d/groups/gnome/gnome-initial-setup | 3 +++ apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/grub/grub-mkdevicemap | 2 ++ apparmor.d/groups/polkit/polkitd | 2 ++ apparmor.d/groups/procps/ps | 1 + apparmor.d/groups/snap/snap-failure | 21 +++++++++++++++++-- .../systemd-generator-getty | 2 ++ apparmor.d/groups/systemd/systemd-analyze | 1 + apparmor.d/groups/systemd/systemd-binfmt | 2 ++ apparmor.d/groups/systemd/systemd-fsck | 2 ++ .../groups/systemd/systemd-machine-id-setup | 3 +++ apparmor.d/groups/systemd/systemd-makefs | 3 ++- .../groups/systemd/systemd-modules-load | 2 ++ apparmor.d/groups/systemd/systemd-networkd | 3 +++ .../systemd/systemd-networkd-wait-online | 1 + apparmor.d/groups/systemd/systemd-timedated | 2 +- .../systemd/systemd-tty-ask-password-agent | 14 ++++++++++++- apparmor.d/groups/systemd/systemd-udevd | 2 ++ apparmor.d/groups/ubuntu/release-upgrade-motd | 6 ++++++ apparmor.d/groups/ubuntu/ubuntu-advantage | 4 ++++ apparmor.d/groups/utils/agetty | 1 + apparmor.d/groups/utils/locale-gen | 3 ++- apparmor.d/groups/utils/su | 2 ++ apparmor.d/groups/utils/who | 12 ++++++++--- apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/adequate | 7 ++++++- apparmor.d/profiles-a-f/dkms | 14 ++++++++----- apparmor.d/profiles-g-l/gtk-query-immodules | 5 ++++- apparmor.d/profiles-g-l/kernel-postinst-kdump | 3 +++ apparmor.d/profiles-m-r/initramfs-hooks | 13 ++++++++++++ apparmor.d/profiles-m-r/mdadm | 1 + apparmor.d/profiles-m-r/mkinitramfs | 18 ++++++++++++---- apparmor.d/profiles-m-r/remmina | 8 +++++-- apparmor.d/profiles-s-z/ucfr | 2 ++ apparmor.d/profiles-s-z/update-alternatives | 1 + apparmor.d/profiles-s-z/update-shells | 4 ++++ apparmor.d/profiles-s-z/xauth | 5 +++++ 49 files changed, 201 insertions(+), 27 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index ee0601b6f4..619018c0aa 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -71,6 +71,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cat rix, @{bin}/echo rix, + @{bin}/false rix, @{bin}/gdbus rix, @{bin}/id rix, @{bin}/test rix, @@ -87,16 +88,17 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, + @{bin}/fakeroot-sysv rCx -> fakeroot-sysv, @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, @{bin}/snap rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, - @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, + @{sbin}/dpkg-preconfigure rPx, # For building the source after the download process is finished (apt-get source --compile) @{bin}/dpkg-buildpackage rPUx, @@ -168,6 +170,17 @@ profile apt @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + profile fakeroot-sysv { + include + + @{bin}/fakeroot-sysv mr, + + @{bin}/dpkg Px, + @{bin}/faked-sysv rix, + + include if exists + } + profile editor flags=(complain) { include include @@ -212,6 +225,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { audit deny owner @{HOME}/.*/ rw, audit deny owner @{HOME}/.*/** mrwkl, + #aa:only test + /tmp/tmp.@{word10}/** rwlk, + include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 5f3654f6ec..031db3acc4 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -37,6 +37,7 @@ profile apt-methods-gpgv @{exec_path} { @{bin}/gpg-connect-agent rix, @{bin}/gpgconf rix, @{bin}/gpgv rix, + @{bin}/gpgv-sq rix, @{bin}/{m,g,}awk rix, @{bin}/base64 rix, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 824d3b4dd9..314c66ade5 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -24,6 +24,7 @@ profile deb-systemd-invoke @{exec_path} { @{sh_path} rix, @{bin}/systemctl rix, #aa:lint ignore=transition @{bin}/systemd-tty-ask-password-agent Px, + @{bin}/dpkg Px -> child-dpkg, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 86a748f693..d6fdfacfb4 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -19,9 +19,10 @@ profile dpkg-buildflags @{exec_path} flags=(attach_disconnected) { /usr/share/lto-disabled-list/lto-disabled-list r, + /usr/share/dpkg/abitable r, /usr/share/dpkg/cputable r, + /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, - /usr/share/dpkg/abitable r, /etc/dpkg/origins/* r, diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index b71eabcb43..1986f8e405 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -34,6 +34,10 @@ profile dpkg-deb @{exec_path} { owner @{tmp}/dpkg-deb.@{rand6}/* rw, owner @{tmp}/tmp@{rand8}/aptroot/**.deb r, + #aa:only test + /tmp/@{rand10}/{,**} rw, + /tmp/tmp.@{rand10}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 083979daa8..59fc8ff794 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -41,6 +41,8 @@ profile glycin flags=(attach_disconnected,complain) { include include + unix type=stream, + @{lib}/glycin-loaders/@{d}+/glycin-* mr, @{att}/usr/share/glycin-loaders/{,**} r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index d240454f5b..ce70bcdaa8 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -16,7 +16,9 @@ profile crontab @{exec_path} { capability audit_write, capability chown, + capability dac_override, capability dac_read_search, + capability fsetid, capability net_admin, capability setgid, capability setuid, @@ -28,6 +30,8 @@ profile crontab @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, + @{lib}/systemd/system-generators/systemd-crontab-generator PUx, + @{etc_ro}/environment r, @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, @@ -38,6 +42,9 @@ profile crontab @{exec_path} { owner @{user_cache_dirs}/crontab/crontab.bak rw, + @{run}/crond.reboot w, + + @{tmp}/#@{int} rw, @{tmp}/crontab.@{rand6} rw, @{tmp}/crontab.@{rand6}/ rw, @{tmp}/crontab.@{rand6}/crontab rwl, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 37fe5b4b33..608c37946f 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -89,6 +89,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-escape rPx, @{bin}/xfs_* rPUx, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + /etc/crypttab r, /etc/fstab r, /etc/libblockdev/{,**} r, @@ -137,6 +139,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/block/loop@{int}/uevent rw, @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/nvme-subsystem/{,**} r, + @{sys}/firmware/dmi/entries/ r, + @{sys}/firmware/dmi/entries/*/raw r, + @{sys}/firmware/dmi/entries/*/type r, @{sys}/fs/ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 88c516a150..18676abfeb 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -77,6 +77,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{lib}/revokefs-fuse rix, + @{lib}/flatpak-validate-icon rPx, # For flatpack enter, the shell is not confined on purpose. @{bin}/@{shells} rUx, @@ -185,7 +186,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain unix type=seqpacket peer=(label=flatpak-system-helper), unix type=stream peer=(label=flatpak), - mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) revokefs-fuse -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, #aa:only test diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 128a4708b8..3720b369a2 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -24,6 +24,8 @@ profile fc-cache @{exec_path} { /var/cache/fontconfig/*.cache-@{int}.LCK rwl, /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl, + /var/log/fontconfig.log w, + /var/tmp/mkinitramfs_*/{**,} rwl, owner @{user_cache_dirs}/ w, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 9edd71a664..60051f7777 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -31,9 +31,9 @@ profile pulseaudio @{exec_path} { include include - ptrace (trace) peer=@{profile_name}, + ptrace trace peer=@{profile_name}, - signal (receive) peer=pacmd, + signal receive peer=pacmd, network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension index 174f75531f..4793b72df2 100644 --- a/apparmor.d/groups/gnome/gnome-extension +++ b/apparmor.d/groups/gnome/gnome-extension @@ -18,6 +18,7 @@ profile gnome-extension { include include include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 83394a5e34..b38cdd98ef 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -41,6 +41,8 @@ profile gnome-initial-setup @{exec_path} { @{bin}/lsb_release rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, + @{bin}/systemd-detect-virt rPx, + @{bin}/ubuntu-advantage rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, @@ -63,6 +65,7 @@ profile gnome-initial-setup @{exec_path} { owner @{user_config_dirs}/gnome-initial-setup-done w, owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw, + owner @{user_config_dirs}/ubuntu-insights/{,**} rw, #aa:only ubuntu owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 9354bddfe9..b072200d9d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -98,6 +98,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index ca9f3ad3c1..d3ba847ede 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -16,6 +16,8 @@ profile grub-mkdevicemap @{exec_path} { @{exec_path} mr, + @{efi}/grub/device.map rw, + @{PROC}/devices r, /dev/mapper/control rw, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index f91bb57eb0..bd0b8d6b7c 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -34,6 +34,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{bin}/pkla-check-authorization rPx, @{bin}/pkla-admin-identities rPx, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + /etc/machine-id r, # System rules diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 42eb272eae..e8a3eccf26 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -24,6 +24,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/groups/snap/snap-failure index bed3a2d123..5136695008 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -15,17 +15,34 @@ profile snap-failure @{exec_path} { @{exec_path} mr, @{lib_dirs}/**.so* mr, - @{bin}/systemctl rCx -> systemctl, - @{lib_dirs}/snapd/snapd rPx, + @{bin}/systemctl Cx -> systemctl, + @{bin}/systemd-run Cx -> run, + @{lib_dirs}/snapd/snapd Px, /var/lib/snapd/sequence/snapd.json r, + /snap/snapd/ r, + /snap/snapd/current w, + /snap/snapd/current.@{rand12}~ rw, + @{PROC}/cmdline r, + profile run { + include + + @{bin}/systemd-run mr, + + include if exists + } + profile systemctl { include include + capability net_admin, + + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty index 78f08c3ad3..b55268a00a 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-getty +++ b/apparmor.d/groups/systemd-generators/systemd-generator-getty @@ -17,6 +17,7 @@ profile systemd-generator-getty @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{run}/systemd/generator/getty.target.wants/ w, + @{run}/systemd/generator/getty.target.wants/serial-getty@hvc@{int}.service w, @{run}/systemd/generator/getty.target.wants/serial-getty@ttyS@{int}.service w, @{sys}/devices/virtual/tty/console/active r, @@ -24,6 +25,7 @@ profile systemd-generator-getty @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, + owner /dev/hvc@{int} rw, owner /dev/ttyS@{int} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 3ae0a7143f..087bebb9f9 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -22,6 +22,7 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/, unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system, #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 5e3406ea9b..37cc086f1c 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -13,6 +13,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{bin}/* r, diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 4836c9747e..6f35db3aca 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -17,6 +17,8 @@ profile systemd-fsck @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sbin}/e2fsck rPx, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index a2115a9262..64b622dc36 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -38,6 +38,9 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/stat r, + #aa:only test + /tmp/c_busybox.@{rand8}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 74a824411a..804b03480a 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-makefs -profile systemd-makefs @{exec_path} { +profile systemd-makefs @{exec_path} flags=(attach_disconnected) { include include include @@ -17,6 +17,7 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, + @{sbin}/mke2fs rPx, @{sbin}/mkfs.* rPx, @{sbin}/mkswap rPx, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 3f778244b3..ec4fac6054 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -16,6 +16,8 @@ profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { capability perfmon, capability sys_module, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /etc/modprobe.d/ r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 1dedb69adf..85786e8d8d 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -60,10 +60,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{att}@{run}/systemd/notify rw, @{run}/mount/utab r, + @{run}/systemd/network/{,**} r, @{run}/systemd/resolve/resolv.conf r, owner @{att}/var/lib/systemd/network/ r, + /var/lib/systemd/network/ r, owner /var/lib/systemd/network/ rw, owner /var/lib/systemd/network/** rwk, @@ -73,6 +75,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n@{int} r, # For network interfaces + @{sys}/fs/cgroup/system.slice/networkd-*.service/ r, @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index c36b5af396..d414a1a7c0 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -19,6 +19,7 @@ profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{run}/systemd/netif/links/@{int} r, + @{run}/systemd/resolve/io.systemd.Resolve.Monitor rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 80b4ebadfd..861f3be1c4 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -30,7 +30,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={JobRemoved,Reload,StartUnit,StopUnit} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 24e0522a5c..6881a1ae04 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -16,6 +16,9 @@ profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) capability dac_read_search, capability net_admin, capability sys_resource, + capability sys_tty_config, + + ptrace read peer=systemd-cryptsetup, signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=*//systemctl, @@ -37,12 +40,21 @@ profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) @{run}/utmp rk, - @{PROC}/@{pids}/stat r, + @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/@{int} r, + @{run}/systemd/sessions/c@{int} r, @{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/tty@{int}/active r, + @{PROC}/@{pids}/stat r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/hvc@{int} rw, /dev/tty@{int} rw, + /dev/ttyS@{int} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index dffe20da43..98d5d45f14 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -149,6 +149,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index b5d7d2885c..716c6e4b3b 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -10,6 +10,10 @@ include profile release-upgrade-motd @{exec_path} { include + capability dac_read_search, + + mqueue getattr type=posix, + @{exec_path} mr, @{sh_path} rix, @@ -24,6 +28,8 @@ profile release-upgrade-motd @{exec_path} { @{run}/motd.dynamic.new w, + @{PROC}/@{pid}/mountinfo r, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index afc8a7b2a4..7c656cb0a7 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -54,6 +54,10 @@ profile ubuntu-advantage @{exec_path} { /var/log/ubuntu-advantage.log w, + owner /var/cache/apt/ w, + + owner @{desktop_cache_dirs}/ubuntu-pro/{,**} rw, + owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, owner @{tmp}/tmp[0-9a-z]*/apt.conf r, diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/groups/utils/agetty index 9ae450196b..ec005d59bc 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/groups/utils/agetty @@ -35,6 +35,7 @@ profile agetty @{exec_path} { /etc/inittab r, /etc/os-release r, + @{run}/credentials/serial-getty@hvc@{int}.service/ r, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r, owner @{run}/agetty.reload rw, diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index 5366f14039..b9dbe34bed 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -31,7 +31,8 @@ profile locale-gen @{exec_path} { /usr/share/i18n/{,**} r, - /etc/locale.gen r, + /etc/locale.gen rw, + /etc/sed@{rand6} rw, /var/lib/locales/supported.d/{,**} r, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index e5293021c7..350a72d5dd 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -31,6 +31,8 @@ profile su @{exec_path} flags=(attach_disconnected) { @{HOME}/.xauth@{rand6} rw, + @{run}/systemd/sessions/*.ref w, + include if exists } diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d9ca9e164d..6abf5b9e08 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -7,11 +7,9 @@ abi , include -@{exec_path} = @{bin}/{,gnu}who +@{exec_path} = @{bin}/who profile who @{exec_path} { include - include - include include capability kill, @@ -20,6 +18,14 @@ profile who @{exec_path} { @{run}/systemd/sessions/* r, + # Rotated logs from wutmp + /var/log/wtmp.@{int} r, + /var/log/btmp.@{int} r, + + # Deny the writes allowed by abstractions/wutmp + audit deny /var/** w, + audit deny @{run}/utmp w, + # file_inherit deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index bcc562fa25..20ec23e233 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -187,6 +187,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, + @{sys}/bus/*/uevent r, @{sys}/bus/pci/drivers_probe w, @{sys}/bus/pci/drivers/*/unbind w, @{sys}/class/[a-z]*/ r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 9ff0b4f777..dc5cf9502d 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -38,6 +38,12 @@ profile adequate @{exec_path} flags=(complain) { /var/lib/adequate/pending rwk, + /etc/ r, + /etc/dbus-1/ r, + /etc/dbus-1/session.d/ r, + /etc/dbus-1/system.d/ r, + /etc/init.d/ r, + /etc/init.d/dhcpcd r, /etc/shadow r, /usr/share/python{,3}/debian_defaults r, @@ -45,7 +51,6 @@ profile adequate @{exec_path} flags=(complain) { /usr/share/**/__pycache__/ r, /usr/**/*.py r, - profile ldd flags=(complain) { include include diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 8d5ff99b6e..dc04f121f8 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -98,12 +98,16 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, - owner @{tmp}/* rw, - owner @{tmp}/cc* rw, - owner @{tmp}/dkms.*/ rw, - owner @{tmp}/sh-thd.* rw, - owner @{tmp}/tmp.* rw, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/dkms.service/cpu.max r, + @{tmp}/GMfifo@{int} rw, + owner @{tmp}/cc@{rand6}* rw, + owner @{tmp}/tmp.@{rand10} rw, + audit owner @{tmp}/dkms.*/ rw, + audit owner @{tmp}/sh-thd.* rw, + + @{PROC}/@{pid}/cgroup r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index e6d37db446..a7cbf52ae3 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -17,7 +17,10 @@ profile gtk-query-immodules @{exec_path} { @{exec_path} mr, @{lib}/gtk-{2,3,4}.0/**/immodules.cache w, - @{lib}/gtk-{2,3,4}.0/**/immodules.cache.[0-9A-Z]* w, + @{lib}/gtk-{2,3,4}.0/**/immodules.cache.@{rand6} w, + + @{lib}/@{multiarch}/gtk-{2,3,4}.0/**/immodules.cache w, + @{lib}/@{multiarch}/gtk-{2,3,4}.0/**/immodules.cache.@{rand6} w, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index eb17c5355e..01a13b0909 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -48,10 +48,13 @@ profile kernel-postinst-kdump @{exec_path} { include include + capability syslog, # optional: no audit + @{sys}/module/*/ r, @{sys}/module/*/coresize r, @{sys}/module/*/holders/ r, @{sys}/module/*/refcnt r, + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 2bf531ef64..a5e911d2f8 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -48,8 +48,10 @@ profile initramfs-hooks @{exec_path} { /etc/default/* r, /etc/fstab r, /etc/iscsi/*.iscsi r, + /etc/kdump/sysctl.conf r, /etc/lvm/{,**} r, /etc/mdadm/mdadm.conf r, + /etc/plymouth/plymouthd.conf r, /etc/systemd/network/{,**} r, /etc/udev/{,**} r, @@ -72,8 +74,19 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci_bus}/ r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/devices/@{pci}/drm/renderD128/ r, + @{sys}/devices/@{pci}/drm/renderD129/ r, + @{sys}/devices/@{pci}/modalias r, + @{sys}/devices/virtual/block/dm-@{int}/slaves/ r, @{sys}/firmware/efi/efivars/ r, + @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index f53e1b11fe..d1cfd4414a 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -33,6 +33,7 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{run}/initctl r, @{run}/mdadm/* rwk, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, @{sys}/bus/pci/drivers/*/ r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index b216861fdc..09d6ba67e1 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -13,10 +13,13 @@ profile mkinitramfs @{exec_path} { include include - capability syslog, capability chown, + capability dac_read_search, capability fowner, capability fsetid, + capability syslog, + + mqueue getattr type=posix, @{exec_path} r, @{sh_path} rix, @@ -111,19 +114,22 @@ profile mkinitramfs @{exec_path} { @{sys}/bus/ r, @{sys}/bus/*/drivers/ r, + @{sys}/bus/*/drivers/*/ r, + @{sys}/class/ r, + @{sys}/class/*/ r, @{sys}/devices/ r, @{sys}/devices/**/ r, @{sys}/devices/**/modalias r, @{sys}/devices/**/uevent r, + @{sys}/module/ r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, - @{sys}/class/ r, - @{sys}/class/*/ r, @{sys}/bus/platform/drivers/simple-framebuffer/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-2.scope/cpu.max r, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/modules r, @@ -171,7 +177,11 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, - /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/@{lib}/modules/{,**} r, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 7ea88646a1..db278f5783 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -22,6 +22,7 @@ profile remmina @{exec_path} { include include include + include include include include @@ -39,6 +40,7 @@ profile remmina @{exec_path} { @{exec_path} rm, + @{python_path} rix, @{open_path} rPx -> child-open-browsers, @{bin}/lsb_release rPx, @@ -59,14 +61,16 @@ profile remmina @{exec_path} { owner @{user_config_dirs}/remmina/{,**} rw, owner @{user_share_dirs}/remmina/{,**} rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/mountinfo r, + owner @{tmp}/remmina_log_file.log rw, owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index 4cc149a28d..dbd1e6246b 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -17,6 +17,7 @@ profile ucfr @{exec_path} { @{bin}/{,e}grep ix, @{bin}/{m,g,}awk ix, @{bin}/basename ix, + @{bin}/cp ix, @{bin}/dirname ix, @{bin}/getopt ix, @{bin}/id ix, @@ -31,6 +32,7 @@ profile ucfr @{exec_path} { /var/lib/ucf/ r, /var/lib/ucf/registry r, + /var/lib/ucf/registry.@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa0..da18008b63 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -23,6 +23,7 @@ profile update-alternatives @{exec_path} { /usr/** rw, /etc/**.dpkg-tmp rw, + /etc/pam.d/gdm-smartcard w, /etc/alternatives/* rw, /var/lib/dpkg/alternatives/ r, diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells index 007982632a..cbc7c1c7fb 100644 --- a/apparmor.d/profiles-s-z/update-shells +++ b/apparmor.d/profiles-s-z/update-shells @@ -9,6 +9,8 @@ include @{exec_path} = @{sbin}/update-shells profile update-shells @{exec_path} { include + include + include @{exec_path} mr, @@ -26,9 +28,11 @@ profile update-shells @{exec_path} { /usr/share/debianutils/shells.d/{,**} r, /usr/share/dpkg/sh/dpkg-error.sh r, + /etc/ r, /etc/shells rw, /etc/shells.tmp rw, + /var/lib/ r, /var/lib/shells.state rw, /var/lib/shells.state.tmp rw, diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index e1a4199db3..c4d6f0b57e 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -42,6 +42,11 @@ profile xauth @{exec_path} { owner @{run}/user/@{uid}/xauth_@{rand6}-c w, owner @{run}/user/@{uid}/xauth_@{rand6}-l wl, + owner @{tmp}/xvfb-run.@{rand6}/Xauthority-c w, + owner @{tmp}/xvfb-run.@{rand6}/Xauthority-l wl -> @{tmp}/xvfb-run.@{rand6}/Xauthority-c, + owner @{tmp}/xvfb-run.@{rand6}/Xauthority-n rw, + owner @{tmp}/xvfb-run.@{rand6}/Xauthority rwl -> @{tmp}/xvfb-run.@{rand6}/Xauthority-n, + include if exists } From 9fb17ef8d20497d28d16ce7a30d3adde796a5162 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 18:49:47 +0200 Subject: [PATCH 0858/1736] feat(aa-log): resolve binary in gnu and rust utils paths, handle efi paths. --- pkg/logs/logs.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index b0ae587021..9dc2bfc650 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -49,7 +49,6 @@ var ( `(?m)^.*/usr/share/locale[^/]?/.*$`, ``, `(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``, `(?m)^.*/dev/(null|zero|full|log).*$`, ``, - `(?m)^.*/dev/(u|)random.*$`, ``, }) regResolveLogs = util.ToRegexRepl([]string{ // Resolve user variables @@ -65,6 +64,8 @@ var ( // Resolve system variables `/att/[^/]+/`, `@{att}/`, + `/usr/bin/gnu`, `@{bin}/`, + `/usr/lib/cargo/bin/coreutils/`, `@{bin}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, `/usr/sbin`, `@{sbin}`, @@ -72,6 +73,8 @@ var ( `(x86_64|amd64|i386|i686)`, `@{arch}`, `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, + `/boot/(|efi/)`, `@{efi}/`, + `/efi/`, `@{efi}/`, `/var/run/`, `@{run}/`, `/run/`, `@{run}/`, `user/[0-9]*/`, `user/@{uid}/`, From ea6602d0cc093076516097514422cfaafe6310d6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 18:52:42 +0200 Subject: [PATCH 0859/1736] fix(profile): add missing r in uuidd/request needed since it has been removed from the base abstraction. --- apparmor.d/groups/utils/uuidgen | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/uuidgen b/apparmor.d/groups/utils/uuidgen index c056daaa0d..4cd8bdc1af 100644 --- a/apparmor.d/groups/utils/uuidgen +++ b/apparmor.d/groups/utils/uuidgen @@ -17,7 +17,7 @@ profile uuidgen @{exec_path} { owner /var/lib/libuuid/clock.txt w, - @{run}/uuidd/request w, + @{run}/uuidd/request rw, include if exists } From dea5f78e3173b714728e5399b2009dbb45a1b876 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 18:56:13 +0200 Subject: [PATCH 0860/1736] ci: ignore pts/0 request as file_inherit --- tests/integration/common.bash | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/common.bash b/tests/integration/common.bash index 7a012191bf..8228cc7624 100644 --- a/tests/integration/common.bash +++ b/tests/integration/common.bash @@ -9,7 +9,7 @@ load "$BATS_LIB_PATH/bats-support/load" export SYSTEMD_PAGER= # Ignore the profile not managed by apparmor.d -IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd) +IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd /dev/pts/0) # User password for sudo commands export PASSWORD=${PASSWORD:-user} @@ -110,8 +110,8 @@ aa_check() { now=$(date +%s) duration=$((now - _START + 1)) logs=$(aa-log --raw --systemd --since "-${duration}s") - for profile in "${IGNORE[@]}"; do - logs=$(echo "$logs" | grep -v "$profile") + for pattern in "${IGNORE[@]}"; do + logs=$(echo "$logs" | grep -v "$pattern") done aa_start From c38024ca67529e1dcc5224332592d8f9c913fd86 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 18:57:26 +0200 Subject: [PATCH 0861/1736] fix(profile): remina add attach_disconnected fix #902 --- apparmor.d/profiles-m-r/remmina | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index db278f5783..c4fdb486a5 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/remmina -profile remmina @{exec_path} { +profile remmina @{exec_path} flags=(attach_disconnected) { include include include From f26016380b8baeee663e85b350bac509d297660f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 19:25:40 +0200 Subject: [PATCH 0862/1736] feat(tunable): add ghostty to the list of known terminal emulator. --- apparmor.d/abstractions/app-open | 2 +- apparmor.d/tunables/multiarch.d/programs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index e0c8d3d59f..c8e1942364 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -26,7 +26,7 @@ @{help_path} Px, @{image_viewers_path} PUx, @{offices_path} PUx, - @{terminal_path} Px, + @{terminal_path} PUx, @{text_editors_path} PUx, # Others diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index a7cbaf8310..565f4199da 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -91,7 +91,7 @@ @{help_names} = yelp # Terminal emulator -@{terminal_names} = kgx terminator konsole ptyxis +@{terminal_names} = kgx terminator konsole ptyxis ghostty # Backup @{backup_names} = deja-dup borg From 18877f854f0f01f8e3166249fdf9b5378084d5ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 21:44:12 +0200 Subject: [PATCH 0863/1736] tests: add the autopkgtest-update just command As the project directory is not shared with the VM for the tests, thus we update the package from the host. --- Justfile | 11 +++++++++++ tests/cloud-init/debian13-test.user-data.yml | 1 - tests/cloud-init/ubuntu25.10-test.user-data.yml | 1 - 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 6f776c5720..7c57ea77d8 100644 --- a/Justfile +++ b/Justfile @@ -416,6 +416,17 @@ autopkgtest osinfo: USER='{{username}}' PASSWORD='{{password}}' SSH_OPT='{{sshopt}}' \ bash tests/autopkgtest/autopkgtest.sh run {{osinfo}} +# Update the apparmor.d package on the test machine +[group('tests')] +autopkgtest-update dist version: + just up {{dist}}{{version}} test + just package {{dist}} {{version}} test + scp {{sshopt}} {{pkgdest}}/{{dist}}/{{version}}/{{pkgname}}_*.deb \ + {{username}}@`just _get_ip {{dist}}{{version}} test`:/home/{{username}}/Projects/ + ssh {{sshopt}} {{username}}@`just _get_ip {{dist}}{{version}} test` \ + sudo dpkg -i /home/{{username}}/Projects/{{pkgname}}_*.deb + just halt {{dist}}{{version}} test + _autopkgtest-log-merge: @mkdir -p .logs/autopkgtest @cat .logs/autopkgtest/aa-log-* > .logs/autopkgtest/merged.log diff --git a/tests/cloud-init/debian13-test.user-data.yml b/tests/cloud-init/debian13-test.user-data.yml index e9c27de651..eaeda8faee 100644 --- a/tests/cloud-init/debian13-test.user-data.yml +++ b/tests/cloud-init/debian13-test.user-data.yml @@ -7,7 +7,6 @@ runcmd: - apt-get update write_files: - - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server - *disable-printk-ratelimit # Disable printk rate limiting - *setup-testbed # Autopkgtest setup-testbed script diff --git a/tests/cloud-init/ubuntu25.10-test.user-data.yml b/tests/cloud-init/ubuntu25.10-test.user-data.yml index e9c27de651..eaeda8faee 100644 --- a/tests/cloud-init/ubuntu25.10-test.user-data.yml +++ b/tests/cloud-init/ubuntu25.10-test.user-data.yml @@ -7,7 +7,6 @@ runcmd: - apt-get update write_files: - - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server - *disable-printk-ratelimit # Disable printk rate limiting - *setup-testbed # Autopkgtest setup-testbed script From 1f526a943ef2f4f1b4fb7fe7ede8f880d3e87f3f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 23:58:41 +0200 Subject: [PATCH 0864/1736] feat(profile): more missing rules raised by the autopkgtest suite. - netplan is simplified - NetworkManager has now a kmod subprofile --- apparmor.d/abstractions/tests | 3 +++ apparmor.d/groups/apt/dpkg-statoverride | 7 +++--- apparmor.d/groups/firewall/nft | 2 ++ apparmor.d/groups/network/ModemManager | 1 + apparmor.d/groups/network/NetworkManager | 26 +++++++++++++------- apparmor.d/groups/network/dhcpcd | 5 +++- apparmor.d/groups/network/netplan | 28 +++++++++++----------- apparmor.d/groups/network/netplan-generate | 2 +- apparmor.d/groups/ssh/sshd-auth | 2 ++ apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/systemd/systemd-networkd | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 3 +++ apparmor.d/groups/utils/lsscsi | 2 ++ apparmor.d/groups/virt/libvirt-dbus | 1 + apparmor.d/groups/virt/libvirtd | 3 ++- apparmor.d/profiles-a-f/adduser | 3 ++- apparmor.d/profiles-g-l/ip | 4 +++- apparmor.d/profiles-g-l/jekyll | 3 ++- apparmor.d/profiles-m-r/initramfs-hooks | 4 +++- apparmor.d/profiles-m-r/mandb | 3 +++ apparmor.d/profiles-m-r/mediainfo-gui | 6 ++--- apparmor.d/profiles-m-r/mkinitramfs | 3 ++- apparmor.d/profiles-m-r/mpd | 5 ++++ apparmor.d/profiles-m-r/multipathd | 1 + apparmor.d/profiles-m-r/mumble | 1 + apparmor.d/profiles-s-z/sgdisk | 3 +++ apparmor.d/profiles-s-z/unmkinitramfs | 1 + dists/overwrite | 5 ++-- tests/packer/src/site.local | 1 + tests/sbin.list | 1 + 30 files changed, 93 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/tests b/apparmor.d/abstractions/tests index 257fc7e4a4..b314858944 100644 --- a/apparmor.d/abstractions/tests +++ b/apparmor.d/abstractions/tests @@ -35,7 +35,10 @@ /tmp/test*/ rw, /tmp/test*/** rwlk, + /tmp/nft-test*/{,**} rwlk, + owner /tmp/dbusmock_data_*/{,**} rwlk, owner /tmp/g-r-d-tests-*/{,**} rwlk, + owner /tmp/mutter-testroot-*/{,**} rwlk, include if exists diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index 8522628839..b094ff91d9 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -13,16 +13,17 @@ profile dpkg-statoverride @{exec_path} flags=(complain) { include capability chown, + capability fowner, capability fsetid, @{exec_path} mr, - /var/lib/dpkg/statoverride r, + @{lib}/** w, - @{lib}/systemd-cron/crontab_setgid w, + /var/lib/** w, /var/lib/dpkg/ r, - /var/lib/dpkg/statoverride w, + /var/lib/dpkg/statoverride rw, /var/lib/dpkg/statoverride-new rw, /var/lib/dpkg/statoverride-old wl, diff --git a/apparmor.d/groups/firewall/nft b/apparmor.d/groups/firewall/nft index 2392829c87..ceafa138d9 100644 --- a/apparmor.d/groups/firewall/nft +++ b/apparmor.d/groups/firewall/nft @@ -18,6 +18,8 @@ profile nft @{exec_path} { ptrace (read), + signal receive set=(cont term) peer=unshare, + @{exec_path} mr, /usr/share/iproute2/{,**} r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 3e22db6c4e..34caef8550 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -37,6 +37,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c229:@{int} r, # for /dev/hvc* @{run}/udev/data/n@{int} r, # For network interfaces @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index a3a7bb61ce..e3298479d4 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -28,7 +28,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, capability sys_chroot, - capability sys_module, network inet stream, network inet6 stream, @@ -91,7 +90,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sbin}/nft rix, @{sbin}/dnsmasq rPx, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{bin}/netconfig rPUx, @{sbin}/resolvconf rPx, @{bin}/resolvectl rPx, @@ -130,12 +129,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /var/lib/iwd/*open* rw, /var/lib/NetworkManager/{,**} rw, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/net/ r, - @{sys}/class/net/rfkill/ r, - @{sys}/class/rfkill/ r, - @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/resolve/io.systemd.Resolve rw, @@ -150,10 +143,16 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/n@{int} r, # For network interfaces + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/net/ r, + @{sys}/class/net/rfkill/ r, + @{sys}/class/rfkill/ r, @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, @{sys}/devices/**/@{uuid}/net/*/{,**} r, @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/**/net/{,**} r, @{sys}/devices/virtual/net/{,**} r, @{PROC}/@{pids}/stat r, @@ -170,6 +169,17 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:only test /etc/netplan/10-test.yaml rw, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/nf_*/initstate r, + + include if exists + } profile systemctl { include diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 7bcd9efbac..ed7fe79a0d 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -35,9 +35,10 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, - @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, @{bin}/rm rix, @{bin}/sed rix, + @{sbin}/resolvconf rPx, @{lib}/dhcpcd/dhcpcd-run-hooks rix, /usr/share/dhcpcd/{,**} r, @@ -47,6 +48,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { /var/lib/dhcpcd/** rw, + @{run}/dhcpcd/ rw, @{run}/dhcpcd/** rwk, @{run}/udev/data/n@{int} r, # For network interfaces @@ -58,6 +60,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/** r, @{PROC}/sys/net/ipv{4,6}/conf/*/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/conf/*/autoconf w, @{PROC}/sys/net/ipv{4,6}/conf/*/hop_limit w, @{PROC}/sys/net/ipv{4,6}/neigh/*/{base_reachable_time_ms,retrans_time_ms} w, owner @{PROC}/@{pid}/net/if_inet6 r, diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index 18559ba57a..c4fe653a6b 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -17,9 +17,12 @@ profile netplan @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib}/netplan/generate rPx, - @{bin}/udevadm rCx -> udevadm, + @{bin}/ip rPx, + @{bin}/networkctl rPx, + @{bin}/ovs-vsctl rPUx, @{bin}/systemctl rCx -> systemctl, + @{bin}/udevadm rPx, + @{lib}/netplan/generate rPx, /usr/share/netplan/{,**} r, @@ -27,29 +30,26 @@ profile netplan @{exec_path} flags=(attach_disconnected) { @{run}/netplan/ r, - profile udevadm { - include - include - - capability net_admin, + /tmp/#@{int} rw, + /tmp/@{word8} rw, + /tmp/netplan_@{word8}/{,**} rw, - @{att}@{run}/udev/control rw, - - @{run}/udev/rules.d/90-netplan.rules rw, - @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - - include if exists - } + #aa:only test + /tmp/tmp@{word8}/{,**} rwlk, profile systemctl { include include capability net_admin, + capability sys_resource, ptrace read peer=@{p_systemd}, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + @{run}/udev/control rw, + @{bin}/systemd-tty-ask-password-agent rPx, include if exists } diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 67b8a3a17b..5ed37bf6f1 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -37,7 +37,7 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/systemd/generator/network-online.target.wants/ w, @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w, @{run}/systemd/network/ rw, - @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, + @{run}/systemd/network/@{int}-netplan{,*} rw, @{run}/systemd/system/ r, @{run}/systemd/system/netplan-* rw, @{run}/systemd/system/systemd-networkd-wait-online.service.d/ rw, diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth index c1601b8134..74def4b44a 100644 --- a/apparmor.d/groups/ssh/sshd-auth +++ b/apparmor.d/groups/ssh/sshd-auth @@ -21,6 +21,8 @@ profile sshd-auth @{exec_path} { network inet6 stream, network netlink raw, + unix type=stream peer=(label=sshd-session), + @{exec_path} mr, @{sbin}/sshd.hmac r, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index 2b556041e8..2a169c32c7 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -41,6 +41,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { network netlink raw, unix type=stream peer=(label=sshd), + unix type=stream peer=(label=sshd-auth), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 85786e8d8d..513db3b810 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -75,15 +75,16 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n@{int} r, # For network interfaces - @{sys}/fs/cgroup/system.slice/networkd-*.service/ r, @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, + @{sys}/devices/**/phy@{int}/** r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/fs/cgroup/ r, + @{sys}/fs/cgroup/system.slice/networkd-*.service/ r, @{sys}/kernel/btf/vmlinux r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 98d5d45f14..f8f20eec5e 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -45,11 +45,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{bin}/ls rix, @{bin}/mknod rix, @{bin}/nfsrahead rix, + @{bin}/partx rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, @{bin}/systemd-run rix, # TODO: rCx -> run, @{bin}/unshare rix, @{sbin}/ethtool rix, + @{sbin}/kpartx rix, @{bin}/ddcutil rPx, @{bin}/kmod rCx -> kmod, @@ -64,6 +66,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{sbin}/kdump-config rPx, @{sbin}/lvm rPx, @{sbin}/multipath rPx, + @{sbin}/sysctl rPx, @{sbin}/u-d-c-print-pci-ids rPx, @{lib}/crda/* rPUx, diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi index f0e7b4df29..e713b823cc 100644 --- a/apparmor.d/groups/utils/lsscsi +++ b/apparmor.d/groups/utils/lsscsi @@ -15,6 +15,8 @@ profile lsscsi @{exec_path} { / r, + @{sys}/bus/scsi/devices/ r, + /dev/ r, /dev/** r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 971cdf55ee..8604dd7e77 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -39,6 +39,7 @@ profile libvirt-dbus @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, + @{sys}/kernel/iommu_groups/ r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 20ec23e233..70e2822ae1 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -122,7 +122,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/dnsmasq rPx, @{bin}/kmod rCx -> kmod, @{sbin}/lvm rPUx, - @{bin}/mdevctl rPx, + @{sbin}/mdevctl rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @@ -168,6 +168,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_cache_dirs}/libvirt/{,**} rwk, owner @{user_config_dirs}/libvirt/{,**} rwk, owner @{run}/user/@{uid}/libvirt/ rw, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 7cc2c85ddb..323a5a6cde 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -52,7 +52,8 @@ profile adduser @{exec_path} flags=(attach_disconnected) { @{HOME}/ rw, @{HOME}/* w, @{HOME}/**/.Private/* rw, - /var/lib/*/{,*} rw, + /var/lib/*/ rw, + /var/lib/*/*/ rw, @{run}/adduser wk, @{run}/userdb/ r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index ade5f51719..e348faffaa 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -35,9 +35,11 @@ profile ip @{exec_path} flags=(attach_disconnected) { # To run command with 'ip netns exec' @{shells_path} rUx, - @{bin}/firewall-cmd rPx, @{bin}/sudo rPx, + + @{bin}/firewall-cmd rPx, @{sbin}/firewalld rPx, + @{sbin}/nft rPx, @{att}/ r, diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index d3444fea57..1c2c1b4dc2 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -29,7 +29,8 @@ profile jekyll @{exec_path} { owner @{user_projects_dirs}/**/_site/{,**} rw, owner @{user_projects_dirs}/**/.sass-cache/** rw, - @{PROC}/version r, + @{PROC}/version r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index a5e911d2f8..eb56ac121a 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -13,11 +13,13 @@ profile initramfs-hooks @{exec_path} { include include + capability sys_admin, # optional: no audit + @{exec_path} mr, @{sh_path} rix, @{coreutils_path} rix, - @{bin}/cpio ix, + @{bin}/{,3}cpio ix, @{bin}/dpkg Px, @{bin}/fc-cache ix, @{bin}/ischroot Px, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 551a6fec07..9a511d7959 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -36,6 +36,9 @@ profile mandb @{exec_path} { owner @{user_share_dirs}/man/** rwk, + #aa:only test + /tmp/tmp.@{rand10}/{,**} rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 5a723d0024..2f81f1377e 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -11,10 +11,8 @@ include profile mediainfo-gui @{exec_path} { include include - include - include - include - include + include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 09d6ba67e1..c6dec9b87a 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -17,6 +17,7 @@ profile mkinitramfs @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability sys_admin, # optional: no audit capability syslog, mqueue getattr type=posix, @@ -33,7 +34,7 @@ profile mkinitramfs @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/cpio rix, + @{bin}/{,3}cpio rix, @{bin}/dirname rix, @{bin}/env rix, @{bin}/find rix, diff --git a/apparmor.d/profiles-m-r/mpd b/apparmor.d/profiles-m-r/mpd index 89b66253a7..f8cbcad0b7 100644 --- a/apparmor.d/profiles-m-r/mpd +++ b/apparmor.d/profiles-m-r/mpd @@ -12,7 +12,9 @@ include profile mpd @{exec_path} { include include + include include + include network inet dgram, network inet6 dgram, @@ -45,6 +47,9 @@ profile mpd @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/ r, + #aa:only test + /tmp/@{rand10}/{,**} rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index bbb6a87a61..44fe5a3b81 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -35,6 +35,7 @@ profile multipathd @{exec_path} { @{sys}/bus/ r, @{sys}/class/ r, + @{sys}/devices/platform/**/recovery_tmo w, @{PROC}/devices r, @{PROC}/sys/fs/nr_open r, diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index a85eb6790e..c97b285d8e 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -11,6 +11,7 @@ include profile mumble @{exec_path} { include include + include include include include diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index 4e68816d76..769f3b8ece 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -23,6 +23,9 @@ profile sgdisk @{exec_path} { # For disk images owner @{user_img_dirs}/{,**} rwk, + #aa:only test + /tmp/@{rand10}/{,**} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 2d641f994f..c387049445 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -19,6 +19,7 @@ profile unmkinitramfs @{exec_path} { @{sh_path} rix, @{archive_path} rix, + @{bin}/{,3}cpio rix, @{bin}/{,e}grep rix, @{bin}/cat rix, @{bin}/dd rix, diff --git a/dists/overwrite b/dists/overwrite index 70ee1cc41c..2f2bbddd2e 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -33,12 +33,13 @@ unix-chkpwd # - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile # - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) fusermount3 +hostname # Has @{bin} defined in header, would conflict with apparmor.d's @{bin} tunables lsblk lsusb openvpn remmina +systemd-detect-virt # Missing integration with @{p_systemd} transmission wg-quick -systemd-detect-virt # Missing integration with @{p_systemd} -hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables +who diff --git a/tests/packer/src/site.local b/tests/packer/src/site.local index e154358625..da823f6588 100644 --- a/tests/packer/src/site.local +++ b/tests/packer/src/site.local @@ -1,3 +1,4 @@ @{user_build_dirs}+=@{user_projects_dirs} @{user_pkg_dirs}+=@{user_projects_dirs} +@{user_sync_dirs}+=@{user_projects_dirs} diff --git a/tests/sbin.list b/tests/sbin.list index 16073f0d2c..3bfd9f7802 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -429,6 +429,7 @@ make-ssl-cert mariadbd mcelog mdadm +mdevctl mdflush-bpfcc mdflush.bt mdmon From 8138cf9c4a9a55a4d68b67190572eb4718a1817e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Oct 2025 23:59:12 +0200 Subject: [PATCH 0865/1736] feat(profile): update flatpak-system-helper. --- .../groups/flatpak/flatpak-system-helper | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 58b38ca844..c89a88c034 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -70,6 +70,50 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de profile bwrap flags=(attach_disconnected) { include include + include + + capability dac_override, + capability dac_read_search, + capability sys_resource, + + @{bin}/bwrap mr, + + /app/bin/apply_extra ix, + + @{bin}/cp ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tar ix, + @{bin}/xz ix, + + @{bin}/gtk{,4}-update-icon-cache Px -> flatpak-system-helper//bwrap//>k-update-icon-cache, + @{bin}/update-desktop-database Px -> flatpak-system-helper//bwrap//&update-desktop-database, + @{bin}/update-mime-database Px -> flatpak-system-helper//bwrap//&update-mime-database, + + /usr/share/flatpak/triggers/desktop-database.trigger ix, + /usr/share/flatpak/triggers/gtk-icon-cache.trigger ix, + /usr/share/flatpak/triggers/mime-database.trigger ix, + + @{system_share_dirs}/** r, + @{system_share_dirs}/*ubuntu/applications/.mimeinfo.cache.* rw, + @{system_share_dirs}/*ubuntu/applications/mimeinfo.cache w, + @{system_share_dirs}/applications/.mimeinfo.cache.* w, + @{system_share_dirs}/applications/mimeinfo.cache w, + @{system_share_dirs}/icons/**/.icon-theme.cache rw, + @{system_share_dirs}/icons/**/icon-theme.cache w, + @{system_share_dirs}/mime/{,**} w, + + @{user_share_dirs}/** r, + @{user_share_dirs}/.mimeinfo.cache.* w, + @{user_share_dirs}/**/.icon-theme.cache w, + @{user_share_dirs}/**/icon-theme.cache w, + @{user_share_dirs}/applications/.mimeinfo.cache.* w, + @{user_share_dirs}/applications/mimeinfo.cache w, + @{user_share_dirs}/mime/{,**} w, + @{user_share_dirs}/mimeinfo.cache w, + + /app/extra/** w, /tmp/#@{int} rw, From e3fd065ba83f21b355736b38405bb6189ca1aaa4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Oct 2025 00:05:29 +0200 Subject: [PATCH 0866/1736] fix: linter issues. --- apparmor.d/groups/cups/cups-backend-pdf | 17 +++++++++++++++-- apparmor.d/groups/flatpak/flatpak-system-helper | 2 +- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/groups/virt/virtnodedevd | 2 +- apparmor.d/profiles-m-r/mdevctl | 2 +- 5 files changed, 19 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 21da6bf93e..1e53f6db90 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -25,9 +25,8 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs{,.bin} rix, + @{bin}/gs{,.bin} rCx, @{bin}/gsc rix, - @{lib}/ghostscript/** mr, /usr/share/ghostscript/{,**} r, @@ -44,6 +43,20 @@ profile cups-backend-pdf @{exec_path} { /dev/tty rw, + profile gs { + include + + @{bin}/gs{,.bin} mr, + @{lib}/ghostscript/** mr, + + /usr/share/ghostscript/{,**} r, + /usr/share/color/icc/ghostscript/{,**} r, + + owner /tmp/gs_@{rand6} rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index c89a88c034..cd9c65a8e3 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -94,7 +94,7 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de /usr/share/flatpak/triggers/desktop-database.trigger ix, /usr/share/flatpak/triggers/gtk-icon-cache.trigger ix, /usr/share/flatpak/triggers/mime-database.trigger ix, - + @{system_share_dirs}/** r, @{system_share_dirs}/*ubuntu/applications/.mimeinfo.cache.* rw, @{system_share_dirs}/*ubuntu/applications/mimeinfo.cache w, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index f8f20eec5e..0da538b625 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -45,7 +45,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{bin}/ls rix, @{bin}/mknod rix, @{bin}/nfsrahead rix, - @{bin}/partx rix, + @{sbin}/partx rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, @{bin}/systemd-run rix, # TODO: rCx -> run, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index cfa1f0f5f5..136ee94cd6 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -24,7 +24,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/mdevctl rPx, + @{sbin}/mdevctl rPx, /usr/share/hwdata/*.ids r, /usr/share/pci.ids r, diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 408947c831..1de90fdc60 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/mdevctl +@{exec_path} = @{sbin}/mdevctl profile mdevctl @{exec_path} { include include From ca2c941325c432a9f4503b20dc256b65fca186fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Oct 2025 00:06:41 +0200 Subject: [PATCH 0867/1736] doc: add documentation for the autopkgtest test suite. --- docs/development/autopkgtest.md | 87 +++++++++++++++++++ docs/development/tests.md | 3 + docs/development/vm.md | 144 +++++++++++++++++--------------- mkdocs.yml | 1 + 4 files changed, 168 insertions(+), 67 deletions(-) create mode 100644 docs/development/autopkgtest.md diff --git a/docs/development/autopkgtest.md b/docs/development/autopkgtest.md new file mode 100644 index 0000000000..7fb5ccdee2 --- /dev/null +++ b/docs/development/autopkgtest.md @@ -0,0 +1,87 @@ +--- +title: Autopkgtest +--- + +**autopkgtest** is Debian's automated package testing framework that validates packages work correctly after installation in clean VM. To ensure real-world functionality, it performs integration testing by installing packages and running tests defined in `debian/tests/`. It is thus a good method to validate the apparmor profiles. + +!!! note + + The autopkgtest suite integration in apparmor.d is currently a work in progress + +**Workflow** + +1. Create a testing VM for autopkgtest +2. Run autopkgtest on a wide range of source package +3. Continuously collect AppArmor logs during the tests + + +## VM Setup and Management + +**Create the test VM** + +The test VM is a VM as defined in the [Development VM](vm.md) section, with a specific cloud-init configuration for autopkgtest. We use the same `setup-testbed` script to prepare the VM as `autopkgtest-build-qemu`. In addition, we ensure the VM is built with the lastest `apparmor.d` profiles in test mode. + +You can create the image, then the VM, and shut it down with: + +```sh +just img test +just create test +just halt test +``` + +Example: + +```sh +just img ubuntu 25.10 test +just create ubuntu25.10 test +just halt ubuntu25.10 test +``` + +**Update `apparmor.d` in the VM** + +Others VM defined in this project ships with a `aa-update` command that build and update the package. This does not apply to the `test` flavor because: + +1. We do not want to mount this project to a VM where the tests can be destructive +2. The `setup-testbed` script gets rid of most build dependencies for `apparmor.d` + +To update apparmor.d in the VM without creating a new image, use the `autopkgtest-update` command, it will build the package on the host, and install it in the VM: + +```sh +just autopkgtest-update +``` + +Example: + +```sh +just autopkgtest-update ubuntu 25.10 +``` + +## Test Execution Workflow + +The autopkgtest suite runs the tests for all source packages listed in `tests/autopkgtest/src-packages`. It installs each package in the test VM, runs its autopkgtest suite, and monitors AppArmor logs for any policy violations. It is possible to control the range of packages tested using alphabetical start and end points in the `tests/autopkgtest/autopkgtest.sh` script. + +To run the full suite for a Debian/Ubuntu system: + +```sh +just autopkgtest +``` + +Example: + +```sh +just autopkgtest ubuntu 25.10 +``` + +## Log Analysis + +The full raw logs are available in the `.logs/autopkgtest/` directory. One can run the following commands to analyze the logs and generate missing rules: + +Report all collected logs using `aa-log` +```sh +just autopkgtest-log +``` + +Generate missing rules using `aa-log --rules` +```sh +just autopkgtest-rules +``` diff --git a/docs/development/tests.md b/docs/development/tests.md index 4bf421d926..80bf903d19 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md @@ -24,6 +24,9 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo - Uses the [bats](https://github.com/bats-core/bats-core) test system. - Run in the Github Action as well as in all local [test VM](vm.md). +- [x] **[Distribution Tests:](autopkgtest.md)** `just autopkgtest ` + - Run the autopkgtest suite for Ubuntu and Debian. + **Plan** For more complex software suite, more integration tests need to be done. The plan is to run existing integration suite from these very software in an environment with `apparmor.d` profiles. diff --git a/docs/development/vm.md b/docs/development/vm.md index 871c2e93e9..cb2b50907e 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -5,7 +5,8 @@ title: Development VM To ensure compatibility across distribution, this project ships a wide range of development and tests VM images. The test VMs can be built locally using [cloud-init](https://cloud-init.io/), [packer](https://www.packer.io/) on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. -The VMs are fully managed using a [justfile](https://github.com/casey/just) that provides an integration environment helper for `apparmor.d`. + +The VMs are fully managed using a [Justfile](https://github.com/casey/just) that provides an integration environment helper for `apparmor.d`. ```sh $ just @@ -13,77 +14,82 @@ $ just ``` Available recipes: - help # Show this help message - clean # Remove all build artifacts + help # Show this help message + clean # Remove all build artifacts [build] - build # Build the go programs - enforce # Prebuild the profiles in enforced mode - enforce-test # Prebuild the profiles in enforce mode (test) - complain # Prebuild the profiles in complain mode - complain-test # Prebuild the profiles in complain mode (test) - fsp # Prebuild the profiles in FSP mode - fsp-complain # Prebuild the profiles in FSP mode (complain) - fsp-debug # Prebuild the profiles in FSP mode (debug) - server # Prebuild the profiles in server mode - server-complain # Prebuild the profiles in server mode (complain) - server-fsp # Prebuild the profiles in server FSP mode - server-fsp-complain # Prebuild the profiles in server FSP mode (complain) - server-fsp-debug # Prebuild the profiles in server FSP mode (debug) + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + enforce-test # Prebuild the profiles in enforce mode (test) + complain # Prebuild the profiles in complain mode + complain-test # Prebuild the profiles in complain mode (test) + fsp # Prebuild the profiles in FSP mode + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) + server # Prebuild the profiles in server mode + server-complain # Prebuild the profiles in server mode (complain) + server-fsp # Prebuild the profiles in server FSP mode + server-fsp-complain # Prebuild the profiles in server FSP mode (complain) + server-fsp-debug # Prebuild the profiles in server FSP mode (debug) [install] - install # Install prebuild profiles - local +names # Locally install prebuild profiles - dev name # Prebuild, install, and load a dev profile + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile [packages] - pkg name="" # Build & install apparmor.d on Arch based systems - dpkg name="" # Build & install apparmor.d on Debian based systems - rpm name="" # Build & install apparmor.d on OpenSUSE based systems - package dist version="" # Build the package in a clean OCI container - packages # Build all packages in a clean OCI container + pkg name="" # Build & install apparmor.d on Arch based systems + dpkg name="" # Build & install apparmor.d on Debian based systems + rpm name="" # Build & install apparmor.d on OpenSUSE based systems + package dist version="" flavor="" # Build the package in a clean OCI container + packages # Build all packages in a clean OCI container [linter] - lint # Run the linters - check # Run style checks on the profiles - - [tests] - tests # Run the unit tests - init # Install dependencies for the integration tests - integration name="" # Run the integration tests - tests-init osinfo flavor # Install dependencies for the integration tests (machine) - tests-sync osinfo flavor # Synchronize the integration tests (machine) - tests-resync osinfo flavor # Re-synchronize the integration tests (machine) - tests-run osinfo flavor name="" # Run the integration tests (machine) + lint # Run the linters + check # Run style checks on the profiles [docs] - man # Generate the man pages - docs # Build the documentation - serve # Serve the documentation + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation [vm] - img dist version flavor # Build the VM image - create osinfo flavor # Create the machine - up osinfo flavor # Start a machine - halt osinfo flavor # Stops the machine - reboot osinfo flavor # Reboot the machine - destroy osinfo flavor # Destroy the machine - ssh osinfo flavor # Connect to the machine - mount osinfo flavor # Mount the shared directory on the machine - umount osinfo flavor # Unmout the shared directory on the machine - list # List the machines - images # List the VM images - available # List the VM images that can be created + img dist version flavor # Build the VM image + create osinfo flavor # Create the machine + up osinfo flavor # Start a machine + halt osinfo flavor # Stops the machine + reboot osinfo flavor # Reboot the machine + destroy osinfo flavor # Destroy the machine + ssh osinfo flavor # Connect to the machine + mount osinfo flavor # Mount the shared directory on the machine + umount osinfo flavor # Unmout the shared directory on the machine + list # List the machines + images # List the VM images + available # List the VM images that can be created + + [tests] + tests # Run the unit tests + autopkgtest osinfo # Run the autopkgtest tests + autopkgtest-update dist version # Update the apparmor.d package on the test machine + autopkgtest-log # Report all collected logs + autopkgtest-rules # Report all generated rules + init # Install dependencies for the integration tests + integration name="" # Run the integration tests + tests-init osinfo flavor # Install dependencies for the integration tests (machine) + tests-sync osinfo flavor # Synchronize the integration tests (machine) + tests-resync osinfo flavor # Re-synchronize the integration tests (machine) + tests-run osinfo flavor name="" # Run the integration tests (machine) [version] - version # Get the current apparmor.d release version - version-new # Create a new version number from the current release + version # Get the current apparmor.d release version + version-new # Create a new version number from the current release [release] - release # Create a new release - commit # Write the new release version to package files & commit - archive # Create a release archive - publish # Publish the new release on Github + release # Create a new release + commit # Write the new release version to package files & commit + archive # Create a release archive + publish # Publish the new release on Github + repo # Create & upload new release packages to the repositories Build variables available: build # Build directory (default: .build) @@ -123,15 +129,19 @@ $ just available ``` ``` -Distribution Flavor -archlinux gnome -archlinux kde -archlinux server -archlinux xfce -debian12 gnome -debian12 kde -debian12 server -ubuntu24 server +Distribution Release Flavor +archlinux - gnome +archlinux - kde +debian 13 gnome +debian 13 server +debian 13 test +opensuse - gnome +opensuse - kde +ubuntu 24.04 server +ubuntu 25.05 desktop +ubuntu 25.05 kubuntu +ubuntu 25.10 test + ... ``` @@ -148,8 +158,8 @@ $ just images ``` ``` -Distribution Flavor Size Date -archlinux gnome 3.3G Mar 1 14:49 +OsInfo Flavor Size Date +archlinux gnome 3.5GB Sep 25 23:25 ``` The VM can then be created with: diff --git a/mkdocs.yml b/mkdocs.yml index e5244a529c..6697caedf1 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -168,3 +168,4 @@ nav: - development/tests.md - development/vm.md - development/integration.md + - development/autopkgtest.md From f85802feeaa5f414184398b38e9916cfd5a2e25c Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Tue, 14 Oct 2025 19:26:25 +0200 Subject: [PATCH 0868/1736] Update ollama ollama needs mrix. ollama exec @{bin}/ollama -> ollama//null-@{bin}/ollama comm=ollama requested_mask=x denied_mask=x ALLOWED ollama//null-@{bin}/ollama file_mmap @{bin}/ollama comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/ comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open owner @{PROC}/@{pid}/maps comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr owner @{PROC}/@{pid}/maps comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open owner @{PROC}/@{pid}/mountinfo comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open owner @{PROC}/@{pid}/cgroup comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open @{run}/bpftune/cgroupv2/system.slice/ollama.service/cpu.max comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open @{bin}/ollama comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{bin}/ollama comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr /usr/ comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{bin}/ comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open @{PROC}/sys/net/core/somaxconn comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama mknod owner /tmp/@{int10}.bin comm=ollama requested_mask=c denied_mask=c ALLOWED ollama//null-@{bin}/ollama open owner /tmp/@{int10}.bin comm=ollama requested_mask=wrc denied_mask=wrc ALLOWED ollama//null-@{bin}/ollama open owner /tmp/@{int10}.bin comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/ comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/libggml-cpu-alderlake.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/libggml-cpu-alderlake.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama file_mmap @{lib}/ollama/libggml-cpu-alderlake.so comm=ollama requested_mask=rm denied_mask=rm ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/libggml-base.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/libggml-base.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama file_mmap @{lib}/ollama/libggml-base.so comm=ollama requested_mask=rm denied_mask=rm ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/libggml-cpu-haswell.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/libggml-cpu-haswell.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama file_mmap @{lib}/ollama/libggml-cpu-haswell.so comm=ollama requested_mask=rm denied_mask=rm ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/libggml-cpu-icelake.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/libggml-cpu-icelake.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama file_mmap @{lib}/ollama/libggml-cpu-icelake.so comm=ollama requested_mask=rm denied_mask=rm ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/libggml-cpu-sandybridge.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/libggml-cpu-sandybridge.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama file_mmap @{lib}/ollama/libggml-cpu-sandybridge.so comm=ollama requested_mask=rm denied_mask=rm ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/libggml-cpu-skylakex.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/libggml-cpu-skylakex.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama file_mmap @{lib}/ollama/libggml-cpu-skylakex.so comm=ollama requested_mask=rm denied_mask=rm ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/libggml-cpu-sse42.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/libggml-cpu-sse42.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama file_mmap @{lib}/ollama/libggml-cpu-sse42.so comm=ollama requested_mask=rm denied_mask=rm ALLOWED ollama//null-@{bin}/ollama open @{lib}/ollama/libggml-cpu-x64.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{lib}/ollama/libggml-cpu-x64.so comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama file_mmap @{lib}/ollama/libggml-cpu-x64.so comm=ollama requested_mask=rm denied_mask=rm ALLOWED ollama//null-@{bin}/ollama open @{PROC}/cpuinfo comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama getattr @{PROC}/cpuinfo comm=ollama requested_mask=r denied_mask=r ALLOWED ollama//null-@{bin}/ollama unlink owner /tmp/@{int10}.bin comm=ollama requested_mask=d denied_mask=d --- apparmor.d/profiles-m-r/ollama | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 165e3d3adf..9fcfef987b 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -20,7 +20,7 @@ profile ollama @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, /tmp/ollama@{int}/runners/*/* mr, /tmp/ollama@{int}/runners/*/ollama_*_server rix, # TODO: rPx and remove graphics from here. @@ -29,12 +29,16 @@ profile ollama @{exec_path} flags=(attach_disconnected) { /usr/local/ r, /usr/local/lib/ r, - @{lib}/ r, + @{lib}/ollama/ r, + @{lib}/ollama/*.so mr, owner /var/lib/ollama/ rw, owner /var/lib/ollama/** rwlk, - /tmp/ r, + owner @{HOME}/.ollama/{,*} rw, + + @{tmp}/ r, + owner @{tmp}/@{int}.bin rw, owner @{tmp}/ollama@{int}/{,**} rw, owner @{tmp}/ollama@{int}/runners/{,**} mr, @@ -48,7 +52,10 @@ profile ollama @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/task/@{tid}/comm w, include if exists From cac75c7b781cbfed8e7d01fdcefcac099ce8a8d9 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Tue, 21 Oct 2025 14:12:51 +0200 Subject: [PATCH 0869/1736] Update okular ``` apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed68fe00a4" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed68fe03a2" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed68facdee" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed68fad654" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed69000b6d" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed69000e5b" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed6900af96" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed6900b935" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed6901a917" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed6901f21d" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed6901f49c" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed68fd6eb0" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" apparmor="DENIED" operation="mknod" class="file" profile="okular" name="/tmp/08bed68fd7b6c" comm="okular" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="xxx" OUID="xxx" `` --- apparmor.d/groups/kde/okular | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index a2ffad26fc..d34baccb96 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -74,6 +74,7 @@ profile okular @{exec_path} { owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, + owner @{tmp}/@{hex12}@{h} w, # when opening pdf files as attchments in Thunderbird owner @{tmp}/#@{int} rw, owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, From 37c02ef846d91b22a6f362c5a1886f4e428be744 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 21:31:43 +0200 Subject: [PATCH 0870/1736] feat(abs): flatpak: initial version of flatpak devices core abs. --- apparmor.d/abstractions/flatpak/devices/all | 40 +++++++++++++++++++ apparmor.d/abstractions/flatpak/devices/dri | 22 ++++++++++ apparmor.d/abstractions/flatpak/devices/input | 13 ++++++ apparmor.d/abstractions/flatpak/devices/kvm | 10 +++++ apparmor.d/abstractions/flatpak/devices/shm | 14 +++++++ apparmor.d/abstractions/flatpak/devices/usb | 13 ++++++ 6 files changed, 112 insertions(+) create mode 100644 apparmor.d/abstractions/flatpak/devices/all create mode 100644 apparmor.d/abstractions/flatpak/devices/dri create mode 100644 apparmor.d/abstractions/flatpak/devices/input create mode 100644 apparmor.d/abstractions/flatpak/devices/kvm create mode 100644 apparmor.d/abstractions/flatpak/devices/shm create mode 100644 apparmor.d/abstractions/flatpak/devices/usb diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all new file mode 100644 index 0000000000..99b5d24432 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Flatpack 'all' devices gives full access to the system. +# To limit this, we explicitly list the devices allowed, using the abstractions +# for common devices. +# +# As it may lead to issues, a future implementation will leverage apparmor prompts +# to request access to devices on demand. + + abi , + + include + include + include + include + + include + include + include + include + + @{sys}/class/*/ r, + + @{sys}/devices/@{pci_bus}/ r, + @{sys}/devices/@{pci}/ r, + + owner @{PROC}/@{pid}/mountinfo r, + + # Allow reading info about the physical mapping of virtual pages + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pids}/pagemap r, + + /dev/udmabuf rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/devices/dri b/apparmor.d/abstractions/flatpak/devices/dri new file mode 100644 index 0000000000..267791e3c3 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/devices/dri @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + + @{sys}/devices/@{pci}/boot_vga r, + + /dev/ r, + + # Video Acceleration API + @{att}/dev/dri/renderD128 rw, + @{att}/dev/dri/renderD129 rw, + + @{PROC}/devices r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/devices/input b/apparmor.d/abstractions/flatpak/devices/input new file mode 100644 index 0000000000..46da3b9392 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/devices/input @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/devices/kvm b/apparmor.d/abstractions/flatpak/devices/kvm new file mode 100644 index 0000000000..6dce9ea516 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/devices/kvm @@ -0,0 +1,10 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/devices/shm b/apparmor.d/abstractions/flatpak/devices/shm new file mode 100644 index 0000000000..6c810a1dfb --- /dev/null +++ b/apparmor.d/abstractions/flatpak/devices/shm @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + #aa:lint ignore=too-wide + /dev/shm/ r, + owner /dev/shm/** mrwlkix -> /dev/shm/**, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/devices/usb b/apparmor.d/abstractions/flatpak/devices/usb new file mode 100644 index 0000000000..c4b92a8712 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/devices/usb @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor From 3bdbab41aa92fab58f1d3d5626cc70bac4748034 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 21:41:16 +0200 Subject: [PATCH 0871/1736] feat(abs): flatpak: initial version of flatpak shared core abs. --- apparmor.d/abstractions/flatpak/shared/ipc | 12 +++++ .../abstractions/flatpak/shared/network | 47 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 apparmor.d/abstractions/flatpak/shared/ipc create mode 100644 apparmor.d/abstractions/flatpak/shared/network diff --git a/apparmor.d/abstractions/flatpak/shared/ipc b/apparmor.d/abstractions/flatpak/shared/ipc new file mode 100644 index 0000000000..ef235fc096 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/shared/ipc @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + network netlink raw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/shared/network b/apparmor.d/abstractions/flatpak/shared/network new file mode 100644 index 0000000000..3749ac0d41 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/shared/network @@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{run}/systemd/resolve/io.systemd.Resolve rw, + + owner @{run}/host/monitor/gai.conf r, + owner @{run}/host/monitor/host.conf r, + owner @{run}/host/monitor/hosts r, + owner @{run}/host/monitor/resolv.conf r, + + @{sys}/class/net/ r, + @{sys}/devices/**/net/*/ r, + @{sys}/devices/**/net/*/carrier r, + + # Leaks interface names and stats, but not in a way that is traceable + # to the user/device + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/net/ipv6_route r, + @{PROC}/@{pid}/net/packet r, + @{PROC}/@{pid}/net/raw r, + @{PROC}/@{pid}/net/raw6 r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/sockstat r, + @{PROC}/@{pid}/net/sockstat6 r, + @{PROC}/@{pid}/net/tcp r, + @{PROC}/@{pid}/net/tcp6 r, + @{PROC}/@{pid}/net/udp r, + @{PROC}/@{pid}/net/udp6 r, + @{PROC}/@{pid}/net/udplite r, + @{PROC}/@{pid}/net/unix r, + @{PROC}/net/dev r, + + include if exists + +# vim:syntax=apparmor From 7254f438562dcf07aabfeffb701325c94662cdf3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 21:42:13 +0200 Subject: [PATCH 0872/1736] feat(abs): flatpak: initial version of flatpak platform core abs. --- .../flatpak/platform/org.freedesktop | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 apparmor.d/abstractions/flatpak/platform/org.freedesktop diff --git a/apparmor.d/abstractions/flatpak/platform/org.freedesktop b/apparmor.d/abstractions/flatpak/platform/org.freedesktop new file mode 100644 index 0000000000..299bbf2d4d --- /dev/null +++ b/apparmor.d/abstractions/flatpak/platform/org.freedesktop @@ -0,0 +1,58 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: appid + + abi , + + include + include + + # Base directories of the flatpak platform + /usr/ r, + /usr/share/ r, + /usr/share/** r, + + # Fonts + # We are purposely not using the fonts abstraction as it gives access to + # system-wide and user fonts out of the sandbox. + + /usr/share/fonts/{,**} rk, + /usr/cache/fontconfig/** r, + + /etc/fonts/{,**} r, + + owner /var/cache/fontconfig/@{hex32}-le{32,64}.cache-@{int} r, + owner /var/cache/fontconfig/@{hex32}-le{32,64}.cache-reindex@{int}-@{int} r, + + @{run}/host/fonts/{,**} r, + @{run}/host/fonts-cache/{,**} r, + owner @{run}/host/user-fonts-cache/@{hex32}-le{32,64}.cache-@{int} r, + owner @{run}/host/font-dirs.xml r, + + # Icons + # We are purposely not using the icons abstraction as it gives access to + # system-wide and user icon out of the sandbox. + + /var/lib/flatpak/app/@{appid}/@{arch}/stable/@{hex64}/export/share/icons/{,**} r, + /var/lib/flatpak/exports/share/icons/{,**} r, + + @{run}/host/share/icons/{,**} r, + @{run}/host/user-share/icons/{,**} r, + + # Pkcs11 + # Flatpak only pkcs11 paths + + /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem r, + /etc/pki/tls/openssl.cnf r, + + owner /etc/pkcs11/modules/ r, + owner /etc/pkcs11/modules/p11-kit-trust.module r, + owner /etc/pkcs11/pkcs11.conf r, + + owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, + + include if exists + +# vim:syntax=apparmor From edef28422d22fe065f40a6026ea382ae27f7c55a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 21:46:50 +0200 Subject: [PATCH 0873/1736] feat(abs): flatpak: initial version of flatpak sockets core abs. --- apparmor.d/abstractions/flatpak/sockets/cups | 10 +++++++++ .../abstractions/flatpak/sockets/fallback-x11 | 10 +++++++++ .../abstractions/flatpak/sockets/gpg-agent | 12 +++++++++++ .../flatpak/sockets/inherit-wayland-socket | 10 +++++++++ apparmor.d/abstractions/flatpak/sockets/pcsc | 12 +++++++++++ .../abstractions/flatpak/sockets/pulseaudio | 21 +++++++++++++++++++ .../abstractions/flatpak/sockets/session-bus | 10 +++++++++ .../abstractions/flatpak/sockets/ssh-auth | 12 +++++++++++ .../abstractions/flatpak/sockets/system-bus | 10 +++++++++ .../abstractions/flatpak/sockets/wayland | 15 +++++++++++++ apparmor.d/abstractions/flatpak/sockets/x11 | 18 ++++++++++++++++ 11 files changed, 140 insertions(+) create mode 100644 apparmor.d/abstractions/flatpak/sockets/cups create mode 100644 apparmor.d/abstractions/flatpak/sockets/fallback-x11 create mode 100644 apparmor.d/abstractions/flatpak/sockets/gpg-agent create mode 100644 apparmor.d/abstractions/flatpak/sockets/inherit-wayland-socket create mode 100644 apparmor.d/abstractions/flatpak/sockets/pcsc create mode 100644 apparmor.d/abstractions/flatpak/sockets/pulseaudio create mode 100644 apparmor.d/abstractions/flatpak/sockets/session-bus create mode 100644 apparmor.d/abstractions/flatpak/sockets/ssh-auth create mode 100644 apparmor.d/abstractions/flatpak/sockets/system-bus create mode 100644 apparmor.d/abstractions/flatpak/sockets/wayland create mode 100644 apparmor.d/abstractions/flatpak/sockets/x11 diff --git a/apparmor.d/abstractions/flatpak/sockets/cups b/apparmor.d/abstractions/flatpak/sockets/cups new file mode 100644 index 0000000000..2b4c6c7e0d --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/cups @@ -0,0 +1,10 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/fallback-x11 b/apparmor.d/abstractions/flatpak/sockets/fallback-x11 new file mode 100644 index 0000000000..55ae024d68 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/fallback-x11 @@ -0,0 +1,10 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/gpg-agent b/apparmor.d/abstractions/flatpak/sockets/gpg-agent new file mode 100644 index 0000000000..6c6d519207 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/gpg-agent @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/inherit-wayland-socket b/apparmor.d/abstractions/flatpak/sockets/inherit-wayland-socket new file mode 100644 index 0000000000..68ee9c611b --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/inherit-wayland-socket @@ -0,0 +1,10 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/pcsc b/apparmor.d/abstractions/flatpak/sockets/pcsc new file mode 100644 index 0000000000..a58ac52b05 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/pcsc @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + @{run}/pcscd/pcscd.comm rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/pulseaudio b/apparmor.d/abstractions/flatpak/sockets/pulseaudio new file mode 100644 index 0000000000..cb6ca777b4 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/pulseaudio @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + owner @{run}/flatpak/pulse/config r, + + @{sys}/class/ r, + @{sys}/class/sound/ r, + @{sys}/devices/virtual/sound/seq/uevent r, + @{sys}/devices/virtual/sound/timer/uevent r, + + /dev/snd/ r, + /dev/snd/* rw, + /dev/sound/* rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/session-bus b/apparmor.d/abstractions/flatpak/sockets/session-bus new file mode 100644 index 0000000000..f238af05fc --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/session-bus @@ -0,0 +1,10 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/ssh-auth b/apparmor.d/abstractions/flatpak/sockets/ssh-auth new file mode 100644 index 0000000000..3d05b2c654 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/ssh-auth @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + owner @{run}/flatpak/ssh-auth r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/system-bus b/apparmor.d/abstractions/flatpak/sockets/system-bus new file mode 100644 index 0000000000..eeeb913424 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/system-bus @@ -0,0 +1,10 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/wayland b/apparmor.d/abstractions/flatpak/sockets/wayland new file mode 100644 index 0000000000..18a1c7ce86 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/wayland @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + owner @{run}/flatpak/wayland-@{int} r, + + # Allow access to the Wayland compositor server socket + owner @{run}/user/@{uid}/wayland-@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/sockets/x11 b/apparmor.d/abstractions/flatpak/sockets/x11 new file mode 100644 index 0000000000..fa881121d5 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/sockets/x11 @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + unix type=stream addr=none peer=(label=xwayland, addr=@/tmp/.X11-unix/X@{int}), + unix type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}), + + /usr/share/X11/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + + owner @{run}/flatpak/Xauthority r, + + include if exists + +# vim:syntax=apparmor From 38ebe1a6c1c82502d12db3f139c985ec0b738814 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 21:49:14 +0200 Subject: [PATCH 0874/1736] feat(abs): flatpak: initial version of flatpak baseapp core abs. --- .../flatpak/baseapp/com.valvesoftware.Steam | 51 +++++++++++++++++++ .../flatpak/baseapp/org.chromium.Chromium | 45 ++++++++++++++++ .../flatpak/baseapp/org.winehq.Win | 12 +++++ 3 files changed, 108 insertions(+) create mode 100644 apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam create mode 100644 apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium create mode 100644 apparmor.d/abstractions/flatpak/baseapp/org.winehq.Win diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam new file mode 100644 index 0000000000..2cd2e1ba77 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + + @{lib}/os-release rk, + + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, + + owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + + @{sys}/devices/virtual/dmi/id/bios_date r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/bios_version rk, + @{sys}/devices/virtual/dmi/id/board_asset_tag r, + @{sys}/devices/virtual/dmi/id/board_name r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/board_version r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/virtual/dmi/id/chassis_vendor r, + @{sys}/devices/virtual/dmi/id/chassis_version r, + @{sys}/devices/virtual/dmi/id/product_family r, + @{sys}/devices/virtual/dmi/id/product_name k, + @{sys}/devices/virtual/dmi/id/product_sku r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor k, + + @{PROC}/@{pid}/comm rk, + @{PROC}/locks r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/kernel/sched_autogroup_enabled r, + @{PROC}/sys/net/core/bpf_jit_enable r, + owner @{PROC}/@{pid}/autogroup rw, + owner @{PROC}/@{pid}/cmdline rk, + + # NT synchronization driver (performance improvement for games) + # https://www.phoronix.com/news/Linux-6.14-NTSYNC-Driver-Ready + /dev/ntsync r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium b/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium new file mode 100644 index 0000000000..dedf3c8bfc --- /dev/null +++ b/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: appid + + abi , + + include + + # The orcexec.* file is JIT compiled code for various GStreamer elements. + owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, + + /dev/shm/ r, + owner /dev/shm/.@{appid}.@{rand6} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + @{sys}/bus/ r, + @{sys}/devices/**/usb@{int}/{,*/}bConfigurationValue r, + @{sys}/devices/**/usb@{int}/{,*/}descriptors r, + @{sys}/devices/**/usb@{int}/{,*/}manufacturer r, + @{sys}/devices/**/usb@{int}/{,*/}product r, + @{sys}/devices/**/usb@{int}/{,*/}serial r, + @{sys}/devices/**/usb@{int}/{,*/}vendor r, + @{sys}/devices/system/cpu/kernel_max r, + + # Allow getting the manufacturer and model of the computer where chromium is currently running. + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + # Chromium content api unfortunately needs these for normal operation + owner @{PROC}/@{pid}/fd/@{int} w, + + # This is an information leak but disallowing it leads to developer confusion + # when using the chromium content api file chooser due to a (harmless) glib + # warning and the noisy AppArmor denial. + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + # This allows raising the OOM score of other processes owned by the user. + owner @{PROC}/@{pid}/oom_score_adj w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Win b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Win new file mode 100644 index 0000000000..32129ec21a --- /dev/null +++ b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Win @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + + include if exists + +# vim:syntax=apparmor From c4f0d51fdfdfc9c5429b3960a0eb3c04c1d2bf2c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 21:50:49 +0200 Subject: [PATCH 0875/1736] feat(abs): flatpak: initial version of flatpak filesystem core. --- apparmor.d/abstractions/flatpak/filesystem | 57 ++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 apparmor.d/abstractions/flatpak/filesystem diff --git a/apparmor.d/abstractions/flatpak/filesystem b/apparmor.d/abstractions/flatpak/filesystem new file mode 100644 index 0000000000..a71abd2866 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/filesystem @@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +#aa:lint ignore=too-wide + +# Used by the generic flatpak app profile (fapp) to cover the filesystem access +# as defined in the flatpak doc. Dynamically generated flatpak profiles do +# not use this abstraction. + +# As a generic profile cannot filter filesystem for each app, the flatpak/filesystem +# abstraction gives full access to the user's home, and read only acccess to +# host system files. In the limit of what is defined by flatpak. + +# https://docs.flatpak.org/en/latest/sandbox-permissions.html#filesystem-access + + abi , + + # Access an arbitrary path except any reserved ones + owner /etc/{,**} rw, + owner @{sys}/ r, + owner /usr/{,**} r, + + # host-os + @{run}/host/bin/{,**} r, + @{run}/host/etc/alternatives r, + @{run}/host/etc/ld.so.cache r, + @{run}/host/lib{32,64}/{,**} r, + @{run}/host/sbin/{,**} r, + @{run}/host/usr/{,**} r, + + # host-etc + @{run}/host/etc/** r, + + # host + /opt/{,**} r, + /srv/{,**} r, + owner @{MOUNTS}/ r, + owner @{MOUNTS}/** rwlk -> @{MOUNTS}/**, + + # home + owner /home/ r, + owner @{HOME}/ r, + owner @{HOME}/** rwlk -> @{HOME}/**, + + # xdg-run + owner @{run}/user/@{uid}/ rw, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, + + /var/lib/** r, + owner /var/ r, + owner /var/tmp/ r, + + include if exists + +# vim:syntax=apparmor From 7bb3b7e172549e65d86c4a90f180b37537f82535 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 21:57:53 +0200 Subject: [PATCH 0876/1736] feat(abs): flatpak: initial version of flatpak app abs. --- apparmor.d/abstractions/app/flatpak | 224 ++++++++++++++++++++++++++++ 1 file changed, 224 insertions(+) create mode 100644 apparmor.d/abstractions/app/flatpak diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak new file mode 100644 index 0000000000..78886f244b --- /dev/null +++ b/apparmor.d/abstractions/app/flatpak @@ -0,0 +1,224 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: appid +# NEEDS-VARIABLE: att + +# Default rules for all flatpak applications. Ideally, they should be +# generated with settings from the flatpak metadata. + +# Security objectives: +# 1. Split the sandbox handler (bwrap) from the app profile (fapp) +# 2. Provide defence in depth, as flatpak already provides a sandbox +# 3. The main purpose of this profile is to ensure all processes are confined + +# Notable security improvements over no profile at all: +# - No capabilities (except dac_override & dac_read_search) +# - Restrict unix socket to profiles defined in apparmor.d +# - Limit dbus system communication to profiles defined in apparmor.d +# - Ensure flatpak-spawn and host-spawn are confined too +# - Filter /proc/, /sys/ access +# +# Keep in mind that the profile is still common for all apps and is therefore +# way more permissive than a per-app profile would be. + +# Abstractions in 'abstractions/flatpak' closelly follow the sandbox defined by +# flatpak, and are therefore different to they host equivalents, as flatpak apps +# do not have access to the full host filesystem. + + abi , + + include + include + include + include + include + + # The app base platform, similar to our desktop abstraction, but with flatpak paths + include + + # Base app specific rules, they are all included as it is for a generic profile + include + include + + # Flatpak devices '--device=' + include + include + + # Flatpack share (IPC, network) with the host '--share=' + include + include + + # Flatpack sockets '--socket=' + include + include + include + include + include + include + include + include + include + include + include + + # Flatpak filesystem access '--filesystem=' + # As a generic profile cannot filter filesystem for each app, this gives + # full access to the user's home, and read only acccess to host system files. + # In the limmit of what is allowed by flatpak. + include + + # System bus: all system dbus interfaces a flatpak app can access + include + include + include + include + include + include + include + include + + capability dac_override, + capability dac_read_search, + + unix type=seqpacket peer=(label=dbus-session), + unix type=seqpacket peer=(label=flatpak-portal), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=xdg-dbus-proxy), + unix type=stream peer=(label=flatpak), + + signal (send receive) peer=fapp, + signal (send receive) peer=fapp//&fbwrap, + signal (send receive) peer=fbwrap, + signal receive peer=flatpak-portal, + + ptrace read peer=fapp, + ptrace read peer=fapp//&fbwrap, + ptrace read peer=fbwrap, + ptrace trace peer=fapp, + ptrace trace peer=fapp//&fbwrap, + ptrace trace peer=fbwrap, + + # As a generic profile, we cannot restrict the session bus, and we trust flatpak on this. + dbus bus=session, + + # Run in the flatpak sandbox, the app + /app/ rk, + /app/** mrkix, + + # Run in the flatpak sandbox, the app runtime + @{bin}/ r, + @{bin}/** rix, + @{lib}/ r, + @{lib}/** rix, + @{sbin}/ r, + @{sbin}/** rix, + + / r, + owner /.flatpak-info r, + + # In the sandbox, they are the same than ~/.var/app/@{appid}/{cache,config,data,cache/tmp} + #aa:lint ignore=too-wide + owner /var/cache/** rwlk, + owner /var/config/** rwlk, + owner /var/data/** rwlk, + owner /var/tmp/** rwlk, + + owner @{att}@{HOME}/.var/app/@{appid}/ r, + owner @{att}@{HOME}/.var/app/@{appid}/** rwlk -> @{att}@{HOME}/.var/app/@{appid}/**, + owner @{HOME}/.var/app/@{appid}/ r, + owner @{HOME}/.var/app/@{appid}/** mrwlk -> @{HOME}/.var/app/@{appid}/**, + owner @{HOME}/.var/app/@{appid}/** ix, + + @{run}/parent/** mrix, + @{run}/parent/usr/.ref rk, + @{run}/parent/app/.ref rk, + + owner @{run}/flatpak/app/@{appid}/ r, + owner @{run}/flatpak/app/@{appid}/** mrwlk -> @{run}/flatpak/app/@{appid}/**, + + owner @{run}/flatpak/doc/** r, + owner @{run}/flatpak/ld.so.conf.d/ r, + owner @{run}/flatpak/ld.so.conf.d/*.conf r, + + owner @{run}/user/@{uid}/app/@{appid}/ r, + owner @{run}/user/@{uid}/app/@{appid}/** rwlk -> @{run}/user/@{uid}/app/@{appid}/**, + + @{run}/host/os-release r, + owner @{run}/host/ r, + owner @{run}/host/container-manager r, + + #aa:lint ignore=too-wide + # Flatpak creates an app-specific private restricted /tmp. As such, we can + # simply allow full access to /tmp. + /tmp/ r, + owner /tmp/** mrwlkix, + + # Show the list of active tty + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # This is an information leak + owner @{PROC}/@{pid}/mountinfo r, + + # Reads of oom_adj and oom_score_adj are safe + owner @{PROC}/@{pid}/oom_adj r, + owner @{PROC}/@{pid}/oom_score_adj r, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + @{PROC}/ r, + @{PROC}/@{pid}/cpuset r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/io r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/smaps r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/loadavg r, + @{PROC}/sys/fs/file-max r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inotify/max_queued_events r, + @{PROC}/sys/fs/inotify/max_user_instances r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/fs/nr_open r, + @{PROC}/sys/fs/pipe-max-size r, + @{PROC}/sys/kernel/hostname r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/ostype r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/kernel/shmmax r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/uptime r, + @{PROC}/version r, + @{PROC}/version_signature r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/cmdline rk, + owner @{PROC}/@{pid}/comm rk, + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/sessionid r, + owner @{PROC}/@{pid}/smaps_rollup r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/smaps r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/statm r, + + # Allow setting up pseudoterminal via /dev/pts system. This is safe because + # the flatpak uses a per-app devpts. + /dev/ptmx rw, + + include if exists + +# vim:syntax=apparmor From 7f464b8140531416f9e8d6f8d05a43ee67ee6256 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 22:02:18 +0200 Subject: [PATCH 0877/1736] feat(profile): flatpak: initial version fapp. --- apparmor.d/groups/flatpak/fapp | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 apparmor.d/groups/flatpak/fapp diff --git a/apparmor.d/groups/flatpak/fapp b/apparmor.d/groups/flatpak/fapp new file mode 100644 index 0000000000..35080bc0e7 --- /dev/null +++ b/apparmor.d/groups/flatpak/fapp @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for all flatpak applications. Ideally, this profile should be +# generated by flatpak itself with settings from the flatpak manifest. + +# See abstractions/app/flatpak for more details about the security objectives. + +abi , + +include + +@{appid} = @{word}.@{word}.@{word}{,.@{word}} + +profile fapp flags=(attach_disconnected,mediate_deleted) { + include + include + + deny @{att}/ r, + deny @{att}@{run}/.userns r, + + include if exists +} + +# vim:syntax=apparmor From e28a7c8d4fbcafe9ef22ff7ee0077e77f403663e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 22:04:29 +0200 Subject: [PATCH 0878/1736] feat(profile): flatpak: initial version fbwrap. --- apparmor.d/groups/flatpak/fbwrap | 76 ++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 apparmor.d/groups/flatpak/fbwrap diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap new file mode 100644 index 0000000000..6bc45810f8 --- /dev/null +++ b/apparmor.d/groups/flatpak/fbwrap @@ -0,0 +1,76 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{appid} = @{word}.@{word}.@{word}{,.@{word}} + +@{exec_path} = @{bin}/bwrap +profile fbwrap flags=(attach_disconnected,mediate_deleted) { + include + include + include + + capability sys_resource, + + unix type=seqpacket peer=(label=fapp), + unix type=stream peer=(label=fapp), + + signal receive peer=gnome-software, + signal receive peer=flatpak, + + @{exec_path} mr, + + @{bin}/true ix, # Required by glycin, harmless + + @{sbin}/ldconfig Cx -> &fbwrap//ldconfig, + @{bin}/xdg-dbus-proxy Px -> fbwrap//&xdg-dbus-proxy, + priority=2 @{lib}/glycin-loaders/@{d}+/glycin-* Px -> fbwrap//&glycin//loaders, + + priority=1 /app/bin/** Px -> fbwrap//&fapp, + priority=1 @{lib}/** Px -> fbwrap//&fapp, + priority=1 @{HOME}/.var/app/@{appid}/** Px -> fbwrap//&fapp, + + /app/.ref rk, + /usr/.ref rk, + + /bindfile@{rand6} rw, + + owner @{run}/flatpak/.flatpak/@{int}/.ref rk, + owner @{run}/flatpak/ld.so.conf.d/ r, + owner @{run}/flatpak/ld.so.conf.d/*.conf r, + owner @{run}/flatpak/per-app-dirs-ref rk, + owner @{run}/ld-so-cache-dir/@{hex64}.@{rand6}{,~} rw, + + owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} w, + owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} w, + owner @{run}/user/@{uid}/.dbus-proxy/system-bus-proxy-@{rand6} w, + owner @{run}/user/@{uid}/.flatpak/@{int}/bwrapinfo.json rw, + owner @{run}/user/@{uid}/.flatpak/@{int}/info r, + + profile ldconfig flags=(attach_disconnected,mediate_deleted) { + include + + @{sbin}/ldconfig mr, + @{lib}/ r, + + /app/lib/{,**} r, + /app/lib{32,64}/{,**} r, + + owner /var/cache/ldconfig/aux-cache r, + + owner @{run}/flatpak/ld.so.conf.d/ r, + owner @{run}/flatpak/ld.so.conf.d/*.conf r, + owner @{run}/ld-so-cache-dir/@{hex64}.@{rand6} w, + owner @{run}/ld-so-cache-dir/@{hex64}.@{rand6}~ rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor From 41aa50de5e3b63a9c9c553526ff1791f8326929f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 22:09:54 +0200 Subject: [PATCH 0879/1736] feat(profile): update flatpak to the new fapp / fbrwap profiles. --- apparmor.d/abstractions/app/flatpak | 2 +- apparmor.d/groups/flatpak/flatpak | 13 ++++++++----- apparmor.d/groups/flatpak/flatpak-system-helper | 3 ++- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 78886f244b..4d77700276 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -126,7 +126,7 @@ owner /var/tmp/** rwlk, owner @{att}@{HOME}/.var/app/@{appid}/ r, - owner @{att}@{HOME}/.var/app/@{appid}/** rwlk -> @{att}@{HOME}/.var/app/@{appid}/**, + owner @{att}@{HOME}/.var/app/@{appid}/** rwlk, owner @{HOME}/.var/app/@{appid}/ r, owner @{HOME}/.var/app/@{appid}/** mrwlk -> @{HOME}/.var/app/@{appid}/**, owner @{HOME}/.var/app/@{appid}/** ix, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 18676abfeb..466a80a071 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -6,6 +6,8 @@ abi , include +@{appid} = @{word}.@{word}.@{word}{,.@{word}} + @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include @@ -43,9 +45,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, - ptrace read peer=flatpak-app, + ptrace read peer=fbwrap, # Generic bwrap for flatpak app + ptrace read peer=flatpak-app, # Deprecated generic profile ptrace read peer=flatpak.*, - ptrace read peer=bwrap.*, signal send peer=flatpak-app, @@ -71,7 +73,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{exec_path} mr, - @{bin}/bwrap rPx -> flatpak-app, + @{bin}/bwrap rPx -> flatpak-app, #aa:only apparmor<4.1 + @{bin}/bwrap rPx -> fbwrap, #aa:only apparmor>=4.1 @{bin}/fusermount{,3} rCx -> fusermount, @{bin}/gpg rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -102,8 +105,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}@{HOME}/.var/app/@{appid}/.local/share/*/logs/* rw, + owner @{att}@{HOME}/.var/app/@{appid}/.local/share/*/**/usr/.ref rw, # Can create dotfile directories for any app owner @{user_cache_dirs}/*/ w, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index cd9c65a8e3..0e43bd7259 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -113,7 +113,8 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de @{user_share_dirs}/mime/{,**} w, @{user_share_dirs}/mimeinfo.cache w, - /app/extra/** w, + /app/extra/** rw, + /bindfile@{rand6} rw, /tmp/#@{int} rw, From 5d1b5a1be79d877df5d8dece3cff8c4b186db618 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 22:11:25 +0200 Subject: [PATCH 0880/1736] feat(abs): add initial version of bluetooth-observe --- apparmor.d/abstractions/bluetooth-observe | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 apparmor.d/abstractions/bluetooth-observe diff --git a/apparmor.d/abstractions/bluetooth-observe b/apparmor.d/abstractions/bluetooth-observe new file mode 100644 index 0000000000..cd21e83767 --- /dev/null +++ b/apparmor.d/abstractions/bluetooth-observe @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows listing Bluetooth devices and their properties. + + abi , + + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" + + dbus receive bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}/service@{hex4}/char@{hex4} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=bluetoothd), + + include if exists + +# vim:syntax=apparmor From 0f3aa1dad8e4933dd5d286327e9bf1d4d01c25f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 22:11:45 +0200 Subject: [PATCH 0881/1736] feat(abs): add initial version of accounts-observe --- apparmor.d/abstractions/accounts-observe | 38 ++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 apparmor.d/abstractions/accounts-observe diff --git a/apparmor.d/abstractions/accounts-observe b/apparmor.d/abstractions/accounts-observe new file mode 100644 index 0000000000..85e6bb8c97 --- /dev/null +++ b/apparmor.d/abstractions/accounts-observe @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communication with accounts-daemon. This is used by gnome-shell's agent +# implementation to display user information in the authorisation dialog. + + abi , + + dbus send bus=system path=/org/freedesktop/Accounts/User@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), + + dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label="@{p_accounts_daemon}"), + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member={FindUserById,FindUserByName} + peer=(name=org.freedesktop.Accounts, label="@{p_accounts_daemon}"), + + dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} + interface=org.freedesktop.Accounts.User + member=Changed + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + + include if exists + +# vim:syntax=apparmor From 7ae35d76ff46a7bf0c3f7970677fc9be5f06eb57 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Oct 2025 22:12:26 +0200 Subject: [PATCH 0882/1736] feat(abs): add initial version of modem-manager-observe. --- apparmor.d/abstractions/modem-manager-observe | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 apparmor.d/abstractions/modem-manager-observe diff --git a/apparmor.d/abstractions/modem-manager-observe b/apparmor.d/abstractions/modem-manager-observe new file mode 100644 index 0000000000..d1938f4e12 --- /dev/null +++ b/apparmor.d/abstractions/modem-manager-observe @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows observing ModemManager settings. It grants access to listing +# MAC addresses, previous networks, etc but not secrets. + + abi , + + dbus send bus=system path=/org/freedesktop/ModemManager1 + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=ModemManager), + + include if exists + +# vim:syntax=apparmor From c220f176b66de55e906d6e429836f9e5f8b4272f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Oct 2025 13:09:51 +0200 Subject: [PATCH 0883/1736] build: justfile: differentiate distribution release and pkg version. --- Justfile | 40 ++++++++++++++++----------------- docs/development/autopkgtest.md | 12 +++++----- docs/development/vm.md | 6 ++--- 3 files changed, 29 insertions(+), 29 deletions(-) diff --git a/Justfile b/Justfile index 7c57ea77d8..d28d56759a 100644 --- a/Justfile +++ b/Justfile @@ -254,12 +254,12 @@ clean: # Build the package in a clean OCI container [group('packages')] -package dist version="" flavor="": - bash dists/docker.sh {{dist}} {{version}} {{flavor}} +package dist release="" flavor="": + bash dists/docker.sh {{dist}} {{release}} {{flavor}} # Build all packages in a clean OCI container [group('packages')] -packages: +packages: (clean) #!/usr/bin/env bash set -eu -o pipefail declare -A matrix=( @@ -269,23 +269,23 @@ packages: ["opensuse"]="-" ) for dist in "${!matrix[@]}"; do - IFS=' ' read -r -a versions <<< "${matrix[$dist]}" - for version in "${versions[@]}"; do - echo bash dists/docker.sh $dist $version + IFS=' ' read -r -a releases <<< "${matrix[$dist]}" + for release in "${releases[@]}"; do + bash dists/docker.sh $dist $release done done # Build the VM image [group('vm')] -img dist version flavor: (package dist version flavor) +img dist release flavor: (package dist release flavor) #!/usr/bin/env bash set -eu -o pipefail - VERSION="{{version}}" - [[ "$VERSION" == "-" ]] && VERSION="" + RELEASE="{{release}}" + [[ "$RELEASE" == "-" ]] && RELEASE="" mkdir -p {{base_dir}} packer build -force \ -var dist={{dist}} \ - -var version="$VERSION" \ + -var release="$RELEASE" \ -var flavor={{flavor}} \ -var prefix={{prefix}} \ -var username={{username}} \ @@ -360,7 +360,7 @@ umount osinfo flavor: # List the machines [group('vm')] list: - @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" + @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "OsInfo-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' # List the VM images @@ -418,14 +418,14 @@ autopkgtest osinfo: # Update the apparmor.d package on the test machine [group('tests')] -autopkgtest-update dist version: - just up {{dist}}{{version}} test - just package {{dist}} {{version}} test - scp {{sshopt}} {{pkgdest}}/{{dist}}/{{version}}/{{pkgname}}_*.deb \ - {{username}}@`just _get_ip {{dist}}{{version}} test`:/home/{{username}}/Projects/ - ssh {{sshopt}} {{username}}@`just _get_ip {{dist}}{{version}} test` \ +autopkgtest-update dist release: + just up {{dist}}{{release}} test || true + just package {{dist}} {{release}} test + scp {{sshopt}} {{pkgdest}}/{{dist}}/{{release}}/{{pkgname}}_*.deb \ + {{username}}@`just _get_ip {{dist}}{{release}} test`:/home/{{username}}/Projects/ + ssh {{sshopt}} {{username}}@`just _get_ip {{dist}}{{release}} test` \ sudo dpkg -i /home/{{username}}/Projects/{{pkgname}}_*.deb - just halt {{dist}}{{version}} test + just halt {{dist}}{{release}} test _autopkgtest-log-merge: @mkdir -p .logs/autopkgtest @@ -508,8 +508,8 @@ commit: mv debian/changelog.tmp debian/changelog sed -i "s/^pkgver=.*/pkgver=$version/" PKGBUILD sed -i "s/^Version:.*/Version: $version/" "dists/{{pkgname}}.spec" - echo git add PKGBUILD "dists/{{pkgname}}.spec" debian/changelog - echo git commit -S -m "Release version $version" + git add PKGBUILD "dists/{{pkgname}}.spec" debian/changelog + git commit -S -m "Release version $version" # Create a release archive [group('release')] diff --git a/docs/development/autopkgtest.md b/docs/development/autopkgtest.md index 7fb5ccdee2..18fbf6388f 100644 --- a/docs/development/autopkgtest.md +++ b/docs/development/autopkgtest.md @@ -24,9 +24,9 @@ The test VM is a VM as defined in the [Development VM](vm.md) section, with a sp You can create the image, then the VM, and shut it down with: ```sh -just img test -just create test -just halt test +just img test +just create test +just halt test ``` Example: @@ -47,7 +47,7 @@ Others VM defined in this project ships with a `aa-update` command that build an To update apparmor.d in the VM without creating a new image, use the `autopkgtest-update` command, it will build the package on the host, and install it in the VM: ```sh -just autopkgtest-update +just autopkgtest-update ``` Example: @@ -63,13 +63,13 @@ The autopkgtest suite runs the tests for all source packages listed in `tests/au To run the full suite for a Debian/Ubuntu system: ```sh -just autopkgtest +just autopkgtest ``` Example: ```sh -just autopkgtest ubuntu 25.10 +just autopkgtest ubuntu25.10 ``` ## Log Analysis diff --git a/docs/development/vm.md b/docs/development/vm.md index cb2b50907e..e0f35a4639 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -41,7 +41,7 @@ Available recipes: pkg name="" # Build & install apparmor.d on Arch based systems dpkg name="" # Build & install apparmor.d on Debian based systems rpm name="" # Build & install apparmor.d on OpenSUSE based systems - package dist version="" flavor="" # Build the package in a clean OCI container + package dist release="" flavor="" # Build the package in a clean OCI container packages # Build all packages in a clean OCI container [linter] @@ -54,7 +54,7 @@ Available recipes: serve # Serve the documentation [vm] - img dist version flavor # Build the VM image + img dist release flavor # Build the VM image create osinfo flavor # Create the machine up osinfo flavor # Start a machine halt osinfo flavor # Stops the machine @@ -70,7 +70,7 @@ Available recipes: [tests] tests # Run the unit tests autopkgtest osinfo # Run the autopkgtest tests - autopkgtest-update dist version # Update the apparmor.d package on the test machine + autopkgtest-update dist release # Update the apparmor.d package on the test machine autopkgtest-log # Report all collected logs autopkgtest-rules # Report all generated rules init # Install dependencies for the integration tests From f04b2cc5a823229f8e0ce46e5b1fff70baa6c8e7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Oct 2025 13:58:23 +0200 Subject: [PATCH 0884/1736] fix(test): missing release var in packer files. --- tests/packer/builds.pkr.hcl | 6 +++--- tests/packer/variables.pkr.hcl | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index b4ba0c1aee..1e34c6416b 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -3,8 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only locals { - name = "${var.prefix}${var.dist}${var.version}-${var.flavor}" - osinfo = "${var.dist}${var.version}" + name = "${var.prefix}${var.dist}${var.release}-${var.flavor}" + osinfo = "${var.dist}${var.release}" } source "qemu" "default" { @@ -60,7 +60,7 @@ build { "${path.cwd}/tests/packer/src/", "${path.cwd}/tests/packer/init.sh", "${path.cwd}/tests/packer/clean.sh", - "${path.cwd}/.pkg/${var.dist}/${var.version}/", + "${path.cwd}/.pkg/${var.dist}/${var.release}/", ] } diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 7301c94b3c..e09b7266f7 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -76,8 +76,8 @@ variable "dist" { default = "ubuntu" } -variable "version" { - description = "Version to target" +variable "release" { + description = "Release to target" type = string default = "25.10" } From b1fe2199cf23030bea2fb90010da21c2d4530a15 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Oct 2025 14:14:58 +0200 Subject: [PATCH 0885/1736] test(abs): also add the tests abs to the base completion. --- apparmor.d/abstractions/base.d/complete | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index d89688b70c..71ac1cd3ad 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + include #aa:only test + # Systemd: allow to receive any signal from the systemd profiles stack signal receive peer=@{p_systemd}, signal receive peer=@{p_systemd_user}, From ffd285d0edcf8b1f7788773fc3c88d7c4aaac2e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 00:48:46 +0200 Subject: [PATCH 0886/1736] feat(profile_: various improvment from autopkgtest --- apparmor.d/abstractions/disks-read | 1 + apparmor.d/groups/apt/apt-methods-http | 4 ++++ apparmor.d/groups/apt/deb-systemd-helper | 2 ++ apparmor.d/groups/apt/dpkg-deb | 1 + apparmor.d/groups/apt/dpkg-preconfigure | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 9 ++++++++- apparmor.d/groups/apt/dpkg-statoverride | 2 ++ apparmor.d/groups/apt/reportbug | 1 + apparmor.d/groups/filesystem/mount | 1 + apparmor.d/groups/filesystem/nfsdcld | 4 ++++ apparmor.d/groups/firewall/nft | 2 +- apparmor.d/groups/gpg/gpg | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/network/netplan | 5 +++++ apparmor.d/groups/network/nm-online | 2 +- apparmor.d/groups/network/openvpn | 22 +++++++++++++--------- apparmor.d/groups/network/rpcbind | 9 +++++++++ apparmor.d/groups/procps/pgrep | 2 ++ apparmor.d/groups/procps/w | 5 +++++ apparmor.d/groups/shadow/groupadd | 11 +++++++++++ apparmor.d/groups/shadow/useradd | 2 +- apparmor.d/groups/shadow/usermod | 3 ++- apparmor.d/groups/ssh/sshd-auth | 1 + apparmor.d/groups/ssh/sshd-session | 5 +++++ apparmor.d/groups/utils/login | 1 + apparmor.d/profiles-a-f/dracut-install | 6 ++++++ apparmor.d/profiles-g-l/git | 3 +++ apparmor.d/profiles-g-l/ip | 5 +++++ apparmor.d/profiles-m-r/initramfs-hooks | 6 ++++-- apparmor.d/profiles-m-r/mkinitramfs | 5 ++++- apparmor.d/profiles-m-r/repo | 15 +-------------- apparmor.d/profiles-m-r/reprepro | 3 +++ apparmor.d/profiles-m-r/runuser | 1 + apparmor.d/profiles-s-z/sysstat-sadc | 3 +++ apparmor.d/profiles-s-z/ucfr | 3 +++ dists/flags/main.flags | 1 - 36 files changed, 119 insertions(+), 32 deletions(-) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index ee97ff04db..6e32286091 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -90,6 +90,7 @@ @{sys}/block/ r, @{sys}/class/block/ r, + @{sys}/class/iscsi_session/ r, @{sys}/dev/block/ r, @{run}/udev/data/b2:@{int} r, # for /dev/fd* diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 32e88c759e..6fc69b4d10 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -26,6 +26,7 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { signal receive peer=@{p_apt_news}, signal receive peer=@{p_packagekitd}, signal receive peer=apt-get, + signal receive peer=apt-helper, signal receive peer=apt, signal receive peer=aptitude, signal receive peer=role_*, @@ -86,6 +87,9 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + #aa;only test + owner /tmp/tmp@{word8}/{,**} rwlk, + include if exists } diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index d6e89f9a07..006606e3a1 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -33,6 +33,8 @@ profile deb-systemd-helper @{exec_path} { /etc/systemd/ r, /etc/systemd/system/ r, /etc/systemd/system/* rw, + /etc/systemd/system/*.requires/ rw, + /etc/systemd/system/*.requires/* rw, /etc/systemd/system/*.wants/ rw, /etc/systemd/system/*.wants/* rw, /etc/systemd/user/ r, diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 1986f8e405..9b4e886bdc 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -37,6 +37,7 @@ profile dpkg-deb @{exec_path} { #aa:only test /tmp/@{rand10}/{,**} rw, /tmp/tmp.@{rand10}/{,**} rw, + /tmp/tmp@{word8}/{,**} rw, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index d144f28de5..a4236a8a93 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -30,6 +30,8 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/find ix, @{bin}/getent ix, @{bin}/head ix, + @{bin}/host Px, + @{bin}/hostname ix, @{bin}/locale ix, @{bin}/readlink ix, @{bin}/realpath ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 5ece130593..5ab5c5bf6b 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -76,9 +76,12 @@ profile dpkg-scripts @{exec_path} { /usr/share/*/{,**} rw, /usr/local/share/*/{,**} rw, /var/** rw, - @{run}/** rw, + @{run}/** rwk, @{efi}/grub/* rw, + /tmp/dbconfig-common*.@{rand6} rw, + /tmp/dbconfig-common*.@{rand6}/{,**} rw, + /tmp/dbconfig-package-config.@{rand6} rw, /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, @@ -107,6 +110,8 @@ profile dpkg-scripts @{exec_path} { include include + @{efi}/System.map-* r, + @{lib}/modules/*/modules.* w, @{sys}/module/compression r, @@ -178,6 +183,8 @@ profile dpkg-scripts @{exec_path} { @{sbin}/ldconfig mrix, @{sbin}/ldconfig.real rix, + @{bin}/dpkg-trigger rPx, + @{lib}/ r, /usr/local/ r, /usr/local/lib/ r, diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index b094ff91d9..5bb0aa3acb 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -18,6 +18,8 @@ profile dpkg-statoverride @{exec_path} flags=(complain) { @{exec_path} mr, + @{bin}/* w, + @{sbin}/* w, @{lib}/** w, /var/lib/** w, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a6584a23d2..e31c9c69c0 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -39,6 +39,7 @@ profile reportbug @{exec_path} { @{bin}/readlink rix, @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, + /usr/share/bug/reportbug/script rix, @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, diff --git a/apparmor.d/groups/filesystem/mount b/apparmor.d/groups/filesystem/mount index f8616cd88a..a6f3a1ab38 100644 --- a/apparmor.d/groups/filesystem/mount +++ b/apparmor.d/groups/filesystem/mount @@ -37,6 +37,7 @@ profile mount @{exec_path} flags=(attach_disconnected) { @{bin}/mount.* rPx, @{bin}/ntfs-3g rPx, @{bin}/sshfs rPx, + @{sbin}/mount.* rPx, /etc/fstab r, diff --git a/apparmor.d/groups/filesystem/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld index 23ecc576ef..297ee16839 100644 --- a/apparmor.d/groups/filesystem/nfsdcld +++ b/apparmor.d/groups/filesystem/nfsdcld @@ -17,10 +17,14 @@ profile nfsdcld @{exec_path} { /etc/nfs.conf r, /etc/nfs.conf rk, + /etc/nfs.conf.d/{,*} r, /var/lib/nfs/nfsdcld/{,**} rw, + /var/lib/nfs/nfsdcld/main.sqlite rk, /var/lib/nfs/rpc_pipefs/nfsd/* rw, + @{run}/rpc_pipefs/nfsd/cld rw, + include if exists } diff --git a/apparmor.d/groups/firewall/nft b/apparmor.d/groups/firewall/nft index ceafa138d9..4099e1d562 100644 --- a/apparmor.d/groups/firewall/nft +++ b/apparmor.d/groups/firewall/nft @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{sbin}/nft -profile nft @{exec_path} { +profile nft @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index dac44d5dfc..6ce9c3eab8 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -83,6 +83,8 @@ profile gpg @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/stat rw, #aa:only test + /tmp/*-test@{word8}/{,**} rwlk, + /tmp/*tests@{word8}/{,**} rwlk, /tmp/gpg.*/{,**} rwlk, include if exists diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e3298479d4..2994d2522d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -168,6 +168,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:only test /etc/netplan/10-test.yaml rw, + /tmp/tmp@{word8}/NetworkManager.conf r, profile kmod { include diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index c4fe653a6b..8e3274defa 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -19,6 +19,7 @@ profile netplan @{exec_path} flags=(attach_disconnected) { @{bin}/ip rPx, @{bin}/networkctl rPx, + @{bin}/nmcli rPx, @{bin}/ovs-vsctl rPUx, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rPx, @@ -29,6 +30,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, @{run}/netplan/ r, + @{run}/NetworkManager/system-connections/netplan-* r, + @{run}/systemd/network/ r, + @{run}/systemd/system/ r, + @{run}/systemd/system/systemd-networkd.service.wants/ r, /tmp/#@{int} rw, /tmp/@{word8} rw, diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 710d3115bd..7e8eb98d39 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nm-online -profile nm-online @{exec_path} { +profile nm-online @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 2a513b84e0..7eed686996 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -40,13 +40,22 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (receive) set=(term) peer=nm-openvpn-service, + signal receive set=term peer=nm-openvpn-service, + signal receive set=term peer=pgrep, @{exec_path} mr, - @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, + @{bin}/ip rix, # TODO: rCx + @{bin}/systemd-ask-password rPx, + + @{lib}/nm-openvpn-service-openvpn-helper rPx, + @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, + + /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, + /etc/openvpn/update-resolv-conf{,.sh} rCx -> update-resolv, /etc/openvpn/{,**} r, + /etc/openvpn/static.key w, @{HOME}/.cert/{,**} r, @@ -56,13 +65,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{bin}/ip rix, - @{bin}/systemd-ask-password rPx, - @{lib}/nm-openvpn-service-openvpn-helper rPx, - /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, - /etc/openvpn/update-resolv-conf{,.sh} rCx -> update-resolv, - - /dev/net/tun rw, + owner /tmp/openvpn.log w, + owner /tmp/openvpn/{,**} r, owner @{PROC}/@{pid}/net/route r, diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 0650470ac5..c1f15e2a59 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -10,17 +10,26 @@ include @{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include include capability setgid, capability setuid, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} rm, /etc/netconfig r, @{run}/rpcbind.lock rwkl, + @{run}/rpcbind.sock rw, @{run}/rpcbind/*.xdr rwkl, + @{run}/systemd/notify w, include if exists } diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index d10c1e772a..be719fae40 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -12,6 +12,8 @@ profile pgrep @{exec_path} flags=(attach_disconnected) { include include + signal send set=term, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/procps/w b/apparmor.d/groups/procps/w index 2445034e90..414721f88b 100644 --- a/apparmor.d/groups/procps/w +++ b/apparmor.d/groups/procps/w @@ -27,10 +27,15 @@ profile w @{exec_path} { @{run}/systemd/sessions/* r, @{PROC}/ r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/1/ r, + @{PROC}/1/status r, @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/groups/shadow/groupadd b/apparmor.d/groups/shadow/groupadd index 5443285958..f5feb079ec 100644 --- a/apparmor.d/groups/shadow/groupadd +++ b/apparmor.d/groups/shadow/groupadd @@ -15,6 +15,7 @@ profile groupadd @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, + capability dac_override, capability fsetid, network netlink raw, @@ -35,6 +36,16 @@ profile groupadd @{exec_path} flags=(attach_disconnected) { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + /var/lib/extrausers/group w, + /var/lib/extrausers/group- w, + /var/lib/extrausers/group.@{pid} w, + /var/lib/extrausers/group.lock wl -> /var/lib/extrausers/group.@{pid}, + /var/lib/extrausers/group+ rw, + /var/lib/extrausers/gshadow rw, + /var/lib/extrausers/gshadow- w, + /var/lib/extrausers/gshadow.lock wl -> /var/lib/extrausers/gshadow.@{pid}, + /var/lib/extrausers/gshadow+ rw, + include if exists } diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/groups/shadow/useradd index 9fadae46df..aa891465d5 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -55,7 +55,7 @@ profile useradd @{exec_path} flags=(attach_disconnected) { @{HOME}/ rw, @{HOME}/** wl, @{HOME}/**/ r, - /var/lib/*/{,*} rw, + /var/lib/*/{,*} rwl, /etc/skel/{,.**} r, profile pam_tally2 { diff --git a/apparmor.d/groups/shadow/usermod b/apparmor.d/groups/shadow/usermod index aa3fc1ce8c..96f9cfb030 100644 --- a/apparmor.d/groups/shadow/usermod +++ b/apparmor.d/groups/shadow/usermod @@ -15,6 +15,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, + capability dac_override, capability dac_read_search, capability fowner, capability fsetid, @@ -51,7 +52,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{HOME}/{,**} rw, /var/ r, /var/lib/ r, - /var/lib/*/{,**} rw, + /var/lib/*/{,**} rwl, @{PROC}/ r, @{PROC}/@{pids}/task/ r, diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth index 74def4b44a..c964fcce96 100644 --- a/apparmor.d/groups/ssh/sshd-auth +++ b/apparmor.d/groups/ssh/sshd-auth @@ -11,6 +11,7 @@ profile sshd-auth @{exec_path} { include include + capability dac_override, capability setgid, capability setuid, capability sys_chroot, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index 2a169c32c7..beb0ea4e40 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -61,8 +61,10 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{etc_rw}/motd r, @{etc_rw}/motd.d/{,**} r, + /etc/legal r, /etc/machine-id r, /etc/motd r, + /etc/ssh/moduli r, /var/lib/lastlog/ r, /var/lib/lastlog/lastlog2.db rwk, @@ -87,6 +89,9 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + #aa:only test + owner @{tmp}/ssh-@{rand10}/{,agent.@{int}} rw, + include if exists } diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 7b1755b20b..8e880c05bb 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -57,6 +57,7 @@ profile login @{exec_path} flags=(attach_disconnected) { /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, + owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/motd.legal-displayed rw, @{att}@{run}/systemd/sessions/@{int}.ref w, diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 5137cde8c7..ff885fa708 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -19,6 +19,12 @@ profile dracut-install @{exec_path} { / r, + /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, + /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, + /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, + /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, + @{sys}/devices/platform/{,**/} r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 01b491b989..4bf1d528f1 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -105,6 +105,9 @@ profile git @{exec_path} flags=(attach_disconnected) { deny /usr/share/nvidia/nvidia-application-profiles-* r, deny /dev/shm/.org.chromium.Chromium.@{rand6} rw, + #aa:only test + owner /tmp/*tests@{word8}/{,**} rwlk, + profile gpg flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index e348faffaa..c755356204 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -17,6 +17,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_admin, capability sys_module, + capability sys_ptrace, network netlink raw, @@ -31,11 +32,14 @@ profile ip @{exec_path} flags=(attach_disconnected) { umount @{run}/netns/*, umount @{sys}, + ptrace read, + @{exec_path} mrix, # To run command with 'ip netns exec' @{shells_path} rUx, @{bin}/sudo rPx, + @{bin}/taskset rPUx, @{bin}/firewall-cmd rPx, @{sbin}/firewalld rPx, @@ -52,6 +56,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { @{run}/netns/* rw, owner @{run}/netns/ rwk, + @{PROC}/ r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/net/dev_mcast r, owner @{PROC}/@{pid}/net/igmp{,6} r, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index eb56ac121a..85844f7bb1 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -40,6 +40,7 @@ profile initramfs-hooks @{exec_path} { @{lib}/ r, @{lib}/** mr, + /usr/share/*/ r, /usr/share/*/initramfs/{,**} r, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, @@ -67,6 +68,7 @@ profile initramfs-hooks @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, owner /var/tmp/mkinitramfs-@{rand6} rw, owner /var/tmp/mkinitramfs-*_@{rand6} rw, + owner /var/tmp/mkinitramfs-EFW_@{rand10} rw, owner /var/tmp/mkinitramfs-EFW_@{rand10}/{,**} rwl, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, @@ -87,6 +89,7 @@ profile initramfs-hooks @{exec_path} { @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/block/dm-@{int}/slaves/ r, @{sys}/firmware/efi/efivars/ r, + @{sys}/module/firmware_class/parameters/path r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mounts r, @@ -102,8 +105,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/* mr, @{sbin}/* mr, - @{lib}/initramfs-tools/** mr, - @{lib}/udev/** mr, + @{lib}/** mr, /usr/share/brltty/initramfs/brltty.sh r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index c6dec9b87a..8996ef0957 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -127,7 +127,10 @@ profile mkinitramfs @{exec_path} { @{sys}/module/firmware_class/parameters/path r, @{sys}/bus/platform/drivers/simple-framebuffer/ r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-2.scope/cpu.max r, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-*.scope/cpu.max r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 5ad84fb15d..f596ee037a 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -31,7 +31,7 @@ profile repo @{exec_path} { @{bin}/uname rix, @{lib}/git{,-core}/git* rix, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rPx, @{bin}/ssh rPx, /usr/share/git-core/{,**} r, @@ -59,19 +59,6 @@ profile repo @{exec_path} { # Silencer deny /etc/.repo_gitconfig.json w, - profile gpg { - include - - @{bin}/gpg{,2} mr, - - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, - - owner @{tmp}/.git_vtag_tmp@{rand6} r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 16336f8047..e235e06788 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -33,6 +33,9 @@ profile reprepro @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + #aa:only test + /tmp/@{rand10}/** rwlk, + profile gpg { include diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 4bd5699551..29665ebca1 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -25,6 +25,7 @@ profile runuser @{exec_path} { @{exec_path} mr, @{bin}/@{shells} rUx, + @{bin}/mkdir ix, @{etc_ro}/security/limits.d/ r, /etc/default/runuser r, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index 30c5e0b3c5..7423a8c38b 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -21,9 +21,11 @@ profile sysstat-sadc @{exec_path} { /var/log/sysstat/{,**} rwk, @{sys}/bus/i2c/devices/ r, + @{sys}/bus/usb/devices/ r, @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, + @{sys}/class/power_supply/ r, @{sys}/devices/**/duplex r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/name r, @@ -31,6 +33,7 @@ profile sysstat-sadc @{exec_path} { @{PROC}/@{pid}/net/* r, @{PROC}/diskstats r, + @{PROC}/interrupts r, @{PROC}/loadavg r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index dbd1e6246b..3b9a518c62 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -21,8 +21,10 @@ profile ucfr @{exec_path} { @{bin}/dirname ix, @{bin}/getopt ix, @{bin}/id ix, + @{bin}/mv ix, @{bin}/readlink ix, @{bin}/sed ix, + @{bin}/seq ix, /usr/share/ucf/{,**} r, @@ -33,6 +35,7 @@ profile ucfr @{exec_path} { /var/lib/ucf/ r, /var/lib/ucf/registry r, /var/lib/ucf/registry.@{int} rw, + /var/lib/ucf/registry.tmp rw, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index bcba20be39..f1d0e67cb0 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -250,7 +250,6 @@ needrestart-restart complain netplan attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain -nm-online complain nm-openvpn-service-openvpn-helper complain nm-priv-helper complain nmcli complain From 0ca4b124f56a2ad1421cbe3929e138d2f268b257 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 00:51:04 +0200 Subject: [PATCH 0887/1736] feat(abs): input: ensure joystick are covered. --- apparmor.d/abstractions/input | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input index 206a324457..e2b7f30f68 100644 --- a/apparmor.d/abstractions/input +++ b/apparmor.d/abstractions/input @@ -11,10 +11,12 @@ # https://www.kernel.org/doc/Documentation/input/event-codes.txt @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/ r, @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/event@{int}/ r, @{sys}/devices/**/input@{int}/event@{int}/uevent r, - @{sys}/devices/**/input@{int}/properties r, - @{sys}/devices/**/input@{int}/uevent r, + @{sys}/devices/**/input@{int}/{,**/}properties r, + @{sys}/devices/**/input@{int}/{,**/}uevent r, @{sys}/devices/virtual/input/mice/uevent r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @@ -22,6 +24,7 @@ /dev/input/ r, /dev/input/event@{int} rw, + /dev/input/js@{int} rw, /dev/input/mice rw, /dev/input/mouse@{int} rw, From 410ca9e2cf8d9b1515bada972dcd62d287f52f7a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 14:36:44 +0200 Subject: [PATCH 0888/1736] feat(profile): more fixes reported by autopkgtest --- apparmor.d/abstractions/app/flatpak | 3 ++- .../abstractions/bus/org.freedesktop.timedate1 | 10 ++++++++++ apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/cron/crontab | 1 + apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gpg/scdaemon | 2 +- apparmor.d/groups/shadow/useradd | 4 +++- apparmor.d/groups/ssh/ssh | 7 +++++-- apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-networkd | 7 ++++++- apparmor.d/groups/systemd/systemd-timedated | 14 +------------- apparmor.d/profiles-m-r/qemu-ga | 1 + apparmor.d/profiles-s-z/ucf | 4 +++- apparmor.d/profiles-s-z/update-catalog | 1 + 15 files changed, 38 insertions(+), 21 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 4d77700276..e3afeb2d8c 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -125,8 +125,9 @@ owner /var/data/** rwlk, owner /var/tmp/** rwlk, + owner @{att}@{HOME}/ r, owner @{att}@{HOME}/.var/app/@{appid}/ r, - owner @{att}@{HOME}/.var/app/@{appid}/** rwlk, + owner @{att}@{HOME}/.var/app/@{appid}/** mrwlk, owner @{HOME}/.var/app/@{appid}/ r, owner @{HOME}/.var/app/@{appid}/** mrwlk -> @{HOME}/.var/app/@{appid}/**, owner @{HOME}/.var/app/@{appid}/** ix, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index e5ac3b51e5..c673637e5d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -9,6 +9,16 @@ member=GetAll peer=(name=@{busname}, label=systemd-timedated), + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.timedate1 + member=SetTimezone + peer=(name=org.freedesktop.timedate1, label=systemd-timedated), + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=PrepareForSleep + peer=(name=@{busname}, label=systemd-logind), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 5ab5c5bf6b..339ed3c54e 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -133,6 +133,7 @@ profile dpkg-scripts @{exec_path} { ptrace read peer=@{p_systemd}, @{bin}/systemd-tty-ask-password-agent Px, + @{lib}/systemd/systemd-sysv-install PUx, @{pager_path} Px -> child-pager, /etc/machine-id r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index ce70bcdaa8..7663b5dafa 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -30,6 +30,7 @@ profile crontab @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, + @{lib}/systemd-cron/crontab_setgid PUx, @{lib}/systemd/system-generators/systemd-crontab-generator PUx, @{etc_ro}/environment r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 9f9c174195..cc83b98f56 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -71,6 +71,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{GDM_HOME}/ rw, @{GDM_HOME}/** rw, + @{run}/gdm{,3}/@{HOME}/ rw, @{run}/gdm{,3}/home/ rw, @{run}/gdm{,3}.pid rw, @{run}/gdm{,3}/ rw, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 6638f3fe4e..c5d16217db 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -35,7 +35,7 @@ profile scdaemon @{exec_path} { owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w, owner /var/tmp/zypp.*/zypp-trusted-*/S.scdaemon w, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/groups/shadow/useradd index aa891465d5..b826fcaf73 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -44,6 +44,8 @@ profile useradd @{exec_path} flags=(attach_disconnected) { /etc/subgid.lock wl -> /etc/subgid.@{pid}, /etc/subuid.lock wl -> /etc/subuid.@{pid}, + /var/lib/extrausers/*.lock wl -> /var/lib/extrausers/*.@{pid}, + # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, @@ -55,7 +57,7 @@ profile useradd @{exec_path} flags=(attach_disconnected) { @{HOME}/ rw, @{HOME}/** wl, @{HOME}/**/ r, - /var/lib/*/{,*} rwl, + /var/lib/*/{,*} rw, /etc/skel/{,.**} r, profile pam_tally2 { diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index dcaa416fee..bfb2cca8bc 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -37,6 +37,7 @@ profile ssh @{exec_path} { @{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, + /etc/gss/mech.d/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, @@ -47,15 +48,17 @@ profile ssh @{exec_path} { owner @{tmp}/krb5cc_* rwk, - audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, + owner @{run}/user/@{uid}/openssh_agent rw, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, + #aa:only test + owner @{tmp}/ssh-@{rand10}/{,agent.@{int}} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index cd51fcc169..3b9a3421fb 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -61,6 +61,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) + @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 7a4f625651..d08becd378 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -29,7 +29,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{bin}/localedef ix, @{bin}/rm ix, @{bin}/sort ix, - @{sbin}/locale-gen rPx, + @{sbin}/locale-gen Px -> systemd-localed//&locale-gen, /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 513db3b810..a20694ff0d 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -13,12 +13,16 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { include include include + include capability bpf, capability net_admin, capability net_bind_service, capability net_broadcast, capability net_raw, + capability setgid, # FIXME: setgid, setpcap setuid are not needed when used as systemd service + capability setpcap, + capability setuid, capability sys_admin, network inet dgram, @@ -88,11 +92,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/btf/vmlinux r, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/setgroups r, @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/version_signature r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 861f3be1c4..9ae0f9abd4 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -11,6 +11,7 @@ include profile systemd-timedated @{exec_path} flags=(attach_disconnected) { include include + include include capability sys_time, @@ -19,19 +20,6 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.timedate1 - dbus send bus=system path=/org/freedesktop/systemd1/unit/* - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={DisableUnitFiles,EnableUnitFiles} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={JobRemoved,Reload,StartUnit,StopUnit} - peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd}"), - @{exec_path} mr, @{etc_rw}/.#adjtime* rw, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index ae8dae8559..b1389ff713 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -37,6 +37,7 @@ profile qemu-ga @{exec_path} { capability net_admin, + unix type=stream addr=@@{udbus}/bus/shutdown/, unix type=stream addr=@@{udbus}/bus/shutdown/system, #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 65ea284fa1..e5875a7947 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -51,9 +51,11 @@ profile ucf @{exec_path} { / r, /root/ r, + /var/lib/dpkg/info/ucf.templates r, + owner /var/lib/ucf/** rw, - owner /tmp/tmp.@{rand10} r, + @{PROC}/@{pid}/mountinfo r, deny capability sys_admin, # optional: no audit diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog index feac2d3c5e..24c7681cfa 100644 --- a/apparmor.d/profiles-s-z/update-catalog +++ b/apparmor.d/profiles-s-z/update-catalog @@ -9,6 +9,7 @@ include @{exec_path} = @{sbin}/update-catalog profile update-catalog @{exec_path} { include + include include @{exec_path} mr, From 2d46af1155e47ff431aa67c05fb38a4cb3421260 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 18:22:34 +0200 Subject: [PATCH 0889/1736] fix(build): do not ignore our version of the who profile. - We had conflict as we enable it in dists/overwrite - We want our version, so we can update it. --- pkg/prebuild/prepare/configure.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 9ca3b14d33..7486cdb5b8 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -88,7 +88,6 @@ func (p Configure) Apply() ([]string, error) { "dig", "free", "nslookup", - "who", } if err := removeFiles(remove); err != nil { return res, err From c6217b2971748401cbef603dc1e94047b3f2951d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 18:47:24 +0200 Subject: [PATCH 0890/1736] tests: autopkgtest, update test paths. --- apparmor.d/abstractions/tests | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/tests b/apparmor.d/abstractions/tests index b314858944..73d58426e5 100644 --- a/apparmor.d/abstractions/tests +++ b/apparmor.d/abstractions/tests @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Common temporary tests directories used by autopkgtest. # @@ -33,12 +34,11 @@ /tmp/shunit.@{rand6}/** rwlk, /tmp/test*/ rw, - /tmp/test*/** rwlk, + /tmp/test*/** rwlkmix, + /tmp/*test*/ rw, + /tmp/*test*/** rwlkmix, - /tmp/nft-test*/{,**} rwlk, owner /tmp/dbusmock_data_*/{,**} rwlk, - owner /tmp/g-r-d-tests-*/{,**} rwlk, - owner /tmp/mutter-testroot-*/{,**} rwlk, include if exists From 19f244d12b6f3df0afafb217e94b0ea92dde8136 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 19:23:05 +0200 Subject: [PATCH 0891/1736] fix: linter issues. --- apparmor.d/groups/children/glycin | 1 + apparmor.d/groups/pacman/pacdiff | 1 + apparmor.d/groups/shadow/groupadd | 4 ++-- apparmor.d/groups/shadow/useradd | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 9 ++++++++- 5 files changed, 13 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 59fc8ff794..a650ea9aad 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -23,6 +23,7 @@ profile glycin flags=(attach_disconnected,complain) { @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> &glycin//loaders, + #aa:lint ignore=too-wide # Safe deny of inherited files from parent process. deny network inet dgram, deny network inet6 dgram, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index eef9926667..3c39d7aff9 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -32,6 +32,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{bin}/tput ix, @{editor_path} Cx -> editor, + #aa:lint ignore=too-wide # packages files / r, @{efi}/{,**} r, diff --git a/apparmor.d/groups/shadow/groupadd b/apparmor.d/groups/shadow/groupadd index f5feb079ec..0e9850cd35 100644 --- a/apparmor.d/groups/shadow/groupadd +++ b/apparmor.d/groups/shadow/groupadd @@ -39,11 +39,11 @@ profile groupadd @{exec_path} flags=(attach_disconnected) { /var/lib/extrausers/group w, /var/lib/extrausers/group- w, /var/lib/extrausers/group.@{pid} w, - /var/lib/extrausers/group.lock wl -> /var/lib/extrausers/group.@{pid}, + /var/lib/extrausers/group.lock wl -> /var/lib/extrausers/group.@{pid}, /var/lib/extrausers/group+ rw, /var/lib/extrausers/gshadow rw, /var/lib/extrausers/gshadow- w, - /var/lib/extrausers/gshadow.lock wl -> /var/lib/extrausers/gshadow.@{pid}, + /var/lib/extrausers/gshadow.lock wl -> /var/lib/extrausers/gshadow.@{pid}, /var/lib/extrausers/gshadow+ rw, include if exists diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/groups/shadow/useradd index b826fcaf73..ed15bf022c 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -44,7 +44,7 @@ profile useradd @{exec_path} flags=(attach_disconnected) { /etc/subgid.lock wl -> /etc/subgid.@{pid}, /etc/subuid.lock wl -> /etc/subuid.@{pid}, - /var/lib/extrausers/*.lock wl -> /var/lib/extrausers/*.@{pid}, + /var/lib/extrausers/*.lock wl -> /var/lib/extrausers/*.@{pid}, # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to # modify the /etc/passwd or /etc/shadow password database. diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index fd1d0af03a..db496c443b 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -14,7 +14,7 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,}grep rix, @{sbin}/killall5 rix, - @{bin}/pgrep rix, + @{bin}/pgrep rCx -> pgrep, @{bin}/pinky rix, @{bin}/sed rix, /etc/acpi/powerbtn.sh rix, @@ -46,6 +46,13 @@ profile acpi-powerbtn flags=(attach_disconnected) { include if exists } + profile pgrep { + include + include + + include if exists + } + profile bus flags=(complain) { include include From d6e710e2fd276e4e8168a7ba859d00131149b3ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 19:56:46 +0200 Subject: [PATCH 0892/1736] tests(check): add a new transition check. --- apparmor.d/groups/display-manager/xdm-xsession | 5 ++++- tests/check.sh | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index df17e0d9f4..175cb0c687 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -56,9 +56,12 @@ profile xdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/sys.xsession rix, @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh rix, @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh rix, - @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, + #aa:lint ignore=transition + # FIXME: Pix is a bad idea here, it **will** lead to breakage. + @{HOME}/.xinitrc rPix, + /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/tests/check.sh b/tests/check.sh index b54bc157a2..7e84abdb0b 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -260,6 +260,9 @@ readonly TRANSITION_MUST_C=( # Must transition to 'Cx' ) _check_transition() { _is_enabled transition || return 0 + if [[ "$line" =~ [pP]ix, ]]; then + _err transition "$file:$line_number" "'Pix' transition leads to unmaintainable profile" + fi for prgmname in "${!TRANSITION_MUST_CI[@]}"; do if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then _err transition "$file:$line_number" \ From 6571d4a244dbbeafe629c51c5ba61d53ecea9161 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:03:31 +0200 Subject: [PATCH 0893/1736] feat(profile): update integration with the new flatpak profile. --- apparmor.d/abstractions/app/flatpak | 2 +- apparmor.d/abstractions/flatpak/platform/org.freedesktop | 2 +- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 ++ apparmor.d/groups/gnome/gnome-software | 5 ++++- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index e3afeb2d8c..f9eb79915e 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -19,7 +19,7 @@ # - Limit dbus system communication to profiles defined in apparmor.d # - Ensure flatpak-spawn and host-spawn are confined too # - Filter /proc/, /sys/ access -# + # Keep in mind that the profile is still common for all apps and is therefore # way more permissive than a per-app profile would be. diff --git a/apparmor.d/abstractions/flatpak/platform/org.freedesktop b/apparmor.d/abstractions/flatpak/platform/org.freedesktop index 299bbf2d4d..3d9c4406ba 100644 --- a/apparmor.d/abstractions/flatpak/platform/org.freedesktop +++ b/apparmor.d/abstractions/flatpak/platform/org.freedesktop @@ -44,7 +44,7 @@ # Pkcs11 # Flatpak only pkcs11 paths - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem r, + /etc/pki/ca-trust/extracted/** r, /etc/pki/tls/openssl.cnf r, owner /etc/pkcs11/modules/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 9275cb918a..b3ed01b2a3 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -20,6 +20,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { network unix stream, + signal receive set=int peer=flatpak-portal, + #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 06771b2bf2..7da7266d78 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -29,6 +29,8 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + signal send set=kill peer=fbwrap, + #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application @@ -42,7 +44,8 @@ profile gnome-software @{exec_path} { @{exec_path} mr, @{bin}/baobab rPUx, - @{bin}/bwrap rPx -> flatpak-app, + @{bin}/bwrap rPx -> flatpak-app, #aa:only apparmor<4.1 + @{bin}/bwrap rPx -> fbwrap, #aa:only apparmor>=4.1 @{bin}/fusermount{,3} rCx -> fusermount, @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, From 36af909362c5933c10acff20029ebd49ae3c9a52 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:05:29 +0200 Subject: [PATCH 0894/1736] feat(profile): update old flatpak-app profile. The profile is kept as it is used on apparmor<4.1. Thus it is not fully deprecated. --- apparmor.d/groups/flatpak/flatpak-app | 52 +++++---------------------- 1 file changed, 8 insertions(+), 44 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 09062fd059..0e8d150a7a 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -22,56 +22,37 @@ abi , include +@{appid} = @{word}.@{word}.@{word}{,.@{word}} + +@{exec_path} = @{bin}/bwrap profile flatpak-app flags=(attach_disconnected,mediate_deleted) { include - include - include + include include - capability dac_override, - capability dac_read_search, - capability setuid, # Needed when bwrap is setup with setuid privileges. capability sys_resource, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - network unix stream, - - ptrace read, - ptrace trace peer=flatpak-app, + capability setuid, # Needed when bwrap is setup with setuid privileges. signal receive peer=flatpak, signal receive set=(int term) peer=flatpak-portal, signal receive set=(int term) peer=flatpak-session-helper, unix type=seqpacket peer=(label=dbus-session), - # unix type=seqpacket peer=(label=unconfined), unix type=seqpacket peer=(label=xdg-dbus-proxy), + @{exec_path} mr, + @{bin}/** rmix, @{lib}/** rmix, /app/** rmix, /usr/plugins/** rmix, /usr/share/flatpak/triggers/* rix, /usr/share/runtime/** rmix, - /var/lib/flatpak/app/*/**/@{bin}/** rmix, - /var/lib/flatpak/app/*/**/@{lib}/** rmix, - @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm, - @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, @{run}/parent/app/** rmix, - @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, - @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, - @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, - @{lib}/kf5/kioslave5 rPx, @{lib}/kf6/kioworker rPx, @@ -79,26 +60,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /etc/shells rw, /app/.ref rk, - /app/extra/** rw, - /app/lib/** rk, - /bindfile@{rand6} rw, /usr/.ref rk, - /var/lib/flatpak/app/{,**} r, - /var/lib/flatpak/exports/** rw, - - owner @{att}@{HOME}/.var/app/** rwlkmix, - - @{run}/parent/** r, - @{run}/parent/app/.ref rk, - @{run}/parent/usr/.ref rk, - owner @{run}/flatpak/{,**} rk, - owner @{run}/flatpak/app/** rw, - owner @{run}/flatpak/doc/** rw, - owner @{run}/ld-so-cache-dir/* rw, - owner @{run}/user/ r, - - /dev/ntsync r, + /bindfile@{rand6} rw, include if exists include if exists From 6eab07c995e1587908506a2ece596a0e231bacdb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:06:47 +0200 Subject: [PATCH 0895/1736] feat(abs): restrict sys path for usb devices. --- apparmor.d/abstractions/devices-usb-read | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index ea3131d591..85e3fcb723 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -13,8 +13,16 @@ @{sys}/bus/ r, @{sys}/bus/usb/ r, @{sys}/bus/usb/devices/ r, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/@{pci_bus}/uevent r, + @{sys}/devices/**/uevent r, @{sys}/devices/**/usb@{int}/ r, - @{sys}/devices/**/usb@{int}/** r, + + @{sys}/devices/**/usb@{int}/{,*/}bConfigurationValue r, + @{sys}/devices/**/usb@{int}/{,*/}descriptors r, + @{sys}/devices/**/usb@{int}/{,*/}manufacturer r, + @{sys}/devices/**/usb@{int}/{,*/}product r, + @{sys}/devices/**/usb@{int}/{,*/}serial r, # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, # Identifies all USB devices From a8c0ecb44506efc04123114dca7d454fd798fd94 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:16:07 +0200 Subject: [PATCH 0896/1736] feat(profile): general update. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/browsers/epiphany | 1 + apparmor.d/groups/cups/cupsd | 19 +++++++++++++++++-- apparmor.d/groups/filesystem/udisksd | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 +- apparmor.d/groups/freedesktop/xdg-mime | 2 +- apparmor.d/groups/grub/grub-editenv | 1 + apparmor.d/profiles-a-f/file-roller | 7 ++++--- apparmor.d/profiles-m-r/nvidia-settings | 1 + apparmor.d/profiles-s-z/sudo | 1 + apparmor.d/profiles-s-z/thunderbird | 2 ++ 11 files changed, 31 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index a4236a8a93..2698e48c09 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -45,6 +45,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, @{bin}/findmnt Px, + @{bin}/lsb_release Px, @{bin}/whiptail Px, @{lib}/apt/apt-extracttemplates Px, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 5589c7dec7..bda5b98c24 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -35,6 +35,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, @{bin}/bwrap rix, + @{lib}/epiphany/ephy-profile-migrator PUx, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> epiphany//&glycin//loaders, /usr/share/enchant*/{,**} r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 145e43076d..bd90f84ec3 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, - @{bin}/gs{,.bin} rix, + @{bin}/gs{,.bin} rCx, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, @@ -75,7 +75,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{lib}/cups/notifier/* rPx, /usr/share/cups/{,**} r, - /usr/share/ghostscript/{,**} r, /usr/share/poppler/{,**} r, /usr/share/ppd/{,**} r, @@ -104,6 +103,22 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + profile gs { + include + include + + @{bin}/gs{,.bin} mr, + + /usr/share/ghostscript/{,**} r, + /usr/share/color/icc/ghostscript/{,**} r, + + /var/lib/ghostscript/{,**} r, + + owner /tmp/gs_@{rand6} rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 608c37946f..348b65b9fe 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -105,7 +105,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/ r, @{run}/mount/utab{,.*} rwk, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 720a294bd1..3c43947f20 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -26,7 +26,7 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, - ptrace read peer=gnome-extension-gsconnect, + ptrace read, #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} #aa:dbus own bus=session name=org.pipewire.Telephony diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 9e6dbc2e0e..0db78f7e8d 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -51,7 +51,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/vendor_perl/mimetype Px, @{bin}/xprop Px, - owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{user_config_dirs}/mimeapps.list w, owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 29f9bf8f73..e827ff93c9 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -14,6 +14,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, @{efi}/grub/grubenv rw, + @{efi}/grub/grubenv.new rw, include if exists } diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 3d13b813f7..da56bd6276 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -18,7 +18,8 @@ profile file-roller @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open-help, + @{open_path} Px -> child-open-help, + @{bin}/dpkg-deb Px, @{bin}/mv rix, @{bin}/rm rix, @@ -28,8 +29,8 @@ profile file-roller @{exec_path} { #aa:lint ignore=too-wide # Full access to user's data - @{MOUNTS}/** rw, - owner @{HOME}/** rw, + @{MOUNTS}/** rwl, + owner @{HOME}/** rwl, owner @{tmp}/** rw, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 893770a4b3..5513edc6bb 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -11,6 +11,7 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { include include include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index b2074ba046..e1da24f364 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -29,6 +29,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { @{lib}/** PUx, /opt/*/** PUx, /snap/snapd/@{int}@{bin}/snap rPUx, + @{user_share_dirs}/pipx/venvs/*/bin/* rPUx, /etc/default/locale r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 846c802f68..c62709c909 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -20,6 +20,8 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { include include + signal (send receive) set=kill peer=glycin//&thunderbird, + #aa:dbus own bus=session name=org.mozilla.thunderbird @{exec_path} mrix, From 3d361fdff96b1a6c68334febfdf0d66d74ce046b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:17:20 +0200 Subject: [PATCH 0897/1736] feat(abs): cleanup gstreamer abs. --- apparmor.d/abstractions/gstreamer | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 882cf3acec..eb3c3c66f4 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -11,17 +11,11 @@ @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix, - @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix, - @{lib}/gstreamer-1.0/gst-plugin-scanner rix, - /usr/share/gstreamer-1.0/presets/Gst*Enc.prs r, + /usr/share/xml/iso-codes/*.xml r, /etc/openni2/OpenNI.ini r, - /tmp/ r, - /var/tmp/ r, - # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. @@ -42,6 +36,9 @@ @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + /dev/ r, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + include if exists # vim:syntax=apparmor From 65d92b92e40455e63ee5cd2e84be7b6a01c15f9d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:24:03 +0200 Subject: [PATCH 0898/1736] fix(profile): fix remina, again. see #902 --- dists/flags/main.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index f1d0e67cb0..bf4fff2749 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -276,7 +276,7 @@ ptyxis attach_disconnected,complain ptyxis-agent attach_disconnected,complain pycompile complain qdbus complain -remmina complain +remmina attach_disconnected,complain run-parts complain runuser complain sdcv complain From 69374cdd53492b16e4643d5af7863025e34c0ccc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:24:39 +0200 Subject: [PATCH 0899/1736] feat(abs): mime: conditional mime files. --- apparmor.d/abstractions/mime | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime index 9a70edaf87..90cffe9934 100644 --- a/apparmor.d/abstractions/mime +++ b/apparmor.d/abstractions/mime @@ -8,10 +8,17 @@ @{system_share_dirs}/ r, @{system_share_dirs}/mime/{,**} r, + # if @{DM} == gdm + /usr/share/gdm/greeter/applications/ r, + /usr/share/gdm/greeter/applications/mimeapps.list r, + # end + /etc/mime.types r, /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{version}/{,*-}-mimeapps.list r, + # if @{DE} == gnome + /var/cache/gio-@{version}/{,*-}-mimeapps.list r, + # end owner @{user_config_dirs}/mimeapps.list r, From eb9b2b02afe7303626acc643d341ca33e2f647ab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:37:26 +0200 Subject: [PATCH 0900/1736] feat(profile): various small profiles update. --- apparmor.d/groups/browsers/chromium-crashpad-handler | 2 +- apparmor.d/groups/bus/ibus-x11 | 2 ++ apparmor.d/groups/firewall/firewalld | 3 +++ apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update | 2 +- apparmor.d/groups/gnome/gsd-disk-utility-notify | 2 +- apparmor.d/profiles-g-l/gamemoded | 2 ++ dists/flags/main.flags | 1 - 7 files changed, 10 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler index 8d6ab24617..ed759d6837 100644 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler @@ -10,7 +10,7 @@ include @{config_dirs} = @{user_config_dirs}/chromium @{exec_path} = @{lib}/chromium/chrome_crashpad_handler -profile chromium-crashpad-handler @{exec_path} { +profile chromium-crashpad-handler @{exec_path} flags=(attach_disconnected) { include capability sys_ptrace, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index ce1c2b1083..a2625ab4e5 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -40,6 +40,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{PROC}/@{pids}/stat r, + include if exists } diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 57a0baa209..4978b5bef7 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -68,8 +68,11 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { capability sys_module, + @{run}/xtables.lock r, + @{sys}/module/compression r, @{sys}/module/nf_*/initstate r, + @{sys}/module/x_tables/initstate r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index feb1b9bd64..9d10eac5d3 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update -profile xdg-user-dirs-gtk-update @{exec_path} { +profile xdg-user-dirs-gtk-update @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 00ca93f197..d5a5fd2ddf 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gsd-disk-utility-notify -profile gsd-disk-utility-notify @{exec_path} { +profile gsd-disk-utility-notify @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index eb2d3fc1e9..346bf4f657 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded @@ -19,8 +19,10 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{bin}/pkexec Cx -> pkexec, @{lib}/gamemode/gpuclockctl Cx -> pkexec, + /etc/ r, /etc/gamemode.ini r, + owner @{HOME}/ r, owner @{user_config_dirs}/ r, @{sys}/devices/@{pci}/vendor r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index bf4fff2749..9dd685d343 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -414,7 +414,6 @@ xdg-desktop-icon complain xdg-desktop-portal-kde complain xdg-desktop-portal-rewrite-launchers complain xdg-desktop-portal-validate-icon attach_disconnected,complain -xdg-user-dirs-gtk-update complain xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain From 9b8d53db2c0a937333caeacaea3f3dedbf24ecd8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:38:53 +0200 Subject: [PATCH 0901/1736] feat(abs): update base electron & chromium abs. --- apparmor.d/abstractions/common/chromium | 2 ++ apparmor.d/abstractions/common/electron | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 00dd5a4600..a8dc530300 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -32,8 +32,10 @@ owner @{user_share_dirs}/.@{domain}.@{rand6} rw, + @{tmp}/ r, owner @{tmp}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6}/ rw, + owner @{tmp}/.@{domain}.@{rand6}/*.@{image_ext} rw, owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index dd4976f5eb..49ada9425b 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -55,6 +55,8 @@ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.high r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{PROC}/ r, @@ -62,6 +64,8 @@ @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/version r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, @@ -70,6 +74,7 @@ owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, From f6c5f5241e42aa67a8c9257d838324c2800eacef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:53:14 +0200 Subject: [PATCH 0902/1736] feat(abs): dbus: rewrite org.freedesktop.systemd1 and login bus abs. --- .../abstractions/bus/org.freedesktop.login1 | 26 ------- .../abstractions/bus/org.freedesktop.systemd1 | 26 ------- .../bus/session/org.freedesktop.systemd1 | 43 ++++++++--- .../bus/system/org.freedesktop.login1 | 75 +++++++++++++++++++ .../bus/system/org.freedesktop.systemd1 | 51 +++++++++++++ apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- .../groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-music | 2 +- .../groups/gnome/gnome-session-init-worker | 1 + apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 4 +- apparmor.d/groups/gnome/gsd-usb-protection | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 2 +- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/sddm-greeter | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/polkit/polkitd | 2 +- apparmor.d/groups/snap/snap | 2 +- apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/groups/systemd/hostnamectl | 2 +- apparmor.d/groups/systemd/loginctl | 2 +- apparmor.d/groups/systemd/systemd-cgls | 2 +- apparmor.d/groups/systemd/systemd-resolved | 2 +- apparmor.d/groups/systemd/systemd-timedated | 1 + .../groups/systemd/systemd-user-runtime-dir | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/profiles-a-f/fprintd | 2 +- .../profiles-m-r/needrestart-apt-pinvoke | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- 37 files changed, 193 insertions(+), 92 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.login1 delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.systemd1 create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.login1 create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 deleted file mode 100644 index ad368ed987..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), - - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.login1.Session - member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 deleted file mode 100644 index 167e66d65d..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=ListUnitsByPatterns - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={GetUnit,StartUnit,StartTransientUnit} - peer=(name=org.freedesktop.systemd1), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 index 0c8185be60..6b7e5b34db 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -2,24 +2,49 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# Allow managing systemd user units services. This allow full control over all services. +# When possible use the systemctl directive instead. - #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + abi , dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnit - peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* + dbus send bus=session path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + peer=(label="@{p_systemd_user}"), + + dbus receive bus=session path=/org/freedesktop/systemd1/unit/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(label="@{p_systemd_user}"), + # List units dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member=StartTransientUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + member={GetUnit,GetUnitByPIDFD,ListUnitsByPatterns} + peer=(label="@{p_systemd_user}"), + + # Start units + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={StartUnit,StartTransientUnit,LoadUnit} + peer=(label="@{p_systemd_user}"), + + # Stop units + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={StopUnit,KillUnit,ResetFailedUnit,Reload,JobRemoved} + peer=(label="@{p_systemd_user}"), + + # Enabled/Disable units + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={DisableUnitFiles,EnableUnitFiles} + peer=(label="@{p_systemd_user}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.login1 b/apparmor.d/abstractions/bus/system/org.freedesktop.login1 new file mode 100644 index 0000000000..fdff1e09aa --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.login1 @@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow seting up login session & seat. It grants privileged access to user sessions. + + abi , + + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Inhibit + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + # Check login session observe & login session control + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={SessionNew,UserNew,SeatNew} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={SessionRemoved,UserRemoved,SeatRemoved} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={PrepareForShutdow,PrepareForSleep} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={ListSeats,ListSessions,ListUsers} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={GetSeat,GetSessions,GetSessionByPID,GetUsers} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + # Receive shutdown & sleep notifications + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={PrepareForShutdown,PrepareForShutdownWithMetadata} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + # Sessions + + dbus send bus=system path=/org/freedesktop/login1/session/** + interface=org.freedesktop.login1.Session + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + dbus receive bus=system path=/org/freedesktop/login1/session/** + interface=org.freedesktop.login1.Session + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + # Seats + + dbus send bus=system path=/org/freedesktop/login1/seat/** + interface=org.freedesktop.login1.Session + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + dbus receive bus=system path=/org/freedesktop/login1/seat/** + interface=org.freedesktop.login1.Session + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 new file mode 100644 index 0000000000..ac7c5b688c --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow managing systemd units services. This allow full control over all services. +# When possible use the systemctl directive instead. + + abi , + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + + dbus send bus=system path=/org/freedesktop/systemd1/unit/*2dservice + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label="@{p_systemd}"), + + dbus receive bus=system path=/org/freedesktop/systemd1/unit/*2dservice + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(label="@{p_systemd}"), + + # List units + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={GetUnit,GetUnitByPIDFD,ListUnitsByPatterns} + peer=(label="@{p_systemd}"), + + # Start units + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={StartUnit,StartTransientUnit,LoadUnit} + peer=(label="@{p_systemd}"), + + # Stop units + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={StopUnit,KillUnit,ResetFailedUnit,Reload,JobRemoved} + peer=(label="@{p_systemd}"), + + # Enabled/Disable units + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={DisableUnitFiles,EnableUnitFiles} + peer=(label="@{p_systemd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 619018c0aa..2ff50112d5 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -12,7 +12,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 11c0ca8032..345c5f9c6a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -12,7 +12,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 05bc97948a..b627106f0f 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -11,7 +11,7 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index ab61df1ab0..08650c9255 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -12,7 +12,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 2173e3d62c..d59182c3d6 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -10,7 +10,7 @@ include profile gnome-calendar @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 55c6006637..8e9196708f 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -11,7 +11,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker index a02ccc8c4a..8c68c68c08 100644 --- a/apparmor.d/groups/gnome/gnome-session-init-worker +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -10,6 +10,7 @@ include profile gnome-session-init-worker @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b072200d9d..18000af2c6 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,7 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9400f8040d..b2927a9716 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -13,7 +13,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 06ce5b9fd4..ca5ba9268f 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -15,8 +15,8 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 2fbbad9b1c..5044ef9cb8 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -11,7 +11,7 @@ profile gsd-usb-protection @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 7e40a42693..ca1440df10 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -13,7 +13,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include - include + include include include include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 192d3f957d..ba1c0e2bbc 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -14,7 +14,7 @@ profile kscreenlocker_greet @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 600d1be483..6e0773517e 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -13,7 +13,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index bedd380e3a..f7e92b3e73 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -13,7 +13,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 49496ec15f..7e82877cbc 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -12,7 +12,7 @@ profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 34caef8550..e6487e3268 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -10,7 +10,7 @@ include profile ModemManager @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 2994d2522d..1a25b8d6c3 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -11,7 +11,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index bd0b8d6b7c..eea86d61e5 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -11,7 +11,7 @@ include profile polkitd @{exec_path} flags=(attach_disconnected) { include include - include + include include capability setgid, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 9530b8594b..5fac7d0a61 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -185,7 +185,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { profile systemctl { include include - include + include capability net_admin, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 06969ef47e..faa117b46b 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -11,7 +11,7 @@ include profile coredumpctl @{exec_path} flags=(complain) { include include - include + include include include diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 6b29e260d4..7f4fe69423 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -10,7 +10,7 @@ include profile hostnamectl @{exec_path} { include include - include + include include capability net_admin, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index f516d16dbc..efd688b810 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -10,7 +10,7 @@ include profile loginctl @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index 33191171eb..92ebb580a3 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -10,7 +10,7 @@ include profile systemd-cgls @{exec_path} { include include - include + include include capability sys_ptrace, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index a6139cc7b4..1f46a185a9 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -10,7 +10,7 @@ include profile systemd-resolved @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 9ae0f9abd4..2767af4cc5 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -12,6 +12,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_time, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index d2b91016cb..bfdc427907 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -10,7 +10,7 @@ include profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index dc73291e2b..70b02475ee 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -13,7 +13,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 649457bb3b..1aeb03c1de 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -10,7 +10,7 @@ include profile fprintd @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index b70a49be86..0c36cff0a2 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -10,7 +10,7 @@ include profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { include include - include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 51a426acc9..bf3979029e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -11,7 +11,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { include include #aa:only apt include - include + include include include include diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index e4e923159c..28ff0591e7 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -10,7 +10,7 @@ include profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From 6a5d5cf7fe77d0e719c4960f65bc4e8b4394fd38 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 20:59:52 +0200 Subject: [PATCH 0903/1736] feat(abs): remove old org.freedesktop.Accounts abs in favor of accounts-observe. --- .../abstractions/bus/org.freedesktop.Accounts | 31 ------------------- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- 3 files changed, 2 insertions(+), 33 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.Accounts diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts deleted file mode 100644 index e77f17b88c..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - - dbus send bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers,FindUserById} - peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), - - dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User - member=*Changed - peer=(name="@{busname}", label="@{p_accounts_daemon}"), - - dbus receive bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member=UserAdded - peer=(name="@{busname}", label="@{p_accounts_daemon}"), - - dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.DBus.Properties - member=*Changed - peer=(name="@{busname}", label="@{p_accounts_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index b38cdd98ef..6a93ea1606 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include + include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 824cea2662..84950ac78c 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include - include include include include From 3898bb9cdb3b2b6092acf33bd448a81860f9b0f7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 21:22:22 +0200 Subject: [PATCH 0904/1736] feat(abs): initial version of screen-inhibit --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/app/firefox | 1 + apparmor.d/abstractions/screen-inhibit | 36 +++++++++++++++++++ apparmor.d/groups/gnome/gsd-screensaver-proxy | 1 + apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/profiles-a-f/evince | 1 + apparmor.d/profiles-a-f/filezilla | 1 + apparmor.d/profiles-a-f/freetube | 1 + apparmor.d/profiles-g-l/libreoffice | 1 + apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/totem | 1 + apparmor.d/profiles-s-z/transmission | 1 + 12 files changed, 47 insertions(+) create mode 100644 apparmor.d/abstractions/screen-inhibit diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dee842ca15..70a3b8ecb2 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -42,6 +42,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 72fd1f7db3..13b4748363 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -37,6 +37,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/screen-inhibit b/apparmor.d/abstractions/screen-inhibit new file mode 100644 index 0000000000..7deba76093 --- /dev/null +++ b/apparmor.d/abstractions/screen-inhibit @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can inhibit and uninhibit screen savers in desktop sessions. + + abi , + + # Gnome Session, not using bus/session/org.gnome.SessionManager as it allows + # full session management + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={Inhibit,Uninhibit} + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + + dbus send bus=session path=/ScreenSaver + interface=org.gnome.ScreenSaver + member=SimulateUserActivity + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + + # Generic freedesktop, not using bus/session/org.freedesktop.ScreenSaver as + # it allows too much + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit,SimulateUserActivity} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.{freedesktop,gnome}.ScreenSaver + member={Inhibit,UnInhibit,SimulateUserActivity} + peer=(name=@{busname}, label=gjs), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index b0be4f8a11..650b21a7e3 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -11,6 +11,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 04ed9f39ba..027a6dfad9 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -22,6 +22,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include + include include mqueue r type=posix /, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 12d757e1b8..9cbe016db0 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -18,6 +18,7 @@ profile evince @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 16bafb8864..34792057a6 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -18,6 +18,7 @@ profile filezilla @{exec_path} { include include include + include include include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 6ee51adbba..dd50c455b0 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -21,6 +21,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 0975d2fdca..7e53b8f621 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -27,6 +27,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index ad460ef424..54a63cacd7 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -23,6 +23,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 1ec163874d..68f1e40f41 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 9c4a8e6736..05c1cc2e6b 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -16,6 +16,7 @@ profile transmission @{exec_path} flags=(attach_disconnected) { include include include + include include include include From 6fcea8b9029fe790b596900275fce99a7f4c6d6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 21:24:49 +0200 Subject: [PATCH 0905/1736] fix(profile): use of att in xdg-desktop-portal. fix #899 --- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5888efdbd5..09a83c4d42 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -79,7 +79,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { / r, @{att}/ r, @{att}/.flatpak-info r, - owner /att/**/ r, + /att/**/ r, /usr/share/xdg-desktop-portal/** r, From 39c9771392be0952c0b8a97a97107be955ba7d83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 22:05:14 +0200 Subject: [PATCH 0906/1736] feat(profile): improve opensuse and kde integration. See #882 --- apparmor.d/abstractions/app/kmod | 3 +++ apparmor.d/abstractions/app/open | 2 ++ .../groups/akonadi/akonadi_archivemail_agent | 2 ++ .../groups/akonadi/akonadi_followupreminder_agent | 2 ++ apparmor.d/groups/akonadi/akonadi_indexing_agent | 2 ++ .../groups/akonadi/akonadi_maildispatcher_agent | 2 ++ .../groups/akonadi/akonadi_mailfilter_agent | 3 ++- apparmor.d/groups/akonadi/akonadi_mailmerge_agent | 2 ++ apparmor.d/groups/akonadi/akonadi_migration_agent | 2 ++ .../groups/akonadi/akonadi_newmailnotifier_agent | 2 ++ apparmor.d/groups/akonadi/akonadi_notes_agent | 2 ++ apparmor.d/groups/akonadi/akonadi_sendlater_agent | 2 ++ .../groups/akonadi/akonadi_unifiedmailbox_agent | 2 ++ apparmor.d/groups/apparmor/aa-notify | 1 + apparmor.d/groups/cron/cron | 1 + apparmor.d/groups/cups/cups-backend-pdf | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/udisksd | 2 +- apparmor.d/groups/firewall/firewalld | 5 +++-- .../groups/freedesktop/xdg-desktop-portal-kde | 6 +++++- apparmor.d/groups/freedesktop/xorg | 5 +---- apparmor.d/groups/kde/dolphin | 2 ++ apparmor.d/groups/kde/drkonqi | 1 + apparmor.d/groups/kde/kactivitymanagerd | 2 ++ apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kioworker | 15 ++++++++++++++- apparmor.d/groups/kde/konsole | 5 +++-- apparmor.d/groups/kde/kscreenlocker_greet | 13 +++++++------ apparmor.d/groups/kde/kwin_x11 | 2 +- apparmor.d/groups/kde/okular | 5 +++-- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/procps/top | 1 + apparmor.d/profiles-g-l/gimp | 2 ++ apparmor.d/profiles-g-l/git | 3 +++ tests/sbin.list | 2 ++ 35 files changed, 84 insertions(+), 24 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index b6beeb7f60..ab3b39234e 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -17,6 +17,9 @@ /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, + @{run}/modprobe.d/ r, + @{run}/modprobe.d/*.conf r, + @{PROC}/cmdline r, @{PROC}/modules r, diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index a7619f4380..1330d18dee 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -37,6 +37,8 @@ include include + owner @{user_config_dirs}/kioclientrc r, + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index ed72aa21b5..af2663f8e7 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent @@ -13,6 +13,8 @@ profile akonadi_archivemail_agent @{exec_path} { include include + ptrace read peer=akonadi_control, + @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent index be897ee9ea..92bb61f136 100644 --- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent +++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent @@ -17,6 +17,8 @@ profile akonadi_followupreminder_agent @{exec_path} { network inet6 dgram, network netlink dgram, + ptrace read peer=akonadi_control, + @{exec_path} mr, owner @{user_config_dirs}/akonadi_followupreminder_agentrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent index 32a3327937..8e70d9ff4d 100644 --- a/apparmor.d/groups/akonadi/akonadi_indexing_agent +++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent @@ -13,6 +13,8 @@ profile akonadi_indexing_agent @{exec_path} { include include + ptrace read peer=akonadi_control, + @{exec_path} mr, @{bin}/akonadi_html_to_text rix, diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent index c353ea8197..b5efb86139 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent +++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent @@ -21,6 +21,8 @@ profile akonadi_maildispatcher_agent @{exec_path} { network netlink dgram, network netlink raw, + ptrace read peer=akonadi_control, + @{exec_path} mr, /usr/share/akonadi/plugins/{,**} r, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index d1a2f008f8..6098d1b2bf 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -13,7 +13,8 @@ profile akonadi_mailfilter_agent @{exec_path} { include include - ptrace (read) peer=akonadi_archivemail_agent, + ptrace read peer=akonadi_archivemail_agent, + ptrace read peer=akonadi_control, @{exec_path} mr, diff --git a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent index 2083318e7c..e0be972fc2 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent @@ -18,6 +18,8 @@ profile akonadi_mailmerge_agent @{exec_path} { network netlink raw, network netlink dgram, + ptrace read peer=akonadi_control, + @{exec_path} mr, owner @{user_config_dirs}/akonadi/ rw, diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent index 55fedf4eaa..9653b30488 100644 --- a/apparmor.d/groups/akonadi/akonadi_migration_agent +++ b/apparmor.d/groups/akonadi/akonadi_migration_agent @@ -13,6 +13,8 @@ profile akonadi_migration_agent @{exec_path} { include include + ptrace read peer=akonadi_control, + @{exec_path} mr, owner @{user_config_dirs}/akonadi-migrationrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index 28ce1123c9..33df7f461a 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent @@ -13,6 +13,8 @@ profile akonadi_newmailnotifier_agent @{exec_path} { include include + ptrace read peer=akonadi_control, + @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, diff --git a/apparmor.d/groups/akonadi/akonadi_notes_agent b/apparmor.d/groups/akonadi/akonadi_notes_agent index 8e8665e404..2aff713ac1 100644 --- a/apparmor.d/groups/akonadi/akonadi_notes_agent +++ b/apparmor.d/groups/akonadi/akonadi_notes_agent @@ -18,6 +18,8 @@ profile akonadi_notes_agent @{exec_path} { network netlink raw, network netlink dgram, + ptrace read peer=akonadi_control, + @{exec_path} mr, owner @{user_config_dirs}/akonadi_*_agentrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_sendlater_agent b/apparmor.d/groups/akonadi/akonadi_sendlater_agent index 2053bf298c..d93ce41ea2 100644 --- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent +++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent @@ -18,6 +18,8 @@ profile akonadi_sendlater_agent @{exec_path} { network netlink raw, network netlink dgram, + ptrace read peer=akonadi_control, + @{exec_path} mr, owner @{user_config_dirs}/akonadi_sendlater_agentrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent index 4e0e5820a2..38fcfbf910 100644 --- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent +++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent @@ -13,6 +13,8 @@ profile akonadi_unifiedmailbox_agent @{exec_path} { include include + ptrace read peer=akonadi_control, + @{exec_path} mr, owner "@{user_config_dirs}/Unknown Organization/akonadi_unifiedmailbox_agent.conf_changes.dat" r, # see https://bugs.kde.org/show_bug.cgi?id=452565 diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 07706d0529..28bae24978 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -30,6 +30,7 @@ profile aa-notify @{exec_path} { @{open_path} Cx -> open, @{bin}/ r, + @{sbin}/ r, /usr/share/apparmor/** r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index e91f9b4195..b45cfad9cb 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -33,6 +33,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{bin}/nice rix, @{bin}/run-parts rCx -> run-parts, @{lib}/sysstat/debian-sa1 rPx, + @{sbin}/sendmail rPUx, /etc/cron.d/{,*} r, /etc/crontab r, diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 1e53f6db90..e8f9571966 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -25,7 +25,7 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs{,.bin} rCx, + @{bin}/gs{,.bin} rCx -> gs, @{bin}/gsc rix, /usr/share/ghostscript/{,**} r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index bd90f84ec3..6f3e8e4e0b 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, - @{bin}/gs{,.bin} rCx, + @{bin}/gs{,.bin} rCx -> gs, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 348b65b9fe..10f9c7faba 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -91,11 +91,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /usr/share/gvfs/remote-volume-monitors/{,**} r, + @{etc_ro}/udisks2/{,**} r, /etc/crypttab r, /etc/fstab r, /etc/libblockdev/{,**} r, /etc/nvme/* r, - /etc/udisks2/{,**} r, /var/lib/udisks2/{,**} r, /var/lib/udisks2/mounted-fs{,*} rw, diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 4978b5bef7..ce6b36277d 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/alts ix, @{bin}/false ix, @{bin}/kmod Cx -> kmod, - @{bin}/ebtables-legacy ix, - @{bin}/ebtables-legacy-restore ix, + @{sbin}/ebtables-legacy ix, + @{sbin}/ebtables-legacy-restore ix, @{sbin}/ipset ix, @{sbin}/xtables-legacy-multi ix, @{sbin}/xtables-nft-multi mix, @@ -57,6 +57,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{run}/firewalld/{,*} rw, @{run}/xtables.lock rwk, + @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 2b67cd19c5..62c11865d9 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -17,6 +17,7 @@ profile xdg-desktop-portal-kde @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -46,17 +47,20 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_share_dirs}/user-places.xbel r, + owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, + owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rwl, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 021cd96b01..9c0a248643 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -18,6 +18,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { include include include + include include capability chown, @@ -97,7 +98,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @@ -107,7 +107,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{sys}/bus/ r, @@ -134,8 +133,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/fb@{int} rw, - @{att}/dev/input/event@{int} rw, - /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, /dev/tty rw, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 022c0beecc..370fb0a253 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -45,6 +45,7 @@ profile dolphin @{exec_path} { /usr/share/kf5/kmoretools/{,**} r, /usr/share/kio/{,**} r, + /usr/share/konsole/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/misc/termcap r, @@ -110,6 +111,7 @@ profile dolphin @{exec_path} { @{sys}/class/*/ r, @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index e04180ff44..43163b46b9 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -19,6 +19,7 @@ profile drkonqi @{exec_path} { signal send set=(cont, stop) peer=/usr/bin/akonadiserver, + ptrace read peer=@{p_systemd_user}, ptrace read peer=/usr/bin/akonadiserver, @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1cc6b41d1e..0861d52a78 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -44,6 +44,8 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/kservices{5,6}/{,**} r, owner @{user_share_dirs}/user-places.xbel r, + owner @{tmp}/kmail2.@{rand6} r, + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/*@{rand6}.*.socket rwl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index ca1440df10..904abedb12 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -50,7 +50,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{HOME}/ r, - owner @{user_cache_dirs}/ddcutil/* r, + owner @{user_cache_dirs}/ddcutil/* rw, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 0fc81a764d..4d2a5bf3df 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,13 +41,14 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs{,.bin} rix, + @{bin}/gs{,.bin} rCx -> gs, #aa:exec kio_http_cache_cleaner /usr/share/kio_desktop/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, + /usr/share/org.kde.syntax-highlighting/{,**} r, /usr/share/remoteview/* r, /usr/share/thumbnailers/{,**} r, @@ -105,6 +106,18 @@ profile kioworker @{exec_path} { /dev/tty r, + profile gs { + include + + @{bin}/gs{,.bin} mr, + @{lib}/ghostscript/** mr, + + /usr/share/ghostscript/{,**} r, + /usr/share/org.kde.syntax-highlighting/{,**} r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 446d8a08d4..6ecebddbfa 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -79,8 +79,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/cgroup r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index ba1c0e2bbc..1186f0db2e 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -101,12 +101,13 @@ profile kscreenlocker_greet @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/loginuid r, /dev/tty r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8cc233ff2c..86a32c8f1f 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include include include include @@ -40,7 +41,6 @@ profile kwin_x11 @{exec_path} { /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, - /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index d34baccb96..943010734b 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -76,9 +76,10 @@ profile okular @{exec_path} { owner @{tmp}/@{hex12}@{h} w, # when opening pdf files as attchments in Thunderbird owner @{tmp}/#@{int} rw, - owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int}, - owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, + owner @{tmp}/kmail2.@{rand6} r, owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, + owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, + owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int}, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 6e0773517e..46328bf0c2 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -161,6 +161,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/klipperrc r, owner @{user_config_dirs}/kmail2.notifyrc r, owner @{user_config_dirs}/knfsshare r, + owner @{user_config_dirs}/konsole.notifyrc r, owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, diff --git a/apparmor.d/groups/procps/top b/apparmor.d/groups/procps/top index 6a5d272a3f..23cc9acf0a 100644 --- a/apparmor.d/groups/procps/top +++ b/apparmor.d/groups/procps/top @@ -34,6 +34,7 @@ profile top @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/procps/toprc rw, @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/@{int} r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/cpumap r, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index bbf472db0b..65bae81646 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gimp{,-*} profile gimp @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -38,6 +39,7 @@ profile gimp @{exec_path} flags=(attach_disconnected) { @{lib}/gimp/@{version}/extensions/*/* rix, @{lib}/gimp/*/plug-ins/** rix, + @{bin}/darktable rPUx, @{bin}/xsane-gimp rPx, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 4bf1d528f1..48978909b2 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -97,6 +97,7 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio owner @{tmp}/git-difftool.*/{,**} rw, # For diffs + owner @{tmp}/git-index-private@{int} rw, deny owner @{code_config_dirs}/** rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, @@ -139,6 +140,8 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, @{bin}/ssh mr, + @{bin}/ssh.hmac r, + @{bin}/ksshaskpass ix, @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, diff --git a/tests/sbin.list b/tests/sbin.list index 3bfd9f7802..1043ac6b3d 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -191,6 +191,8 @@ e2undo e4crypt e4defrag eapol_test +ebtables-legacy +ebtables-legacy-restore ec_access efibootdump efibootmgr From 14d2f97c0f3453d8562ba23bec2a61868fe34a18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 22:20:24 +0200 Subject: [PATCH 0907/1736] fix(profile): mkinitcpio fix #894 --- apparmor.d/groups/pacman/mkinitcpio | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 165b42c029..edf78dba5d 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -95,6 +95,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /tmp/mkinitcpio.@{rand6}.tmp rw, owner @{tmp}/mkinitcpio.@{rand6} rw, owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl, + owner @{tmp}/staging_initramfs.img w, owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl, owner @{run}/initramfs/{,**} rw, @@ -103,7 +104,12 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{sys}/class/block/ r, @{sys}/devices/{,**} r, @{sys}/firmware/efi/fw_platform_size r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, + @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, /dev/tty@{int}* rw, From 0b110a82700a6e1cd789a7100474a61d22b9697c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 22:25:57 +0200 Subject: [PATCH 0908/1736] fix(profile): ntfsfix fix #890 --- apparmor.d/groups/filesystem/ntfsfix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/filesystem/ntfsfix b/apparmor.d/groups/filesystem/ntfsfix index e840ed6c53..a4cc93569d 100644 --- a/apparmor.d/groups/filesystem/ntfsfix +++ b/apparmor.d/groups/filesystem/ntfsfix @@ -8,10 +8,13 @@ abi , include @{exec_path} = @{bin}/ntfsfix -profile ntfsfix @{exec_path} { +profile ntfsfix @{exec_path} flags=(attach_disconnected) { include + include include + capability dac_override, + capability dac_read_search, capability sys_admin, @{exec_path} mr, From 38045d55234d86c1ca83dec78877e35f139e11b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 22:28:47 +0200 Subject: [PATCH 0909/1736] fix: linter. --- apparmor.d/groups/kde/kioworker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 4d2a5bf3df..077119685a 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -115,7 +115,7 @@ profile kioworker @{exec_path} { /usr/share/ghostscript/{,**} r, /usr/share/org.kde.syntax-highlighting/{,**} r, - include if exists + include if exists } include if exists From 370b8b692f70818cf49693ecf3f59fdaee8b52bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Oct 2025 23:56:08 +0200 Subject: [PATCH 0910/1736] feat(abs): add org.freedesktop.systemd1.Manager --- .../system/org.freedesktop.systemd1.Manager | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.systemd1.Manager diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1.Manager b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1.Manager new file mode 100644 index 0000000000..5dd7cdbbd9 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1.Manager @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# libnss-systemd (D-Bus portion from nameservice abstraction) +# Also allow lookups for systemd-exec's DynamicUsers via D-Bus +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html + + abi , + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + + include if exists + +# vim:syntax=apparmor From 7c6034f5856afdf1a5c6c97fa52e42af35aa227f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Oct 2025 00:13:31 +0200 Subject: [PATCH 0911/1736] feat(profile): use accounts-observe instead of the talk directive. --- apparmor.d/groups/flatpak/flatpak | 2 +- apparmor.d/groups/flatpak/flatpak-system-helper | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/gnome/gnome-software | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 466a80a071..f830becb82 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -12,6 +12,7 @@ include profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include include + include include include include @@ -54,7 +55,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain unix type=seqpacket peer=(label=flatpak-system-helper), unix type=stream peer=(label=flatpak//fusermount), - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0e43bd7259..ce1089c7fb 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -11,6 +11,7 @@ include @{exec_path} = @{lib}/flatpak-system-helper profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include include @@ -36,7 +37,6 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de unix type=seqpacket peer=(label=unconfined), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 5d05630c51..675c91f1b6 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include + include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 440d3ade83..aa4a1395bb 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include + include include include - include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index cc83b98f56..89994a52b3 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -9,6 +9,7 @@ include @{exec_path} = @{sbin}/gdm @{sbin}/gdm3 profile gdm @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -37,7 +38,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 7da7266d78..a6e36f21a6 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,8 +9,8 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include + include include - include include include include From 28178f631a043f01d1bc2b981284b973cc04230a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Oct 2025 00:15:42 +0200 Subject: [PATCH 0912/1736] build: ensure fapp & fbwrap are not enabled on apparmor < 4.1 --- pkg/prebuild/prepare/configure.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 7486cdb5b8..07bc27669c 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -67,6 +67,16 @@ func (p Configure) Apply() ([]string, error) { } + if prebuild.Version < 4.1 { + remove := []string{ + // Require priority support + "fbwrap", + "fapp", + } + if err := removeFiles(remove); err != nil { + return res, err + } + } if prebuild.Version >= 4.1 { remove := []string{ // Remove files upstreamed in 4.1 From b2b984c12642355442c27ccd9645fe81422e29a0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 21 Oct 2025 23:00:39 +0200 Subject: [PATCH 0913/1736] feat(abs): update flatpak devices. --- apparmor.d/abstractions/flatpak/devices/all | 1 + apparmor.d/abstractions/flatpak/devices/dri | 5 ++++- apparmor.d/abstractions/graphics | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index 99b5d24432..ef247342ba 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -26,6 +26,7 @@ @{sys}/devices/@{pci_bus}/ r, @{sys}/devices/@{pci}/ r, + @{sys}/devices/** k, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/abstractions/flatpak/devices/dri b/apparmor.d/abstractions/flatpak/devices/dri index 267791e3c3..a9bc5d2201 100644 --- a/apparmor.d/abstractions/flatpak/devices/dri +++ b/apparmor.d/abstractions/flatpak/devices/dri @@ -9,13 +9,16 @@ @{sys}/devices/@{pci}/boot_vga r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + /dev/ r, # Video Acceleration API @{att}/dev/dri/renderD128 rw, @{att}/dev/dri/renderD129 rw, - @{PROC}/devices r, + /dev/nvidia-caps/nvidia-cap@{int} rw, include if exists diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index bbda70f291..de74ff8c6c 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -28,6 +28,7 @@ @{sys}/devices/system/cpu/cpu@{int}/topology/thread_siblings r, @{sys}/devices/system/cpu/cpu@{int}/topology/thread_siblings_list r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_min_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, From ce15ea485686a362b9f19b07cdc439484812d8a4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 21 Oct 2025 23:02:07 +0200 Subject: [PATCH 0914/1736] feat(abs): update some dbus interfaces definition. --- .../bus/com.canonical.Unity.LauncherEntry | 14 ++++++++++++++ .../org.freedesktop.impl.portal.PermissionStore | 2 +- .../bus/session/org.freedesktop.Notifications | 2 +- .../abstractions/bus/system/fi.w1.wpa_supplicant1 | 10 +++++----- 4 files changed, 21 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry index 9363bb7578..9bbcfc748a 100644 --- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry @@ -6,6 +6,20 @@ abi , + # Allow to send updates to the desktop session about ongoing jobs + # (for progress display in the task list) + dbus send bus=session + interface=com.canonical.Unity.LauncherEntry + member=Update + peer=(label=gnome-shell), + + # Allow to receive updates from applications to the desktop session about ongoing jobs + # (for progress display in the task list) + dbus send bus=session + interface=com.canonical.Unity.LauncherEntry + member=Update + peer=(label=gnome-shell), + dbus send bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.Unity.LauncherEntry member=Update diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 22886c8a55..f65d8c9395 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -9,7 +9,7 @@ dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.impl.portal.PermissionStore member=Lookup - peer=(name="@{busname}", label=xdg-permission-store), + peer=(name="{@{busname},org.freedesktop.impl.portal.PermissionStore}", label=xdg-permission-store), dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.impl.portal.PermissionStore diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index 4ebccd6904..b47b766520 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -13,7 +13,7 @@ dbus receive bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications - member={ActionInvoked,NotificationClosed,NotificationReplied} + member={ActivationToken,ActionInvoked,NotificationClosed,NotificationReplied} peer=(label="@{pp_notification}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 3f70b35b48..73f2f22d6c 100644 --- a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -9,27 +9,27 @@ dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties member=Set - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=@{busname}, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=fi.w1.wpa_supplicant1.Interface member=CreateInterface - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=@{busname}, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork} - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=@{busname}, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface.P2PDevice member=Cancel - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=@{busname}, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=@{busname}, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1 interface=fi.w1.wpa_supplicant1 From d95e4aeb97552a9526a05556b55699330df5c1ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 22 Oct 2025 00:07:14 +0200 Subject: [PATCH 0915/1736] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/groups/gnome/gnome-session-service | 6 ++++++ apparmor.d/groups/gnome/gnome-shell | 3 +++ apparmor.d/groups/gnome/gsd-media-keys | 5 +++++ apparmor.d/groups/gnome/gsd-wwan | 1 + 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index afcc16b19c..7255b61b8b 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-session -profile gnome-session @{exec_path} { +profile gnome-session @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 0a41cebbd8..1a76093bea 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -20,6 +20,11 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -42,6 +47,7 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/autostart/{,*.desktop} r, + @{run}/systemd/sessions/{,@{l}}@{int}{,.ref} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{att}@{run}/systemd/sessions/{,@{l}}@{int}{,.ref} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 18000af2c6..e906cdd192 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -377,6 +377,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, + @{sys}/devices/@{pci}/usb@{int}/**/leds/ r, @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r, @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r, @@ -393,6 +394,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, + @{PROC}/ r, @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index b2927a9716..dfc73affa3 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -33,6 +33,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}), + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index c6beba9963..6aa6145720 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -13,6 +13,7 @@ profile gsd-wwan @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan From ff25d6e57f5cb4f0e33da81bb0bd63f34bcff62d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 22 Oct 2025 00:31:13 +0200 Subject: [PATCH 0916/1736] chore: fix linter issues --- apparmor.d/groups/gnome/gnome-session-init-worker | 2 +- apparmor.d/profiles-m-r/ollama | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker index 8c68c68c08..eee2b0dd4d 100644 --- a/apparmor.d/groups/gnome/gnome-session-init-worker +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gnome-session-init-worker -profile gnome-session-init-worker @{exec_path} { +profile gnome-session-init-worker @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 9fcfef987b..7c0fe46f82 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -36,7 +36,7 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner /var/lib/ollama/** rwlk, owner @{HOME}/.ollama/{,*} rw, - + @{tmp}/ r, owner @{tmp}/@{int}.bin rw, owner @{tmp}/ollama@{int}/{,**} rw, @@ -54,7 +54,6 @@ profile ollama @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/task/@{tid}/comm w, From 5826e916d8025dbf1743beafabf5a3f8fa8060b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 22 Oct 2025 00:32:32 +0200 Subject: [PATCH 0917/1736] fix(profile): ensure thunderbird can forward documents fix #912 --- apparmor.d/profiles-s-z/thunderbird | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index c62709c909..7a955346c1 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -66,6 +66,7 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { owner @{tmp}/nscopy.tmp rw, owner @{tmp}/nsemail{,-@{int}}.eml rw, owner @{tmp}/nsma{,-@{int}} rw, + owner @{tmp}/nsmail.* rw, owner @{tmp}/pid-@{pid}/{,**} w, owner @{tmp}/remote-settings-startup-bundle- rw, From be0b307ea3d09bb97d14cc990dab0976946bb5d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 22 Oct 2025 00:37:57 +0200 Subject: [PATCH 0918/1736] feat(abs): add hwmon --- apparmor.d/abstractions/flatpak/devices/all | 1 + apparmor.d/abstractions/hwmon | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 apparmor.d/abstractions/hwmon diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index ef247342ba..18072f1d51 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -20,6 +20,7 @@ include include include + include include @{sys}/class/*/ r, diff --git a/apparmor.d/abstractions/hwmon b/apparmor.d/abstractions/hwmon new file mode 100644 index 0000000000..e9bdb910e3 --- /dev/null +++ b/apparmor.d/abstractions/hwmon @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{sys}/class/hwmon/ r, + + @{sys}/devices/**/hwmon@{int}/name r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_input r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_label r, + @{sys}/devices/**/hwmon/hwmon@{int}/temp@{int}_input r, + + include if exists + +# vim:syntax=apparmor From 2a98a87e448ccb7575097b8227bb5351235a054c Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Thu, 23 Oct 2025 19:07:14 +0200 Subject: [PATCH 0919/1736] Update cupsd profile cupsd//gs { /etc/papersize r, /etc/paperspecs r, owner /var/spool/cups/tmp/gs_f8kvna w, } profile cupsd//gs { owner /var/spool/cups/tmp/gs_Mm8Fzt r, } --- apparmor.d/groups/cups/cupsd | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 6f3e8e4e0b..1ec2742952 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -112,7 +112,11 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { /usr/share/ghostscript/{,**} r, /usr/share/color/icc/ghostscript/{,**} r, - /var/lib/ghostscript/{,**} r, + /etc/papersize r, + /etc/paperspecs r, + + /var/lib/ghostscript/{,**} r, + owner /var/spool/cups/tmp/gs_@{rand6} rw, owner /tmp/gs_@{rand6} rw, From 9117532f28abd52cfcd5cf489c92530f7402d472 Mon Sep 17 00:00:00 2001 From: myrslint <206005528+myrslint@users.noreply.github.com> Date: Thu, 23 Oct 2025 19:30:23 +0000 Subject: [PATCH 0920/1736] Corret Tor Browser temp file name pattern Tor Browser, as of v14.5.8, creates temporary files during downloads with 8-character names including underscore (_) so the pattern @{rand8}.* does not match and allow them. This has been changed to @{word8} in this commit. --- apparmor.d/groups/browsers/torbrowser | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/torbrowser b/apparmor.d/groups/browsers/torbrowser index 5068886c32..3817c6d40e 100644 --- a/apparmor.d/groups/browsers/torbrowser +++ b/apparmor.d/groups/browsers/torbrowser @@ -42,7 +42,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner "@{tmp}/Tor Project*" rwk, owner "@{tmp}/Tor Project*/" rw, owner "@{tmp}/Tor Project*/**" rwk, - owner @{tmp}/@{rand8}.* rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/mozilla_pc@{int}/ rw, owner @{tmp}/mozilla_pc@{int}/* rwk, From c2c3fc0d7ff4062477f4480be7a3f995fc87eb87 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 23 Oct 2025 18:28:38 +0200 Subject: [PATCH 0921/1736] feat(abs): various flatpak tweak fix #913 --- apparmor.d/abstractions/app/flatpak | 3 ++- .../abstractions/flatpak/baseapp/com.valvesoftware.Steam | 5 +++++ apparmor.d/abstractions/flatpak/devices/dri | 2 +- apparmor.d/abstractions/flatpak/devices/shm | 3 ++- apparmor.d/abstractions/flatpak/filesystem | 5 +++++ apparmor.d/abstractions/flatpak/sockets/wayland | 2 ++ 6 files changed, 17 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index f9eb79915e..f543d04f83 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -139,7 +139,8 @@ owner @{run}/flatpak/app/@{appid}/ r, owner @{run}/flatpak/app/@{appid}/** mrwlk -> @{run}/flatpak/app/@{appid}/**, - owner @{run}/flatpak/doc/** r, + owner @{run}/flatpak/doc/ r, + owner @{run}/flatpak/doc/** mr, owner @{run}/flatpak/ld.so.conf.d/ r, owner @{run}/flatpak/ld.so.conf.d/*.conf r, diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam index 2cd2e1ba77..0e9412b7d7 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -12,6 +12,11 @@ owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, + owner /dev/shm/fossilize-*-@{int}-@{int} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6} rw, + owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, + owner /dev/shm/u@{uid}-Shm_@{hex8} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, diff --git a/apparmor.d/abstractions/flatpak/devices/dri b/apparmor.d/abstractions/flatpak/devices/dri index a9bc5d2201..8eb17e58ff 100644 --- a/apparmor.d/abstractions/flatpak/devices/dri +++ b/apparmor.d/abstractions/flatpak/devices/dri @@ -5,7 +5,7 @@ abi , - include + include @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/abstractions/flatpak/devices/shm b/apparmor.d/abstractions/flatpak/devices/shm index 6c810a1dfb..3d78984bd4 100644 --- a/apparmor.d/abstractions/flatpak/devices/shm +++ b/apparmor.d/abstractions/flatpak/devices/shm @@ -7,7 +7,8 @@ #aa:lint ignore=too-wide /dev/shm/ r, - owner /dev/shm/** mrwlkix -> /dev/shm/**, + owner /dev/shm/** mrwlkix, + owner @{att}/dev/shm/** mrwlkix, include if exists diff --git a/apparmor.d/abstractions/flatpak/filesystem b/apparmor.d/abstractions/flatpak/filesystem index a71abd2866..90de9828ab 100644 --- a/apparmor.d/abstractions/flatpak/filesystem +++ b/apparmor.d/abstractions/flatpak/filesystem @@ -17,6 +17,9 @@ abi , + /att/ r, + /att/**/ r, + # Access an arbitrary path except any reserved ones owner /etc/{,**} rw, owner @{sys}/ r, @@ -45,6 +48,8 @@ owner @{HOME}/** rwlk -> @{HOME}/**, # xdg-run + owner @{run}/ r, + owner @{run}/user/ r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, diff --git a/apparmor.d/abstractions/flatpak/sockets/wayland b/apparmor.d/abstractions/flatpak/sockets/wayland index 18a1c7ce86..862e7795d1 100644 --- a/apparmor.d/abstractions/flatpak/sockets/wayland +++ b/apparmor.d/abstractions/flatpak/sockets/wayland @@ -10,6 +10,8 @@ # Allow access to the Wayland compositor server socket owner @{run}/user/@{uid}/wayland-@{int} rw, + owner @{att}/dev/shm/@{uuid} rw, + include if exists # vim:syntax=apparmor From 21a943a8c6b91f63e50dfd53de38b1d7b0e395fb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 23 Oct 2025 20:11:13 +0200 Subject: [PATCH 0922/1736] fix(profile): vesktop. fix #914 --- apparmor.d/profiles-s-z/vesktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index 4f44326503..dca64c8e6d 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -13,7 +13,7 @@ include @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/vesktop +@{exec_path} = @{bin}/vesktop @{lib_dirs}/vesktop profile vesktop @{exec_path} flags=(attach_disconnected) { include include From 0f6e891a42b5358f7bd8ff1cecc92f9b35b961fc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 23 Oct 2025 20:19:45 +0200 Subject: [PATCH 0923/1736] fix(profile): relax what program can be opened from some selected profiles. Some profiles can start any program. Ensure we use to good opener for this. fix #793 --- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 2 +- apparmor.d/groups/xfce/thunar | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 09a83c4d42..fcb338f287 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -74,7 +74,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, @{lib}/browserpass/browserpass-native rPx, - @{open_path} mrPx -> child-open, + @{open_path} mrPx -> child-open-any, / r, @{att}/ r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 1a14549f7a..2aa93485af 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -47,7 +47,7 @@ profile gnome-terminal-server @{exec_path} { @{bin}/micro PUx, @{bin}/nvtop Px, - @{open_path} Px -> child-open, + @{open_path} Px -> child-open-any, /etc/shells r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 027a6dfad9..5dedb921e7 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -87,7 +87,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/* r, @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, - @{open_path} rPx -> child-open, + @{open_path} rPx -> child-open-any, /usr/share/nautilus/{,**} r, /usr/share/poppler/{,**} r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 63b12165cc..21a706a529 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -26,7 +26,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{bin}/gjs-console r, - @{open_path} rPx -> child-open, + @{open_path} rPx -> child-open-any, /usr/share/ladspa/rdf/{,**} r, /usr/share/poppler/{,**} r, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 10096bce25..61e8f17c1c 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -26,7 +26,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { @{bin}/thunar-volman rPx, @{bin}/dbus-launch rCx -> dbus, - @{open_path} rPx -> child-open, + @{open_path} rPx -> child-open-any, /usr/share/ r, /usr/share/anon-apps-config/share/{,**} r, #aa:only whonix From e83c880679480bbe243df5dc511c399f9876eca0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 23 Oct 2025 20:37:10 +0200 Subject: [PATCH 0924/1736] fix(profile): vesktop (2). fix #914 --- apparmor.d/profiles-s-z/vesktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index dca64c8e6d..2bba24055f 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -29,7 +29,7 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open, From fb83e5c8be01febac3229c8c49fd1f28dc4c6c06 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Oct 2025 12:55:37 +0200 Subject: [PATCH 0925/1736] feat(abs): minor abs improvement. --- apparmor.d/abstractions/app/bwrap-glycin | 2 ++ apparmor.d/abstractions/app/firefox | 5 +++-- apparmor.d/abstractions/common/chromium | 2 ++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index 09f91240c6..94da17cdf3 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -26,6 +26,8 @@ @{bin}/bwrap mr, + # To test sandbox functionalities + # See; https://gitlab.gnome.org/GNOME/glycin/-/blob/main/glycin/src/sandbox.rs#L676 @{bin}/true ix, /usr/share/glycin-loaders/{,**} r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 13b4748363..2682957823 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -27,6 +27,8 @@ include include include + include + include include include include @@ -38,6 +40,7 @@ include include include + include include include include @@ -165,9 +168,7 @@ owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - /dev/ r, /dev/tty rw, - /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit # Silencer diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index a8dc530300..f1eac939dc 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -47,6 +47,8 @@ owner /dev/shm/.@{domain}.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, + + # Show the list of active tty @{sys}/devices/virtual/tty/tty@{int}/active r, # Allow getting the manufacturer and model of the computer where chromium is currently running. From 3aa780d4265a233d154370a66adbd4234a73240c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Oct 2025 13:02:06 +0200 Subject: [PATCH 0926/1736] feat(abs): minor update. --- apparmor.d/groups/utils/lslocks | 1 + apparmor.d/groups/utils/lsns | 1 + apparmor.d/groups/virt/cockpit-bridge | 5 +++-- apparmor.d/groups/virt/libvirtd | 2 ++ apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-s-z/superproductivity | 1 + apparmor.d/profiles-s-z/thunderbird | 5 +---- apparmor.d/profiles-s-z/totem | 4 +++- 8 files changed, 13 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks index 44d2e1d019..e168a9890e 100644 --- a/apparmor.d/groups/utils/lslocks +++ b/apparmor.d/groups/utils/lslocks @@ -18,6 +18,7 @@ profile lslocks @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sys}/devices/**/block/** r, + @{sys}/devices/**/host@{int}/** r, @{PROC}/ r, @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns index 7fbf568967..504679b4c4 100644 --- a/apparmor.d/groups/utils/lsns +++ b/apparmor.d/groups/utils/lsns @@ -29,6 +29,7 @@ profile lsns @{exec_path} flags=(attach_disconnected) { @{run}/*/ns/** r, @{sys}/devices/**/block/** r, + @{sys}/devices/**/host@{int}/** r, @{PROC}/ r, @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 33cbc28578..559d21fc7c 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -13,6 +13,7 @@ profile cockpit-bridge @{exec_path} { include include include + include include include include @@ -89,10 +90,10 @@ profile cockpit-bridge @{exec_path} { / r, @{HOME}/ r, - owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, + audit owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, owner @{user_share_dirs}/ r, - @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, + audit @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, @{run}/utmp r, @{sys}/class/hwmon/ r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 70e2822ae1..068f9230a3 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -191,6 +191,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/*/uevent r, @{sys}/bus/pci/drivers_probe w, @{sys}/bus/pci/drivers/*/unbind w, + @{sys}/bus/hid/drivers/*/uevent r, + @{sys}/bus/usb/drivers/*/uevent r, @{sys}/class/[a-z]*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/class r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 7e53b8f621..c9ebc5c734 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -15,7 +15,6 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -28,6 +27,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index ca8bef2da7..5c0e2fa330 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,6 +16,7 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 7a955346c1..657c3a98ce 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -63,10 +63,7 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { owner @{tmp}/MozillaMailnews/ rw, owner @{tmp}/MozillaMailnews/*.msf rw, - owner @{tmp}/nscopy.tmp rw, - owner @{tmp}/nsemail{,-@{int}}.eml rw, - owner @{tmp}/nsma{,-@{int}} rw, - owner @{tmp}/nsmail.* rw, + owner @{tmp}/ns* rw, owner @{tmp}/pid-@{pid}/{,**} w, owner @{tmp}/remote-settings-startup-bundle- rw, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 68f1e40f41..ce82c6564b 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,12 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include + include + include include include include + include include include include From cb72429681d5367dd563673b9a94b2f0d55beebd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Oct 2025 21:25:29 +0200 Subject: [PATCH 0927/1736] feat(profile): update iio-sensor-proxy --- apparmor.d/groups/freedesktop/iio-sensor-proxy | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index 1201e12773..4c1cb2f95b 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -11,6 +11,7 @@ profile iio-sensor-proxy @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, @@ -18,8 +19,10 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @@ -28,10 +31,11 @@ profile iio-sensor-proxy @{exec_path} { @{sys}/bus/platform/devices/ r, @{sys}/class/ r, @{sys}/class/input/ r, - @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/iio:*/** rw, @{sys}/devices/@{pci}/name r, + @{sys}/devices/**/input@{int}/capabilities/sw r, + @{sys}/devices/**/uevent r, /dev/iio:* r, From dee0b867910f3ab821881daddbbac74de841f849 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Oct 2025 21:34:58 +0200 Subject: [PATCH 0928/1736] tests: update autopkgtests script. --- tests/autopkgtest/autopkgtest.sh | 20 +++++++++++++------- tests/autopkgtest/src-packages | 1 - 2 files changed, 13 insertions(+), 8 deletions(-) mode change 100644 => 100755 tests/autopkgtest/autopkgtest.sh diff --git a/tests/autopkgtest/autopkgtest.sh b/tests/autopkgtest/autopkgtest.sh old mode 100644 new mode 100755 index 8e889d8079..6e316f09f7 --- a/tests/autopkgtest/autopkgtest.sh +++ b/tests/autopkgtest/autopkgtest.sh @@ -23,8 +23,8 @@ readonly FLAVOR="test" readonly VERBOSE=${VERBOSE:-0} # The maximum the host can handle -readonly CPUS=32 -readonly RAM=76800 +readonly CPUS=16 +readonly RAM=16384 readonly TIMEOUT=1800 # As defined in Justfile @@ -38,13 +38,13 @@ readonly OUTPUT=".logs/autopkgtest/" readonly VM_PATH="$VM_DIR/${PREFIX}${OSINFO}-${FLAVOR}.qcow2" readonly PACKAGES_FILE="tests/autopkgtest/src-packages" readonly reset='\e[0m' red='\e[0;31m' magenta='\e[0;35m' -mapfile -t PACKAGES <"$PACKAGES_FILE" _message() { printf '%b%s%b\n' "$magenta" "$*" "$reset" >&2; } _verbose() { printf '%b>%b %s\n' "$magenta" "$reset" "$*" >&2; } _log() { printf '%b%s%b\n' "$red" "$*" "$reset" >&2; } _run() { + local pkg="" coproc C { unbuffer -p ./tests/autopkgtest/autopkgtest.sh test "$OSINFO" 2>&1; } CMD_PID=$! while IFS= read -r line <&"${C[0]}"; do @@ -52,11 +52,15 @@ _run() { if [[ $VERBOSE -eq 0 ]]; then _verbose "$line" fi + if [[ $line == *">>>> Testing package "* ]]; then + pkg="${line#*">>>> Testing package "}" + pkg="-${pkg%% <<<<*}" + fi if [[ $line == "Press Enter to resume running tests." ]]; then # shellcheck disable=SC2086 ssh -n $SSH_OPT -p 10022 "$USER@localhost" sudo aa-log --raw | while IFS= read -r log; do _log "$log" - echo "$log" >>"$OUTPUT/aa-log-$(date +%Y%m%d-%H%M%S)" + echo "$log" >>"$OUTPUT/aa-log-$(date +%Y%m%d-%H%M%S)$pkg" done printf '\n' >&"${C[1]}" # send Enter back over the PTY fi @@ -65,13 +69,15 @@ _run() { } _autopkgtest() { - local start_from="abook" + local start_from="openvpn" local end_at="xfsprogs" - for pkg in "${PACKAGES[@]}"; do + mapfile -t packages <"$PACKAGES_FILE" + + for pkg in "${packages[@]}"; do [[ "$pkg" < "$start_from" ]] && continue [[ "$pkg" > "$end_at" ]] && break _message ">>>> Testing package $pkg <<<<" - autopkgtest "$pkg" --shell --timeout=$TIMEOUT \ + autopkgtest "$pkg" --shell --timeout=$TIMEOUT --timeout-factor=4.0 \ -- qemu --cpus=$CPUS --ram-size=$RAM \ --user="$USER" --password="$PASSWORD" \ "$VM_PATH" || true diff --git a/tests/autopkgtest/src-packages b/tests/autopkgtest/src-packages index 22963b3cfa..657f7fa44f 100644 --- a/tests/autopkgtest/src-packages +++ b/tests/autopkgtest/src-packages @@ -205,7 +205,6 @@ gnome-tweaks gnome-user-share gnome-weather gnupg2 -golang-github-containernetworking-plugins google-android-installers gpa gparted From 155f88ca92243bed148bea5f1f433d87e909aad4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Oct 2025 21:57:23 +0200 Subject: [PATCH 0929/1736] feat(abs): add poppler to the desktop abs. --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/gnome/localsearch | 1 - apparmor.d/groups/gnome/nautilus | 1 - apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 1 - apparmor.d/groups/gnome/papers | 2 -- apparmor.d/groups/gnome/tracker-extract | 1 - apparmor.d/groups/gnome/tracker-miner | 1 - apparmor.d/groups/kde/baloo | 2 -- apparmor.d/groups/kde/okular | 1 - apparmor.d/profiles-a-f/atril | 1 - apparmor.d/profiles-a-f/evince | 1 - apparmor.d/profiles-g-l/gimp | 1 - apparmor.d/profiles-m-r/metadata-cleaner | 1 - apparmor.d/profiles-m-r/qpdfview | 1 - apparmor.d/profiles-s-z/texstudio | 1 - apparmor.d/profiles-s-z/zathura | 1 - 19 files changed, 3 insertions(+), 18 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index a087c43848..b5438917ce 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -41,6 +41,7 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, # FIXME: a bit too wide /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/poppler/{,**} r, include if exists diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 195f3b0c59..48fcf24070 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -26,6 +26,7 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/poppler/{,**} r, include if exists diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 42f58fa7a0..a9220026e3 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -26,6 +26,7 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/poppler/{,**} r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index e906cdd192..cb68dc30a4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -232,7 +232,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/libgweather/Locations.xml r, /usr/share/libinput*/{,**} r, /usr/share/libwacom/{,*.stylus,*.tablet} r, - /usr/share/poppler/{,**} r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index ea1566757f..1b718dd4ae 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -44,7 +44,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { /usr/share/localsearch3/{,**} r, /usr/share/osinfo/{,**} r, - /usr/share/poppler/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5dedb921e7..06e9119ba7 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -90,7 +90,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, /usr/share/nautilus/{,**} r, - /usr/share/poppler/{,**} r, /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/terminfo/** r, /usr/share/thumbnailers/{,**} r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 21a706a529..c5878afc34 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -29,7 +29,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, /usr/share/ladspa/rdf/{,**} r, - /usr/share/poppler/{,**} r, /usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index ad474cd282..432ac2cbfb 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -29,8 +29,6 @@ profile papers @{exec_path} flags=(attach_disconnected) { @{open_path} Cx -> open, - /usr/share/poppler/{,**} r, - /etc/passwd r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index ee2afcefca..746026fe09 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -36,7 +36,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/applications/*.desktop r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, - /usr/share/poppler/{,**} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e6fdee6c25..7ca03ab661 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -49,7 +49,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, - /usr/share/poppler/{,**} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 29447e22a6..0679374a6b 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -24,8 +24,6 @@ profile baloo @{exec_path} { @{lib}/{,kf6/}baloo_file_extractor rix, - /usr/share/poppler/{,**} r, - /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 943010734b..e2074795e2 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -40,7 +40,6 @@ profile okular @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/okular/{,**} r, - /usr/share/poppler/{,**} r, /etc/fstab r, /etc/xdg/dolphinrc r, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index c31860cc68..a76759ab59 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -32,7 +32,6 @@ profile atril @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, /usr/share/atril/{,**} r, - /usr/share/poppler/{,**} r, /etc/fstab r, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 9cbe016db0..033bdadc82 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -40,7 +40,6 @@ profile evince @{exec_path} { /usr/share/djvu/{,**} r, /usr/share/evince/{,**} r, /usr/share/ghostscript/{,**} r, - /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 65bae81646..c68188acb0 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -48,7 +48,6 @@ profile gimp @{exec_path} flags=(attach_disconnected) { /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, - /usr/share/poppler/{,**} r, /usr/share/xml/iso-codes/{,**} r, /etc/fstab r, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index b9e2ba4523..7806e62e4e 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -22,7 +22,6 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{open_path} Px -> child-open-help, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, /etc/mime.types r, diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index f743e95b35..8593038050 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -29,7 +29,6 @@ profile qpdfview @{exec_path} { @{lib}/firefox/firefox rPUx, @{open_path} rPx -> child-open, - /usr/share/poppler/** r, /usr/share/djvu/** r, /etc/fstab r, diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 2f96d32b8a..710144ea9e 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -29,7 +29,6 @@ profile texstudio @{exec_path} { /usr/share/doc/texstudio/{,**} r, /usr/share/hunspell/{,**} r, /usr/share/texstudio/{,**} r, - /usr/share/poppler/{,**} r, /etc/texmf/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index 5d0d1a745b..90e242658d 100644 --- a/apparmor.d/profiles-s-z/zathura +++ b/apparmor.d/profiles-s-z/zathura @@ -18,7 +18,6 @@ profile zathura @{exec_path} { @{exec_path} mr, /usr/share/file/{,**} r, - /usr/share/poppler/{,**} r, /etc/xdg/{,**} r, /etc/zathurarc r, From c4c841db9c4b33c6677584d9f74a931bfc9375a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Oct 2025 22:15:45 +0200 Subject: [PATCH 0930/1736] feat(profile): improve flatpak integration with the system. --- apparmor.d/abstractions/app/flatpak | 5 +++++ apparmor.d/groups/bus/dbus-session | 2 ++ apparmor.d/groups/flatpak/fbwrap | 1 + apparmor.d/groups/flatpak/flatpak | 7 ++----- apparmor.d/groups/flatpak/flatpak-portal | 5 +++++ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 11 +++-------- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 ++ apparmor.d/groups/polkit/polkit-agent-helper | 1 + 8 files changed, 21 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index f543d04f83..2043910e80 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -86,7 +86,12 @@ unix type=seqpacket peer=(label=flatpak-portal), unix type=seqpacket peer=(label=flatpak), unix type=seqpacket peer=(label=xdg-dbus-proxy), + unix type=stream peer=(label=dbus-session), unix type=stream peer=(label=flatpak), + unix type=stream peer=(label=gnome-keyring-daemon), + unix type=stream peer=(label=unconfined), + unix type=stream peer=(label=xdg-dbus-proxy), + unix type=stream peer=(label=xdg-desktop-portal), signal (send receive) peer=fapp, signal (send receive) peer=fapp//&fbwrap, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index c4af45e111..e057c3d7e6 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -24,6 +24,8 @@ profile dbus-session flags=(attach_disconnected) { network unix stream, unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), + unix type=stream peer=(label=fapp), + unix type=stream peer=(label=fbwrap), signal (send receive) set=kill peer=dbus-session//&unconfined, diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 6bc45810f8..ec9d4c6918 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -53,6 +53,7 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { profile ldconfig flags=(attach_disconnected,mediate_deleted) { include + include @{sbin}/ldconfig mr, @{lib}/ r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index f830becb82..1637600d93 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -15,6 +15,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include + include include include include @@ -51,6 +52,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain ptrace read peer=flatpak.*, signal send peer=flatpak-app, + signal send peer=polkit-agent-helper, unix type=seqpacket peer=(label=flatpak-system-helper), unix type=stream peer=(label=flatpak//fusermount), @@ -61,11 +63,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), - dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper interface=org.freedesktop.Flatpak.SystemHelper member=GetRevokefsFd diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 55b6a509f4..518ac53f1d 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -30,6 +30,11 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{bin}/flatpak rPx, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index b3ed01b2a3..762c20e83c 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -15,20 +15,15 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include - include include network unix stream, signal receive set=int peer=flatpak-portal, - #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal - #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Realtime - member=MakeThread* - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + # By design xdg-dbus-proxy proxies and filters dbus communication from flatpak + # apps to the system. Thus, it can manage the full session bus. + dbus bus=session, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index fcb338f287..08a9a3cfa6 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -38,6 +38,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, + unix type=stream peer=(label=fapp), + unix type=stream peer=(label=fbwrap), unix type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.freedesktop.portal interface+=org.freedesktop.impl.portal diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index f761ecf297..c97e4dfe48 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -25,6 +25,7 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal receive set=(term kill) peer=flatpak, signal receive set=(term kill) peer=gnome-shell, signal receive set=(term kill) peer=pkexec, signal receive set=(term kill) peer=pkttyagent, From ce40dc2215980261ce8eca8f767d499f72944c4e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Oct 2025 22:17:44 +0200 Subject: [PATCH 0931/1736] feat(abs): update bus abs. --- .../bus/session/org.freedesktop.systemd1 | 5 +++++ .../abstractions/bus/session/org.gtk.Actions | 5 +++++ .../abstractions/bus/session/org.gtk.Settings | 1 + .../bus/session/org.kde.StatusNotifierItem | 15 ++++++++++----- .../bus/session/org.mpris.MediaPlayer2.Player | 6 ++++++ .../bus/system/org.freedesktop.systemd1 | 9 +++++++-- 6 files changed, 34 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 index 6b7e5b34db..0a208dc8ff 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -22,6 +22,11 @@ member=PropertiesChanged peer=(label="@{p_systemd_user}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + # List units dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions index 899f244a82..986c028052 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Actions +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -13,6 +13,11 @@ interface=org.gtk.Actions member={Activate,DescribeAll,SetState}, + dbus send bus=session + interface=org.gtk.Actions + member=DescribeAll + peer=(name=org.gnome.Nautilus), + dbus send bus=session interface=org.gtk.Actions member=Changed, diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings index 9d2dd282a0..fd84f83c0d 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Settings +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings @@ -8,6 +8,7 @@ interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index d017d44e3c..8ddc66143d 100644 --- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -8,17 +8,22 @@ dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, - dbus send bus=session path=/StatusNotifierWatcher - interface=org.kde.StatusNotifierWatcher - member=RegisterStatusNotifierItem - peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), diff --git a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player index b2b9340740..7562949a47 100644 --- a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player @@ -6,6 +6,12 @@ # DBus.Properties: read all properties from the interface dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.freedesktop.DBus}"), + + # DBus.Properties: receive all properties from the interface + dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name=@{busname}), diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 index ac7c5b688c..2322c88797 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 @@ -12,16 +12,21 @@ member=Get peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1/unit/*2dservice + dbus send bus=system path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties member=GetAll peer=(label="@{p_systemd}"), - dbus receive bus=system path=/org/freedesktop/systemd1/unit/*2dservice + dbus receive bus=system path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(label="@{p_systemd}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={SetEnvironment,UnsetAndSetEnvironment,ResetFailed} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + # List units dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager From 6aaa6e79183d489c84f9baad821354e72b322c46 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 20:24:24 +0200 Subject: [PATCH 0932/1736] fix: linter. --- apparmor.d/groups/cups/cupsd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 1ec2742952..a58c57c5ef 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -114,7 +114,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { /etc/papersize r, /etc/paperspecs r, - + /var/lib/ghostscript/{,**} r, owner /var/spool/cups/tmp/gs_@{rand6} rw, From ba95f61324742e7cc8294600a492a5a376223d78 Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Sun, 26 Oct 2025 20:26:40 +0300 Subject: [PATCH 0933/1736] add to mesa.d/complete new cache dir Added permissions for radv mesa shaders cache dir which is accessed by mpv proccess during video playback on system with radeon graphics --- apparmor.d/abstractions/mesa.d/complete | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 02a48114c2..e28987e09e 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -40,6 +40,13 @@ owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + owner @{user_cache_dirs}/radv_builtin_shaders/ w, + owner @{user_cache_dirs}/radv_builtin_shaders/index rw, + owner @{user_cache_dirs}/radv_builtin_shaders/marker rw, + owner @{user_cache_dirs}/radv_builtin_shaders/part@{int}/ rw, + owner @{user_cache_dirs}/radv_builtin_shaders/part@{int}/mesa_cache.db rwk, + owner @{user_cache_dirs}/radv_builtin_shaders/part@{int}/mesa_cache.idx rwk, + @{PROC}/sys/dev/xe/observation_paranoid r, /dev/udmabuf rw, # In upstream, but not released yet From 608c46798a9175f6221f576560b8207da6684b62 Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Sun, 26 Oct 2025 20:35:59 +0300 Subject: [PATCH 0934/1736] update mpv profile with mesa cache dir and scripts in etc Updated mpv profile with abstractions/mesa because mpv during video playback on system with radeon graphic is trying to get access to: 1. @{user_cache_dirs}/radv_builtin_shaders/** 2. /dev/udmabuf updated rule "to /etc/mpv/** r" because aa-log complains that mpv process is trying to get access to scripts folder which is located under /etc/mpv --- apparmor.d/profiles-m-r/mpv | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 3d044049e7..3e64c69d3e 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -18,6 +18,7 @@ profile mpv @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -36,7 +37,7 @@ profile mpv @{exec_path} { @{bin}/youtube-dl rPx, @{bin}/yt-dlp rPx, - /etc/mpv/* r, + /etc/mpv/** r, /etc/samba/smb.conf r, /etc/machine-id r, From ed2a8a7246e998f8e19ba7a5dad171348580d664 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 2 Nov 2025 13:57:41 +0100 Subject: [PATCH 0935/1736] fix: keep fapp and fbwrap in complain mode for now. Further fix will come with #921 fix #922 --- dists/flags/main.flags | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9dd685d343..2863a8f52b 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -101,6 +101,8 @@ epiphany-webapp-provider complain evolution-user-prompter complain fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain +fapp attach_disconnected,mediate_deleted +fbwrap attach_disconnected,mediate_deleted fdisk complain filezilla complain finalrd complain From 7db7a62703f1b57a3591bb1d484d682e91d1e0ea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 2 Nov 2025 14:03:04 +0100 Subject: [PATCH 0936/1736] fix(profile): add support for new pid file. fix #924 --- apparmor.d/profiles-a-f/auditd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 0f995aebfc..4bdfea7805 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -29,6 +29,8 @@ profile auditd @{exec_path} flags=(attach_disconnected) { @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, + owner @{run}/audit/ w, + owner @{run}/audit/auditd.pid rwl, owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, From c42dba1b6fbade6af2bda80a51b42dd687e79245 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 2 Nov 2025 14:11:54 +0100 Subject: [PATCH 0937/1736] fix: main.flags. --- dists/flags/main.flags | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2863a8f52b..8a79f720c8 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -101,8 +101,8 @@ epiphany-webapp-provider complain evolution-user-prompter complain fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain -fapp attach_disconnected,mediate_deleted -fbwrap attach_disconnected,mediate_deleted +fapp attach_disconnected,mediate_deleted,complain +fbwrap attach_disconnected,mediate_deleted,complain fdisk complain filezilla complain finalrd complain From ddc2e68275ab5413885adcfc53f4ac02a300dfd1 Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Tue, 4 Nov 2025 23:48:27 +0300 Subject: [PATCH 0938/1736] Update hwmon --- apparmor.d/abstractions/hwmon | 137 +++++++++++++++++++++++++++++++++- 1 file changed, 133 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/hwmon b/apparmor.d/abstractions/hwmon index e9bdb910e3..557a7b5489 100644 --- a/apparmor.d/abstractions/hwmon +++ b/apparmor.d/abstractions/hwmon @@ -5,11 +5,140 @@ abi , @{sys}/class/hwmon/ r, + @{sys}/class/hwmon/hwmon@{int}/ r, + @{sys}/devices/**/hwmon/ r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/ r, - @{sys}/devices/**/hwmon@{int}/name r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_input r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_label r, - @{sys}/devices/**/hwmon/hwmon@{int}/temp@{int}_input r, + + +# hwmon nodes below are written in accordance with https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface +# Global attributes + @{sys}/devices/**/{,hwmon/}hwmon@{int}/name r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/update_interval rw, + +# Voltages + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{min,max} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{lcrit,crit} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{average,lowest,highest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_reset_history w, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in_reset_history w, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_label r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_enable rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/cpu@{int}_vid r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/vrm r, + +# Fans +# Fan enumeration starts from 1 not 0 + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_{min,max} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_div rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_pulses rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_target rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_label r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_enable rw, + +# PWM +# PWM enumeration starts from 1 not 0 + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_enable rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_mode rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_freq rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_channels_temp rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_pwm rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_temp rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_pwm rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_temp rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst rw, + +# Temperatures +# Temperatures enumeration starts from 1 not 0 + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_type rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min,max} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min_hyst,max_hyst} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{crit,crit_hyst} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{emergency,emergency_hyst} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lcrit,lcrit_hyst} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_offset rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_label r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lowest,highest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_reset_history w, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp_reset_history w, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_enable rw, + +# Currents +# Currents enumeration starts from 1 not 0 + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{max,min} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{lcrit,crit} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{average,lowest,highest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_reset_history w, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr_reset_history w, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_enable rw, +# line below is not in kernel doc, but present in real system for CPU hwmon + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_label r, + +# Power + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_interval rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_interval_{max,min} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_{highest,lowest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_{max,min} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_input_{highest,lowest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_reset_history w, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_accuracy r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_hyst rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_{max,min} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_{max,crit} rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_enable rw, +# lines below is not in kernel doc, but present in real system + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_default r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_label r, + +# Energy + @{sys}/devices/**/{,hwmon/}hwmon@{int}/energy@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/energy@{int}_enable rw, + +# Humidity + @{sys}/devices/**/{,hwmon/}hwmon@{int}/humidity@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/humidity@{int}_enable rw, + +# Alarms + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_alarm r, + + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{min,max}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{min,max}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_{cap,max,crit}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_{min,max}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min,max}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_emergency_alarm r, + + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_fault r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_fault r, + + @{sys}/devices/**/{,hwmon/}hwmon@{int}/beep_enable rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_beep rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_beep rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_beep rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_beep rw, + + @{sys}/devices/**/{,hwmon/}hwmon@{int}/alarms r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/beep_maks rw, + +# Intrusion detection + @{sys}/devices/**/{,hwmon/}hwmon@{int}/intrusion@{int}_alarm rw, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/intrusion@{int}_beep rw, include if exists From 47e7ebc514a7058bb7ec23041827727288aee34a Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Wed, 5 Nov 2025 00:06:40 +0300 Subject: [PATCH 0939/1736] Rename hwmon to hwmon-full Due to full rights to read and write data to hwmon-nodes --- apparmor.d/abstractions/{hwmon => hwmon-full} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/abstractions/{hwmon => hwmon-full} (100%) diff --git a/apparmor.d/abstractions/hwmon b/apparmor.d/abstractions/hwmon-full similarity index 100% rename from apparmor.d/abstractions/hwmon rename to apparmor.d/abstractions/hwmon-full From 33697f0d0ae607de1848d2cf01fdc4f54ac37ee3 Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Wed, 5 Nov 2025 00:13:17 +0300 Subject: [PATCH 0940/1736] Create hwmon recreated hwmon profile only with read permissions and remove properties that have only "write" option --- apparmor.d/abstractions/hwmon | 138 ++++++++++++++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 apparmor.d/abstractions/hwmon diff --git a/apparmor.d/abstractions/hwmon b/apparmor.d/abstractions/hwmon new file mode 100644 index 0000000000..dc7aa1d7df --- /dev/null +++ b/apparmor.d/abstractions/hwmon @@ -0,0 +1,138 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{sys}/class/hwmon/ r, + @{sys}/class/hwmon/hwmon@{int}/ r, + @{sys}/devices/**/hwmon/ r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/ r, + + + +# hwmon nodes below are written in accordance with https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface +# Global attributes + @{sys}/devices/**/{,hwmon/}hwmon@{int}/name r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/update_interval r, + +# Voltages + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{min,max} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{lcrit,crit} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{average,lowest,highest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_label r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_enable r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/cpu@{int}_vid r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/vrm r, + +# Fans +# Fan enumeration starts from 1 not 0 + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_{min,max} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_div r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_pulses r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_target r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_label r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_enable r, + +# PWM +# PWM enumeration starts from 1 not 0 + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_enable r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_mode r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_freq r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_channels_temp r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_pwm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_temp r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_pwm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_temp r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst r, + +# Temperatures +# Temperatures enumeration starts from 1 not 0 + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_type r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min,max} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min_hyst,max_hyst} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{crit,crit_hyst} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{emergency,emergency_hyst} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lcrit,lcrit_hyst} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_offset r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_label r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lowest,highest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_enable r, + +# Currents +# Currents enumeration starts from 1 not 0 + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{max,min} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{lcrit,crit} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{average,lowest,highest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_enable r, +# line below is not in kernel doc, but present in real system for CPU hwmon + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_label r, + +# Power + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_interval r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_interval_{max,min} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_{highest,lowest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_{max,min} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_input_{highest,lowest} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_accuracy r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_hyst r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_{max,min} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_{max,crit} r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_enable r, +# lines below is not in kernel doc, but present in real system + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_default r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_label r, + +# Energy + @{sys}/devices/**/{,hwmon/}hwmon@{int}/energy@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/energy@{int}_enable r, + +# Humidity + @{sys}/devices/**/{,hwmon/}hwmon@{int}/humidity@{int}_input r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/humidity@{int}_enable r, + +# Alarms + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_alarm r, + + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{min,max}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{min,max}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_{cap,max,crit}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_{min,max}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min,max}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_emergency_alarm r, + + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_fault r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_fault r, + + @{sys}/devices/**/{,hwmon/}hwmon@{int}/beep_enable r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_beep r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_beep r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_beep r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_beep r, + + @{sys}/devices/**/{,hwmon/}hwmon@{int}/alarms r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/beep_maks r, + +# Intrusion detection + @{sys}/devices/**/{,hwmon/}hwmon@{int}/intrusion@{int}_alarm r, + @{sys}/devices/**/{,hwmon/}hwmon@{int}/intrusion@{int}_beep r, + + include if exists + +# vim:syntax=apparmor From efecd40f6a7d0567c7c05a7dbc1a875c0209d5ee Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Wed, 5 Nov 2025 16:52:00 +0300 Subject: [PATCH 0941/1736] Update hwmon-full removed {,hwmon/} and expanded rules from ...{min,average, max} to ...{min} \n ...{average} \n ...{max} --- apparmor.d/abstractions/hwmon-full | 223 ++++++++++++++++------------- 1 file changed, 122 insertions(+), 101 deletions(-) diff --git a/apparmor.d/abstractions/hwmon-full b/apparmor.d/abstractions/hwmon-full index 557a7b5489..d5ca4fd596 100644 --- a/apparmor.d/abstractions/hwmon-full +++ b/apparmor.d/abstractions/hwmon-full @@ -7,138 +7,159 @@ @{sys}/class/hwmon/ r, @{sys}/class/hwmon/hwmon@{int}/ r, @{sys}/devices/**/hwmon/ r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/ r, + @{sys}/devices/**/hwmon@{int}/ r, # hwmon nodes below are written in accordance with https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface # Global attributes - @{sys}/devices/**/{,hwmon/}hwmon@{int}/name r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/update_interval rw, + @{sys}/devices/**/hwmon@{int}/name r, + @{sys}/devices/**/hwmon@{int}/update_interval rw, # Voltages - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{min,max} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{lcrit,crit} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{average,lowest,highest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_reset_history w, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in_reset_history w, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_label r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_enable rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/cpu@{int}_vid r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/vrm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_min rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_crit rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_input r, + @{sys}/devices/**/hwmon@{int}/in@{int}_average r, + @{sys}/devices/**/hwmon@{int}/in@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/in@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/in@{int}_reset_history w, + @{sys}/devices/**/hwmon@{int}/in_reset_history w, + @{sys}/devices/**/hwmon@{int}/in@{int}_label r, + @{sys}/devices/**/hwmon@{int}/in@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/cpu@{int}_vid r, + @{sys}/devices/**/hwmon@{int}/vrm r, # Fans # Fan enumeration starts from 1 not 0 - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_{min,max} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_div rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_pulses rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_target rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_label r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_min rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_input r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_div rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_pulses rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_target rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_label r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_enable rw, # PWM # PWM enumeration starts from 1 not 0 - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_enable rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_mode rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_freq rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_channels_temp rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_pwm rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_temp rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_pwm rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_temp rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int} rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_mode rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_freq rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_channels_temp rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_pwm rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_pwm rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst rw, # Temperatures # Temperatures enumeration starts from 1 not 0 - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_type rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min,max} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min_hyst,max_hyst} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{crit,crit_hyst} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{emergency,emergency_hyst} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lcrit,lcrit_hyst} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_offset rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_label r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lowest,highest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_reset_history w, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp_reset_history w, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_type rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_input r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_offset rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_label r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_reset_history w, + @{sys}/devices/**/hwmon@{int}/temp_reset_history w, + @{sys}/devices/**/hwmon@{int}/temp@{int}_enable rw, # Currents # Currents enumeration starts from 1 not 0 - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{max,min} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{lcrit,crit} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{average,lowest,highest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_reset_history w, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr_reset_history w, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_min rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_crit rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_input r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_average r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_reset_history w, + @{sys}/devices/**/hwmon@{int}/curr_reset_history w, + @{sys}/devices/**/hwmon@{int}/curr@{int}_enable rw, # line below is not in kernel doc, but present in real system for CPU hwmon - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_label r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_label r, # Power - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_interval rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_interval_{max,min} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_{highest,lowest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_{max,min} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_input_{highest,lowest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_reset_history w, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_accuracy r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_hyst rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_{max,min} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_{max,crit} rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_average r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_min r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_highest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_lowest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_max rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_min rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_input r, + @{sys}/devices/**/hwmon@{int}/power@{int}_input_highest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_input_lowest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_reset_history w, + @{sys}/devices/**/hwmon@{int}/power@{int}_accuracy r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_hyst rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_min r, + @{sys}/devices/**/hwmon@{int}/power@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_crit rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_enable rw, # lines below is not in kernel doc, but present in real system - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_default r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_label r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_default r, + @{sys}/devices/**/hwmon@{int}/power@{int}_label r, # Energy - @{sys}/devices/**/{,hwmon/}hwmon@{int}/energy@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/energy@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/energy@{int}_input r, + @{sys}/devices/**/hwmon@{int}/energy@{int}_enable rw, # Humidity - @{sys}/devices/**/{,hwmon/}hwmon@{int}/humidity@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/humidity@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/humidity@{int}_input r, + @{sys}/devices/**/hwmon@{int}/humidity@{int}_enable rw, # Alarms - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_alarm r, - - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{min,max}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{min,max}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_{cap,max,crit}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_{min,max}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min,max}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_emergency_alarm r, - - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_fault r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_fault r, - - @{sys}/devices/**/{,hwmon/}hwmon@{int}/beep_enable rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_beep rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_beep rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_beep rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_beep rw, - - @{sys}/devices/**/{,hwmon/}hwmon@{int}/alarms r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/beep_maks rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_alarm r, + + @{sys}/devices/**/hwmon@{int}/in@{int}_{min,max}_alarm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_{min,max}_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_{cap,max,crit}_alarm r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_{min,max}_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_{min,max}_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_{lcrit,crit}_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_alarm r, + + @{sys}/devices/**/hwmon@{int}/fan@{int}_fault r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_fault r, + + @{sys}/devices/**/hwmon@{int}/beep_enable rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_beep rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_beep rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_beep rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_beep rw, + + @{sys}/devices/**/hwmon@{int}/alarms r, + @{sys}/devices/**/hwmon@{int}/beep_maks rw, # Intrusion detection - @{sys}/devices/**/{,hwmon/}hwmon@{int}/intrusion@{int}_alarm rw, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/intrusion@{int}_beep rw, + @{sys}/devices/**/hwmon@{int}/intrusion@{int}_alarm rw, + @{sys}/devices/**/hwmon@{int}/intrusion@{int}_beep rw, include if exists From ae556c14b358fab4ee27e3247913c5af04c4fbce Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Wed, 5 Nov 2025 21:47:12 +0300 Subject: [PATCH 0942/1736] corrected include if exist statement at the end of file --- apparmor.d/abstractions/hwmon-full | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/hwmon-full b/apparmor.d/abstractions/hwmon-full index d5ca4fd596..14d7e99d1c 100644 --- a/apparmor.d/abstractions/hwmon-full +++ b/apparmor.d/abstractions/hwmon-full @@ -161,6 +161,6 @@ @{sys}/devices/**/hwmon@{int}/intrusion@{int}_alarm rw, @{sys}/devices/**/hwmon@{int}/intrusion@{int}_beep rw, - include if exists + include if exists # vim:syntax=apparmor From f26eca515c69a9121fdad8809a982f91b57c671e Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Wed, 5 Nov 2025 22:12:00 +0300 Subject: [PATCH 0943/1736] deduplication with hwmon abstraction In preamble added include In text removed all statements crossing with hwmon with read-only permission --- apparmor.d/abstractions/hwmon-full | 64 ++---------------------------- 1 file changed, 3 insertions(+), 61 deletions(-) diff --git a/apparmor.d/abstractions/hwmon-full b/apparmor.d/abstractions/hwmon-full index 14d7e99d1c..8a0e8d0598 100644 --- a/apparmor.d/abstractions/hwmon-full +++ b/apparmor.d/abstractions/hwmon-full @@ -4,16 +4,13 @@ abi , - @{sys}/class/hwmon/ r, - @{sys}/class/hwmon/hwmon@{int}/ r, - @{sys}/devices/**/hwmon/ r, - @{sys}/devices/**/hwmon@{int}/ r, - + include +# hwmon-full abstraction includes all rules from hwmon with read permission +# and adds rules for write and write-only permission in hwmon structure # hwmon nodes below are written in accordance with https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface # Global attributes - @{sys}/devices/**/hwmon@{int}/name r, @{sys}/devices/**/hwmon@{int}/update_interval rw, # Voltages @@ -21,26 +18,17 @@ @{sys}/devices/**/hwmon@{int}/in@{int}_max rw, @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit rw, @{sys}/devices/**/hwmon@{int}/in@{int}_crit rw, - @{sys}/devices/**/hwmon@{int}/in@{int}_input r, - @{sys}/devices/**/hwmon@{int}/in@{int}_average r, - @{sys}/devices/**/hwmon@{int}/in@{int}_lowest r, - @{sys}/devices/**/hwmon@{int}/in@{int}_highest r, @{sys}/devices/**/hwmon@{int}/in@{int}_reset_history w, @{sys}/devices/**/hwmon@{int}/in_reset_history w, - @{sys}/devices/**/hwmon@{int}/in@{int}_label r, @{sys}/devices/**/hwmon@{int}/in@{int}_enable rw, - @{sys}/devices/**/hwmon@{int}/cpu@{int}_vid r, - @{sys}/devices/**/hwmon@{int}/vrm r, # Fans # Fan enumeration starts from 1 not 0 @{sys}/devices/**/hwmon@{int}/fan@{int}_min rw, @{sys}/devices/**/hwmon@{int}/fan@{int}_max rw, - @{sys}/devices/**/hwmon@{int}/fan@{int}_input r, @{sys}/devices/**/hwmon@{int}/fan@{int}_div rw, @{sys}/devices/**/hwmon@{int}/fan@{int}_pulses rw, @{sys}/devices/**/hwmon@{int}/fan@{int}_target rw, - @{sys}/devices/**/hwmon@{int}/fan@{int}_label r, @{sys}/devices/**/hwmon@{int}/fan@{int}_enable rw, # PWM @@ -64,7 +52,6 @@ @{sys}/devices/**/hwmon@{int}/temp@{int}_max rw, @{sys}/devices/**/hwmon@{int}/temp@{int}_min_hyst rw, @{sys}/devices/**/hwmon@{int}/temp@{int}_max_hyst rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_input r, @{sys}/devices/**/hwmon@{int}/temp@{int}_crit rw, @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_hyst rw, @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency rw, @@ -72,9 +59,6 @@ @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit rw, @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_hyst rw, @{sys}/devices/**/hwmon@{int}/temp@{int}_offset rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_label r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_lowest r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_highest r, @{sys}/devices/**/hwmon@{int}/temp@{int}_reset_history w, @{sys}/devices/**/hwmon@{int}/temp_reset_history w, @{sys}/devices/**/hwmon@{int}/temp@{int}_enable rw, @@ -85,76 +69,34 @@ @{sys}/devices/**/hwmon@{int}/curr@{int}_min rw, @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit rw, @{sys}/devices/**/hwmon@{int}/curr@{int}_crit rw, - @{sys}/devices/**/hwmon@{int}/curr@{int}_input r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_average r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_lowest r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_highest r, @{sys}/devices/**/hwmon@{int}/curr@{int}_reset_history w, @{sys}/devices/**/hwmon@{int}/curr_reset_history w, @{sys}/devices/**/hwmon@{int}/curr@{int}_enable rw, -# line below is not in kernel doc, but present in real system for CPU hwmon - @{sys}/devices/**/hwmon@{int}/curr@{int}_label r, # Power - @{sys}/devices/**/hwmon@{int}/power@{int}_average r, @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_max r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_min r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_highest r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_lowest r, @{sys}/devices/**/hwmon@{int}/power@{int}_average_max rw, @{sys}/devices/**/hwmon@{int}/power@{int}_average_min rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_input r, - @{sys}/devices/**/hwmon@{int}/power@{int}_input_highest r, - @{sys}/devices/**/hwmon@{int}/power@{int}_input_lowest r, @{sys}/devices/**/hwmon@{int}/power@{int}_reset_history w, - @{sys}/devices/**/hwmon@{int}/power@{int}_accuracy r, @{sys}/devices/**/hwmon@{int}/power@{int}_cap rw, @{sys}/devices/**/hwmon@{int}/power@{int}_cap_hyst rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_max r, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_min r, @{sys}/devices/**/hwmon@{int}/power@{int}_max rw, @{sys}/devices/**/hwmon@{int}/power@{int}_crit rw, @{sys}/devices/**/hwmon@{int}/power@{int}_enable rw, -# lines below is not in kernel doc, but present in real system - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_default r, - @{sys}/devices/**/hwmon@{int}/power@{int}_label r, # Energy - @{sys}/devices/**/hwmon@{int}/energy@{int}_input r, @{sys}/devices/**/hwmon@{int}/energy@{int}_enable rw, # Humidity - @{sys}/devices/**/hwmon@{int}/humidity@{int}_input r, @{sys}/devices/**/hwmon@{int}/humidity@{int}_enable rw, # Alarms - @{sys}/devices/**/hwmon@{int}/in@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/power@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_alarm r, - - @{sys}/devices/**/hwmon@{int}/in@{int}_{min,max}_alarm r, - @{sys}/devices/**/hwmon@{int}/in@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_{min,max}_alarm r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/hwmon@{int}/power@{int}_{cap,max,crit}_alarm r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_{min,max}_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_{min,max}_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_alarm r, - - @{sys}/devices/**/hwmon@{int}/fan@{int}_fault r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_fault r, - @{sys}/devices/**/hwmon@{int}/beep_enable rw, @{sys}/devices/**/hwmon@{int}/in@{int}_beep rw, @{sys}/devices/**/hwmon@{int}/curr@{int}_beep rw, @{sys}/devices/**/hwmon@{int}/fan@{int}_beep rw, @{sys}/devices/**/hwmon@{int}/temp@{int}_beep rw, - @{sys}/devices/**/hwmon@{int}/alarms r, @{sys}/devices/**/hwmon@{int}/beep_maks rw, # Intrusion detection From 419d989da78f7ef92803daa79d4fc7d35b7599fb Mon Sep 17 00:00:00 2001 From: no-madsoul <11956072+no-madsoul@users.noreply.github.com> Date: Wed, 5 Nov 2025 22:31:37 +0300 Subject: [PATCH 0944/1736] added some verbosity removed {min,max,etc} compounds in statements and added new lines for each hwmon node --- apparmor.d/abstractions/hwmon | 218 +++++++++++++++++++--------------- 1 file changed, 124 insertions(+), 94 deletions(-) diff --git a/apparmor.d/abstractions/hwmon b/apparmor.d/abstractions/hwmon index dc7aa1d7df..6528aaee2a 100644 --- a/apparmor.d/abstractions/hwmon +++ b/apparmor.d/abstractions/hwmon @@ -7,131 +7,161 @@ @{sys}/class/hwmon/ r, @{sys}/class/hwmon/hwmon@{int}/ r, @{sys}/devices/**/hwmon/ r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/ r, + @{sys}/devices/**/hwmon@{int}/ r, # hwmon nodes below are written in accordance with https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface # Global attributes - @{sys}/devices/**/{,hwmon/}hwmon@{int}/name r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/update_interval r, + @{sys}/devices/**/hwmon@{int}/name r, + @{sys}/devices/**/hwmon@{int}/update_interval r, # Voltages - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{min,max} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{lcrit,crit} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{average,lowest,highest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_label r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_enable r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/cpu@{int}_vid r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/vrm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_min r, + @{sys}/devices/**/hwmon@{int}/in@{int}_max r, + @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit r, + @{sys}/devices/**/hwmon@{int}/in@{int}_crit r, + @{sys}/devices/**/hwmon@{int}/in@{int}_input r, + @{sys}/devices/**/hwmon@{int}/in@{int}_average r, + @{sys}/devices/**/hwmon@{int}/in@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/in@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/in@{int}_label r, + @{sys}/devices/**/hwmon@{int}/in@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/cpu@{int}_vid r, + @{sys}/devices/**/hwmon@{int}/vrm r, # Fans # Fan enumeration starts from 1 not 0 - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_{min,max} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_div r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_pulses r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_target r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_label r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_min r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_max r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_input r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_div r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_pulses r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_target r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_label r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_enable r, # PWM # PWM enumeration starts from 1 not 0 - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_enable r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_mode r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_freq r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_channels_temp r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_pwm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_temp r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_pwm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_temp r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst r, + @{sys}/devices/**/hwmon@{int}/pwm@{int} r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_mode r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_freq r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_channels_temp r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_pwm r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_pwm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst r, # Temperatures # Temperatures enumeration starts from 1 not 0 - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_type r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min,max} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min_hyst,max_hyst} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{crit,crit_hyst} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{emergency,emergency_hyst} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lcrit,lcrit_hyst} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_offset r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_label r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lowest,highest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_type r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_input r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_offset r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_label r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_enable r, # Currents # Currents enumeration starts from 1 not 0 - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{max,min} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{lcrit,crit} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{average,lowest,highest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_max r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_min r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_crit r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_input r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_average r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_enable r, # line below is not in kernel doc, but present in real system for CPU hwmon - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_label r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_label r, # Power - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_interval r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_interval_{max,min} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_{highest,lowest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_average_{max,min} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_input_{highest,lowest} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_accuracy r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_hyst r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_{max,min} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_{max,crit} r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_min r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_highest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_lowest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_min r, + @{sys}/devices/**/hwmon@{int}/power@{int}_input r, + @{sys}/devices/**/hwmon@{int}/power@{int}_input_highest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_input_lowest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_accuracy r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_hyst r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_min r, + @{sys}/devices/**/hwmon@{int}/power@{int}_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_crit r, + @{sys}/devices/**/hwmon@{int}/power@{int}_enable r, # lines below is not in kernel doc, but present in real system - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_cap_default r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_label r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_default r, + @{sys}/devices/**/hwmon@{int}/power@{int}_label r, # Energy - @{sys}/devices/**/{,hwmon/}hwmon@{int}/energy@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/energy@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/energy@{int}_input r, + @{sys}/devices/**/hwmon@{int}/energy@{int}_enable r, # Humidity - @{sys}/devices/**/{,hwmon/}hwmon@{int}/humidity@{int}_input r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/humidity@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/humidity@{int}_input r, + @{sys}/devices/**/hwmon@{int}/humidity@{int}_enable r, # Alarms - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_alarm r, - - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{min,max}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{min,max}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/power@{int}_{cap,max,crit}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_{min,max}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{min,max}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_{lcrit,crit}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_emergency_alarm r, - - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_fault r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_fault r, - - @{sys}/devices/**/{,hwmon/}hwmon@{int}/beep_enable r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/in@{int}_beep r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/curr@{int}_beep r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/fan@{int}_beep r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/temp@{int}_beep r, - - @{sys}/devices/**/{,hwmon/}hwmon@{int}/alarms r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/beep_maks r, + @{sys}/devices/**/hwmon@{int}/in@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_alarm r, + + @{sys}/devices/**/hwmon@{int}/in@{int}_min_alarm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit_alarm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_crit_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_min_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_crit_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_crit_alarm r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_min_alarm r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_alarm r, + + @{sys}/devices/**/hwmon@{int}/fan@{int}_fault r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_fault r, + + @{sys}/devices/**/hwmon@{int}/beep_enable r, + @{sys}/devices/**/hwmon@{int}/in@{int}_beep r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_beep r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_beep r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_beep r, + + @{sys}/devices/**/hwmon@{int}/alarms r, + @{sys}/devices/**/hwmon@{int}/beep_mask r, # Intrusion detection - @{sys}/devices/**/{,hwmon/}hwmon@{int}/intrusion@{int}_alarm r, - @{sys}/devices/**/{,hwmon/}hwmon@{int}/intrusion@{int}_beep r, + @{sys}/devices/**/hwmon@{int}/intrusion@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/intrusion@{int}_beep r, include if exists From dece4cfb6df17c27b1ea7eb2d30c45beb0a75bcd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 20:43:38 +0200 Subject: [PATCH 0945/1736] refractor(abs): move bus abs into session or systemd dir. --- .../abstractions/bus/com.canonical.dbusmenu | 14 ----- .../bus/org.freedesktop.login1.Session | 26 --------- .../abstractions/bus/org.freedesktop.secrets | 26 --------- .../bus/org.kde.StatusNotifierWatcher | 54 ------------------- .../bus/{ => session}/ca.desrt.dconf.Writer | 0 .../com.canonical.Unity.LauncherEntry | 0 .../org.freedesktop.FileManager1 | 0 .../org.freedesktop.Tracker3.Miner.Files | 0 .../org.freedesktop.background.Monitor | 0 ...rg.freedesktop.impl.portal.PermissionStore | 0 .../org.freedesktop.portal.Desktop | 0 .../org.gnome.Mutter.DisplayConfig | 0 .../{ => session}/org.gnome.Shell.Introspect | 0 .../org.gnome.Shell.SearchProvider2 | 0 .../org.gnome.keyring.internal.Prompter | 0 .../bus/{ => system}/net.hadess.PowerProfiles | 0 .../{ => system}/net.hadess.SwitcherooControl | 0 .../bus/{ => system}/net.reactivated.Fprint | 0 .../org.freedesktop.ModemManager1 | 0 .../org.freedesktop.NetworkManager | 0 .../{ => system}/org.freedesktop.PackageKit | 0 .../{ => system}/org.freedesktop.PolicyKit1 | 0 .../{ => system}/org.freedesktop.RealtimeKit1 | 0 .../bus/{ => system}/org.freedesktop.UDisks2 | 0 .../org.freedesktop.UPower.PowerProfiles | 0 .../{ => system}/org.freedesktop.hostname1 | 0 .../bus/{ => system}/org.freedesktop.network1 | 0 .../{ => system}/org.freedesktop.timedate1 | 0 28 files changed, 120 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/com.canonical.dbusmenu delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.login1.Session delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.secrets delete mode 100644 apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher rename apparmor.d/abstractions/bus/{ => session}/ca.desrt.dconf.Writer (100%) rename apparmor.d/abstractions/bus/{ => session}/com.canonical.Unity.LauncherEntry (100%) rename apparmor.d/abstractions/bus/{ => session}/org.freedesktop.FileManager1 (100%) rename apparmor.d/abstractions/bus/{ => session}/org.freedesktop.Tracker3.Miner.Files (100%) rename apparmor.d/abstractions/bus/{ => session}/org.freedesktop.background.Monitor (100%) rename apparmor.d/abstractions/bus/{ => session}/org.freedesktop.impl.portal.PermissionStore (100%) rename apparmor.d/abstractions/bus/{ => session}/org.freedesktop.portal.Desktop (100%) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Mutter.DisplayConfig (100%) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Shell.Introspect (100%) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Shell.SearchProvider2 (100%) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.keyring.internal.Prompter (100%) rename apparmor.d/abstractions/bus/{ => system}/net.hadess.PowerProfiles (100%) rename apparmor.d/abstractions/bus/{ => system}/net.hadess.SwitcherooControl (100%) rename apparmor.d/abstractions/bus/{ => system}/net.reactivated.Fprint (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.ModemManager1 (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.NetworkManager (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.PackageKit (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.PolicyKit1 (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.RealtimeKit1 (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.UDisks2 (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.UPower.PowerProfiles (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.hostname1 (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.network1 (100%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.timedate1 (100%) diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu deleted file mode 100644 index 61ce811114..0000000000 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/com/canonical/unity/launcherentry/** - interface=com.canonical.dbusmenu - member={GetGroupProperties,GetLayout} - peer=(name=@{busname}, label=nautilus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session deleted file mode 100644 index f60c693019..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=GetSession - peer=(name="@{busname}", label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.login1.Session - member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), - - dbus receive bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.login1.Session - member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets deleted file mode 100644 index e30e7b1c24..0000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon - - dbus send bus=session path=/org/freedesktop/secrets - interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} - peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), - - dbus send bus=session path=/org/freedesktop/secrets/aliases/default - interface=org.freedesktop.Secret.Collection - member=CreateItem - peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), - - dbus receive bus=session path=/org/freedesktop/secrets/collection/login - interface=org.freedesktop.Secret.Collection - member=ItemCreated - peer=(name="@{busname}", label=gnome-keyring-daemon), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher deleted file mode 100644 index 90a78d2ed4..0000000000 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ /dev/null @@ -1,54 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow to display Status Notifier Items in the KDE Plasma systray - - abi , - - #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell - - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), - - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), - - dbus receive bus=session path=/StatusNotifierItem - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(label="@{pp_app_indicator}"), - - - dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} - interface=com.canonical.dbusmenu - member={LayoutUpdated,ItemsPropertiesUpdated} - peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - - dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} - interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} - member={Get*,AboutTo*,Event*} - peer=(label="@{pp_app_indicator}"), - - dbus send bus=session path=/StatusNotifierWatcher - interface=org.kde.StatusNotifierWatcher - member=RegisterStatusNotifierItem - peer=(label="@{pp_app_indicator}"), - - dbus receive bus=session path=/StatusNotifierItem - interface=org.kde.StatusNotifierItem - member={ProvideXdgActivationToken,Activate} - peer=(label="@{pp_app_indicator}"), - - dbus receive bus=session path=/MenuBar - interface=com.canonical.dbusmenu - member={AboutToShow,GetLayout,Event} - peer=(label="@{pp_app_indicator}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer b/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer similarity index 100% rename from apparmor.d/abstractions/bus/ca.desrt.dconf.Writer rename to apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry similarity index 100% rename from apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry rename to apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.FileManager1 rename to apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/session/org.freedesktop.Tracker3.Miner.Files similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files rename to apparmor.d/abstractions/bus/session/org.freedesktop.Tracker3.Miner.Files diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.background.Monitor rename to apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore rename to apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop rename to apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig similarity index 100% rename from apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig rename to apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect similarity index 100% rename from apparmor.d/abstractions/bus/org.gnome.Shell.Introspect rename to apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 similarity index 100% rename from apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 rename to apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/session/org.gnome.keyring.internal.Prompter similarity index 100% rename from apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter rename to apparmor.d/abstractions/bus/session/org.gnome.keyring.internal.Prompter diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles similarity index 100% rename from apparmor.d/abstractions/bus/net.hadess.PowerProfiles rename to apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl similarity index 100% rename from apparmor.d/abstractions/bus/net.hadess.SwitcherooControl rename to apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/system/net.reactivated.Fprint similarity index 100% rename from apparmor.d/abstractions/bus/net.reactivated.Fprint rename to apparmor.d/abstractions/bus/system/net.reactivated.Fprint diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.NetworkManager rename to apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.PackageKit rename to apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.UDisks2 rename to apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles rename to apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.hostname1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/system/org.freedesktop.network1 similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.network1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.network1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 similarity index 100% rename from apparmor.d/abstractions/bus/org.freedesktop.timedate1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 From f89612e649dbe60cb39a19aff8383e6d56a95137 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 21:59:47 +0200 Subject: [PATCH 0946/1736] refractor(abs): update abs path to the new location. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/app/firefox | 10 ++-- apparmor.d/abstractions/app/flatpak | 4 +- .../bus/session/ca.desrt.dconf.Writer | 2 +- .../session/com.canonical.Unity.LauncherEntry | 2 +- .../bus/session/org.freedesktop.FileManager1 | 2 +- .../org.freedesktop.Tracker3.Miner.Files | 2 +- .../org.freedesktop.background.Monitor | 2 +- ...rg.freedesktop.impl.portal.PermissionStore | 2 +- .../session/org.freedesktop.portal.Desktop | 2 +- .../session/org.gnome.Mutter.DisplayConfig | 2 +- .../bus/session/org.gnome.Shell.Introspect | 2 +- .../session/org.gnome.Shell.SearchProvider2 | 2 +- .../org.gnome.keyring.internal.Prompter | 2 +- .../bus/system/net.hadess.PowerProfiles | 2 +- .../bus/system/net.hadess.SwitcherooControl | 2 +- .../bus/system/net.reactivated.Fprint | 2 +- .../bus/system/org.freedesktop.ModemManager1 | 2 +- .../bus/system/org.freedesktop.NetworkManager | 2 +- .../bus/system/org.freedesktop.PackageKit | 2 +- .../bus/system/org.freedesktop.PolicyKit1 | 2 +- .../bus/system/org.freedesktop.RealtimeKit1 | 2 +- .../bus/system/org.freedesktop.UDisks2 | 2 +- .../org.freedesktop.UPower.PowerProfiles | 2 +- .../bus/system/org.freedesktop.hostname1 | 2 +- .../bus/system/org.freedesktop.network1 | 2 +- .../bus/system/org.freedesktop.timedate1 | 2 +- apparmor.d/abstractions/common/gnome | 2 +- apparmor.d/abstractions/dconf-write | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/unattended-upgrade | 4 +- .../groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/cups/cups-browsed | 3 +- .../groups/cups/cups-pk-helper-mechanism | 2 +- apparmor.d/groups/firewall/firewalld | 4 +- apparmor.d/groups/flatpak/flatpak-portal | 8 +-- .../groups/flatpak/flatpak-system-helper | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 2 +- apparmor.d/groups/freedesktop/boltd | 2 +- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/freedesktop/geoclue | 4 +- apparmor.d/groups/freedesktop/pipewire | 2 +- .../groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/pipewire-pulse | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 4 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/wireplumber | 6 +-- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 +- .../groups/freedesktop/xdg-desktop-portal | 9 ++-- .../freedesktop/xdg-desktop-portal-gnome | 4 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 6 +-- .../groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 4 +- .../gnome/evolution-addressbook-factory | 4 +- .../groups/gnome/evolution-calendar-factory | 2 +- apparmor.d/groups/gnome/gjs | 6 +-- apparmor.d/groups/gnome/gnome-boxes | 2 +- apparmor.d/groups/gnome/gnome-calendar | 6 +-- apparmor.d/groups/gnome/gnome-characters | 3 +- apparmor.d/groups/gnome/gnome-clocks | 2 +- apparmor.d/groups/gnome/gnome-contacts | 1 - apparmor.d/groups/gnome/gnome-control-center | 2 +- .../gnome-control-center-search-provider | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 4 +- .../groups/gnome/gnome-extension-gsconnect | 9 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 4 +- .../groups/gnome/gnome-remote-desktop-daemon | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 49 ++++++++++++------- apparmor.d/groups/gnome/gnome-software | 4 +- apparmor.d/groups/gnome/gnome-system-monitor | 1 - apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/gnome-text-editor | 3 +- apparmor.d/groups/gnome/goa-daemon | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-datetime | 4 +- .../groups/gnome/gsd-disk-utility-notify | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 6 +-- apparmor.d/groups/gnome/gsd-rfkill | 6 +-- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 4 +- apparmor.d/groups/gnome/loupe | 2 +- apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 9 ++-- apparmor.d/groups/gnome/papers | 1 - apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/kauth-backlighthelper | 2 +- .../groups/kde/kauth-chargethresholdhelper | 2 +- apparmor.d/groups/kde/kauth-discretegpuhelper | 2 +- apparmor.d/groups/kde/kauth-kded-smart-helper | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kded | 13 +++-- apparmor.d/groups/kde/kscreenlocker_greet | 1 - apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/plasmashell | 4 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 6 +-- apparmor.d/groups/network/nm-online | 2 +- apparmor.d/groups/polkit/pkttyagent | 2 +- apparmor.d/groups/snap/snapd | 4 +- apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/update-manager | 4 +- apparmor.d/groups/virt/cockpit-bridge | 6 +-- apparmor.d/profiles-a-f/baobab | 3 +- apparmor.d/profiles-a-f/calibre | 5 +- apparmor.d/profiles-a-f/element-desktop | 4 +- apparmor.d/profiles-a-f/evince | 5 +- apparmor.d/profiles-a-f/fwupd | 7 +-- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-g-l/gimp | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-g-l/localsend | 2 +- apparmor.d/profiles-m-r/packagekitd | 4 +- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-m-r/remmina | 4 +- apparmor.d/profiles-m-r/rtkit-daemon | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 7 ++- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- apparmor.d/profiles-s-z/spotify | 4 +- apparmor.d/profiles-s-z/superproductivity | 5 +- apparmor.d/profiles-s-z/system-config-printer | 4 +- apparmor.d/profiles-s-z/thermald | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- apparmor.d/profiles-s-z/zsysd | 2 +- 134 files changed, 231 insertions(+), 225 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 70a3b8ecb2..4982d8a346 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -28,7 +28,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 2682957823..b28bf57524 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -22,12 +22,11 @@ include include include - include - include - include - include - include + include + include include + include + include include include include @@ -38,6 +37,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 2043910e80..52975983a2 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -72,10 +72,10 @@ # System bus: all system dbus interfaces a flatpak app can access include include - include - include + include include include + include include include diff --git a/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer b/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer index 9bad3655d4..356ad2b2ee 100644 --- a/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer +++ b/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer @@ -14,6 +14,6 @@ member=Notify peer=(name=@{busname}, label=dconf-service), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry index 9bbcfc748a..3db751caa7 100644 --- a/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry @@ -35,6 +35,6 @@ member=GetAll peer=(name="@{busname}", label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 index a08c98b26c..afef9a524b 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 @@ -11,6 +11,6 @@ member=ShowItems peer=(name=org.freedesktop.FileManager1, label=nautilus), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/session/org.freedesktop.Tracker3.Miner.Files index c55736c1e4..c0b32ac658 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Tracker3.Miner.Files +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Tracker3.Miner.Files @@ -14,6 +14,6 @@ member=Query peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor index 0f371f79ba..7715ddf451 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor @@ -6,6 +6,6 @@ #aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore index f65d8c9395..2b61041591 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore @@ -16,6 +16,6 @@ member=Lookup peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop index d5a14eec2a..abd818877c 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop @@ -64,6 +64,6 @@ member=Close peer=(name=@{busname}, label=xdg-desktop-portal), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig index f275850cd1..2572a2e458 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig @@ -21,6 +21,6 @@ member=MonitorsChanged peer=(name="@{busname}", label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect index b53acf6101..887ce10cc7 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect @@ -16,6 +16,6 @@ member={RunningApplicationsChanged,WindowsChanged} peer=(name="@{busname}", label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 index ae8b68448b..b1868ce316 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 @@ -16,7 +16,7 @@ member=*Cancel peer=(name=@{busname}, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/session/org.gnome.keyring.internal.Prompter index 0816b046f2..c25fb66b76 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.keyring.internal.Prompter +++ b/apparmor.d/abstractions/bus/session/org.gnome.keyring.internal.Prompter @@ -23,6 +23,6 @@ member={PromptReady,PromptDone} peer=(name=@{busname}, label=pinentry-*), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles index 7e75609922..1033512ce9 100644 --- a/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles @@ -6,6 +6,6 @@ #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl index df65417dad..faad033200 100644 --- a/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl @@ -6,6 +6,6 @@ #aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/net.reactivated.Fprint b/apparmor.d/abstractions/bus/system/net.reactivated.Fprint index 0241fc8897..ab410dafc8 100644 --- a/apparmor.d/abstractions/bus/system/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/system/net.reactivated.Fprint @@ -21,6 +21,6 @@ member={GetDevices,GetDefaultDevice} peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 index 4f53ba497b..1ef86ff588 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 @@ -16,6 +16,6 @@ member=GetManagedObjects peer=(name="@{busname}", label="@{p_ModemManager}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager index a22a235fb0..8177f470f8 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager @@ -56,6 +56,6 @@ member=StateChanged peer=(name=@{busname}, label=NetworkManager), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit index a4f9ba9b9f..aa9aeaab36 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit @@ -27,6 +27,6 @@ interface=org.freedesktop.PackageKit.Transaction peer=(label=packagekitd), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 index a37efccf33..32edc2e637 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 @@ -28,6 +28,6 @@ member=RegisterAuthenticationAgentWithOptions peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 index f66fdb20a4..0425823b49 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 @@ -22,6 +22,6 @@ member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 index c97e83d714..9a1d0a309b 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 @@ -36,6 +36,6 @@ member=Completed peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles index 45e88b1037..4f11b5aebb 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles @@ -6,6 +6,6 @@ #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 index 165e3ae6ec..f2c670025d 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 @@ -11,6 +11,6 @@ member=Get peer=(name=org.freedesktop.hostname1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.network1 b/apparmor.d/abstractions/bus/system/org.freedesktop.network1 index 7583a3e9dc..2f2a5cb594 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.network1 @@ -6,6 +6,6 @@ #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 index c673637e5d..309e7618dc 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 @@ -19,6 +19,6 @@ member=PrepareForSleep peer=(name=@{busname}, label=systemd-logind), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index afac0b82ab..48a26fe35d 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -7,7 +7,7 @@ abi , include - include + include include include include diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 88f94e5760..ded7fd7496 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -8,7 +8,7 @@ abi , include - include + include owner @{user_cache_dirs}/dconf/ w, owner @{user_cache_dirs}/dconf/user w, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 28bae24978..f07126887a 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -64,7 +64,7 @@ profile aa-notify @{exec_path} { profile editor { include include - include + include include include diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2ff50112d5..1b026a436c 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -13,7 +13,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 345c5f9c6a..357e452aca 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -13,10 +13,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include + include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index b627106f0f..ef5aecc8ae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -12,8 +12,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include include - include include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2eb8eeeb7c..e7e3496a07 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -11,7 +11,7 @@ include profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include - include + include include # Needed for configuring HCI interfaces diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index ee56ba6e83..544ae9ef8c 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -12,7 +12,7 @@ profile obexd @{exec_path} { include include include - include + include include network bluetooth stream, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index b4c0dc644f..0908ce247d 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -9,14 +9,15 @@ include @{exec_path} = @{sbin}/cups-browsed profile cups-browsed @{exec_path} flags=(attach_disconnected) { include + include include - include include include include include include include + include include capability net_admin, diff --git a/apparmor.d/groups/cups/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism index 89d517631f..7c6aee8a14 100644 --- a/apparmor.d/groups/cups/cups-pk-helper-mechanism +++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism @@ -11,7 +11,7 @@ include profile cups-pk-helper-mechanism @{exec_path} { include include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index ce6b36277d..c56a4a70c1 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -11,9 +11,9 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include + include capability dac_read_search, capability mknod, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 518ac53f1d..349e50fe12 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,9 +11,10 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include - include + include include include + include capability sys_ptrace, @@ -30,11 +31,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=NetworkManager), - @{exec_path} mr, @{bin}/flatpak rPx, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index ce1089c7fb..96b92409bc 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -13,7 +13,7 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 85e2771985..abbfec94b9 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -11,7 +11,7 @@ include profile accounts-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 4378f584cb..d4e48d4d05 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -10,7 +10,7 @@ include profile boltd @{exec_path} flags=(attach_disconnected) { include include - include + include include capability net_admin, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 2f3d976a7a..593b6909f3 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -11,7 +11,7 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index e5697d4c9b..7d2cd82f41 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -10,14 +10,14 @@ include profile geoclue @{exec_path} flags=(attach_disconnected) { include include - include - include include include include include include + include include + include include include diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 04b08ecc4c..9311300a0e 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -13,7 +13,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 83ee32baad..99070af2da 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -13,7 +13,7 @@ profile pipewire-media-session @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index e6e6e59c5f..fa20e82331 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -13,7 +13,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include include - include + include include capability sys_ptrace, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 60051f7777..6d3c568453 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,12 +14,12 @@ profile pulseaudio @{exec_path} { include include include - include - include include include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 08650c9255..c5a54dc28f 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -13,7 +13,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { include include include - include + include include capability net_admin, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 3c43947f20..cd599fb1d8 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -10,11 +10,11 @@ include profile wireplumber @{exec_path} { include include + include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 762c20e83c..fc13c777ff 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -10,11 +10,11 @@ include profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include - include include include include - include + include + include include network unix stream, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 08a9a3cfa6..5d98c4e456 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -13,11 +13,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include - include - include - include - include - include + include + include include include include @@ -25,6 +22,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 675c91f1b6..375cc16a86 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -12,8 +12,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index aa4a1395bb..bcb68acb1a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -12,15 +12,15 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 84c0fce420..d4d224b5db 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -10,7 +10,7 @@ include profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 9c0a248643..fa18883781 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -14,7 +14,7 @@ include profile xorg @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 59b3c5d408..a6e4729078 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -11,8 +11,7 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include + include include include include @@ -20,6 +19,7 @@ profile deja-dup-monitor @{exec_path} { include include include + include network netlink raw, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 1b9051a4a4..50fadf10ac 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,12 +11,12 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include - include include + include include include include + include include include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 87cce8fbca..a6fb8b493b 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -11,12 +11,12 @@ profile evolution-calendar-factory @{exec_path} { include include include - include include include include include include + include include include diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 8fa32d2baf..32c1deb570 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -24,7 +24,7 @@ include profile gjs @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -36,8 +36,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { # Only needed by gnome-extension-ding include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index cd46dd069c..99c9e932db 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -12,7 +12,7 @@ profile gnome-boxes @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index d59182c3d6..aac5789dec 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -10,12 +10,12 @@ include profile gnome-calendar @{exec_path} { include include + include include - include - include - include + include include include + include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index b5ae5672ab..a26f5919c9 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -10,8 +10,7 @@ include profile gnome-characters @{exec_path} { include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 6458d3c508..32f7db3b54 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -11,7 +11,7 @@ profile gnome-clocks @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index b6474cf55b..fe606fb10c 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-contacts profile gnome-contacts @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index e934717b6d..e80c5d21b1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -13,7 +13,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 6d24e72c10..6048d3dc73 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,7 +10,7 @@ include profile gnome-control-center-search-provider @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 9f848be8e6..e025511daa 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -15,8 +15,7 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include + include include include include @@ -26,6 +25,7 @@ profile gnome-extension-ding @{exec_path} { include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 5417167978..dad0e6553e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -15,14 +15,13 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include - include - include - include + include + include + include + include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 6a93ea1606..926cdcfd2d 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -12,12 +12,12 @@ profile gnome-initial-setup @{exec_path} { include include include - include include include include include include + include include network inet dgram, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 589919c5a8..ae2b7d5908 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -12,8 +12,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index c3631ddb71..3536ea4cae 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -11,7 +11,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index db0cab6031..790b78e4e8 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -11,8 +11,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index cb68dc30a4..7dd4d7f90f 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -14,19 +14,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include - include - include - include - include - include - include - include - include - include - include - include - include + include + include + include include include include @@ -95,17 +85,26 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # only dbus directive is used for this. Later, some communications could be # restricted. + #aa:dbus talk bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control + #aa:dbus talk bus=system name=net.reactivated.Fprint label="@{p_fprintd}" #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + #aa:dbus talk bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.gnome.* label=gnome-* @@ -134,10 +133,21 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Embed peer=(name=org.a11y.atspi.Registry), - dbus receive bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=JobRemoved - peer=(name=@{busname}, label="@{p_systemd_user}"), + # Server side of abstractions/bus/org.gnome.keyring.internal.Prompter + dbus receive bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + dbus send bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + # Server side of abstractions/bus/session/org.freedesktop.Notifications + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={ActionInvoked,NotificationClosed,NotificationReplied} + peer=(name=org.freedesktop.DBus, label=gjs), # FIXME: I think gnome-shell is the owner of the notifications, it should then be # fully allowed to send/receive to/from anyone. @@ -184,7 +194,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded peer=(name=@{busname}, label=NetworkManager), - + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), dbus send bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index a6e36f21a6..cda5ee539a 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -11,11 +11,11 @@ profile gnome-software @{exec_path} { include include include - include - include + include include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 152b28ff7d..93ad3960dc 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 2aa93485af..16a3cbdd6e 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -11,7 +11,7 @@ profile gnome-terminal-server @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 4576608568..1a83eda4c3 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -9,8 +9,7 @@ include @{exec_path} = @{bin}/gnome-text-editor profile gnome-text-editor @{exec_path} flags=(attach_disconnected) { include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index b7c138285b..1b1c49cb77 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -11,10 +11,10 @@ profile goa-daemon @{exec_path} { include include include - include include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index f2504a895f..b9b0013cae 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -11,7 +11,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 1b90028ed7..9559602246 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -11,8 +11,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index d5a5fd2ddf..bb3b40e4ec 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -11,7 +11,7 @@ profile gsd-disk-utility-notify @{exec_path} flags=(attach_disconnected) { include include include - include + include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index dfc73affa3..68714b7b0e 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -12,7 +12,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index ca5ba9268f..c1bf55b7d8 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -12,18 +12,16 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include include include - include include include include include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index d77f4a3cb2..3e1fc98fef 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -11,10 +11,10 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include include + include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 2c5d55fbfd..b45e79e221 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -11,10 +11,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 84950ac78c..55a31f31ad 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -12,8 +12,8 @@ profile gsd-xsettings @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 5f58b6426d..9e7123012d 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -11,7 +11,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 289509055b..1d24c7f2c2 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -11,7 +11,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 06e9119ba7..8ed2bc00cd 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -11,12 +11,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include - include - include - include - include + include + include + include include + include include include include diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 432ac2cbfb..e11f59e772 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/papers profile papers @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index c34526ee1e..88ffbf9731 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -12,7 +12,7 @@ profile seahorse @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 370fb0a253..2de2d5fb92 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -12,7 +12,7 @@ profile dolphin @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index cc844ce172..22d032f476 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -10,7 +10,7 @@ include profile kauth-backlighthelper @{exec_path} { include include - include + include include include diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 119b5508dc..f52bed2f2f 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -10,8 +10,8 @@ include profile kauth-chargethresholdhelper @{exec_path} { include include + include include - include #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index 8fcec5a2c3..9acd2124b5 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -10,7 +10,7 @@ include profile kauth-discretegpuhelper @{exec_path} { include include - include + include include #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 2e60e6a0aa..bf8ddab9be 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -10,7 +10,7 @@ include profile kauth-kded-smart-helper @{exec_path} { include include - include + include include #aa:dbus own bus=system name=org.kde.kded.smart diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 904abedb12..2511cf844b 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -14,11 +14,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include - include include include include include + include include capability wake_alarm, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index cc402bbd94..5baed5a792 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -13,10 +13,8 @@ profile kded @{exec_path} { include include include - include - include - include include + include include include include @@ -62,8 +60,15 @@ profile kded @{exec_path} { # Talk with KDE - #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + # The strategy with dbus rules in this profile is first to declare all communications + # needed on buses and to limit them only to their profiles in apparmor.d. As such, + # only dbus directive is used for this. Later, some communications could be + # restricted. + #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 1186f0db2e..d57cf70d83 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,7 +13,6 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 250249f39a..462e52ea5a 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -13,7 +13,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 46328bf0c2..b5d5f47001 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -14,8 +14,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include - include + include include include include @@ -24,6 +23,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index e6487e3268..a11df44320 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -11,7 +11,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 1a25b8d6c3..5165e3c0ca 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -10,10 +10,9 @@ include profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include - include + include include - include - include + include include include include @@ -44,6 +43,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 7e8eb98d39..dad0604be9 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -10,8 +10,8 @@ include profile nm-online @{exec_path} flags=(attach_disconnected) { include include - include include + include dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index 5882c6d400..67dae193e1 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -11,7 +11,7 @@ include profile pkttyagent @{exec_path} { include include - include + include include include diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 87e535b3f5..a224850387 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -14,8 +14,8 @@ profile snapd @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 764dff6c8f..e4298f97ba 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -11,7 +11,7 @@ include profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_admin, # To set a hostname diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index bae6e366f7..2ce9dae6f1 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -11,7 +11,7 @@ include profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include + include include include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index a20694ff0d..d1d51ad0ff 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -11,7 +11,7 @@ include profile systemd-networkd @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 09a5ba9ceb..1bb514fad8 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -13,7 +13,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 70b02475ee..d0248237bf 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -13,13 +13,13 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include include - include - include include include include include + include include include include diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 559d21fc7c..3d01253ea8 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,12 +11,12 @@ profile cockpit-bridge @{exec_path} { include include include - include - include - include + include + include include include include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 654e401176..185b0771be 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -9,7 +9,8 @@ include @{exec_path} = @{bin}/baobab profile baobab @{exec_path} { include - include + include + include include include diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index bf1f8fc02a..e4ca0288d3 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -13,8 +13,9 @@ include profile calibre @{exec_path} { include include - include - include + include + include + include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 59cfa3577a..036d78ad25 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -16,8 +16,8 @@ include profile element-desktop @{exec_path} flags=(attach_disconnected) { include include - include - include + include + include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 033bdadc82..705220d27b 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -10,9 +10,8 @@ include profile evince @{exec_path} { include include - include - include - include + include + include include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 20a68d90fd..3dd695a0f6 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -10,15 +10,16 @@ include @{exec_path} = @{lib}/{,fwupd/}fwupd profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include + include include - include - include - include + include include include include include + include include + include include include diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 2d781a734c..0abf729af5 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -11,9 +11,9 @@ include profile fwupdmgr @{exec_path} flags=(attach_disconnected) { include include - include include include + include include include diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index c68188acb0..2ff8f2adef 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,7 +11,7 @@ profile gimp @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index c9ebc5c734..86824d5e78 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -14,7 +14,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend index 2509b3621b..c6013c06e2 100644 --- a/apparmor.d/profiles-g-l/localsend +++ b/apparmor.d/profiles-g-l/localsend @@ -11,7 +11,7 @@ profile localsend @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index bf3979029e..03e4d9e475 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -12,9 +12,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { include #aa:only apt include include - include - include + include include + include include capability chown, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 28ff0591e7..44144a4bfd 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -11,7 +11,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index c4fdb486a5..005fb63d34 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -13,9 +13,9 @@ profile remmina @{exec_path} flags=(attach_disconnected) { include include include - include + include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 68837a52d2..85b97533b7 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -11,7 +11,7 @@ include profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 3b022a0722..aa7ccb6488 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,15 +9,14 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include include include include - include - include - include + include + include include include + include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 33957504c6..9323e054d3 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -10,7 +10,7 @@ include profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_nice, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index c3decdeebf..7e73328673 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -18,8 +18,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 5c0e2fa330..4a923deebe 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -18,10 +18,11 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include + include include include include diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 84f6d52d32..39c4c949d9 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -13,8 +13,8 @@ profile system-config-printer @{exec_path} flags=(complain) { include include include - include - include + include + include include include include diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 4c27ee2cae..01ca79e066 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -12,7 +12,7 @@ include profile thermald @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_boot, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index d6891c2db0..9e0366a6c1 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -11,7 +11,7 @@ include profile tlp @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 42181500b0..97a307b144 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -10,7 +10,7 @@ include profile zsysd @{exec_path} flags=(complain) { include include - include + include include capability sys_ptrace, From 2fb89d5ea6b93e9fde44bd6d3f308cdc40951265 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 22:17:51 +0200 Subject: [PATCH 0947/1736] feat(abs): add com.canonical.AppMenu.Registrar. --- .../session/com.canonical.AppMenu.Registrar | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/com.canonical.AppMenu.Registrar diff --git a/apparmor.d/abstractions/bus/session/com.canonical.AppMenu.Registrar b/apparmor.d/abstractions/bus/session/com.canonical.AppMenu.Registrar new file mode 100644 index 0000000000..7a95e0f2bf --- /dev/null +++ b/apparmor.d/abstractions/bus/session/com.canonical.AppMenu.Registrar @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016-2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access for connecting to/communication with the appmenu + + abi , + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus send bus=session path=/com/canonical/AppMenu/Registrar + interface=com.canonical.AppMenu.Registrar + member={RegisterWindow,UnregisterWindow} + peer=(name=@{busname}, label="@{pp_dbusmenu}"), + + dbus send bus=session path=/com/canonical/AppMenu/Registrar + interface=com.canonical.dbusmenu + member=UnregisterWindow + peer=(name=@{busname}, label="@{pp_dbusmenu}"), + + dbus receive bus=session path=/com/canonical/menu/@{int} + interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} + member={GetAll,GetLayout} + peer=(name=@{busname}, label="@{pp_dbusmenu}"), + + include if exists + +# vim:syntax=apparmor From e35f84f619721a7bd23a91b32706e416b31332f7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 22:18:07 +0200 Subject: [PATCH 0948/1736] feat(abs): add com.canonical.dbusmenu. --- .../bus/session/com.canonical.dbusmenu | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/com.canonical.dbusmenu diff --git a/apparmor.d/abstractions/bus/session/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/session/com.canonical.dbusmenu new file mode 100644 index 0000000000..e76d0646e9 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/com.canonical.dbusmenu @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Dbus menu + + abi , + + dbus send bus=session path=/{MenuBar{,/@{hex}},com/canonical/{menu/@{hex},dbusmenu}} + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(label="@{pp_dbusmenu}"), + + dbus receive bus=session path=/{MenuBar{,/@{hex}},com/canonical/{menu/@{hex},dbusmenu}} + interface=com.canonical.dbusmenu + member=Get* + peer=(label="@{pp_dbusmenu}"), + + dbus receive bus=session path=/{MenuBar{,/@{hex}},com/canonical/{menu/@{hex},dbusmenu}} + interface=com.canonical.dbusmenu + member={AboutTo*,Event*} + peer=(label="@{pp_dbusmenu}"), + + dbus receive bus=session path=/{MenuBar{,/@{hex}},com/canonical/{menu/@{hex},dbusmenu}} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label="@{pp_dbusmenu}"), + + include if exists + +# vim:syntax=apparmor From 5ce0d65edc26724d8d58566064f329c2be223b1c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 22:18:39 +0200 Subject: [PATCH 0949/1736] feat(abs): add org.ayatana.NotificationItem --- .../bus/session/org.ayatana.NotificationItem | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem diff --git a/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem b/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem new file mode 100644 index 0000000000..9260abb2fd --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/ayatana/NotificationItem/* + interface=org.kde.StatusNotifierItem + member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} + peer=(name=@{busname}, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/org/ayatana/NotificationItem/*/Menu + interface=com.canonical.dbusmenu + member={AboutToShow,Event,GetGroupProperties,GetLayout} + peer=(name=@{busname}, label="@{pp_app_indicator}"), + + include if exists + +# vim:syntax=apparmor From 9f57a7219f2a91bae2e5f3f9179a3a58f5d828f0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 22:19:48 +0200 Subject: [PATCH 0950/1736] feat(abs): add org.freedesktop.portal.NetworkMonitor --- .../org.freedesktop.portal.NetworkMonitor | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.portal.NetworkMonitor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.NetworkMonitor b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.NetworkMonitor new file mode 100644 index 0000000000..79e0add83b --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.NetworkMonitor @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to xdg-desktop-portal NetworkMonitor methods and signals + + abi , + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.NetworkMonitor + member=GetStatus + peer=(name=@{busname}, label=xdg-desktop-portal), + + include if exists + +# vim:syntax=apparmor From 544646266b552e7f8cefe13aefc5e766158f8c6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 22:20:05 +0200 Subject: [PATCH 0951/1736] feat(abs): add org.kde.JobView --- .../abstractions/bus/session/org.kde.JobView | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.kde.JobView diff --git a/apparmor.d/abstractions/bus/session/org.kde.JobView b/apparmor.d/abstractions/bus/session/org.kde.JobView new file mode 100644 index 0000000000..b7c69656e6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.kde.JobView @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Allow to send updates to the desktop session about ongoing jobs + # (for KDE Plasma specific details) + + dbus send bus=session path=/JobViewServer + interface=org.kde.JobViewServer{,V2} + member=requestView + peer=(label=plasmashell), + + dbus send bus=session path=/org/kde/notificationmanager/jobs/* + interface=org.kde.JobView{,V2,V3} + member={update,terminate} + peer=(label=plasmashell), + + # Allow to receive updates from applications to the desktop session about ongoing jobs + # (for KDE Plasma specific details) + + dbus receive bus=session path=/JobViewServer + interface=org.kde.JobViewServer{,V2} + member=requestView + peer=(label=plasmashell), + + dbus send bus=session path=/org/kde/notificationmanager/jobs/* + interface=org.kde.JobView{,V2,V3} + member={update,terminate} + peer=(label=plasmashell), + + include if exists + +# vim:syntax=apparmor From 53f78ece8c7600deaeab12967b25be350f70aaac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Oct 2025 22:52:26 +0200 Subject: [PATCH 0952/1736] feat(abs): rewrite org.freedesktop.NetworkManager --- .../bus/system/org.freedesktop.NetworkManager | 88 ++++++++++++------- .../abstractions/network-manager-observe | 4 +- 2 files changed, 59 insertions(+), 33 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager index 8177f470f8..96dfd5cb92 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager @@ -2,58 +2,84 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# Allows observing NetworkManager settings. It grants access to listing +# MAC addresses, previous networks, etc but not secrets. - #aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager + abi , - dbus send bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member={GetManagedObjects,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + # DBus.Properties: read properties from the interface dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member={GetDevices,GetPermissions} - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings - interface=org.freedesktop.NetworkManager.Settings - member=ListConnections - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager/*/@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} - interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/*/@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=NetworkManager), + + # DBus.ObjectManager: allow clients to enumerate sources + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=CheckPermissions - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + # org.freedesktop.NetworkManager - dbus receive bus=system path=/org/freedesktop/NetworkManager + dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member=CheckPermissions - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + member={GetDevices,GetAllDevices,GetDeviceByIpIface} + peer=(name=@{busname}, label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/*/@{int} + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=@{busname}, label=NetworkManager), + + # org.freedesktop.NetworkManager.Settings + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings + interface=org.freedesktop.NetworkManager.Settings + member=ListConnections + peer=(name=@{busname}, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=@{busname}, label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=Updated - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} - interface=org.freedesktop.NetworkManager.Connection.Active - member=StateChanged peer=(name=@{busname}, label=NetworkManager), include if exists diff --git a/apparmor.d/abstractions/network-manager-observe b/apparmor.d/abstractions/network-manager-observe index 21a50b0bb8..64e6951e57 100644 --- a/apparmor.d/abstractions/network-manager-observe +++ b/apparmor.d/abstractions/network-manager-observe @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Allows observing NetworkManager settings. It grants access to listing @@ -8,7 +8,7 @@ abi , - include + include include if exists From a50a6f42a6b814a321191efe313efd31036e21a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:09:12 +0200 Subject: [PATCH 0953/1736] feat(abs): add app-indicator. --- apparmor.d/abstractions/app-indicator | 14 ++++++ .../bus/session/org.kde.StatusNotifierItem | 9 ++++ .../bus/session/org.kde.StatusNotifierWatcher | 47 +++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 apparmor.d/abstractions/app-indicator create mode 100644 apparmor.d/abstractions/bus/session/org.kde.StatusNotifierWatcher diff --git a/apparmor.d/abstractions/app-indicator b/apparmor.d/abstractions/app-indicator new file mode 100644 index 0000000000..6e85a202f9 --- /dev/null +++ b/apparmor.d/abstractions/app-indicator @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# App Indicator, modern systray icons + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index 8ddc66143d..f84526c267 100644 --- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -2,8 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Own a StatusNotifierItem name. It gives ownership on any StatusNotifierItem + # names + abi , + # Required to own 'org.kde.StatusNotifierItem-@{int}' include dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, @@ -28,6 +32,11 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={Activate,ContextMenu,Scroll,SecondaryActivate,ProvideXdgActivationToken,XAyatanaSecondaryActivate} + peer=(name=@{busname}, label="@{pp_app_indicator}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierWatcher new file mode 100644 index 0000000000..28983d20f1 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierWatcher @@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow to display Status Notifier Items in the KDE Plasma systray (including supporting context menu) + + abi , + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_notification}"), + + dbus send bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{pp_notification}"), + + dbus receive bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=@{busname}, label="@{pp_notification}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name="{@{busname},org.kde.StatusNotifierWatcher}", label="@{pp_notification}"), + + dbus receive bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=@{busname}, label="@{pp_notification}"), + + dbus send bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={ProvideXdgActivationToken,Activate} + peer=(name=@{busname}, label="@{pp_notification}"), + + dbus send bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={AboutToShow,GetLayout,Event} + peer=(name=@{busname}, label="@{pp_notification}"), + + include if exists + +# vim:syntax=apparmor From 6315e328696b14a0224762e334ce67e7e6cd81d9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:09:49 +0200 Subject: [PATCH 0954/1736] feat(tunable): update pp profiles. --- apparmor.d/tunables/multiarch.d/profiles | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 67bf2b0ec2..82b549b036 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -70,11 +70,13 @@ @{p_xdg_desktop_portal}=xdg-desktop-portal # Profiles Patterns -# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution +# Fit to an action that can be handled by multiple profiles depending on the +# software installed and the distribution # Notification @{pp_notification}={plasmashell,gjs} @{pp_app_indicator}={plasmashell,gnome-shell} -@{pp_dbusmenu}={plasmashell,nautilus} +@{pp_dbusmenu}={plasmashell,nautilus,gnome-shell} +@{pp_mpris}={plasmashell,mpris-proxy,gnome-shell,gsd-media-keys} # vim:syntax=apparmor From c30718802f2320086cd8360f1a45103255d7063b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:11:04 +0200 Subject: [PATCH 0955/1736] feat(abs): basic bus profiles improvment. --- .../bus/session/com.canonical.Unity.LauncherEntry | 1 + apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 | 4 ++-- .../abstractions/bus/system/org.freedesktop.NetworkManager | 5 +++++ apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 | 4 ++-- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry index 3db751caa7..a612868d12 100644 --- a/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/session/com.canonical.Unity.LauncherEntry @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 index 0a208dc8ff..946594a7ed 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -22,9 +22,9 @@ member=PropertiesChanged peer=(label="@{p_systemd_user}"), - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member=SetEnvironment + member={SetEnvironment,UnsetAndSetEnvironment,ResetFailed} peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), # List units diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager index 96dfd5cb92..8cb8088ce8 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager @@ -55,6 +55,11 @@ member={GetDevices,GetAllDevices,GetDeviceByIpIface} peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetPermissions + peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 index 2322c88797..eff42d1f08 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 @@ -22,10 +22,10 @@ member=PropertiesChanged peer=(label="@{p_systemd}"), - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={SetEnvironment,UnsetAndSetEnvironment,ResetFailed} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), # List units dbus send bus=system path=/org/freedesktop/systemd1 From 4a8b5da8427d699a7513089d94267d95725e472e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:15:54 +0200 Subject: [PATCH 0956/1736] feat(abs): improve some dbus based abs. --- apparmor.d/abstractions/accounts-observe | 17 ++++++++++++++++- apparmor.d/abstractions/screen-inhibit | 4 ++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/accounts-observe b/apparmor.d/abstractions/accounts-observe index 85e6bb8c97..65ba4b8a27 100644 --- a/apparmor.d/abstractions/accounts-observe +++ b/apparmor.d/abstractions/accounts-observe @@ -8,6 +8,11 @@ abi , + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), + dbus send bus=system path=/org/freedesktop/Accounts/User@{int} interface=org.freedesktop.DBus.Properties member={Get,GetAll} @@ -26,13 +31,23 @@ dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserById,FindUserByName} - peer=(name=org.freedesktop.Accounts, label="@{p_accounts_daemon}"), + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member={ListCachedUsers,GetUsersLanguages} + peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} interface=org.freedesktop.Accounts.User member=Changed peer=(name=@{busname}, label="@{p_accounts_daemon}"), + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member={UserAdded,UserDeleted} + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screen-inhibit b/apparmor.d/abstractions/screen-inhibit index 7deba76093..02189e1745 100644 --- a/apparmor.d/abstractions/screen-inhibit +++ b/apparmor.d/abstractions/screen-inhibit @@ -12,12 +12,12 @@ dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name=@{busname}, label="@{p_gnome_session}"), dbus send bus=session path=/ScreenSaver interface=org.gnome.ScreenSaver member=SimulateUserActivity - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name=@{busname}, label="@{p_gnome_session}"), # Generic freedesktop, not using bus/session/org.freedesktop.ScreenSaver as # it allows too much From ec986a670c79b58831fb101b7ff93c2bfa0d7d4a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:16:35 +0200 Subject: [PATCH 0957/1736] feat(abs): improve hwmon. --- apparmor.d/abstractions/hwmon | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/hwmon b/apparmor.d/abstractions/hwmon index e9bdb910e3..27d5d3de41 100644 --- a/apparmor.d/abstractions/hwmon +++ b/apparmor.d/abstractions/hwmon @@ -6,10 +6,12 @@ @{sys}/class/hwmon/ r, + @{sys}/devices/**/hwmon@{int}/ r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_input r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_label r, @{sys}/devices/**/hwmon@{int}/name r, @{sys}/devices/**/hwmon@{int}/temp@{int}_input r, @{sys}/devices/**/hwmon@{int}/temp@{int}_label r, - @{sys}/devices/**/hwmon/hwmon@{int}/temp@{int}_input r, include if exists From 085a55f99d15f89db665381268af102968900d6d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:19:28 +0200 Subject: [PATCH 0958/1736] feat(abs): graphics: give more info on gpu state. --- apparmor.d/abstractions/graphics | 2 ++ apparmor.d/abstractions/graphics-full | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index de74ff8c6c..03c653c045 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -14,6 +14,8 @@ @{sys}/bus/pci/devices/ r, + @{sys}/devices/system/ r, + @{sys}/devices/system/cpu/cpu@{int}/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/coherency_line_size r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index de5f865b52..ce00659752 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -8,6 +8,12 @@ include include + @{sys}/devices/@{pci}/gpu_busy_percent r, + @{sys}/devices/@{pci}/mem_info_gtt_total r, + @{sys}/devices/@{pci}/mem_info_gtt_used r, + @{sys}/devices/@{pci}/mem_info_vram_total r, + @{sys}/devices/@{pci}/mem_info_vram_used r, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 include if exists From 6a401369c3e9fa4785d9491ae6a0b2f55ec09705 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:20:24 +0200 Subject: [PATCH 0959/1736] feat(abs): add fonts-strict. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/fonts-strict | 36 ++++++++++++++++++++++++++++ apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/abstractions/xfce | 2 +- 5 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/abstractions/fonts-strict diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index b5438917ce..0d19391ced 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -11,7 +11,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/fonts-strict b/apparmor.d/abstractions/fonts-strict new file mode 100644 index 0000000000..3736ccd7ac --- /dev/null +++ b/apparmor.d/abstractions/fonts-strict @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2024-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + + /usr/local/share/fonts/{,**} r, + /usr/share/*-fonts/conf.avail/{,**} r, + /usr/share/a2ps/fonts/{,**} r, + /usr/share/AbiSuite/fonts/** r, + /usr/share/fontconfig/conf.avail/{,**} r, + /usr/share/fonts-*/{,**} r, + /usr/share/fonts/{,**} r, + /usr/share/ghostscript/fonts/{,**} r, + /usr/share/javascript/*/fonts/{,**} r, + /usr/share/libthai/thbrk.tri r, + /usr/share/texlive/texmf-dist/fonts/{,**} r, + /usr/share/texmf/{,*/}fonts/{,**} r, + /usr/share/xfce{,4}/fonts/{,**} r, + + /etc/fonts/{,**} r, + + /var/cache/fonts/{,**} r, + + owner @{HOME}/.fonts.conf r, + owner @{HOME}/.fonts.conf.d/{,**} r, + owner @{HOME}/.fonts/{,**} r, + owner @{user_share_dirs}/fonts/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 48fcf24070..2992867f8e 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -7,7 +7,7 @@ # Common abstractions for any desktop environment include include - include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index a9220026e3..a452a65138 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -7,7 +7,7 @@ # Common abstractions for any desktop environment include include - include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 193af858b6..71c47eef29 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -7,7 +7,7 @@ # Common abstractions for any desktop environment include include - include + include include include include From a4541db42540c71ca2d6ef3661ecdb375c774162 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:21:54 +0200 Subject: [PATCH 0960/1736] feat(abs): add power-profiles. --- apparmor.d/abstractions/power-profiles | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/power-profiles diff --git a/apparmor.d/abstractions/power-profiles b/apparmor.d/abstractions/power-profiles new file mode 100644 index 0000000000..60da8a3164 --- /dev/null +++ b/apparmor.d/abstractions/power-profiles @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow to read power profiles configuration. + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor From 1ecb95aa6eed9e51de8701efb613787231c97fdc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 00:54:02 +0200 Subject: [PATCH 0961/1736] feat(abs): add notification, app-indicator and portal Desktop to desktop. These are systematically needed by anything on a desktop and it will simpify the profiles a lot. --- apparmor.d/abstractions/app/chromium | 1 - apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/common/gnome | 4 ---- apparmor.d/abstractions/desktop | 4 ++++ apparmor.d/abstractions/gnome-strict | 4 ++++ apparmor.d/abstractions/kde-strict | 4 ++++ apparmor.d/abstractions/xfce | 4 ++++ apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 -- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 -- apparmor.d/groups/gnome/gnome-calendar | 1 - apparmor.d/groups/gnome/gnome-clocks | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-control-center-search-provider | 2 -- apparmor.d/groups/gnome/gnome-extension-ding | 1 - apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 - apparmor.d/groups/gnome/gnome-keyring-daemon | 1 - apparmor.d/groups/gnome/gnome-shell | 2 -- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/gnome-terminal-server | 2 -- apparmor.d/groups/gnome/gsd-housekeeping | 1 - apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/groups/gnome/loupe | 1 - apparmor.d/groups/gnome/mutter-x11-frames | 2 -- apparmor.d/groups/gnome/nautilus | 1 - apparmor.d/groups/gnome/ptyxis | 1 - apparmor.d/groups/gnome/seahorse | 2 -- apparmor.d/groups/ubuntu/software-properties-gtk | 1 - apparmor.d/groups/ubuntu/update-manager | 1 - apparmor.d/groups/ubuntu/update-notifier | 2 -- apparmor.d/profiles-a-f/dropbox | 3 --- apparmor.d/profiles-a-f/evince | 1 - apparmor.d/profiles-a-f/filezilla | 1 - apparmor.d/profiles-g-l/libreoffice | 1 - apparmor.d/profiles-m-r/remmina | 1 - apparmor.d/profiles-s-z/session-desktop | 1 - apparmor.d/profiles-s-z/signal-desktop | 1 - apparmor.d/profiles-s-z/spotify | 2 -- apparmor.d/profiles-s-z/superproductivity | 4 ---- apparmor.d/profiles-s-z/transmission | 3 --- 39 files changed, 16 insertions(+), 54 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 4982d8a346..0d4239187b 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -40,7 +40,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index b28bf57524..8c6c7d5b41 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -23,7 +23,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 48a26fe35d..8f6791bf18 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,16 +6,12 @@ abi , - include - include include include include /usr/share/@{profile_name}/{,**} r, - / r, - owner @{user_cache_dirs}/@{profile_name}/ rw, owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 0d19391ced..b9a0f4fcae 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -10,12 +10,16 @@ abi , include + include + include + include include include include include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 2992867f8e..e9885e0617 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -6,12 +6,16 @@ # Common abstractions for any desktop environment include + include + include + include include include include include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index a452a65138..5c24e58520 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,12 +6,16 @@ # Common abstractions for any desktop environment include + include + include + include include include include include include include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 71c47eef29..9e3628f3ba 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -6,12 +6,16 @@ # Common abstractions for any desktop environment include + include + include + include include include include include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 375cc16a86..3ee485b283 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -12,7 +12,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -22,7 +21,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include include network unix stream, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index bcb68acb1a..d5590d850b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -12,7 +12,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -21,7 +20,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index aac5789dec..144ad227f7 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -10,7 +10,6 @@ include profile gnome-calendar @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 32f7db3b54..e5509a6f3c 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -11,7 +11,6 @@ profile gnome-clocks @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index e80c5d21b1..ab008c85f6 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -13,7 +13,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 6048d3dc73..c96a9aa481 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -9,8 +9,6 @@ include @{exec_path} = @{lib}/gnome-control-center-search-provider profile gnome-control-center-search-provider @{exec_path} { include - include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e025511daa..6eb7291a08 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -24,7 +24,6 @@ profile gnome-extension-ding @{exec_path} { include include include - include include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index dad0e6553e..33009f740d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -26,7 +26,6 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index ae2b7d5908..1fdf8e4c43 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -12,7 +12,6 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7dd4d7f90f..449c5b63d7 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -16,7 +16,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -30,7 +29,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index cda5ee539a..b10ab78220 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -16,7 +16,6 @@ profile gnome-software @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 16a3cbdd6e..58ef2c5381 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,8 +10,6 @@ include profile gnome-terminal-server @{exec_path} { include include - include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 06beec3325..a1c029ff82 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -15,7 +15,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index c1bf55b7d8..9455c60144 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 9e7123012d..6beb4f2171 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -11,7 +11,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 1d24c7f2c2..ffe1d2661f 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -10,8 +10,6 @@ include profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include - include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 8ed2bc00cd..ce9fbc80ed 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -12,7 +12,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 3195d7f030..9b19a9b06e 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -11,7 +11,6 @@ profile ptyxis @{exec_path} { include include include - include unix type=stream peer=(label=ptyxis-agent), diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 88ffbf9731..3c303760e5 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -10,9 +10,7 @@ include profile seahorse @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 1bb514fad8..e08bc0577b 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -13,7 +13,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d0248237bf..9f56a6d31d 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -13,7 +13,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index d7676c5c69..a9c166007b 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -13,11 +13,9 @@ profile update-notifier @{exec_path} { include include include - include include include include - include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 57487b15c1..7cbb37bb36 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -15,12 +15,9 @@ include @{exec_path} = @{bin}/dropbox profile dropbox @{exec_path} { include - include - include include include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 705220d27b..79d8d38135 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -11,7 +11,6 @@ profile evince @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 34792057a6..8881184e52 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -16,7 +16,6 @@ profile filezilla @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 86824d5e78..c351e163ed 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -14,7 +14,6 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 005fb63d34..c225a6a17f 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -21,7 +21,6 @@ profile remmina @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 4fd9dff69b..fcb204aef8 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -18,7 +18,6 @@ profile session-desktop @{exec_path} { include include include - include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 54a63cacd7..40f8003e27 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -22,7 +22,6 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 7e73328673..bb79032cad 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -18,7 +18,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -27,7 +26,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 4a923deebe..f796f2171c 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -19,13 +19,9 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include include - include - include include include - include include network inet stream, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 05c1cc2e6b..b3975bb31e 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,13 +9,10 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include - include - include include include include include - include include include include From be4ca9bc158e0135ad457c36ed9822fab2b2fd09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 01:00:49 +0200 Subject: [PATCH 0962/1736] feat(abs): add portal.Settings to desktop. --- apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/xfce | 1 + apparmor.d/profiles-s-z/signal-desktop | 1 - apparmor.d/profiles-s-z/superproductivity | 1 - 7 files changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 8c6c7d5b41..fbddc771bb 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -23,7 +23,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index b9a0f4fcae..178e581c16 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index e9885e0617..360967331f 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -8,6 +8,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 5c24e58520..8eaff4c711 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -8,6 +8,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 9e3628f3ba..97b3ba6073 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -8,6 +8,7 @@ include include include + include include include include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 40f8003e27..ada50fc8ee 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -18,7 +18,6 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f796f2171c..e1a2e1cce4 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -19,7 +19,6 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include include include include From ac9c7d0f38eccc00326a241f72adfb9f3499d1b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 19:39:32 +0100 Subject: [PATCH 0963/1736] feat(profile): remove bus-session in profile with the desktop abs Similar to accessibility, it is now included in the desktop abs. --- apparmor.d/abstractions/app/chromium | 1 - apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/app/open | 2 -- apparmor.d/abstractions/common/app | 1 - apparmor.d/abstractions/common/electron | 1 - apparmor.d/groups/apparmor/aa-notify | 1 - apparmor.d/groups/bluetooth/blueman | 1 - apparmor.d/groups/bus/ibus-extension-gtk3 | 1 - apparmor.d/groups/bus/ibus-x11 | 1 - apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent | 1 - apparmor.d/groups/freedesktop/pulseaudio | 1 - apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 1 - apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 1 - apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/evolution-alarm-notify | 1 - apparmor.d/groups/gnome/evolution-user-prompter | 1 - apparmor.d/groups/gnome/gio-launch-desktop | 1 - apparmor.d/groups/gnome/gjs | 2 -- apparmor.d/groups/gnome/gnome-boxes | 1 - apparmor.d/groups/gnome/gnome-calculator-search-provider | 1 - apparmor.d/groups/gnome/gnome-characters-backgroudservice | 1 - apparmor.d/groups/gnome/gnome-contacts-search-provider | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-control-center-goa-helper | 1 - apparmor.d/groups/gnome/gnome-control-center-print-renderer | 1 - apparmor.d/groups/gnome/gnome-disk-image-mounter | 1 - apparmor.d/groups/gnome/gnome-disks | 1 - apparmor.d/groups/gnome/gnome-extension-ding | 1 - apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 - apparmor.d/groups/gnome/gnome-initial-setup | 1 - apparmor.d/groups/gnome/gnome-remote-desktop-daemon | 1 - apparmor.d/groups/gnome/gnome-session-binary | 1 - apparmor.d/groups/gnome/gnome-session-service | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/gnome/goa-daemon | 1 - apparmor.d/groups/gnome/gsd-color | 1 - apparmor.d/groups/gnome/gsd-housekeeping | 1 - apparmor.d/groups/gnome/gsd-keyboard | 1 - apparmor.d/groups/gnome/gsd-media-keys | 1 - apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/groups/gnome/gsd-wacom | 1 - apparmor.d/groups/gnome/gsd-xsettings | 1 - apparmor.d/groups/gnome/localsearch | 1 - apparmor.d/groups/gnome/loupe | 1 - apparmor.d/groups/gnome/nautilus | 1 - apparmor.d/groups/gnome/tracker-extract | 1 - apparmor.d/groups/gnome/tracker-miner | 1 - apparmor.d/groups/gnome/tracker-writeback | 1 - apparmor.d/groups/gnome/tracker-xdg-portal | 1 - apparmor.d/groups/kde/kscreen_backend_launcher | 2 -- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/groups/ubuntu/check-new-release-gtk | 1 - apparmor.d/groups/ubuntu/livepatch-notification | 1 - apparmor.d/groups/ubuntu/software-properties-gtk | 1 - apparmor.d/groups/ubuntu/ubuntu-advantage-notification | 1 - apparmor.d/groups/ubuntu/update-manager | 1 - apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/groups/xfce/tumblerd | 1 - apparmor.d/groups/xfce/xfce-session | 2 -- apparmor.d/profiles-a-f/alacarte | 1 - apparmor.d/profiles-a-f/atril | 1 - apparmor.d/profiles-a-f/calibre | 1 - apparmor.d/profiles-a-f/engrampa | 1 - apparmor.d/profiles-a-f/evince | 1 - apparmor.d/profiles-a-f/filezilla | 1 - apparmor.d/profiles-g-l/gimp | 1 - apparmor.d/profiles-g-l/gitg | 1 - apparmor.d/profiles-g-l/keepassxc | 1 - apparmor.d/profiles-g-l/kerneloops-applet | 1 - apparmor.d/profiles-g-l/libreoffice | 1 - apparmor.d/profiles-g-l/localsend | 1 - apparmor.d/profiles-m-r/mumble | 1 - apparmor.d/profiles-m-r/pinentry-gtk | 1 - apparmor.d/profiles-m-r/plank | 1 - apparmor.d/profiles-m-r/qbittorrent | 1 - apparmor.d/profiles-m-r/remmina | 1 - apparmor.d/profiles-m-r/rustdesk | 1 - apparmor.d/profiles-s-z/spice-vdagent | 1 - apparmor.d/profiles-s-z/system-config-printer | 1 - apparmor.d/profiles-s-z/telegram-desktop | 1 - apparmor.d/profiles-s-z/terminator | 1 - apparmor.d/profiles-s-z/virt-manager | 1 - apparmor.d/profiles-s-z/vlc | 1 - apparmor.d/profiles-s-z/wireshark | 1 - 84 files changed, 88 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 0d4239187b..199b2ac66b 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,7 +26,6 @@ include include - include include include include diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index fbddc771bb..26cf7f903e 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -20,7 +20,6 @@ abi , include - include include include include diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 1330d18dee..59ccd71ccb 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,8 +7,6 @@ abi , - include - include include # We cannot use `@{open_path} mrix,` here because it includes: diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 688e08674e..7e0a5d3eaf 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -14,7 +14,6 @@ include include - include include include include diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 49ada9425b..f6c3fe2fdf 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -20,7 +20,6 @@ abi , - include include include include diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index f07126887a..0d9c72312f 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -9,7 +9,6 @@ include @{exec_path} = @{sbin}/aa-notify profile aa-notify @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 59c76e33a4..00047fc340 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,7 +11,6 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 5553ec2ffc..e9cb2c51e2 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index a2625ab4e5..c7e04570af 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,7 +10,6 @@ include profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index bb48d0c5be..37cd951d8a 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -12,7 +12,6 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 6d3c568453..04a97e5bf3 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -12,7 +12,6 @@ include profile pulseaudio @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 3ee485b283..319ebfd539 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -10,7 +10,6 @@ include profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d5590d850b..4f36a69ce3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -10,7 +10,6 @@ include profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 9d10eac5d3..12cf109bd9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 501685b224..232b8e9269 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-user-prompter b/apparmor.d/groups/gnome/evolution-user-prompter index d1c095abfd..d2b46f33a7 100644 --- a/apparmor.d/groups/gnome/evolution-user-prompter +++ b/apparmor.d/groups/gnome/evolution-user-prompter @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/{,evolution-data-server/}evolution-user-prompter profile evolution-user-prompter @{exec_path} { include - include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 3652dd6e94..d9a9ba8b1b 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,7 +18,6 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 32c1deb570..c823403eaf 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -23,7 +23,6 @@ include @{exec_path} = @{bin}/gjs-console profile gjs @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -130,7 +129,6 @@ profile gjs @{exec_path} flags=(attach_disconnected) { profile gstreamer { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 99c9e932db..1e2767f011 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -10,7 +10,6 @@ include profile gnome-boxes @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 8400f03c1a..2e79369c40 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-calculator-search-provider profile gnome-calculator-search-provider @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 4b70cdfa60..57bd45a509 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService profile gnome-characters-backgroudservice @{exec_path} { include - include include include diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index 0abc39acd9..3c25791ad8 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-contacts-search-provider profile gnome-contacts-search-provider @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index ab008c85f6..7ed7c711b3 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -11,7 +11,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 687ac4d9e1..c8542443e8 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -10,7 +10,6 @@ include profile gnome-control-center-goa-helper @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index cbd1f1a75b..f341d8d1bb 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index d9959691b8..610d33e07b 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 4d5301262d..129ff13d8e 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-disks profile gnome-disks @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 6eb7291a08..bbd67c8e1d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -13,7 +13,6 @@ include profile gnome-extension-ding @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 33009f740d..a451c20e27 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -13,7 +13,6 @@ include profile gnome-extension-gsconnect @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 926cdcfd2d..7abef62af3 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -10,7 +10,6 @@ include profile gnome-initial-setup @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 3536ea4cae..093c6ff5d5 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-remote-desktop-daemon profile gnome-remote-desktop-daemon @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 790b78e4e8..9d7328fe1b 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 1a76093bea..81131afbe6 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-session-service profile gnome-session-service @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 449c5b63d7..750b422e73 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -12,7 +12,6 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 1b1c49cb77..5aec1c3a72 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/goa-daemon profile goa-daemon @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index b9b0013cae..8f79ba974f 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index a1c029ff82..92652e760a 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,7 +10,6 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 0b0c671bf4..98b339c199 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 68714b7b0e..1d010d7779 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,7 +10,6 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 9455c60144..30bdf62997 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,7 +10,6 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index e36ff1362e..f76ba7df6b 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 55a31f31ad..cf37bfd8f0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -10,7 +10,6 @@ include profile gsd-xsettings @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 1b718dd4ae..a010133009 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/localsearch @{lib}/localsearch-3 profile localsearch @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6beb4f2171..370cbd1af9 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index ce9fbc80ed..495c5e8c73 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 746026fe09..b8a59e2440 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/tracker-extract-3 profile tracker-extract @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 7ca03ab661..2855117fd7 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/tracker-miner-fs-{,control-,rss-}3 profile tracker-miner @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/tracker-writeback b/apparmor.d/groups/gnome/tracker-writeback index a5346b463e..1472ee7cef 100644 --- a/apparmor.d/groups/gnome/tracker-writeback +++ b/apparmor.d/groups/gnome/tracker-writeback @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/tracker-writeback profile tracker-writeback @{exec_path} { include - include include #aa:dbus own bus=session name=org.freedesktop.Tracker3.Writeback diff --git a/apparmor.d/groups/gnome/tracker-xdg-portal b/apparmor.d/groups/gnome/tracker-xdg-portal index 20ed6bdce0..7dd8bbb141 100644 --- a/apparmor.d/groups/gnome/tracker-xdg-portal +++ b/apparmor.d/groups/gnome/tracker-xdg-portal @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/tracker-xdg-portal-3 profile tracker-xdg-portal @{exec_path} flags=(complain) { include - include include #aa:dbus own bus=session name=org.freedesktop.portal.Tracker diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index e44ee1f834..10d342a043 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,8 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include - include include #aa:dbus own bus=session name=org.kde.KScreen diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 6d90cadda2..cdd616f5e8 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -11,7 +11,6 @@ profile apport-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 588d63f084..f5c4e0ab5f 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,7 +10,6 @@ include profile check-new-release-gtk @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index fb8eb259e1..ef516e8d6a 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index e08bc0577b..e7fe3697f8 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -11,7 +11,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index a44e226bc9..9e907e872f 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 9f56a6d31d..c6b31fed44 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -11,7 +11,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index a9c166007b..304cea6171 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,7 +11,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index 3ba81c6885..070c41129c 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd profile tumblerd @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index bdb4b8d365..26960fc42e 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -10,7 +10,6 @@ include profile xfce-session @{exec_path} flags=(attach_disconnected) { include include - include include include include @@ -74,7 +73,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { profile dbus flags=(attach_disconnected) { include - include @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index c908946947..398e5df68d 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index a76759ab59..70ebe59692 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index e4ca0288d3..3facc3cdf5 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,7 +12,6 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 3ced4fcc78..20608e666b 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 79d8d38135..26087734a4 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 8881184e52..fda1da6f25 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/filezilla profile filezilla @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 2ff8f2adef..2caf4950f6 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -10,7 +10,6 @@ include profile gimp @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg index d668fbfd21..a4b700ded9 100644 --- a/apparmor.d/profiles-g-l/gitg +++ b/apparmor.d/profiles-g-l/gitg @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gitg profile gitg @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index de95d3c9f7..abcb501df3 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/keepassxc profile keepassxc @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index d9d5568790..efc3d45824 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index c351e163ed..9ebacbea6b 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -12,7 +12,6 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend index c6013c06e2..94142ac8bf 100644 --- a/apparmor.d/profiles-g-l/localsend +++ b/apparmor.d/profiles-g-l/localsend @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/localsend profile localsend @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index c97b285d8e..a85eb6790e 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -11,7 +11,6 @@ include profile mumble @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index 9cdcd432b6..73bb8c83b6 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/pinentry-gtk{,-2} profile pinentry-gtk @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank index 9619326f2e..e643e8617a 100644 --- a/apparmor.d/profiles-m-r/plank +++ b/apparmor.d/profiles-m-r/plank @@ -11,7 +11,6 @@ include profile plank @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index a1ac4c3543..44905bbea1 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index c225a6a17f..d02fb27e06 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -11,7 +11,6 @@ profile remmina @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 3e6791ddcc..605877c898 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,7 +10,6 @@ include profile rustdesk @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index aa7ccb6488..5eb335de86 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -10,7 +10,6 @@ include profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 39c4c949d9..2a4f0e290d 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -11,7 +11,6 @@ include @{exec_path} += /usr/share/system-config-printer/system-config-printer.py profile system-config-printer @{exec_path} flags=(complain) { include - include include include include diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index 79d2095f99..ab77c6ec4e 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -11,7 +11,6 @@ include profile telegram-desktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 769771b6a9..50e768a368 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -10,7 +10,6 @@ include profile terminator @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index d268be76d0..c91994848c 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,7 +12,6 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 50760f8c5b..ddbe015635 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,7 +11,6 @@ include profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index a07d6bad14..10441e892c 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -11,7 +11,6 @@ include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include - include include include include From 9b4604dfb6e0e40ba594ff149d560f4e6c10d652 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 20:19:54 +0100 Subject: [PATCH 0964/1736] feat(abs): remove redundant abs. --- apparmor.d/profiles-s-z/spice-vdagent | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 5eb335de86..dc02419cbe 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -11,7 +11,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include include From 9e879069b8cc1753d6943584c5a7d400ae99f08a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 20:20:53 +0100 Subject: [PATCH 0965/1736] fix(abs): open: gio-launch-desktop as ix should have priority over other x rules. --- apparmor.d/abstractions/app/open | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 59ccd71ccb..541e738ad1 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -22,7 +22,7 @@ @{lib}/gio-launch-desktop mrix, #aa:only apparmor>=4.1 - priority=-1 @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + priority=1 @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, @{bin}/env rix, @{sh_path} r, From 6764d6816ad469f634f4d7ed489dee3a16f374e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 20:24:15 +0100 Subject: [PATCH 0966/1736] feat(profile): minor tweak on flatpak profiles. --- .../flatpak/platform/org.freedesktop | 1 + .../groups/flatpak/flatpak-session-helper-app | 20 +++++++++---------- .../groups/flatpak/flatpak-system-helper | 4 +++- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/flatpak/platform/org.freedesktop b/apparmor.d/abstractions/flatpak/platform/org.freedesktop index 3d9c4406ba..ba4b7d4300 100644 --- a/apparmor.d/abstractions/flatpak/platform/org.freedesktop +++ b/apparmor.d/abstractions/flatpak/platform/org.freedesktop @@ -38,6 +38,7 @@ /var/lib/flatpak/app/@{appid}/@{arch}/stable/@{hex64}/export/share/icons/{,**} r, /var/lib/flatpak/exports/share/icons/{,**} r, + @{run}/host/local-fonts/{,**} r, @{run}/host/share/icons/{,**} r, @{run}/host/user-share/icons/{,**} r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper-app b/apparmor.d/groups/flatpak/flatpak-session-helper-app index f03b59cb53..f71dfe9d15 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper-app +++ b/apparmor.d/groups/flatpak/flatpak-session-helper-app @@ -10,10 +10,11 @@ include @{exec_path} = /var/lib/flatpak/app/@{appid}/**/@{bin}/** @{exec_path} += /var/lib/flatpak/app/@{appid}/**/@{lib}/** -profile flatpak-session-helper-app { +profile flatpak-session-helper-app flags=(attach_disconnected) { include include include + include capability sys_ptrace, @@ -31,10 +32,10 @@ profile flatpak-session-helper-app { @{sys}/block/ r, @{sys}/class/hwmon/ r, @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/speed r, @{sys}/devices/@{pci}/stat r, - @{sys}/devices/@{pci}/statistics/rx_bytes r, - @{sys}/devices/@{pci}/statistics/tx_bytes r, + @{sys}/devices/**/speed r, + @{sys}/devices/**/statistics/rx_bytes r, + @{sys}/devices/**/statistics/tx_bytes r, @{sys}/devices/virtual/tty/tty@{int}/active r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/ r, @@ -42,13 +43,10 @@ profile flatpak-session-helper-app { owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*.service/ r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/{,**/}cgroup.procs r, - @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/cmdline r, - - # Same than in app/flatpak @{PROC}/ r, + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cpuset r, @{PROC}/@{pids}/io r, @{PROC}/@{pids}/maps r, @@ -56,6 +54,7 @@ profile flatpak-session-helper-app { @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @@ -81,6 +80,7 @@ profile flatpak-session-helper-app { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 96b92409bc..70276a259b 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -78,7 +78,7 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de @{bin}/bwrap mr, - /app/bin/apply_extra ix, + /app/bin/* rix, @{bin}/cp ix, @{bin}/mv ix, @@ -102,6 +102,7 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de @{system_share_dirs}/applications/mimeinfo.cache w, @{system_share_dirs}/icons/**/.icon-theme.cache rw, @{system_share_dirs}/icons/**/icon-theme.cache w, + @{system_share_dirs}/icons/hicolor/index.theme w, @{system_share_dirs}/mime/{,**} w, @{user_share_dirs}/** r, @@ -115,6 +116,7 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de /app/extra/** rw, /bindfile@{rand6} rw, + /usr/.ref rk, /tmp/#@{int} rw, From 7959af53726a8b65b222f113891b1737b29f71e9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 20:25:31 +0100 Subject: [PATCH 0967/1736] feat(abs): improve bus abs. --- .../bus/session/org.kde.StatusNotifierWatcher | 14 +++++++------- .../bus/system/org.freedesktop.Avahi.Server | 2 +- .../bus/system/org.freedesktop.GeoClue2 | 15 +++++++++++++++ .../bus/system/org.freedesktop.UPower | 5 +++++ apparmor.d/abstractions/upower-observe | 1 + 5 files changed, 29 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierWatcher index 28983d20f1..69724bb410 100644 --- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierWatcher @@ -10,37 +10,37 @@ dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_notification}"), + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=@{busname}, label="@{pp_notification}"), + peer=(name=@{busname}, label="@{pp_app_indicator}"), dbus receive bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get - peer=(name=@{busname}, label="@{pp_notification}"), + peer=(name=@{busname}, label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem - peer=(name="{@{busname},org.kde.StatusNotifierWatcher}", label="@{pp_notification}"), + peer=(name="{@{busname},org.kde.StatusNotifierWatcher}", label="@{pp_app_indicator}"), dbus receive bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem - peer=(name=@{busname}, label="@{pp_notification}"), + peer=(name=@{busname}, label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member={ProvideXdgActivationToken,Activate} - peer=(name=@{busname}, label="@{pp_notification}"), + peer=(name=@{busname}, label="@{pp_app_indicator}"), dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member={AboutToShow,GetLayout,Event} - peer=(name=@{busname}, label="@{pp_notification}"), + peer=(name=@{busname}, label="@{pp_app_indicator}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server index bfc87b3cca..0805128208 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server @@ -7,7 +7,7 @@ dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name=org.freedesktop.Avahi), # Allow service introspection dbus send bus=system path=/ diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 index 026194fbb0..605daccb34 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 @@ -11,6 +11,21 @@ member=AddAgent peer=(name="@{busname}", label="@{p_geoclue}"), + dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=@{busname}, label=geoclue), + + dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} + interface=org.freedesktop.GeoClue2.Client + member=Start + peer=(name=@{busname}, label=geoclue), + + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager + interface=org.freedesktop.GeoClue2.Manager + member={GetClient,DeleteClient} + peer=(name=@{busname}, label=geoclue), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower index aa6a613717..e8fe7221d6 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -8,6 +8,11 @@ #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + dbus send bus=system path=/org/freedesktop/UPower/devices/** + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_upowerd}"), + # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe index 67478bb6d4..a4ff029587 100644 --- a/apparmor.d/abstractions/upower-observe +++ b/apparmor.d/abstractions/upower-observe @@ -6,6 +6,7 @@ abi , + include include include if exists From c87285ddbf00702dcae4909ecdca11f3ea9714a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 20:29:20 +0100 Subject: [PATCH 0968/1736] feat(abs): update the wine abstraction. --- .../flatpak/baseapp/com.valvesoftware.Steam | 4 ---- apparmor.d/abstractions/wine | 12 +++++++++--- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam index 0e9412b7d7..7b924660de 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -47,10 +47,6 @@ owner @{PROC}/@{pid}/autogroup rw, owner @{PROC}/@{pid}/cmdline rk, - # NT synchronization driver (performance improvement for games) - # https://www.phoronix.com/news/Linux-6.14-NTSYNC-Driver-Ready - /dev/ntsync r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index a26488ee69..99b6ddbd58 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,13 +9,19 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{att}@{tmp}/.wine-@{uid}/ rw, - owner @{att}@{tmp}/.wine-@{uid}/** rwk, - owner @{att}@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{tmp}/.wine-@{uid}/ rw, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/ rw, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/lock rwk, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/tmpmap-@{hex8} m, + owner @{tmp}/protonfixes_test.log w, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, + # NT synchronization driver (performance improvement for games) + # https://www.phoronix.com/news/Linux-6.14-NTSYNC-Driver-Ready + /dev/ntsync r, + include if exists # vim:syntax=apparmor From 9d2db47b5a78a9e9f01a63b25202409bf6c47dab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 20:31:00 +0100 Subject: [PATCH 0969/1736] chore: document the deprecation of flatpak-app. --- apparmor.d/groups/flatpak/flatpak-app | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 0e8d150a7a..ec02e479c4 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -2,6 +2,10 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Note: This profile is **deprecated** and will be removed in future releases. +# It is only used when using apparmor < 4.1 +# See fapp and fbwrap profiles instead. + # Default profile for all flatpak applications. Ideally, this profile should be # generated by flatpak itself with settings from the flatpak manifest and # fully separated from bwrap. From b0e753025bd28e56aef3a7cd00cf7ede8576f17a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 20:40:11 +0100 Subject: [PATCH 0970/1736] feat(abs): rewrite common app It used to be used by flatpak-app that is now deprecated. Thus we can now remove flatpak Even if it is curently not used, this profile is a safe choice for a generic app. Such a confinement would not be very safe, but it is still better than nothing. --- apparmor.d/abstractions/common/app | 118 +++++++++++++++-------------- 1 file changed, 62 insertions(+), 56 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 7e0a5d3eaf..417d3d91cf 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -4,17 +4,20 @@ # LOGPROF-SUGGEST: no # NEEDS-VARIABLE: att -# Common rules for applications sandboxed using bwrap. +# Common rules for a generic UI application. -# This abstraction is wide on purpose. It is meant to be used by sandbox -# applications (bwrap) that have no way to restrict access depending on the -# application being confined. +# This abstraction is wide on purpose. It is meant to be used by a generic +# user UI aplications wich no asumption made on the access they need. abi , + include include include + include include + include + include include include include @@ -28,28 +31,20 @@ include include include - include + include + include include include + include + include include include include include + include + include - dbus bus=accessibility, - dbus bus=session, - dbus bus=system, - - /usr/** rk, - /usr/share/** rk, - - /etc/{,**} r, - - /.* r, - @{lib}/ r, - owner /_@{int}_/ w, - owner /@{uuid}/ w, - owner /var/cache/ldconfig/{,**} rw, + /usr/** r, # Full access to user's data / r, @@ -58,21 +53,17 @@ @{MOUNTS}/ r, @{MOUNTS}/** rwl, owner @{HOME}/ r, - owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwmlk -> @{HOME}/**, + owner @{HOME}/** mrwlkix -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide - owner @{user_games_dirs}/** rmix, + owner @{run}/user/@{uid}/** mrwlkix -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide + owner @{user_games_dirs}/** mrwlkix, #aa:lint ignore=too-wide - owner @{tmp}/** rmwk, - owner /dev/shm/** rwlk -> /dev/shm/**, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + owner @{tmp}/** mrwlkix, + owner /dev/shm/** mrwlkix -> /dev/shm/**, @{att}@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/host/{,**} r, - @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, @{sys}/ r, @@ -91,55 +82,65 @@ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/* r, + # Show the list of active tty + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # This is an information leak + owner @{PROC}/@{pid}/mountinfo r, + + # Reads of oom_adj and oom_score_adj are safe + owner @{PROC}/@{pid}/oom_adj r, + owner @{PROC}/@{pid}/oom_score_adj r, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm rk, + @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/io r, @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, - @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/bus/pci/devices r, - @{PROC}/cmdline r, - @{PROC}/driver/** r, - @{PROC}/locks r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, + @{PROC}/loadavg r, + @{PROC}/sys/fs/file-max r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inotify/max_queued_events r, + @{PROC}/sys/fs/inotify/max_user_instances r, @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/fs/nr_open r, + @{PROC}/sys/fs/pipe-max-size r, + @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/sched_autogroup_enabled r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/kernel/shmmax r, @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/net/core/bpf_jit_enable r, - @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/autogroup rw, + @{PROC}/version_signature r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/clear_refs w, - owner @{PROC}/@{pid}/comm rw, + owner @{PROC}/@{pid}/cmdline rk, + owner @{PROC}/@{pid}/comm rk, owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fd/@{int} rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/sessionid r, owner @{PROC}/@{pid}/smaps_rollup r, - owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/smaps r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/statm r, @{att}/dev/dri/card@{int} rw, @{att}/dev/dri/renderD128 rw, @@ -151,6 +152,11 @@ /dev/tty rw, /dev/udmabuf rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + + # This allows raising the OOM score of other processes owned by the user. + deny owner @{PROC}/@{pid}/oom_score_adj w, + include if exists # vim:syntax=apparmor From 580c35a61e1f02192b8391eb3d7a65323409304f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 21:10:31 +0100 Subject: [PATCH 0971/1736] feat(profile): update out use of bus abstractions to the last changes. --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/app/firefox | 1 + apparmor.d/groups/bus/dbus-session | 4 +-- .../polkit-kde-authentication-agent | 1 - .../groups/freedesktop/xdg-desktop-portal-kde | 1 - apparmor.d/groups/gnome/gnome-calendar | 9 +----- apparmor.d/groups/gnome/gnome-session | 5 ++++ apparmor.d/groups/gnome/gnome-shell | 16 +++++++---- apparmor.d/groups/gnome/gnome-software | 4 ++- apparmor.d/groups/gnome/gsd-a11y-settings | 9 ++++++ apparmor.d/groups/gvfs/gvfsd-computer | 2 +- apparmor.d/groups/systemd/systemd-timedated | 2 +- apparmor.d/groups/xfce/xfsettingsd | 1 - apparmor.d/profiles-a-f/discord | 1 - apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-m-r/mpris-proxy | 2 +- apparmor.d/profiles-m-r/qbittorrent | 28 ------------------- apparmor.d/profiles-s-z/session-desktop | 1 - apparmor.d/profiles-s-z/signal-desktop | 3 +- apparmor.d/profiles-s-z/telegram-desktop | 1 - apparmor.d/profiles-s-z/vlc | 2 -- 21 files changed, 39 insertions(+), 57 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 199b2ac66b..6f006f07b8 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -38,6 +38,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 26cf7f903e..3add542c67 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -33,6 +33,7 @@ include include include + include include include include diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index e057c3d7e6..4cb047e83e 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -37,8 +37,8 @@ profile dbus-session flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} dbus receive bus=session interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name="{@{busname},org.freedesktop.DBus}"), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}, + @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 8a08f02d0b..b044f1974e 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,7 +11,6 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 62c11865d9..d9720a6fa3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 144ad227f7..9c510d0382 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -24,14 +24,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver label="{evolution-*-factory,evolution-source-registry}" #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 7255b61b8b..9d6fe94ebd 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -19,6 +19,11 @@ profile gnome-session @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=term peer=gdm-session, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 750b422e73..d6baa76f58 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -60,7 +60,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity - #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/{unity,dbusmenu}} #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem @@ -104,6 +104,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=session name=org.gnome.* label=gnome-* #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus @@ -113,6 +114,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Session bus + # FIXME: too wide dbus send bus=session path=/org/gnome/** peer=(name=org.gnome.*), @@ -159,6 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member={Get,GetAll} peer=(name=@{busname}), + # Server side of abstractions/bus/session/org.gtk.Menus dbus receive bus=session interface=org.gtk.Menus member=Changed @@ -187,15 +190,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=@{busname}, label=NetworkManager), + # Missing rules from the directive above as these one are not standard + # Part of abstractions/bus/system/org.freedesktop.NetworkManager dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name=@{busname}, label=NetworkManager), + # Server side of abstractions/gnome-base: introspect everything dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index b10ab78220..6914b0c8ac 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -12,12 +12,14 @@ profile gnome-software @{exec_path} { include include include + include include include include include include include + include network inet dgram, network inet6 dgram, @@ -33,7 +35,7 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/{,**} label="@{p_packagekitd}" dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 6751837707..9424a4d953 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -19,6 +19,15 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.A11ySettings + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=DisableUnitFilesWithFlags + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StopUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 5df7f98669..971df9e3df 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -14,7 +14,7 @@ profile gvfsd-computer @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-*-volume-monitor @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 2767af4cc5..acff30eca5 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -11,7 +11,7 @@ include profile systemd-timedated @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index d3f88c1962..1b54e9512d 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,7 +10,6 @@ include profile xfsettingsd @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 0991a243ee..550dbd95bd 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -17,7 +17,6 @@ include profile discord @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index fda1da6f25..fbcc011a1c 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -10,13 +10,13 @@ include @{exec_path} = @{bin}/filezilla profile filezilla @{exec_path} { include - include include include include include include include + include include include diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 0bb994c04e..a91bba9933 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -9,9 +9,9 @@ include @{exec_path} = @{bin}/mpris-proxy profile mpris-proxy @{exec_path} { include + include include include - include #aa:dbus own bus=session name=org.mpris.MediaPlayer2 #aa:dbus own bus=system name=org.mpris.MediaPlayer2.Player path=/{,**} diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 44905bbea1..4da5383104 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -11,7 +11,6 @@ include profile qbittorrent @{exec_path} { include include - include include include include @@ -35,33 +34,6 @@ profile qbittorrent @{exec_path} { network netlink dgram, network netlink raw, - dbus send bus=session path=/StatusNotifierItem - interface=org.kde.StatusNotifierItem - member={NewToolTip,NewIcon} - peer=(name=org.freedesktop.DBus), - - dbus receive bus=session path=/StatusNotifierItem - interface=org.kde.StatusNotifierItem - member=Activate - peer=(name=:*), - - dbus receive bus=session path=/{StatusNotifierItem,MenuBar} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), - - dbus send bus=session path=/MenuBar - interface=com.canonical.dbusmenu - member=ItemsPropertiesUpdated - peer=(name=org.freedesktop.DBus), - - dbus receive bus=session path=/MenuBar - interface=com.canonical.dbusmenu - member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} - peer=(name=:*), - - dbus bind bus=session name=org.kde.StatusNotifierItem-*, - @{exec_path} mr, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index fcb204aef8..e0361b2024 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -16,7 +16,6 @@ include profile session-desktop @{exec_path} { include include - include include include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index ada50fc8ee..cb42a5a07a 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -17,14 +17,15 @@ include profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include + include include include include include include include + include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index ab77c6ec4e..8502c14ffb 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -11,7 +11,6 @@ include profile telegram-desktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index ddbe015635..8218b4affb 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,8 +11,6 @@ include profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include - include include include include From 4d8d783a6f2a8165d5db30e3d6ca66dd9ab90a4f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 21:14:32 +0100 Subject: [PATCH 0972/1736] feat(abs): electron: deny and document some common proc paths. --- apparmor.d/abstractions/common/electron | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index f6c3fe2fdf..8feca89a7c 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -58,6 +58,20 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + # This is an information leak + owner @{PROC}/@{pid}/mountinfo r, + + # Allow reading of smaps_rollup, which is a summary of the memory use of a process + owner @{PROC}/@{pid}/smaps_rollup r, + + # Reads of oom_adj and oom_score_adj are safe + owner @{PROC}/@{pid}/oom_adj r, + owner @{PROC}/@{pid}/oom_score_adj r, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/ r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @@ -68,16 +82,16 @@ owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, + # gvfs-metadata contains user-specific data that should not be readable by apps deny @{user_share_dirs}/gvfs-metadata/* r, + # This allows raising the OOM score of other processes owned by the user. + deny owner @{PROC}/@{pid}/oom_score_adj w, + include if exists # vim:syntax=apparmor From 38f93ceec1047712d3a8fa7ee00e9b13ed7f6e83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 22:00:46 +0100 Subject: [PATCH 0973/1736] fix: linter issue. --- apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 index 605daccb34..32998be15a 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 @@ -15,7 +15,7 @@ interface=org.freedesktop.DBus.Properties member=Set peer=(name=@{busname}, label=geoclue), - + dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} interface=org.freedesktop.GeoClue2.Client member=Start From 6029274d11d489127fce12e59a1a31520db18099 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Oct 2025 22:05:03 +0100 Subject: [PATCH 0974/1736] fix(profile): ptyxis can start any program with systemd-run. As the default terminal, it can be used by gnome-shell as "backend" during execution of a desktop file. The app would then be started from ptyxis-agent. --- apparmor.d/groups/gnome/ptyxis-agent | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 154b65bf24..58e5593a77 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -49,14 +49,18 @@ profile ptyxis-agent @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-run/, @{bin}/systemd-run mr, + @{bin}/env ix, # The shell is not confined on purpose. @{bin}/@{shells} Ux, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop Px, - @{bin}/micro PUx, - @{bin}/nvtop Px, + @{lib}/** PUx, + @{bin}/** PUx, + /opt/*/** PUx, + /usr/share/*/** PUx, + /usr/local/bin/** PUx, + /usr/games/** PUx, owner @{run}/user/@{uid}/systemd/private rw, From 03e1aa615f91907e394b834b8e4c0bddd65af657 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 3 Nov 2025 19:29:51 +0100 Subject: [PATCH 0975/1736] feat(profile): improve flatpak profiles. --- apparmor.d/abstractions/app/flatpak | 9 +++++++-- apparmor.d/abstractions/flatpak/devices/dri | 2 -- apparmor.d/abstractions/flatpak/filesystem | 2 +- apparmor.d/abstractions/flatpak/platform/org.freedesktop | 5 +++-- apparmor.d/groups/flatpak/fbwrap | 8 ++++++++ apparmor.d/groups/flatpak/flatpak | 7 +++++-- apparmor.d/groups/flatpak/flatpak-system-helper | 4 ++++ 7 files changed, 28 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 52975983a2..1b151a3f11 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -83,10 +83,12 @@ capability dac_read_search, unix type=seqpacket peer=(label=dbus-session), + unix type=seqpacket peer=(label=fbwrap), unix type=seqpacket peer=(label=flatpak-portal), unix type=seqpacket peer=(label=flatpak), unix type=seqpacket peer=(label=xdg-dbus-proxy), unix type=stream peer=(label=dbus-session), + unix type=stream peer=(label=fbwrap), unix type=stream peer=(label=flatpak), unix type=stream peer=(label=gnome-keyring-daemon), unix type=stream peer=(label=unconfined), @@ -138,8 +140,8 @@ owner @{HOME}/.var/app/@{appid}/** ix, @{run}/parent/** mrix, - @{run}/parent/usr/.ref rk, - @{run}/parent/app/.ref rk, + @{run}/parent/usr/.ref k, + @{run}/parent/app/.ref k, owner @{run}/flatpak/app/@{appid}/ r, owner @{run}/flatpak/app/@{appid}/** mrwlk -> @{run}/flatpak/app/@{appid}/**, @@ -172,6 +174,9 @@ owner @{PROC}/@{pid}/oom_adj r, owner @{PROC}/@{pid}/oom_score_adj r, + # Allow reading of smaps_rollup, which is a summary of the memory use of a process + owner @{PROC}/@{pid}/smaps_rollup r, + # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/abstractions/flatpak/devices/dri b/apparmor.d/abstractions/flatpak/devices/dri index 8eb17e58ff..4a186e7d62 100644 --- a/apparmor.d/abstractions/flatpak/devices/dri +++ b/apparmor.d/abstractions/flatpak/devices/dri @@ -7,8 +7,6 @@ include - @{sys}/devices/@{pci}/boot_vga r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, diff --git a/apparmor.d/abstractions/flatpak/filesystem b/apparmor.d/abstractions/flatpak/filesystem index 90de9828ab..aad04f64f1 100644 --- a/apparmor.d/abstractions/flatpak/filesystem +++ b/apparmor.d/abstractions/flatpak/filesystem @@ -39,7 +39,7 @@ # host /opt/{,**} r, /srv/{,**} r, - owner @{MOUNTS}/ r, + @{MOUNTS}/ r, owner @{MOUNTS}/** rwlk -> @{MOUNTS}/**, # home diff --git a/apparmor.d/abstractions/flatpak/platform/org.freedesktop b/apparmor.d/abstractions/flatpak/platform/org.freedesktop index ba4b7d4300..bedc12d164 100644 --- a/apparmor.d/abstractions/flatpak/platform/org.freedesktop +++ b/apparmor.d/abstractions/flatpak/platform/org.freedesktop @@ -26,10 +26,11 @@ owner /var/cache/fontconfig/@{hex32}-le{32,64}.cache-@{int} r, owner /var/cache/fontconfig/@{hex32}-le{32,64}.cache-reindex@{int}-@{int} r, - @{run}/host/fonts/{,**} r, @{run}/host/fonts-cache/{,**} r, - owner @{run}/host/user-fonts-cache/@{hex32}-le{32,64}.cache-@{int} r, + @{run}/host/fonts/{,**} r, owner @{run}/host/font-dirs.xml r, + owner @{run}/host/user-fonts-cache/@{hex32}-le{32,64}.cache-@{int} r, + owner @{run}/host/user-fonts/{,**} r, # Icons # We are purposely not using the icons abstraction as it gives access to diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index ec9d4c6918..0fbb634284 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -22,6 +22,11 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { signal receive peer=gnome-software, signal receive peer=flatpak, + dbus send bus=accessibility path=/ + interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + @{exec_path} mr, @{bin}/true ix, # Required by glycin, harmless @@ -51,6 +56,9 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/.flatpak/@{int}/bwrapinfo.json rw, owner @{run}/user/@{uid}/.flatpak/@{int}/info r, + @{PROC}/cgroups r, + owner @{PROC}/@{pid}/coredump_filter rw, + profile ldconfig flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 1637600d93..54064959b8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -26,8 +26,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include - userns, - capability dac_override, capability dac_read_search, capability net_admin, @@ -68,6 +66,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain member=GetRevokefsFd peer=(name=org.freedesktop.Flatpak.SystemHelper), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_systemd_user}"), + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, #aa:only apparmor<4.1 diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 70276a259b..f20ee6ce56 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -80,7 +80,9 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de /app/bin/* rix, + @{bin}/bsdtar ix, @{bin}/cp ix, + @{bin}/install ix, @{bin}/mv ix, @{bin}/rm ix, @{bin}/sed ix, @@ -120,6 +122,8 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de /tmp/#@{int} rw, + /dev/tty rw, + include if exists } From 70e6c1eacef0b33dcd1ecae64f6df04cdb06ab3b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 3 Nov 2025 19:32:15 +0100 Subject: [PATCH 0976/1736] feat(abs): add org.freedesktop.Application --- .../bus/session/org.freedesktop.Application | 24 +++++++++++++++++++ apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/xfce | 1 + 5 files changed, 28 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Application diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Application b/apparmor.d/abstractions/bus/session/org.freedesktop.Application new file mode 100644 index 0000000000..a16e9a34c0 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Application @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.freedesktop.Application + member={Activate,ActivateAction} + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session + interface=org.freedesktop.Application + member=Open + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session + interface=org.freedesktop.Application + member=Open + peer=(name=@{busname}, label=nautilus), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 178e581c16..fca62391f7 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 360967331f..fb48fa2ea8 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -8,6 +8,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 8eaff4c711..7c021fa31f 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -8,6 +8,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 97b3ba6073..114716c84f 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -8,6 +8,7 @@ include include include + include include include include From 607cc07f45bb586014dce0faa0fd9fbbedc23e90 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 3 Nov 2025 22:31:49 +0100 Subject: [PATCH 0977/1736] feat(aa-log): add support for dbus method log. Kernel 6.17 with dbus mediation enabled log dbus member in the method item. --- pkg/aa/dbus.go | 6 +++++- pkg/logs/logs.go | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index fa4ec7ec44..a4894a6cfb 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -60,6 +60,10 @@ func newDbusFromLog(log map[string]string) Rule { } else { peerName = log["name"] } + member, present := log["member"] + if !present { + member = log["method"] + } return &Dbus{ Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), @@ -68,7 +72,7 @@ func newDbusFromLog(log map[string]string) Rule { Name: name, Path: log["path"], Interface: log["interface"], - Member: log["member"], + Member: member, PeerName: peerName, PeerLabel: log["peer_label"], } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 9dc2bfc650..aeeac7282d 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -175,7 +175,7 @@ func (aaLogs AppArmorLogs) String() string { keys := []string{ "profile", "label", // Profile name "operation", "name", "target", - "mask", "bus", "path", "interface", "member", // dbus + "mask", "bus", "path", "interface", "member", "method", // dbus "info", "comm", "laddr", "lport", "faddr", "fport", "family", "sock_type", "protocol", "requested_mask", "denied_mask", "signal", "peer", "peer_label", @@ -199,6 +199,7 @@ func (aaLogs AppArmorLogs) String() string { "denied_mask": "denied_mask=" + boldRed, "interface": "interface=" + fgWhite, "member": "member=" + fgGreen, + "method": "method=" + fgGreen, } var res strings.Builder From 99bb5a792136cdcb7653273b5e22c53a8855bafa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 3 Nov 2025 23:58:32 +0100 Subject: [PATCH 0978/1736] feat(abs): improve dbus abs. --- apparmor.d/abstractions/accounts-observe | 20 +++++++++--- .../bus/session/org.freedesktop.ScreenSaver | 4 +-- .../bus/session/org.freedesktop.systemd1 | 11 ++++++- .../bus/session/org.gnome.SessionManager | 2 +- .../bus/session/org.kde.StatusNotifierItem | 5 +++ .../bus/system/org.freedesktop.ModemManager1 | 31 ++++++++++++++++++- .../bus/system/org.freedesktop.systemd1 | 14 +++++++++ apparmor.d/abstractions/modem-manager-observe | 5 +-- 8 files changed, 78 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/accounts-observe b/apparmor.d/abstractions/accounts-observe index 65ba4b8a27..41d371c832 100644 --- a/apparmor.d/abstractions/accounts-observe +++ b/apparmor.d/abstractions/accounts-observe @@ -8,6 +8,8 @@ abi , + # DBus.Properties: read properties from the interface + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.DBus.Properties member={Get,GetAll} @@ -18,16 +20,22 @@ member={Get,GetAll} peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), + # DBus.Properties: receive property changed events + dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=@{busname}, label="@{p_accounts_daemon}"), + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label="@{p_accounts_daemon}"), + # org.freedesktop.Accounts + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserById,FindUserByName} @@ -38,16 +46,18 @@ member={ListCachedUsers,GetUsersLanguages} peer=(name=@{busname}, label="@{p_accounts_daemon}"), - dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} - interface=org.freedesktop.Accounts.User - member=Changed - peer=(name=@{busname}, label="@{p_accounts_daemon}"), - dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={UserAdded,UserDeleted} peer=(name=@{busname}, label="@{p_accounts_daemon}"), + # org.freedesktop.Accounts.User + + dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} + interface=org.freedesktop.Accounts.User + member=Changed + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver index ee837b886c..056b7f935e 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -11,10 +11,10 @@ member={Inhibit,UnInhibit} peer=(name=org.freedesktop.ScreenSaver), - dbus send bus=session path=/{,org/freedesktop/}ScreenSaver + dbus send bus=session path=/org/freedesktop/ScreenSaver interface=org.freedesktop.ScreenSaver member={GetActive,GetActiveTime,Lock,SetActive} - peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + peer=(name="{@{busname},org.freedesktop.ScreenSaver}", label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), dbus receive bus=session path=/org/freedesktop/ScreenSaver interface=org.freedesktop.ScreenSaver diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 index 946594a7ed..0d9871c121 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -7,16 +7,25 @@ abi , + # DBus.Properties: read properties from the interface + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - dbus send bus=session path=/org/freedesktop/systemd1/unit/* + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=GetAll + peer=(name=@{busname}, label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1/unit/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} peer=(label="@{p_systemd_user}"), + # DBus.Properties: receive property changed events + dbus receive bus=session path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager index 6859b2cc14..f212c9b14e 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -35,7 +35,7 @@ member=StatusChanged peer=(name=@{busname}, label="@{p_gnome_session}"), - dbus send bus=session path=/org/gnome/SessionManager/Client8 + dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse peer=(name=@{busname}, label="@{p_gnome_session}"), diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index f84526c267..c1175f4150 100644 --- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -32,6 +32,11 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + dbus send bus=session path=/org/ayatana/NotificationItem/* + interface=org.kde.StatusNotifierItem + member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member={Activate,ContextMenu,Scroll,SecondaryActivate,ProvideXdgActivationToken,XAyatanaSecondaryActivate} diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 index 1ef86ff588..0faaf1fdc9 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ModemManager1 @@ -4,7 +4,36 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" + # DBus.Properties: read properties from the interface + + dbus send bus=system path=/org/freedesktop/ModemManager1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_ModemManager}"), + + dbus send bus=system path=/org/freedesktop/ModemManager1/*/@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_ModemManager}"), + + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/ModemManager1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_ModemManager}"), + + dbus receive bus=system path=/org/freedesktop/ModemManager1/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_ModemManager}"), + + dbus receive bus=system path=/org/freedesktop/ModemManager1/*/@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_ModemManager}"), + + # DBus.ObjectManager: allow clients to enumerate sources dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 index eff42d1f08..156f24c796 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 @@ -7,16 +7,30 @@ abi , + # DBus.Properties: read properties from the interface + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_systemd_user}"), + dbus send bus=system path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties member=GetAll peer=(label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1/unit/* + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + # DBus.Properties: receive property changed events + dbus receive bus=system path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/abstractions/modem-manager-observe b/apparmor.d/abstractions/modem-manager-observe index d1938f4e12..3c64433caf 100644 --- a/apparmor.d/abstractions/modem-manager-observe +++ b/apparmor.d/abstractions/modem-manager-observe @@ -7,10 +7,7 @@ abi , - dbus send bus=system path=/org/freedesktop/ModemManager1 - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=ModemManager), + include include if exists From a1a14965390362abc5d77444b6cf57a69c314d1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Nov 2025 11:26:04 +0100 Subject: [PATCH 0979/1736] build: improve the dev subcommand. - Use systemctl to reload apparmor: slower, but handle ignored profiles - Install multiple profiles at once --- Justfile | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Justfile b/Justfile index d28d56759a..39c5a526e7 100644 --- a/Justfile +++ b/Justfile @@ -191,10 +191,12 @@ local +names: # Prebuild, install, and load a dev profile [group('install')] -dev name: - go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` - sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} - sudo apparmor_parser --write-cache --replace /etc/apparmor.d/{{name}} +dev +names: + go run ./cmd/prebuild --complain + for file in {{names}}; do \ + sudo install -Dm644 -v {{build}}/apparmor.d/$file /etc/apparmor.d/$file; \ + done + sudo systemctl restart apparmor.service || sudo journalctl -xeu apparmor.service # Build & install apparmor.d on Arch based systems [group('packages')] From ecaf81ffa19ca6853b318faa7b9d08a5fe88d31a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Nov 2025 11:39:23 +0100 Subject: [PATCH 0980/1736] feat(abs): restrict system/org.freedesktop.UPower --- .../bus/system/org.freedesktop.UPower | 27 ++++++++++++++----- .../org.freedesktop.UPower.PowerProfiles | 5 +++- apparmor.d/groups/gnome/deja-dup-monitor | 1 + 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower index e8fe7221d6..b3257793bd 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -6,19 +6,37 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + # DBus.Properties: read properties from the interface + + dbus send bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_upowerd}"), dbus send bus=system path=/org/freedesktop/UPower/devices/** interface=org.freedesktop.DBus.Properties - member=GetAll + member={Get,GetAll} peer=(name=@{busname}, label="@{p_upowerd}"), + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/UPower/devices/** + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(label="@{p_upowerd}"), + # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), + # Allow clients to enumerate devices + dbus receive bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.UPower + member={DeviceAdded,DeviceRemoved} + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), + dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member={GetDisplayDevice,GetCriticalAction} @@ -29,11 +47,6 @@ member={GetHistory,Refresh} peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), - dbus receive bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member={DeviceAdded,DeviceRemoved} - peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles index 4f11b5aebb..e28dbfd3cb 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles @@ -4,7 +4,10 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=power-profiles-daemon), include if exists diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index a6e4729078..b48849504b 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -20,6 +20,7 @@ profile deja-dup-monitor @{exec_path} { include include include + include network netlink raw, From 4a2c86f706230bbaf633e7ec3d6dabbbdd2282d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Nov 2025 11:54:37 +0100 Subject: [PATCH 0981/1736] feat(profile): update profiles to use the newly defined bus based abstractions. --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/groups/cups/cups-browsed | 1 - apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 11 +---------- apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/papers | 2 +- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/profiles-a-f/freetube | 4 ++-- apparmor.d/profiles-m-r/remmina | 1 - 11 files changed, 10 insertions(+), 21 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 6f006f07b8..30efb06178 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,6 +26,7 @@ include include + include include include include diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 0908ce247d..3e83e4064c 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -52,7 +52,6 @@ profile cups-browsed @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index a58c57c5ef..7b38b17d12 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -10,6 +10,7 @@ include profile cupsd @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -92,7 +93,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, - @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index c5a54dc28f..a749fc6873 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -10,8 +10,8 @@ include @{exec_path} = @{lib}/{,upower/}upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include + include include - include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index cd599fb1d8..17f9d8bbb6 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -10,7 +10,7 @@ include profile wireplumber @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index b48849504b..5a17c505c6 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -18,6 +18,7 @@ profile deja-dup-monitor @{exec_path} { include include include + include include include include @@ -32,16 +33,6 @@ profile deja-dup-monitor @{exec_path} { member=Activate peer=(name=org.gnome.DejaDup), - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=power-profiles-daemon), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d6baa76f58..b32eb29583 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -12,11 +12,11 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include include include include - include include include include @@ -96,7 +96,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index e11f59e772..bb6f99c798 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -19,7 +19,7 @@ profile papers @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 + dbus send bus=session path=/org/freedesktop/portal/desktop/session/** interface=org.freedesktop.portal.Session member=Close peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 01e50cfa30..3b1a56e3de 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd profile gvfsd-wsdd @{exec_path} { include + include include include include @@ -26,7 +27,6 @@ profile gvfsd-wsdd @{exec_path} { @{bin}/env mr, @{bin}/wsdd rPx, - @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/wsdd rw, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index dd50c455b0..6a3cf69448 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,11 +17,11 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include include include - include include + include + include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index d02fb27e06..b7605a4831 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -14,7 +14,6 @@ profile remmina @{exec_path} flags=(attach_disconnected) { include include include - include include include include From 0b3812ea531a06cde9567dcdf9d7d642c4bee83f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Nov 2025 15:55:02 +0100 Subject: [PATCH 0982/1736] feat(profile): update some dbus rules in profiles. --- apparmor.d/abstractions/bluetooth-control | 23 +++++++++++++++++++ apparmor.d/abstractions/bluetooth-observe | 15 ++++++++---- .../bus/session/org.mpris.MediaPlayer2.Player | 13 +++++++---- .../bus/system/org.freedesktop.NetworkManager | 6 +++-- apparmor.d/abstractions/common/game | 1 + apparmor.d/abstractions/gnome-base | 1 + apparmor.d/abstractions/mpris | 14 +++++++++++ apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/bus/dbus-session | 2 ++ apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-dconf | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-x11 | 2 +- apparmor.d/groups/freedesktop/dconf-service | 2 +- apparmor.d/groups/freedesktop/pipewire | 2 +- .../groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- .../groups/freedesktop/xdg-document-portal | 2 +- .../groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 2 +- .../groups/gnome/epiphany-search-provider | 2 ++ .../groups/gnome/epiphany-webapp-provider | 1 + .../groups/gnome/evolution-alarm-notify | 4 ++-- apparmor.d/groups/gnome/gjs | 2 +- apparmor.d/groups/gnome/gnome-clocks | 2 +- .../gnome/gnome-contacts-search-provider | 1 + apparmor.d/groups/gnome/gnome-control-center | 9 ++++++-- .../gnome/gnome-control-center-goa-helper | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 4 ++-- .../groups/gnome/gnome-extension-gsconnect | 2 +- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-shell | 5 ++-- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/loupe | 2 +- apparmor.d/groups/gnome/nautilus | 5 ++-- apparmor.d/groups/gnome/papers | 2 +- apparmor.d/groups/gnome/ptyxis | 2 +- apparmor.d/groups/gnome/yelp | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 2 +- apparmor.d/groups/network/NetworkManager | 5 ++++ apparmor.d/groups/systemd/systemd-sleep | 1 + apparmor.d/groups/systemd/systemd-udevd | 4 +++- apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-m-r/pinentry-qt | 1 - apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spotify | 6 ++--- 51 files changed, 126 insertions(+), 56 deletions(-) create mode 100644 apparmor.d/abstractions/bluetooth-control diff --git a/apparmor.d/abstractions/bluetooth-control b/apparmor.d/abstractions/bluetooth-control new file mode 100644 index 0000000000..2f5c9ae995 --- /dev/null +++ b/apparmor.d/abstractions/bluetooth-control @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows control over Bluetooth devices such as pairing, connecting, +# and managing profiles. + + abi , + + include + + include + include + include + + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=org.bluez, label="@{p_bluetoothd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bluetooth-observe b/apparmor.d/abstractions/bluetooth-observe index cd21e83767..73a60b52dd 100644 --- a/apparmor.d/abstractions/bluetooth-observe +++ b/apparmor.d/abstractions/bluetooth-observe @@ -6,12 +6,17 @@ abi , - #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" + include - dbus receive bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}/service@{hex4}/char@{hex4} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=bluetoothd), + include + include + + # Allow quering GATT (Bluetooth Generic Attribute) services + + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} + interface=org.bluez.GattCharacteristic1 + member=ReadValue + peer=(name=@{busname}, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player index 7562949a47..0f30e208a6 100644 --- a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player @@ -4,23 +4,26 @@ abi , - # DBus.Properties: read all properties from the interface + # DBus.Properties: read properties from the interface + dbus send bus=system path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name="{@{busname},org.freedesktop.DBus}"), - # DBus.Properties: receive all properties from the interface + # DBus.Properties: send properties to the mpris controlers + dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=@{busname}), + peer=(name=@{busname}, label="@{pp_mpris}"), # DBus.Properties: receive property changed events + dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=@{busname}), + peer=(name=@{busname}, label="@{pp_mpris}"), # DBus.Introspectable: allow clients to introspect the service dbus send bus=system path=/org/mpris/MediaPlayer2 @@ -30,7 +33,7 @@ dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.mpris.MediaPlayer2.Player - member={Seeked,Next,PlayPause} + member={Seeked,Next,Play,PlayPause,Pause} peer=(name=@{busname}), # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager index 8cb8088ce8..d47b6b040e 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager @@ -48,7 +48,7 @@ member={InterfacesAdded,InterfacesRemoved} peer=(name=@{busname}, label=NetworkManager), - # org.freedesktop.NetworkManager + # NetworkManager dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager @@ -65,12 +65,14 @@ member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} peer=(name=@{busname}, label=NetworkManager), + # NetworkManager.Connection + dbus receive bus=system path=/org/freedesktop/NetworkManager/*/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged peer=(name=@{busname}, label=NetworkManager), - # org.freedesktop.NetworkManager.Settings + # NetworkManager.Settings dbus send bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 2198c8537c..97080fd748 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -12,6 +12,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index 575aaadaf5..26072ec50d 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -8,6 +8,7 @@ include + # DBus.Introspectable: allow introspection from gnome-shell dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris index f06c8560e2..2f7feccb14 100644 --- a/apparmor.d/abstractions/mpris +++ b/apparmor.d/abstractions/mpris @@ -12,6 +12,20 @@ # See: https://specifications.freedesktop.org/mpris-spec/latest/ #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} + # DBus.Properties: receive properties from any mpris controller + + dbus receive bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{pp_mpris}"), + + # DBus.Properties: send property changed events to any mpris controller + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label="@{pp_mpris}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 544ae9ef8c..d2545e4c00 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -12,7 +12,7 @@ profile obexd @{exec_path} { include include include - include + include include network bluetooth stream, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 85720531f1..4783bc66a8 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -25,7 +25,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 4cb047e83e..9d10077aca 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -64,6 +64,8 @@ profile dbus-session flags=(attach_disconnected) { owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{att}@{HOME}/.var/app/*/**/.ref rw, + owner @{att}@{HOME}/.var/app/*/**/logs/* rw, owner @{user_share_dirs}/dbus-1/services/{,**} r, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 163b9cc78f..5a264a87d3 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -36,7 +36,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 3a5839f71d..953c302d43 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -21,7 +21,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index c183dba481..4a67af1de3 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -21,7 +21,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 9cfa0e2927..b202fb324c 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -20,7 +20,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index c7e04570af..37fde622c3 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -26,7 +26,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index da950506a8..a5a7ecd307 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -22,7 +22,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 9311300a0e..5dd45e1907 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -29,7 +29,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 99070af2da..ad3459df15 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 17f9d8bbb6..3d1579dbe3 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -34,7 +34,7 @@ profile wireplumber @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system path=/midi{,server@{int}} interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 4f36a69ce3..de17df1daa 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -34,7 +34,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings - peer=(name=:*), + peer=(name=@{busname}), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index d4d224b5db..1bad0eb954 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -36,7 +36,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 0ce3ff1664..3ae95c2e96 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -24,7 +24,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 5a17c505c6..e614b517a9 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -26,7 +26,7 @@ profile deja-dup-monitor @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup + #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup dbus send bus=session path=/org/gnome/DejaDup interface=org.gtk.Actions diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 2168382e0b..1642a96be6 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/epiphany-search-provider profile epiphany-search-provider @{exec_path} { include + include + include include include include diff --git a/apparmor.d/groups/gnome/epiphany-webapp-provider b/apparmor.d/groups/gnome/epiphany-webapp-provider index c161a5a0cf..bfc8239678 100644 --- a/apparmor.d/groups/gnome/epiphany-webapp-provider +++ b/apparmor.d/groups/gnome/epiphany-webapp-provider @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/epiphany-webapp-provider profile epiphany-webapp-provider @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 232b8e9269..b697c69e52 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -21,11 +21,11 @@ profile evolution-alarm-notify @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.Calendar* - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.{ObjectManager,Properties} - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index c823403eaf..e3368c211c 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -47,7 +47,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { signal receive set=(term hup) peer=gdm, - #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus own bus=session name=com.rastersoft.ding #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index e5509a6f3c..99248bf82c 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -18,8 +18,8 @@ profile gnome-clocks @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions #aa:dbus own bus=session name=org.gnome.clocks.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index 3c25791ad8..ca739ef32b 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnome-contacts-search-provider profile gnome-contacts-search-provider @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 7ed7c711b3..892827075c 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -36,19 +36,19 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 - #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Identity label=goa-identity-service #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon - #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" + #aa:dbus talk bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.bluez label=bluetoothd #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord @@ -67,6 +67,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { member=GetManagedObjects peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index c8542443e8..ebee0ca168 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -31,7 +31,7 @@ profile gnome-control-center-goa-helper @{exec_path} { dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index bbd67c8e1d..0dd91341a1 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -27,8 +27,8 @@ profile gnome-extension-ding @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions + #aa:dbus own bus=session name=com.rastersoft.ding + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index a451c20e27..d71d43bcd3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -37,7 +37,7 @@ profile gnome-extension-gsconnect @{exec_path} { unix type=stream addr=none peer=(label=gvfsd-*, addr=none), - #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+={org.freedesktop.Application,org.gtk.{Actions,Application,Menus}} + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect #aa:dbus own bus=session name=org.mpris.MediaPlayer2.GSConnect.* diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7abef62af3..e070ae7aab 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -25,7 +25,7 @@ profile gnome-initial-setup @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.InitialSetup dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 1fdf8e4c43..309b89cd60 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -31,7 +31,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b32eb29583..1aaad5f0e8 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -105,9 +105,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs + #aa:dbus talk bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -167,7 +168,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { peer=(name=@{busname}), dbus send bus=session interface=org.gtk.Menus - member=Start + member={Start,End} peer=(name=@{busname}), # Needed as a dbus server to administrate the mpris interface diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 6914b0c8ac..79ad8d9451 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -33,7 +33,7 @@ profile gnome-software @{exec_path} { signal send set=kill peer=fbwrap, #aa:dbus own bus=session name=org.freedesktop.PackageKit - #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application + #aa:dbus own bus=session name=org.gnome.Software #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/{,**} label="@{p_packagekitd}" diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 58ef2c5381..394a66952b 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -20,7 +20,7 @@ profile gnome-terminal-server @{exec_path} { ptrace read peer=htop, ptrace read peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Terminal dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 370cbd1af9..975d4e4f69 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -19,7 +19,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + #aa:dbus own bus=session name=org.gnome.Loupe #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 495c5e8c73..0b85d7aab8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -29,11 +29,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=gnome-desktop-thumbnailers, #aa:dbus own bus=session name=org.freedesktop.FileManager1 - #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Nautilus - #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.portal.FileTransfer label=xdg-document-portal #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell @@ -64,6 +64,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=NameHasOwner peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + # Server side of abstractions/bus/session/org.freedesktop.Application dbus send bus=session interface=org.freedesktop.Application member=Open, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index bb6f99c798..e82dca7399 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -15,7 +15,7 @@ profile papers @{exec_path} flags=(attach_disconnected) { include include - #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + #aa:dbus own bus=session name=org.gnome.Papers #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 9b19a9b06e..1840728cba 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -14,7 +14,7 @@ profile ptyxis @{exec_path} { unix type=stream peer=(label=ptyxis-agent), - #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application + #aa:dbus own bus=session name=org.gnome.Ptyxis @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 1f2fc39d3e..c698db80a1 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -16,7 +16,7 @@ profile yelp @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=accessibility name=org.gnome.Yelp - #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Yelp @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index d57cf70d83..3656ad45bf 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -33,7 +33,7 @@ profile kscreenlocker_greet @{exec_path} { dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=sddm), + peer=(name=@{busname}, label=sddm), @{exec_path} mr, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 5165e3c0ca..ebb901df11 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -74,6 +74,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member=SetServersEx peer=(name=@{busname}, label=dnsmasq), + # Server side of bus/system/org.freedesktop.NetworkManager not covered by the directive + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index c566a8b0a0..22662f71f4 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -17,6 +17,7 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_resource, + unix bind type=stream addr=@@{udbus}/bus/systemd-sleep/, unix bind type=stream addr=@@{udbus}/bus/systemd-sleep/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 0da538b625..569bd96ec5 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -35,7 +35,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - unix type=stream addr=@@{udbus}/bus/udevadm/, + unix bind type=dgram addr=@@{udbus}, + unix bind type=stream addr=@@{udbus}/bus/udevadm/, + @{exec_path} mrix, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 068f9230a3..589f1d267c 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -20,6 +20,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 947a57a708..1b638f65aa 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index b7605a4831..be6a6f8da2 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -31,7 +31,7 @@ profile remmina @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.remmina.Remmina #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index bb79032cad..b867a8ff21 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,17 +17,17 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include + include include - include - include - include include include include include include + include include include + include network inet dgram, network inet6 dgram, From cd9c299f9b54bdfa53a806b7f647ef7e43a1fa42 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Nov 2025 22:09:51 +0100 Subject: [PATCH 0983/1736] feat(profile): minor flatpak improvement. --- apparmor.d/groups/flatpak/fapp | 3 +++ apparmor.d/groups/flatpak/fbwrap | 5 +++++ apparmor.d/groups/flatpak/flatpak-app | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/apparmor.d/groups/flatpak/fapp b/apparmor.d/groups/flatpak/fapp index 35080bc0e7..b673bdfcd6 100644 --- a/apparmor.d/groups/flatpak/fapp +++ b/apparmor.d/groups/flatpak/fapp @@ -17,6 +17,9 @@ profile fapp flags=(attach_disconnected,mediate_deleted) { include include + # apply_extra + /app/extra/* w, + deny @{att}/ r, deny @{att}@{run}/.userns r, diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 0fbb634284..976e4eae9d 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -18,6 +18,7 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { unix type=seqpacket peer=(label=fapp), unix type=stream peer=(label=fapp), + unix type=stream peer=(label=gnome-software), signal receive peer=gnome-software, signal receive peer=flatpak, @@ -39,6 +40,10 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { priority=1 @{lib}/** Px -> fbwrap//&fapp, priority=1 @{HOME}/.var/app/@{appid}/** Px -> fbwrap//&fapp, + /usr/share/flatpak/triggers/desktop-database.trigger Px -> flatpak-system-helper//bwrap, + /usr/share/flatpak/triggers/gtk-icon-cache.trigger Px -> flatpak-system-helper//bwrap, + /usr/share/flatpak/triggers/mime-database.trigger Px -> flatpak-system-helper//bwrap, + /app/.ref rk, /usr/.ref rk, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index ec02e479c4..8da02b1897 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -63,11 +63,15 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /etc/**/ rw, /etc/shells rw, + /app/extra/** rw, /app/.ref rk, /usr/.ref rk, /bindfile@{rand6} rw, + /var/lib/flatpak/app/{,**} r, + /var/lib/flatpak/exports/** rw, + include if exists include if exists } From f4fe6e2f8d7d597b7c48873057bb85aced207351 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Nov 2025 22:12:53 +0100 Subject: [PATCH 0984/1736] feat(abs): bus: add some bluetooth interfaces --- .../bus/system/fi.w1.wpa_supplicant1 | 4 +- apparmor.d/abstractions/bus/system/org.bluez | 50 ++++++++++--------- .../bus/system/org.bluez.AgentManager1 | 14 ++++++ .../system/org.bluez.BatteryProviderManager1 | 14 ++++++ .../bus/system/org.bluez.GattCharacteristic1 | 19 +++++++ .../bus/system/org.bluez.GattManager1 | 14 ++++++ .../abstractions/bus/system/org.bluez.Media1 | 14 ++++++ .../bus/system/org.bluez.MediaEndpoint1 | 19 +++++++ .../bus/system/org.bluez.MediaTransport1 | 14 ++++++ .../bus/system/org.bluez.ProfileManager1 | 24 +++++++++ 10 files changed, 162 insertions(+), 24 deletions(-) create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.AgentManager1 create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.BatteryProviderManager1 create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.GattCharacteristic1 create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.GattManager1 create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.Media1 create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.MediaEndpoint1 create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.MediaTransport1 create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 diff --git a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 73f2f22d6c..884577b7c9 100644 --- a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -8,7 +8,9 @@ dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties - member=Set + member={Get,GetAll} + peer=(name=@{busname}, label=wpa-supplicant), + peer=(name=@{busname}, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1 diff --git a/apparmor.d/abstractions/bus/system/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez index acaa7bb36e..a3691961a4 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez +++ b/apparmor.d/abstractions/bus/system/org.bluez @@ -4,37 +4,41 @@ abi , - #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" + # DBus.Properties: read properties from the interface - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_bluetoothd}"), + + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/bluez/hci@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_bluetoothd}"), + + dbus receive bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_bluetoothd}"), + + # DBus.ObjectManager: allow clients to enumerate sources dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), - - dbus send bus=system path=/org/bluez - interface=org.bluez.AgentManager@{int} - member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name=@{busname}, label="@{p_bluetoothd}"), - dbus send bus=system path=/org/bluez - interface=org.bluez.ProfileManager@{int} - member=RegisterProfile - peer=(name=org.bluez, label="@{p_bluetoothd}"), - - dbus send bus=system path=/org/bluez/hci@{int} - interface=org.bluez.BatteryProviderManager@{int} - member=RegisterProfile + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects peer=(name=org.bluez, label="@{p_bluetoothd}"), - dbus send bus=system path=/org/bluez/hci@{int} - interface=org.bluez.Media@{int} - member=RegisterApplication - peer=(name=org.bluez, label="@{p_bluetoothd}"), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name=@{busname}, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.bluez.AgentManager1 b/apparmor.d/abstractions/bus/system/org.bluez.AgentManager1 new file mode 100644 index 0000000000..4af4ff80ca --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.AgentManager1 @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/org/bluez + interface=org.bluez.AgentManager1 + member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} + peer=(name=org.bluez, label="@{p_bluetoothd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.BatteryProviderManager1 b/apparmor.d/abstractions/bus/system/org.bluez.BatteryProviderManager1 new file mode 100644 index 0000000000..5999c239a1 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.BatteryProviderManager1 @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.bluez.BatteryProviderManager1 + member={RegisterBatteryProvider,RegisterProfile} + peer=(name=org.bluez, label="@{p_bluetoothd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.GattCharacteristic1 b/apparmor.d/abstractions/bus/system/org.bluez.GattCharacteristic1 new file mode 100644 index 0000000000..9dc193d9a8 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.GattCharacteristic1 @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2} + interface=org.bluez.GattCharacteristic1 + member=ReadValue + peer=(name=@{busname}, label=bluetoothd), + + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}/service@{hex4}/char@{hex4} + interface=org.bluez.GattCharacteristic1 + member=ReadValue + peer=(name=@{busname}, label=bluetoothd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.GattManager1 b/apparmor.d/abstractions/bus/system/org.bluez.GattManager1 new file mode 100644 index 0000000000..8784dac366 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.GattManager1 @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.bluez.GattManager1 + member=RegisterApplication + peer=(name=@{busname}, label="@{p_bluetoothd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.Media1 b/apparmor.d/abstractions/bus/system/org.bluez.Media1 new file mode 100644 index 0000000000..c6a66ec2ab --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.Media1 @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.bluez.Media1 + member={RegisterPlayer,UnregisterPlayer,RegisterApplication} + peer=(name=org.bluez, label="@{p_bluetoothd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.MediaEndpoint1 b/apparmor.d/abstractions/bus/system/org.bluez.MediaEndpoint1 new file mode 100644 index 0000000000..b79514aab0 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.MediaEndpoint1 @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=system path=/MediaEndpoint + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label="@{p_bluetoothd}"), + + dbus receive bus=system path=/MediaEndpoint/A2DP{Sink,Source}/* + interface=org.bluez.MediaEndpoint1 + member={SetConfiguration,ClearConfiguration,Release} + peer=(name=@{busname}, label="@{p_bluetoothd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.MediaTransport1 b/apparmor.d/abstractions/bus/system/org.bluez.MediaTransport1 new file mode 100644 index 0000000000..a103afb4af --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.MediaTransport1 @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} + interface=org.bluez.MediaTransport1 + member={Acquire,Set,Release} + peer=(name=org.bluez, label="@{p_bluetoothd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 new file mode 100644 index 0000000000..d6b5a6a04a --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/org/bluez + interface=org.bluez.ProfileManager1 + member=RegisterProfile + peer=(name=org.bluez, label="@{p_bluetoothd}"), + + dbus receive bus=system path=/Profile/HFPAG + interface=org.bluez.Profile1 + member=NewConnection + peer=(name=@{busname}, label="@{p_bluetoothd}"), + + dbus receive bus=system path=/Profile/HFPAG + interface=org.bluez.Profile1 + member=RequestDisconnection + peer=(name=@{busname}, label="@{p_bluetoothd}"), + + include if exists + +# vim:syntax=apparmor From 09f141907bad16dc844932c5e0e66c3a374fee49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Nov 2025 22:15:05 +0100 Subject: [PATCH 0985/1736] feat(abs): improbe python core abs. --- apparmor.d/abstractions/python.d/complete | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index c49b49a85b..6d24e9b41a 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -6,11 +6,12 @@ @{bin}/ r, @{python_path} mr, - @{user_lib_dirs}/@{python_name}/ r, - owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, - owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr, - owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r, + @{user_lib_dirs}/@{python_name}/ r, + @{user_lib_dirs}/@{python_name}/site-packages/ r, + owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r, owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r, + owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, + owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr, #aa:only apparmor>=4.1 # Normal python run do not need to update pycache files. It is done by pycompile. From 4aa61f8a0d0cb01206539053fbd74c086d424008 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Nov 2025 22:38:10 +0100 Subject: [PATCH 0986/1736] fix: linter issues. --- apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 | 2 +- apparmor.d/groups/flatpak/fbwrap | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 index d6b5a6a04a..dabe078578 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 +++ b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 @@ -18,7 +18,7 @@ interface=org.bluez.Profile1 member=RequestDisconnection peer=(name=@{busname}, label="@{p_bluetoothd}"), - + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 976e4eae9d..3d798f0194 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -43,7 +43,7 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { /usr/share/flatpak/triggers/desktop-database.trigger Px -> flatpak-system-helper//bwrap, /usr/share/flatpak/triggers/gtk-icon-cache.trigger Px -> flatpak-system-helper//bwrap, /usr/share/flatpak/triggers/mime-database.trigger Px -> flatpak-system-helper//bwrap, - + /app/.ref rk, /usr/.ref rk, From 4bbb4d00b10a9769f4a3fc5f28fc8bdb399bff93 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Nov 2025 22:39:27 +0100 Subject: [PATCH 0987/1736] feat(profile): update snap profiles. --- apparmor.d/groups/snap/snap | 2 ++ apparmor.d/groups/snap/snap-update-ns | 3 +++ 2 files changed, 5 insertions(+) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 5fac7d0a61..9af980d1be 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -167,6 +167,8 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-mime Px, + / r, + include if exists } diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 5d08a4240d..7f73502774 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -22,12 +22,15 @@ profile snap-update-ns @{exec_path} { mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, + mount -> /var/cache/fontconfig/, mount -> /var/lib/dhcp/, umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, umount /snap/**, umount /tmp/.snap/**, + umount /usr/share/fonts/, umount /usr/share/xml/iso-codes/, + umount /var/cache/fontconfig/, umount /var/lib/dhcp/, @{exec_path} mr, From 8233c4d63a35f42ab006bf021b7173562a93f352 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Nov 2025 23:03:44 +0100 Subject: [PATCH 0988/1736] fix(abs): wpa_supplicant1 bus definition. --- .../bus/system/fi.w1.wpa_supplicant1 | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 884577b7c9..b51c2a2607 100644 --- a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -4,15 +4,27 @@ abi , - #aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant + # DBus.Properties: read properties from the interface + + dbus send bus=system path=/fi/w1/wpa_supplicant1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name=@{busname}, label=wpa-supplicant), + # wpa_supplicant1: allow clients to enumerate sources + + dbus receive bus=system path=/fi/w1/wpa_supplicant1 + interface=fi.w1.wpa_supplicant1 + member={InterfaceAdded,InterfaceRemoved} peer=(name=@{busname}, label=wpa-supplicant), + # wpa_supplicant1.interface + dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=fi.w1.wpa_supplicant1.Interface member=CreateInterface @@ -33,11 +45,6 @@ member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} peer=(name=@{busname}, label=wpa-supplicant), - dbus receive bus=system path=/fi/w1/wpa_supplicant1 - interface=fi.w1.wpa_supplicant1 - member=InterfaceRemoved - peer=(name=@{busname}, label=wpa-supplicant), - include if exists # vim:syntax=apparmor From bd6456897fcc8dd93b2534c598336d57e3ad7beb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Nov 2025 23:51:39 +0100 Subject: [PATCH 0989/1736] fix: who, deny console, add att flag --- apparmor.d/groups/utils/who | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index 6abf5b9e08..ce251ce813 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/who -profile who @{exec_path} { +profile who @{exec_path} flags=(attach_disconnected) { include include @@ -30,6 +30,7 @@ profile who @{exec_path} { deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, + deny /dev/tty@{u8} rw, include if exists } From b808fb223a99201eb670383de49646887665f417 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 12:41:17 +0100 Subject: [PATCH 0990/1736] fix(aa-log): resolve re-attached paths before other variables. --- pkg/logs/logs.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index aeeac7282d..770326297f 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -51,6 +51,10 @@ var ( `(?m)^.*/dev/(null|zero|full|log).*$`, ``, }) regResolveLogs = util.ToRegexRepl([]string{ + // Resolve re-attached paths variable + `/att/ns/[^/]+/`, `@{att}/`, + `/att/[^/]+/`, `@{att}/`, + // Resolve user variables `/home/[^/]+/.cache`, `@{user_cache_dirs}`, `/home/[^/]+/.config`, `@{user_config_dirs}`, @@ -63,7 +67,6 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/att/[^/]+/`, `@{att}/`, `/usr/bin/gnu`, `@{bin}/`, `/usr/lib/cargo/bin/coreutils/`, `@{bin}/`, `/usr/lib(32|64|exec)`, `@{lib}`, From 2346c1128b36d619afc875bbbb77d6bcc09101c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 12:48:59 +0100 Subject: [PATCH 0991/1736] feat(abs): add systemd's notification socket to the base abs. --- apparmor.d/abstractions/attached/base | 1 + apparmor.d/abstractions/base-strict | 3 +++ apparmor.d/groups/_full/sd | 1 - apparmor.d/groups/_full/systemd-user | 1 - apparmor.d/groups/bluetooth/bluetoothd | 3 +-- apparmor.d/groups/bus/dbus-system | 1 - apparmor.d/groups/cups/cupsd | 1 - apparmor.d/groups/freedesktop/boltd | 2 -- apparmor.d/groups/network/networkd-dispatcher | 2 -- apparmor.d/groups/network/nm-dispatcher | 1 - apparmor.d/groups/network/rpcbind | 1 - apparmor.d/groups/network/tailscaled | 1 - apparmor.d/groups/polkit/polkitd | 1 - apparmor.d/groups/snap/snap | 1 - apparmor.d/groups/snap/snapd | 5 ----- apparmor.d/groups/ssh/sshd | 1 - apparmor.d/groups/systemd/journalctl | 1 - apparmor.d/groups/systemd/networkctl | 1 - apparmor.d/groups/systemd/systemd-detect-virt | 1 - apparmor.d/groups/systemd/systemd-homed | 1 - apparmor.d/groups/systemd/systemd-hostnamed | 2 -- apparmor.d/groups/systemd/systemd-initctl | 1 - apparmor.d/groups/systemd/systemd-journald | 1 - apparmor.d/groups/systemd/systemd-localed | 2 -- apparmor.d/groups/systemd/systemd-logind | 1 - apparmor.d/groups/systemd/systemd-machined | 1 - apparmor.d/groups/systemd/systemd-networkd | 1 - apparmor.d/groups/systemd/systemd-oomd | 1 - apparmor.d/groups/systemd/systemd-resolved | 2 -- apparmor.d/groups/systemd/systemd-rfkill | 1 - apparmor.d/groups/systemd/systemd-timedated | 2 -- apparmor.d/groups/systemd/systemd-timesyncd | 2 -- apparmor.d/groups/systemd/systemd-udevd | 2 -- apparmor.d/groups/systemd/systemd-userdbd | 1 - apparmor.d/groups/virt/containerd | 1 - apparmor.d/groups/virt/dockerd | 2 -- apparmor.d/groups/virt/k3s | 1 - apparmor.d/groups/virt/libvirtd | 1 - apparmor.d/profiles-m-r/multipathd | 1 - apparmor.d/profiles-m-r/rsyslogd | 1 - apparmor.d/profiles-s-z/smartd | 2 -- apparmor.d/profiles-s-z/zsysd | 1 - docs/development/directives.md | 1 - 43 files changed, 5 insertions(+), 56 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 1ec3cda82b..df184b93c0 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -13,6 +13,7 @@ @{att}@{run}/systemd/journal/dev-log w, @{att}@{run}/systemd/journal/socket w, @{att}@{run}/systemd/journal/stdout rw, + @{att}@{run}/systemd/notify w, @{att}/dev/null rw, diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index cfe87a0405..92440051ac 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -97,6 +97,9 @@ # Transparent hugepage support @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + # Systemd's notification write only socket + @{run}/systemd/notify w, + # Systemd's equivalent of /dev/log @{run}/systemd/journal/dev-log w, diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index ab2eb488c5..280f753490 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -177,7 +177,6 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{att}@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{att}@{run}/systemd/io.systemd.ManagedOOM rw, - @{att}@{run}/systemd/notify rw, @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Home rw, @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index af3011e83e..9aad6f85bf 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -63,7 +63,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, - @{run}/systemd/notify w, @{run}/systemd/oom/io.systemd.ManagedOOM rw, @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index e7e3496a07..67f7a18558 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -34,8 +34,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { /var/lib/bluetooth/{,**} rw, - @{run}/sdp rw, - owner @{run}/systemd/notify w, + @{run}/sdp rw, @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 0ede85b4f2..d401dea894 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -75,7 +75,6 @@ profile dbus-system flags=(attach_disconnected) { @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, - @{run}/systemd/notify w, @{run}/systemd/users/@{int} r, @{sys}/kernel/security/apparmor/.access rw, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 7b38b17d12..38ee41c522 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -92,7 +92,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { /var/spool/cups/{,**} rw, @{run}/cups/{,**} rw, - @{run}/systemd/notify w, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index d4e48d4d05..b1737a1808 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -25,8 +25,6 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, - @{att}@{run}/systemd/notify w, - @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{sys}/bus/ r, diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 8b4d53b1ce..24d746f014 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -33,8 +33,6 @@ profile networkd-dispatcher @{exec_path} { /var/spool/postfix/pid/master.pid r, - @{run}/systemd/notify rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 029a5e39a0..2efec02e68 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -77,7 +77,6 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{run}/chrony-dhcp/ rw, @{run}/ntp.conf.dhcp rw, @{run}/systemd/netif/leases/ r, - @{run}/systemd/notify rw, @{run}/tlp/{,*} rw, owner @{run}/ntp.conf.dhcp.@{rand6} rw, diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index c1f15e2a59..39d33aa323 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -29,7 +29,6 @@ profile rpcbind @{exec_path} flags=(complain) { @{run}/rpcbind.lock rwkl, @{run}/rpcbind.sock rw, @{run}/rpcbind/*.xdr rwkl, - @{run}/systemd/notify w, include if exists } diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 8162dff1e3..4f3a5a532d 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -53,7 +53,6 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/tailscale/{,**} rw, - owner @{run}/systemd/notify w, owner @{run}/tailscale/{,**} rw, @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index eea86d61e5..5a888a28f2 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -57,7 +57,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, - @{att}@{run}/systemd/notify w, @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Home rw, @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 9af980d1be..40a6763e3e 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -194,7 +194,6 @@ profile snap @{exec_path} flags=(attach_disconnected) { network unix stream, network (send receive) netlink raw, - @{run}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/private rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index a224850387..cc80146803 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -157,7 +157,6 @@ profile snapd @{exec_path} { @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, - @{run}/systemd/notify rw, @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, @@ -199,8 +198,6 @@ profile snapd @{exec_path} { /etc/systemd/user/**/*snap* rw, /etc/systemd/user/*snap* rw, - @{run}/systemd/notify rw, - include if exists } @@ -223,8 +220,6 @@ profile snapd @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, - @{run}/systemd/notify w, - include if exists } diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2476a4c5a1..0a5625bcf8 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -113,7 +113,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, - @{run}/systemd/notify w, owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index c852b37566..55ca7bd212 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -55,7 +55,6 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, - @{run}/systemd/notify rw, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index b5a8f92fb7..6dceb62e47 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -57,7 +57,6 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, - @{run}/systemd/notify w, @{run}/udev/data/n@{int} r, # For network interfaces diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b49c20fcb..8a7993ab25 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -21,7 +21,6 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, @{run}/systemd/container r, - @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index c4d4800b2b..3de283459c 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -74,7 +74,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/home/{,**} rw, @{run}/systemd/userdb/io.systemd.home r, @{run}/systemd/user-home-mount/{,**} rw, - @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index e4298f97ba..7275b6dfcb 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -32,8 +32,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/machine-info rw, /etc/os-release r, - @{att}@{run}/systemd/notify rw, - @{run}/systemd/default-hostname rw, @{run}/udev/data/+dmi:* r, # for motherboard info diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl index 05f32a7f66..035d3d6df4 100644 --- a/apparmor.d/groups/systemd/systemd-initctl +++ b/apparmor.d/groups/systemd/systemd-initctl @@ -19,7 +19,6 @@ profile systemd-initctl @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{run}/initctl rw, - @{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 3b9a3421fb..c18e8a9515 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -41,7 +41,6 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted /{run,var}/log/journal/@{hex32}/* rwl -> /{run,var}/log/journal/@{hex32}/#@{int}, owner @{run}/systemd/journal/{,**} rw, - owner @{run}/systemd/notify rw, @{run}/host/container-manager r, @{run}/utmp rk, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index d08becd378..b8eff4b42f 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -53,8 +53,6 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, /etc/X11/xorg.conf.d/*.conf rw, - @{att}@{run}/systemd/notify rw, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 2ce9dae6f1..e65ef6c930 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -89,7 +89,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{att}@{run}/systemd/notify w, @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 4d8919cb04..dc999bf428 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -61,7 +61,6 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/systemd/machine/{,**} rwl, @{run}/systemd/machines/{,**} rwl, - @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index d1d51ad0ff..56fcd67b63 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -61,7 +61,6 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, - @{att}@{run}/systemd/notify rw, @{run}/mount/utab r, @{run}/systemd/network/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 61d7112452..0d8b68be29 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -24,7 +24,6 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, - @{att}@{run}/systemd/notify w, @{att}@{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/io.system.ManagedOOM rw, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 1f46a185a9..3fb02d674d 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -36,8 +36,6 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, - @{att}@{run}/systemd/notify w, - @{run}/systemd/netif/links/* r, @{run}/systemd/resolve/{,**} rw, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 34e7255abb..4abc5f0c27 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -22,7 +22,6 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/rfkill/* rw, - @{run}/systemd/notify rw, @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index acff30eca5..76a09c3dd9 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -32,8 +32,6 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, - @{att}@{run}/systemd/notify rw, - /dev/rtc@{int} r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 55a76f63a2..07240f32bf 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -34,8 +34,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, - @{att}@{run}/systemd/notify rw, - @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, @{run}/systemd/timesyncd.conf.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 569bd96ec5..e8cc196798 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -105,11 +105,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/modprobe.d/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, - @{run}/systemd/notify rw, @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, - @{att}@{run}/systemd/notify w, @{att}@{run}/udev/control rw, @{run}/udev/ rw, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index dcee5f38a4..220376ba5d 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -31,7 +31,6 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/machine-id r, /etc/userdb/{,**} r, - @{att}@{run}/systemd/notify w, @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Home rw, @{att}@{run}/systemd/userdb/io.systemd.Machine rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 95d332a45b..43a7a8127f 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -85,7 +85,6 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/netns/cni-@{uuid} rw, @{run}/nri/ w, @{run}/nri/nri.sock rw, - @{run}/systemd/notify w, /tmp/cri-containerd.apparmor.d@{int} rwl, /tmp/ctd-volume@{int}/{,**} rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c64682cd86..84d86bbece 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -98,8 +98,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { /tmp/build/ w, /tmp/containerd-mount@{int}/{,**} rw, - @{run}/systemd/notify rw, - @{run}/containerd/containerd.sock rw, owner @{run}/docker.pid rw, owner @{run}/docker/ rw, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 59c4b94733..f0c9f4546c 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -90,7 +90,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.kube/** rw, @{run}/containerd/containerd.sock rw, - @{run}/systemd/notify w, @{run}/systemd/private rw, @{run}/systemd/resolve/resolv.conf r, @{run}/nodeagent/ rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 589f1d267c..c3fdac73dc 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -181,7 +181,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @{run}/lock/LCK.._pts_@{int} rw, - @{run}/systemd/notify w, @{run}/utmp rk, @{run}/udev/data/+*:* r, # Identifies all subsystems diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index 44fe5a3b81..ed67e424fe 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -31,7 +31,6 @@ profile multipathd @{exec_path} { /etc/systemd/system/ r, @{run}/multipathd.pid rwk, - @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index c5e5ac051d..22d5b679ce 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -37,7 +37,6 @@ profile rsyslogd @{exec_path} { /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, - @{run}/systemd/notify rw, owner @{run}/rsyslogd.pid{,.tmp} rwk, owner @{run}/systemd/journal/syslog w, diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index 60a77a782d..da181ae696 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -39,8 +39,6 @@ profile smartd @{exec_path} { /var/lib/smartmontools/smartd.*.state{,~} rw, /var/lib/smartmontools/attrlog.*.csv rw, - @{run}/systemd/notify rw, - @{sys}/class/scsi_host/ r, @{PROC}/devices r, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 97a307b144..76fcdd0a1b 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -27,7 +27,6 @@ profile zsysd @{exec_path} flags=(complain) { /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - @{run}/systemd/notify rw, @{run}/unattended-upgrades.pid r, @{run}/zsys-snapshot.unattended-upgrades rw, @{run}/zsysd.sock rw, diff --git a/docs/development/directives.md b/docs/development/directives.md index 841bc66088..53e3bbc7a9 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md @@ -146,7 +146,6 @@ The `exec` directive is useful to allow executing transitions to a profile witho /etc/systemd/oomd.conf.d/{,**} r, @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, - @{run}/systemd/notify rw, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.pressure r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r, From 8c2fce103bdf8d8d07eb29120b70c91a9df5d2e1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 12:50:39 +0100 Subject: [PATCH 0992/1736] feat(profile): chromium: update socket paths. --- apparmor.d/abstractions/common/chromium | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index f1eac939dc..16a23f7312 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -38,6 +38,9 @@ owner @{tmp}/.@{domain}.@{rand6}/*.@{image_ext} rw, owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, + owner @{tmp}/.@{domain}.scoped_dir.@{rand6}/ rw, + owner @{tmp}/.@{domain}.scoped_dir.@{rand6}/SingletonCookie rw, + owner @{tmp}/.@{domain}.scoped_dir.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, From c600d1d7706f3db7dc98a4d437a5325f8724c3aa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 12:52:45 +0100 Subject: [PATCH 0993/1736] feat(abs): avoid unsing transition for link in abs. We have a limited number of named transitions by profile (12). We keep them transition to other profiles. --- apparmor.d/abstractions/common/gnome | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 8f6791bf18..7ae0f2e37b 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -13,13 +13,13 @@ /usr/share/@{profile_name}/{,**} r, owner @{user_cache_dirs}/@{profile_name}/ rw, - owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**, + owner @{user_cache_dirs}/@{profile_name}/** rwlk, owner @{user_config_dirs}/@{profile_name}/ rw, - owner @{user_config_dirs}/@{profile_name}/** rwlk -> @{user_config_dirs}/@{profile_name}/**, + owner @{user_config_dirs}/@{profile_name}/** rwlk, owner @{user_share_dirs}/@{profile_name}/ rw, - owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**, + owner @{user_share_dirs}/@{profile_name}/** rwlk, owner @{user_state_dirs}/@{profile_name}/ rw, owner @{user_state_dirs}/@{profile_name}/** rwlk, From efdcc86968e7a8342fbd03ea7f62697a6bbd93f7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 13:00:56 +0100 Subject: [PATCH 0994/1736] feta(abs): small improvement on core abs. --- apparmor.d/abstractions/audio-client | 2 ++ apparmor.d/abstractions/dri | 2 ++ apparmor.d/abstractions/gnome-base | 2 ++ apparmor.d/abstractions/gstreamer | 9 ++------- apparmor.d/abstractions/input | 4 ++++ apparmor.d/abstractions/kde-base | 2 +- apparmor.d/abstractions/wine | 1 + apparmor.d/groups/gnome/gnome-extension-ding | 1 - apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/profiles-g-l/gimp | 1 - apparmor.d/profiles-g-l/libreoffice | 1 - apparmor.d/profiles-m-r/remmina | 1 - apparmor.d/profiles-s-z/spice-vdagent | 1 - apparmor.d/profiles-s-z/totem | 1 - apparmor.d/profiles-s-z/virt-manager | 1 - 16 files changed, 14 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index f11aa5d7d8..d4961b2958 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -7,6 +7,8 @@ abi , + include + /usr/share/alsa/{,**} r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index 1232e85303..a367d1ad14 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -31,6 +31,8 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/@{pci}/drm/card@{int}/*/status r, + # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index 26072ec50d..28e4d0e7ee 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -18,8 +18,10 @@ / r, + # Allow GNOME Shell session state database owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + # Allow reading CPU limits from cgroup hierarchy for resource monitoring @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index eb3c3c66f4..7dc54fc768 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -16,16 +16,11 @@ /etc/openni2/OpenNI.ini r, - # The orcexec.* file is JIT compiled code for various GStreamer elements. - # If one is blocked the next is used instead. - # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. - deny owner @{HOME}/orcexec.@{rand6} rw, - owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - owner @{tmp}/orcexec.@{rand6} mrw, - @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, + @{sys}/bus/media/devices/ r, @{sys}/class/video4linux/ r, @{sys}/devices/**/video4linux/video@{int}/ r, diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input index e2b7f30f68..de141e099b 100644 --- a/apparmor.d/abstractions/input +++ b/apparmor.d/abstractions/input @@ -7,6 +7,8 @@ abi , + @{sys}/class/input/ r, + # Allow reading for supported event reports for all input devices. See # https://www.kernel.org/doc/Documentation/input/event-codes.txt @{sys}/devices/**/input@{int}/capabilities/* r, @@ -18,6 +20,8 @@ @{sys}/devices/**/input@{int}/{,**/}properties r, @{sys}/devices/**/input@{int}/{,**/}uevent r, @{sys}/devices/virtual/input/mice/uevent r, + @{sys}/devices/**/input@{int}/id/product r, + @{sys}/devices/**/input@{int}/id/vendor r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/abstractions/kde-base b/apparmor.d/abstractions/kde-base index 2962bd2993..9247e8647c 100644 --- a/apparmor.d/abstractions/kde-base +++ b/apparmor.d/abstractions/kde-base @@ -32,7 +32,7 @@ owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_* rwlk, + owner @{user_config_dirs}/session/* rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 99b6ddbd58..5c5bb26b90 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -12,6 +12,7 @@ owner @{tmp}/.wine-@{uid}/ rw, owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/ rw, owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/lock rwk, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/socket rw, owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/tmpmap-@{hex8} m, owner @{tmp}/protonfixes_test.log w, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 0dd91341a1..782173eded 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -17,7 +17,6 @@ profile gnome-extension-ding @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index d71d43bcd3..359744283c 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -18,7 +18,6 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1aaad5f0e8..250071207e 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -16,7 +16,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 2caf4950f6..25a1287447 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,7 +11,6 @@ profile gimp @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 9ebacbea6b..46cf006049 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -13,7 +13,6 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index be6a6f8da2..729032ba0c 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -13,7 +13,6 @@ profile remmina @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index dc02419cbe..bdfbdd901d 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -12,7 +12,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index ce82c6564b..92e174a222 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -11,7 +11,6 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index c91994848c..4f669ea751 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -13,7 +13,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include From 3bd5a40e366ab131e98457711f056fd7c0b92393 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 13:02:01 +0100 Subject: [PATCH 0995/1736] feat(fsp): improve systemd profiles. --- apparmor.d/groups/_full/sd | 11 ++++++----- apparmor.d/groups/_full/systemd-user | 1 + 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 280f753490..f35f1e2853 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -96,10 +96,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { mqueue (read getattr) type=posix /, - signal peer=*//&sd, - signal peer=sd//&*, - signal receive peer=@{p_systemd}, - signal send, + signal (send, receive) ptrace read, @@ -167,15 +164,17 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/cache/*/ rw, /var/cache/*/** rwk, /var/lib/*/ rw, - /var/lib/*/** rwk, + /var/lib/*/** rwlk, /var/lib/systemd/*/ r, /var/log/ r, /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, + /var/spool/cron/atjobs/ r, @{att}@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, @{att}@{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}@{run}/systemd/coredump rw, @{att}@{run}/systemd/io.systemd.ManagedOOM rw, @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Home rw, @@ -186,6 +185,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{run}/*/ rw, @{run}/*/* rw, @{run}/*/*/ rw, + @{run}/ubuntu-advantage/** rw, # stacked @{run}/systemd/{,**} rw, owner @{run}/*/** rw, @@ -231,6 +231,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{PROC}/sys/kernel/random/write_wakeup_threshold w, @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sysvipc/* r, + @{PROC}/version r, @{PROC}/version_signature r, /dev/** rwk, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 9aad6f85bf..1164c05889 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -86,6 +86,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/comm r, @{PROC}/@{pid}/stat r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, From 822c8b341b21f4f36ebdfa3e44319973e30ced76 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 13:10:32 +0100 Subject: [PATCH 0996/1736] feat(profile): update flags for some profiles attach_disconnected tend to be required by most setup noadays. --- apparmor.d/groups/apparmor/aa-log | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 +- apparmor.d/groups/gnome/epiphany-search-provider | 2 +- apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-characters | 2 +- apparmor.d/groups/gnome/gnome-clocks | 2 +- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/goa-daemon | 2 +- apparmor.d/groups/gnome/gsd-usb-protection | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/systemd/systemd-analyze | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-m-r/mdadm-mkconf | 2 +- dists/flags/main.flags | 8 +------- 16 files changed, 16 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index aed8e3163b..d8eaf5391c 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/aa-log -profile aa-log @{exec_path} { +profile aa-log @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 0d9c72312f..617ef9aa73 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/aa-notify -profile aa-notify @{exec_path} { +profile aa-notify @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 3d1579dbe3..21a655ac2c 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/wireplumber -profile wireplumber @{exec_path} { +profile wireplumber @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 1642a96be6..fe519d6d20 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/epiphany-search-provider -profile epiphany-search-provider @{exec_path} { +profile epiphany-search-provider @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 9c510d0382..f7bc417863 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-calendar -profile gnome-calendar @{exec_path} { +profile gnome-calendar @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index a26f5919c9..aec780522e 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-characters /usr/share/org.gnome.Characters/org.gnome.Characters -profile gnome-characters @{exec_path} { +profile gnome-characters @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 99248bf82c..07598d9dd2 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-clocks -profile gnome-clocks @{exec_path} { +profile gnome-clocks @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 359744283c..06b50d8ea3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -10,7 +10,7 @@ include @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io @{exec_path} = @{share_dirs}/service/daemon.js @{share_dirs}/gsconnect-preferences -profile gnome-extension-gsconnect @{exec_path} { +profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 79ad8d9451..0a42f0ecd4 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-software -profile gnome-software @{exec_path} { +profile gnome-software @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 5aec1c3a72..c262f7cb02 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/goa-daemon -profile goa-daemon @{exec_path} { +profile goa-daemon @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 5044ef9cb8..5b23bf61a0 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gsd-usb-protection -profile gsd-usb-protection @{exec_path} { +profile gsd-usb-protection @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index cf37bfd8f0..e78c1944c5 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gsd-xsettings -profile gsd-xsettings @{exec_path} { +profile gsd-xsettings @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 087bebb9f9..787ccaa763 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/systemd-analyze -profile systemd-analyze @{exec_path} { +profile systemd-analyze @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 3dd695a0f6..4bb26a244e 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/{,fwupd/}fwupd -profile fwupd @{exec_path} flags=(attach_disconnected,complain) { +profile fwupd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index 1201389052..aad3d63b79 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/mdadm/mkconf -profile mdadm-mkconf @{exec_path} { +profile mdadm-mkconf @{exec_path} flags=(attach_disconnected) { include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 8a79f720c8..35e89412b7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -96,7 +96,6 @@ drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain ephy-profile-migrator complain epiphany attach_disconnected,complain -epiphany-search-provider complain epiphany-webapp-provider complain evolution-user-prompter complain fail2ban-client attach_disconnected,complain @@ -110,7 +109,6 @@ firewall-applet attach_disconnected,complain firewall-config complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain -flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain flatpak-session-helper attach_disconnected,mediate_deleted,complain flatpak-session-helper-app complain @@ -127,7 +125,7 @@ gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-extension-gsconnect complain +gnome-extension-gsconnect attach_disconnected,complain gnome-extension-manager complain gnome-initial-setup complain gnome-remote-desktop-daemon complain @@ -196,7 +194,6 @@ kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain -keyboxd complain kglobalacceld complain kinit complain kio_http_cache_cleaner complain @@ -319,7 +316,6 @@ swtpm_localca complain swtpm_setup complain sysstat-sa complain sysstat-sadc complain -systemd-analyze complain systemd-ask-password complain systemd-binfmt attach_disconnected,complain systemd-cgls complain @@ -362,8 +358,6 @@ systemd-initctl attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator attach_disconnected,complain -systemd-nsresourced attach_disconnected,complain -systemd-nsresourcework complain systemd-portabled complain systemd-shutdown complain systemd-sleep-tlp complain From b56e7e6b3febcc5075f2d4f772e5ba797a4ab570 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 13:28:45 +0100 Subject: [PATCH 0997/1736] feat(profile): general profile update. --- apparmor.d/groups/bluetooth/blueman | 1 + apparmor.d/groups/bluetooth/bluetoothd | 1 + apparmor.d/groups/bluetooth/obexd | 3 +-- apparmor.d/groups/browsers/ephy-profile-migrator | 2 ++ apparmor.d/groups/browsers/firefox-crashhelper | 2 ++ apparmor.d/groups/browsers/firefox-crashreporter | 12 +++++++++--- apparmor.d/groups/browsers/firefox-glxtest | 4 ++++ apparmor.d/groups/browsers/firefox-vaapitest | 2 ++ apparmor.d/groups/bus/ibus-x11 | 1 + apparmor.d/groups/firewall/firewall-applet | 1 + apparmor.d/groups/firewall/ufw | 4 +++- apparmor.d/groups/firewall/ufw-init | 1 + apparmor.d/groups/flatpak/flatpak-system-helper | 2 ++ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 ++ apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 9 +++++++++ apparmor.d/groups/freedesktop/xwayland | 1 + apparmor.d/groups/gnome/gcr-ssh-agent | 2 ++ apparmor.d/groups/gnome/gjs | 7 ++++++- apparmor.d/groups/gnome/gnome-contacts | 1 + apparmor.d/groups/gnome/gnome-control-center | 5 +++-- apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 4 +++- apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 2 ++ apparmor.d/groups/gnome/gnome-session-service | 3 +++ apparmor.d/groups/gnome/gnome-shell | 3 +++ apparmor.d/groups/gnome/gnome-software | 7 +++++-- apparmor.d/groups/gnome/gnome-system-monitor | 4 ++-- apparmor.d/groups/gnome/gsd-xsettings | 4 +--- apparmor.d/groups/gnome/localsearch | 3 ++- apparmor.d/groups/gnome/mutter-x11-frames | 1 + apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/gnome/seahorse | 1 + apparmor.d/groups/gpg/gpg | 1 + apparmor.d/groups/gpg/gpgconf | 2 +- apparmor.d/groups/gpg/keyboxd | 2 +- apparmor.d/groups/kde/plasmashell | 5 +++-- apparmor.d/groups/network/mullvad-gui | 1 + apparmor.d/groups/systemd/systemd-homed | 1 + apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-timesyncd | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/apport | 3 ++- apparmor.d/groups/ubuntu/check-new-release-gtk | 1 + apparmor.d/groups/utils/blkid | 2 ++ apparmor.d/groups/virt/cockpit-tls | 3 ++- apparmor.d/groups/virt/libvirtd | 3 +++ apparmor.d/profiles-a-f/auditctl | 4 ++++ apparmor.d/profiles-a-f/btop | 1 + apparmor.d/profiles-a-f/dino | 2 +- apparmor.d/profiles-a-f/dmsetup | 4 ++++ apparmor.d/profiles-a-f/dracut-install | 2 +- apparmor.d/profiles-a-f/file-roller | 2 ++ apparmor.d/profiles-a-f/foliate | 3 ++- apparmor.d/profiles-a-f/fractal | 1 + apparmor.d/profiles-g-l/git | 10 +++++++++- apparmor.d/profiles-g-l/gpartedbin | 2 +- apparmor.d/profiles-g-l/kernel-postinst-kdump | 1 + apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-g-l/lsb-release | 1 + apparmor.d/profiles-m-r/initramfs-hooks | 3 ++- apparmor.d/profiles-m-r/mpris-proxy | 1 + apparmor.d/profiles-m-r/protonmail-bridge-core | 1 + apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/totem | 3 +-- apparmor.d/tunables/home.d/apparmor.d | 5 +++-- apparmor.d/tunables/multiarch.d/extensions | 1 + apparmor.d/tunables/multiarch.d/profiles | 2 +- apparmor.d/tunables/xdg-user-dirs.d/apparmor.d | 5 +++++ 69 files changed, 147 insertions(+), 39 deletions(-) diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 00047fc340..91549cf892 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,6 +11,7 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 67f7a18558..2cd032bc67 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -43,6 +43,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/rfkill/**/name r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/misc/uhid/**/uevent r, + @{sys}/devices/virtual/vc/*/uevent r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index d2545e4c00..ef3d5b20a4 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -13,6 +13,7 @@ profile obexd @{exec_path} { include include include + include include network bluetooth stream, @@ -35,8 +36,6 @@ profile obexd @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/obexd/{,**} rw, - owner @{HOME}/bluetooth/* rw, - @{run}/systemd/users/@{uid} r, include if exists diff --git a/apparmor.d/groups/browsers/ephy-profile-migrator b/apparmor.d/groups/browsers/ephy-profile-migrator index e6f8902dd0..6fb172504b 100644 --- a/apparmor.d/groups/browsers/ephy-profile-migrator +++ b/apparmor.d/groups/browsers/ephy-profile-migrator @@ -18,6 +18,8 @@ profile ephy-profile-migrator @{exec_path} { owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/.migrated{,.@{rand6}} rw, + owner @{user_share_dirs}/xdg-desktop-portal/{,**/} rw, + include if exists } diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 8ffdccb677..22087c5666 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -15,6 +15,8 @@ include profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include + unix type=seqpacket peer=(label=firefox-crashreporter), + unix type=seqpacket peer=(label=firefox-glxtest), unix type=seqpacket peer=(label=firefox), @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 8feccaa938..a6306752f1 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -20,22 +20,25 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(term, kill) peer=firefox, - network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + unix type=seqpacket peer=(label=firefox), + unix type=seqpacket peer=(label=firefox-crashhelper), + + signal receive peer=firefox, + @{exec_path} mrix, @{bin}/curl rix, @{bin}/mv rix, + @{firefox_path} rPx, @{lib_dirs}/minidump-analyzer rPx, - owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, @@ -44,6 +47,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/firefox/*.*/prefs.js r, owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, + owner @{config_dirs}/firefox/Crash?Reports/{,**} rw, + owner @{config_dirs}/firefox/Pending?Pings/@{uuid}.json w, owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -51,6 +56,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, owner @{tmp}/@{hex}.{dmp,extra} rw, + owner @{tmp}/crashreporter@{int}-request@{int}.json w, owner @{tmp}/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index f9470a59b1..89ef3a946f 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -14,11 +14,15 @@ include @{exec_path} = @{lib_dirs}/glxtest profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include + include include include include include + unix type=seqpacket peer=(label=firefox), + unix type=seqpacket peer=(label=firefox-crashhelper), + @{exec_path} mr, / r, diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 36069d36fa..390d0fa247 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -18,6 +18,8 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { network netlink raw, + unix type=seqpacket peer=(label=firefox), + @{exec_path} mr, owner @{tmp}/@{name}/.parentlock rw, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 37fde622c3..a26273760d 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index bd144b7e28..52302b7382 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/firewall-applet profile firewall-applet @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index 39517ee6c8..4397495c21 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -39,6 +39,8 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, + /usr/share/ufw/{,**} r, + /etc/default/ufw rw, /etc/ufw/ rw, /etc/ufw/** rwk, @@ -54,7 +56,7 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/ip_tables_names r, @{PROC}/@{pid}/stat r, - @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/net/ipv{4,6}/** r, @{PROC}/sys/kernel/modprobe r, profile kmod flags=(attach_disconnected) { diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index fcb9d8b6c0..868917a049 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/ufw/ufw-init profile ufw-init @{exec_path} { include + include include capability dac_override, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index f20ee6ce56..2735b81c73 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -34,6 +34,8 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de unix type=seqpacket peer=(label=dbus-system), unix type=seqpacket peer=(label=flatpak), unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=gnome-software), + unix type=seqpacket peer=(label=gnome-software//fusermount), unix type=seqpacket peer=(label=unconfined), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index fc13c777ff..3965ac0622 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -32,6 +32,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { owner @{att}@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, + owner @{att}@{run}/user/@{uid}/at-spi/bus rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5d98c4e456..2fba1dca33 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -31,6 +31,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, network netlink raw, + network inet dgram, + network inet6 dgram, ptrace read, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index de17df1daa..12e1ac3867 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -32,6 +32,15 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Inhibit + member=CreateMonitor + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Inhibit + member=StateChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=@{busname}), diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index a8950dbc6a..4f9fa42d61 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gcr-ssh-agent b/apparmor.d/groups/gnome/gcr-ssh-agent index 24e94d9cbe..e09c598b5c 100644 --- a/apparmor.d/groups/gnome/gcr-ssh-agent +++ b/apparmor.d/groups/gnome/gcr-ssh-agent @@ -17,6 +17,8 @@ profile gcr-ssh-agent @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{run}/user/@{uid}/gcr/.ssh rw, + owner @{run}/user/@{uid}/gcr/ssh rw, owner @{run}/user/@{uid}/ssh-askpass.@{rand6}/{,*} rw, include if exists diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index e3368c211c..a8f981e695 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -129,9 +129,11 @@ profile gjs @{exec_path} flags=(attach_disconnected) { profile gstreamer { include + include include include - include + include + include include include include @@ -156,6 +158,9 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, + @{PROC}/devices r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index fe606fb10c..db805884e5 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gnome-contacts profile gnome-contacts @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 892827075c..973192451d 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -99,7 +99,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, - /snap/*/@{int}/**.png r, + /snap/*/@{int}/**.@{icon_ext} r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, @@ -145,7 +145,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, - owner @{user_games_dirs}/**.png r, + @{system_games_dirs}/**.@{icon_ext} r, + owner @{user_games_dirs}/**.@{icon_ext} r, owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gnome-remote-desktop/ w, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 6d8d91ec73..bdddf43fef 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -11,6 +11,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { include include include + include capability dac_override, @@ -18,7 +19,6 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { @{bin}/*-thumbnailer rix, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> gnome-desktop-thumbnailers//&glycin//loaders, - /usr/share/ladspa/rdf/{,**} r, /usr/share/poppler/{,**} r, owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, @@ -28,6 +28,8 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 06b50d8ea3..2ef7bc3d17 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -77,6 +77,7 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{run}/user/@{uid}/app/*/.org.chromium.Chromium.@{rand6} r, owner @{run}/user/@{uid}/gsconnect/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/keyring/ssh rw, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 309b89cd60..1d3519af78 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -22,6 +22,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { signal send set=(term) peer=ssh-agent, unix type=stream peer=(label=snap.*), + unix type=stream peer=(label=fapp), + unix type=stream peer=(label=fbwrap), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 81131afbe6..d303e9a412 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -79,6 +79,9 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { @{sh_path} mr, @{bin}/im-launch Px, + @{bin}/input-remapper-control PUx, + + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 250071207e..2a9f3aec64 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -262,6 +262,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, + /var/lib/swcatalog/icons/{,**} r, owner @{att}/ r, owner @{att}/.flatpak-info r, @@ -300,6 +301,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, + @{system_games_dirs}/**.@{image_ext} r, owner @{user_games_dirs}/**.@{image_ext} r, owner @{user_music_dirs}/**.@{image_ext} r, @@ -343,6 +345,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, + owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 0a42f0ecd4..010d3be8ee 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -110,6 +110,8 @@ profile gnome-software @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl, + owner @{user_share_dirs}/gvfs-metadata/* r, + owner @{tmp}/#@{int} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, @@ -141,8 +143,6 @@ profile gnome-software @{exec_path} flags=(attach_disconnected) { /dev/fuse rw, - deny owner @{user_share_dirs}/gvfs-metadata/* r, - profile gpg { include @@ -179,6 +179,9 @@ profile gnome-software @{exec_path} flags=(attach_disconnected) { capability setuid, + unix (send receive) type=stream peer=(label=gnome-software), + unix (send receive) type=seqpacket peer=(label=flatpak-system-helper), + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 93ad3960dc..6c88c9fb71 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -39,6 +39,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { / r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, owner @{run}/user/@{uid}/doc/ rw, @@ -78,8 +80,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/diskstats r, @{PROC}/vmstat r, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - /dev/tty rw, profile pkexec { diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index e78c1944c5..88c5beed30 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -15,7 +15,7 @@ profile gsd-xsettings @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -65,8 +65,6 @@ profile gsd-xsettings @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/* rix, - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, - @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index a010133009..60d64fdced 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -61,7 +61,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{gdm_cache_dirs}/tracker3/{,**} rwk, owner @{gdm_config_dirs}/user-dirs.dirs r, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/systemd/notify w, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index ffe1d2661f..a0768f437a 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index e82dca7399..a895653de6 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -10,6 +10,7 @@ include profile papers @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 3c303760e5..7583243c05 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 6ce9c3eab8..a255a3cd4f 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -27,6 +27,7 @@ profile gpg @{exec_path} { @{bin}/gpgconf rPx, @{bin}/gpgsm rPx, @{lib}/{,gnupg/}scdaemon rPx, + @{lib}/{,gnupg/}keyboxd rPx, /usr/share/terminfo/** r, /usr/share/keyrings/** rw, #aa:only apt diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index d7f8cb353d..23cd07845a 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf @@ -24,7 +24,7 @@ profile gpgconf @{exec_path} { @{bin}/gpgsm rPx, @{bin}/pinentry{,-*} rPx, @{bin}/scdaemon rPx, - @{lib}/{,gnupg/}keyboxd rPUx, + @{lib}/{,gnupg/}keyboxd rPx, @{lib}/{,gnupg/}scdaemon rPx, @{lib}/{,gnupg/}tpm2daemon rPUx, diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd index 51ec8b134f..b5d224d85f 100644 --- a/apparmor.d/groups/gpg/keyboxd +++ b/apparmor.d/groups/gpg/keyboxd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/gnupg/keyboxd +@{exec_path} = @{lib}/{,gnupg/}keyboxd profile keyboxd @{exec_path} { include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index b5d5f47001..c3fbc3d7f0 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -108,14 +108,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /var/lib/AccountsService/icons/* r, @{MOUNTS}/ r, + @{system_games_dirs}/**.@{icon_ext} r, @{HOME}/ r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{icon_ext} r, + owner @{user_music_dirs}/**.@{icon_ext} r, owner @{user_pictures_dirs}/{,**} r, owner @{user_templates_dirs}/ r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index b167d59235..5b5f2e91d0 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,6 +15,7 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include + include include network inet stream, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 3de283459c..b96f2ae281 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -45,6 +45,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { ptrace read peer=systemd-homed//&systemd-homework, + unix bind type=dgram addr=@@{udbus}, unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 22662f71f4..0400b18472 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -34,6 +34,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf r, /etc/systemd/sleep.conf.d/{,*} r, + @{run}/systemd/private rw, + @{sys}/power/state rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 07240f32bf..b0af937616 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -36,6 +36,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, + @{run}/systemd/resolve/io.systemd.Resolve rw, @{run}/systemd/timesyncd.conf.d/{,**} r, owner @{run}/systemd/timesync/synchronized rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index e8cc196798..14695e187f 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -56,6 +56,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{sbin}/kpartx rix, @{bin}/ddcutil rPx, + @{bin}/input-remapper-control rPUx, @{bin}/kmod rCx -> kmod, @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, @{bin}/snap rPx, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 010f9139c9..8c5c1a4337 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -47,7 +47,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/triggers/* r, /var/lib/dpkg/updates/ r, - /var/lib/systemd/coredump/*.zst r, + /var/lib/apport/coredump/{,**} r, + /var/lib/systemd/coredump/{,**} r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index f5c4e0ab5f..792bab11f4 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,6 +10,7 @@ include profile check-new-release-gtk @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 4105a7419a..58a4fec85d 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -28,6 +28,8 @@ profile blkid @{exec_path} flags=(attach_disconnected) { # Image files @{user_img_dirs}/{,**} r, + /var/tmp/mkinitramfs_@{rand6}/cryptroot/crypttab w, # file_inherit + # The standard location of the cache file # Without owner here if this tool should be used as a regular user @{run}/blkid/ rw, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 45aa0fabf3..cee0715017 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,8 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, - @{att}@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, + @{att}@{run}/cockpit/wsinstance/http.sock rw, @{att}@{run}/cockpit/wsinstance/https-factory.sock rw, + @{att}@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, owner @{run}/cockpit/tls/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index c3fdac73dc..16cf09df8d 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -94,6 +94,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + #aa:dbus talk bus=system name=org.freedesktop.machine1 label=systemd-machined + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -150,6 +152,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, /usr/share/misc/pci.ids r, + /usr/share/OVMF/{,**} rk, /usr/share/qemu/{,**} r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index 762273a9f1..4083291a15 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -9,6 +9,7 @@ include @{exec_path} = @{sbin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include + include capability audit_control, @@ -17,6 +18,9 @@ profile auditctl @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /etc/audit/audit.rules r, + /etc/audit/auditd.conf r, + + /var/log/audit/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bac8aea758..8754b3879e 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -57,6 +57,7 @@ profile btop @{exec_path} { @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/comm rw, @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, diff --git a/apparmor.d/profiles-a-f/dino b/apparmor.d/profiles-a-f/dino index e2ee5e9b29..ae138a44f9 100644 --- a/apparmor.d/profiles-a-f/dino +++ b/apparmor.d/profiles-a-f/dino @@ -32,7 +32,7 @@ profile dino @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rix, @{bin}/gpgconf rix, @{bin}/gpgsm rix, - @{lib}/gnupg/keyboxd rix, + @{lib}/{,gnupg/}keyboxd rix, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index eb9d1dc193..91da67bd89 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -18,6 +18,10 @@ profile dmsetup @{exec_path} { @{PROC}/devices r, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/cryptroot/crypttab w, # file_inherit + /var/tmp/mkinitramfs_@{rand6}/cryptroot/crypttab w, # file_inherit + + include if exists } diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index ff885fa708..10499e3152 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -21,7 +21,7 @@ profile dracut-install @{exec_path} { /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, - /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* rw, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index da56bd6276..a68b491fbc 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -27,6 +27,8 @@ profile file-roller @{exec_path} { # Archivers @{archive_path} rix, + owner /var/cache/fontconfig/ w, + #aa:lint ignore=too-wide # Full access to user's data @{MOUNTS}/** rwl, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index e36f7f8da0..4445d62ef3 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/foliate profile foliate @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -33,6 +33,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{bin}/gjs-console rix, @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-help, + @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> foliate//&glycin//loaders, /usr/share/com.github.johnfactotum.Foliate/{,**} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index edbb8c7541..213f7e30bb 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -10,6 +10,7 @@ include profile fractal @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 48978909b2..6571f18631 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -73,7 +73,7 @@ profile git @{exec_path} flags=(attach_disconnected) { /usr/share/aurpublish/*.hook rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/ssh rCx -> ssh, + @{bin}/ssh rCx -> &git//ssh, @{editor_path} rCx -> editor, /usr/share/git{,-core}/{,**} r, @@ -82,6 +82,8 @@ profile git @{exec_path} flags=(attach_disconnected) { /etc/gitconfig r, /etc/mailname r, + /etc/ssh/ssh_config r, + /etc/ssh/ssh_config.d/{,*} r, owner @{user_projects_dirs}/ rw, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, @@ -94,11 +96,16 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{run}/user/@{uid}/keyring/ssh rw, + owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio owner @{tmp}/git-difftool.*/{,**} rw, # For diffs owner @{tmp}/git-index-private@{int} rw, + owner @{run}/user/@{uid}/gcr/ssh rw, + deny owner @{code_config_dirs}/** rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_share_dirs}/vulkan/** r, @@ -156,6 +163,7 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, owner @{run}/user/@{uid}/keyring/ssh rw, + owner @{run}/user/@{uid}/gcr/ssh rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 35dc03584c..a30cf17abc 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin +@{exec_path} = @{sbin}/gpartedbin profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 01a13b0909..fa2074c2bd 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -9,6 +9,7 @@ include @{exec_path} = /etc/kernel/postinst.d/kdump-tools profile kernel-postinst-kdump @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 46cf006049..344c6cfbe4 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -35,7 +35,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.libreoffice dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index 5214632dc8..0fcd83b536 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -38,6 +38,7 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { # file_inherit deny /opt/*/** r, deny owner @{user_config_dirs}/*/** r, + deny owner @{user_share_dirs}/*/ r, deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 85844f7bb1..2d703c0300 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -87,7 +87,8 @@ profile initramfs-hooks @{exec_path} { @{sys}/devices/@{pci}/drm/renderD128/ r, @{sys}/devices/@{pci}/drm/renderD129/ r, @{sys}/devices/@{pci}/modalias r, - @{sys}/devices/virtual/block/dm-@{int}/slaves/ r, + @{sys}/devices/**/block/**/dev r, + @{sys}/devices/**/block/**/slaves/ r, @{sys}/firmware/efi/efivars/ r, @{sys}/module/firmware_class/parameters/path r, diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index a91bba9933..fcfeecb0f6 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -21,6 +21,7 @@ profile mpris-proxy @{exec_path} { member=ListNames peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + # DBus.Introspectable: allow introspection from gnome-shell dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index e8519cd5b8..fc6102c6f9 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -49,6 +49,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{PROC}/ r, @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, deny owner @{user_passwordstore_dirs}/** r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b867a8ff21..0be0d8c508 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -69,13 +69,11 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, @{PROC}/@{pid}/net/unix r, - @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{PROC}/pressure/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 92e174a222..e0b44d05e6 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -50,6 +50,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/{,**} r, owner @{user_share_dirs}/grilo-plugins/ rw, owner @{user_share_dirs}/grilo-plugins/** rwlk, + owner @{user_share_dirs}/gvfs-metadata/* r, owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, @@ -61,8 +62,6 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, - deny @{user_share_dirs}/gvfs-metadata/* r, - profile bwrap flags=(attach_disconnected) { include include diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c791f53763..dacb7228e2 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -21,8 +21,6 @@ # Define extended user directories not defined in the XDG standard but commonly # used in profiles -@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" -@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" @{XDG_BOOKS_DIR}="Books" @{XDG_GAMES_DIR}="Games" @{XDG_PROJECTS_DIR}="Projects" @@ -74,4 +72,7 @@ @{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR} @{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} +# Similar system-wide paths +@{system_games_dirs}=/usr/games /var/lib/games + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index 4d9ea7d651..9e4cedad15 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions @@ -435,6 +435,7 @@ # Icons @{icon_ext} = [pP][nN][gG] # png @{icon_ext} += [iI][cC][oO] # ico +@{icon_ext} += [sS][vV][gG] # svg # Models @{model_ext} = [bB][aA][rR][yY] # bary diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 82b549b036..51efc84f90 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -77,6 +77,6 @@ @{pp_notification}={plasmashell,gjs} @{pp_app_indicator}={plasmashell,gnome-shell} @{pp_dbusmenu}={plasmashell,nautilus,gnome-shell} -@{pp_mpris}={plasmashell,mpris-proxy,gnome-shell,gsd-media-keys} +@{pp_mpris}={plasmashell,mpris-proxy,gnome-shell,gsd-media-keys,gnome-extension-gsconnect} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d index 52be8b9205..3bc4007ead 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d +++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d @@ -13,6 +13,11 @@ #aa:only whonix @{XDG_DOWNLOAD_DIR}+=".tb/tor-browser/Browser/Downloads" +# Define more extended user directories not defined in the XDG standard but commonly +# used in profiles +@{XDG_SCREENSHOTS_DIR}=@{XDG_PICTURES_DIR}/Screenshots +@{XDG_WALLPAPERS_DIR}=@{XDG_PICTURES_DIR}/Wallpapers + # Other user directories @{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR} @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} From 68f305a8510413a98a6023e9353b0e26eb45e442 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 13:42:41 +0100 Subject: [PATCH 0998/1736] feat(profile): deny unix stream with pacman. pacman does not correctly close some fd, thus they are inherited in a lot of profiles linked with it. We already deny network for these profiles, with the support of unix mediation in apparmor 5, we also need to deny it. --- apparmor.d/groups/apparmor/apparmor_parser | 4 +++- apparmor.d/groups/freedesktop/update-desktop-database | 1 + apparmor.d/groups/pacman/archlinux-java | 1 + apparmor.d/groups/pacman/mkinitcpio | 1 + apparmor.d/groups/pacman/pacdiff | 3 +++ apparmor.d/groups/pacman/pacman | 9 +++++++++ apparmor.d/groups/pacman/pacman-conf | 1 + apparmor.d/groups/pacman/pacman-hook-dconf | 1 + apparmor.d/groups/pacman/pacman-hook-depmod | 1 + apparmor.d/groups/pacman/pacman-hook-dkms | 1 + apparmor.d/groups/pacman/pacman-hook-fontconfig | 1 + apparmor.d/groups/pacman/pacman-hook-gio | 1 + apparmor.d/groups/pacman/pacman-hook-gtk | 1 + apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules | 1 + apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 1 + apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 1 + apparmor.d/groups/pacman/pacman-hook-perl | 1 + apparmor.d/groups/pacman/pacman-hook-systemd | 3 +++ apparmor.d/groups/pacman/yay | 5 ++++- apparmor.d/groups/systemd/systemd-detect-virt | 1 + apparmor.d/groups/systemd/systemd-notify | 3 +++ 21 files changed, 40 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index f65ac2ed69..dcc93017aa 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -48,7 +48,9 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/mounts r, - deny network netlink raw, # file_inherit + # Inherit Silencer + deny network netlink raw, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 90be74ecf4..75a5aaa1b9 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -40,6 +40,7 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { deny network inet6 stream, deny network inet stream, deny network netlink raw, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 38cd95d0a6..6a247f4f46 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -32,6 +32,7 @@ profile archlinux-java @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index edf78dba5d..dadc0ea379 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -118,6 +118,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { deny @{HOME}/** r, deny network inet stream, deny network inet6 stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 3c39d7aff9..782b2213c5 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -45,6 +45,9 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, + # Inherit Silencer + deny unix type=stream peer=(label=pacman), + profile editor { include include diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 59fd4a689c..01af68bdc2 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -204,6 +204,9 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gdbus rix, + # Inherit Silencer + deny unix type=stream peer=(label=pacman), + include if exists } @@ -212,6 +215,9 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability kill, + + signal send, @{bin}/killall mr, @{bin}/pkill mr, @@ -246,6 +252,9 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/cache/ldconfig/ rw, owner /var/cache/ldconfig/aux-cache* rw, + # Inherit Silencer + deny unix type=stream peer=(label=pacman), + include if exists } diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index 4884d248ce..d17ecacb61 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -22,6 +22,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index c49eb08e94..bbf155494c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -25,6 +25,7 @@ profile pacman-hook-dconf @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 0dae143513..fd6b8d8842 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -29,6 +29,7 @@ profile pacman-hook-depmod @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index a8a54c151c..cc1d2b8fc4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -33,6 +33,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network inet stream, deny network inet6 stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 3b29e01eac..6c87bae959 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -27,6 +27,7 @@ profile pacman-hook-fontconfig @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 17218158e1..74bbf6506a 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -28,6 +28,7 @@ profile pacman-hook-gio @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index e6aa28627e..5e0e242790 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -30,6 +30,7 @@ profile pacman-hook-gtk @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index a0be0e39bf..94bb80933e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -24,6 +24,7 @@ profile pacman-hook-gtk4-querymodules @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 48ce25ab28..7ca33b50b4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -48,6 +48,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { # # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), profile pacman { include diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 6378ca9918..61e3f30b96 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -33,6 +33,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index aa2be8b09f..5eafcbf5a6 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -29,6 +29,7 @@ profile pacman-hook-perl @{exec_path} { # Inherit silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 860fb34eaa..64fdae419d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -38,6 +38,7 @@ profile pacman-hook-systemd @{exec_path} { # Inherit silencer deny network inet6 stream, deny network inet stream, + deny unix type=stream peer=(label=pacman), profile systemctl flags=(attach_disconnected) { include @@ -51,6 +52,8 @@ profile pacman-hook-systemd @{exec_path} { signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, + + deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index 42932cc2e9..4606a0aa2e 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -36,6 +36,9 @@ profile yay @{exec_path} { owner @{user_config_dirs}/yay/{,**} rw, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + profile git { include include @@ -93,7 +96,7 @@ profile yay @{exec_path} { include if exists } - profile sudo { + profile sudo flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 8a7993ab25..c18511a8cf 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -45,6 +45,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { deny capability net_admin, deny capability perfmon, deny network (send receive) netlink raw, + deny unix (send receive) type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index f62599d287..999b9dcd5a 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -16,6 +16,9 @@ profile systemd-notify @{exec_path} { @{exec_path} mr, + # Inherit Silencer + deny unix type=stream peer=(label=pacman), + include if exists } From 42780bfb00b4394447f71a787a1bdd59f0435f09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 13:48:04 +0100 Subject: [PATCH 0999/1736] feat(profile): htop: deny some caps when run as root. --- apparmor.d/groups/procps/htop | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 9fa77c53e2..162783317a 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -142,6 +142,10 @@ profile htop @{exec_path} flags=(attach_disconnected) { deny ptrace trace, deny ptrace read, + # Asked when run as root, but not needed + deny capability perfmon, + deny capability sys_admin, + include if exists } From efe227fa95c6237f9541cfdeae7f2241902b2861 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 13:51:30 +0100 Subject: [PATCH 1000/1736] feat(profile): console: use u8 or u16 instead of @{int}. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/app/pager | 2 +- apparmor.d/abstractions/app/pkexec | 2 +- apparmor.d/abstractions/app/sudo | 2 +- apparmor.d/abstractions/mapping/sshd | 2 +- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/apparmor/aa-log | 2 +- apparmor.d/groups/apparmor/aa-status | 2 +- apparmor.d/groups/apt/apt-mark | 2 +- apparmor.d/groups/apt/apt-methods-cdrom | 2 +- apparmor.d/groups/apt/apt-methods-copy | 2 +- apparmor.d/groups/apt/apt-methods-file | 2 +- apparmor.d/groups/apt/apt-methods-ftp | 2 +- apparmor.d/groups/apt/apt-methods-gpgv | 2 +- apparmor.d/groups/apt/apt-methods-http | 2 +- apparmor.d/groups/apt/apt-methods-mirror | 2 +- apparmor.d/groups/apt/apt-methods-rred | 2 +- apparmor.d/groups/apt/apt-methods-rsh | 2 +- apparmor.d/groups/apt/apt-methods-store | 2 +- apparmor.d/groups/apt/apt-show-versions | 2 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/deborphan | 2 +- apparmor.d/groups/apt/dpkg | 2 +- apparmor.d/groups/apt/dpkg-query | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/browsers/chromium-wrapper | 2 +- apparmor.d/groups/browsers/firefox-pingsender | 2 +- apparmor.d/groups/bus/dbus-session | 2 +- apparmor.d/groups/bus/ibus-daemon | 4 ++-- apparmor.d/groups/bus/ibus-dconf | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 +- apparmor.d/groups/bus/ibus-portal | 4 ++-- apparmor.d/groups/display-manager/lightdm | 2 +- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/filesystem/btrfs | 4 ++-- apparmor.d/groups/filesystem/mount-zfs | 2 +- apparmor.d/groups/filesystem/ntfs-3g | 2 +- apparmor.d/groups/flatpak/flatpak | 2 +- apparmor.d/groups/freedesktop/plymouthd | 2 +- .../groups/freedesktop/polkit-mate-authentication-agent | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/update-mime-database | 4 ++-- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/freedesktop/xhost | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/freedesktop/xrandr | 2 +- apparmor.d/groups/freedesktop/xrdb | 4 ++-- apparmor.d/groups/freedesktop/xset | 2 +- apparmor.d/groups/freedesktop/xsetroot | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gdm-xsession | 6 +++--- apparmor.d/groups/gnome/gnome-session | 4 ++-- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/session-migration | 2 +- apparmor.d/groups/gnome/tracker-extract | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/gpg/gpg-agent | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/update-grub | 2 +- apparmor.d/groups/hyprland/hyprland | 2 +- apparmor.d/groups/hyprland/hyprlock | 2 +- apparmor.d/groups/hyprland/hyprpicker | 2 +- apparmor.d/groups/hyprland/pypr | 2 +- apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/sddm-xsession | 4 ++-- apparmor.d/groups/kde/startplasma | 2 +- apparmor.d/groups/lxqt/lxqt-panel | 4 ++-- apparmor.d/groups/lxqt/startlxqt | 2 +- apparmor.d/groups/pacman/arch-audit | 2 +- apparmor.d/groups/pacman/mkinitcpio | 2 +- apparmor.d/groups/pacman/pacdiff | 2 +- apparmor.d/groups/pacman/pacman | 8 ++++---- apparmor.d/groups/pacman/pacman-conf | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 4 ++-- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 +- apparmor.d/groups/pacman/pacman-hook-gtk | 4 ++-- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman-hook-perl | 4 ++-- apparmor.d/groups/pacman/pacman-hook-systemd | 4 ++-- apparmor.d/groups/pacman/pacman-key | 4 ++-- apparmor.d/groups/pacman/reflector | 4 ++-- apparmor.d/groups/polkit/polkit-agent-helper | 2 +- apparmor.d/groups/procps/htop | 2 +- apparmor.d/groups/procps/ps | 2 +- apparmor.d/groups/snap/snap | 2 +- apparmor.d/groups/ssh/ssh-agent | 2 +- apparmor.d/groups/ssh/ssh-keygen | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/systemd/systemd-binfmt | 4 ++-- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-machined | 2 +- apparmor.d/groups/systemd/systemd-sleep-nvidia | 2 +- apparmor.d/groups/systemd/systemd-sysusers | 4 ++-- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/systemd/systemd-vconsole-setup | 2 +- apparmor.d/groups/systemd/zram-generator | 2 +- apparmor.d/groups/ubuntu/release-upgrade-motd | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 4 ++-- apparmor.d/groups/utils/agetty | 2 +- apparmor.d/groups/utils/blkid | 2 +- apparmor.d/groups/utils/login | 2 +- apparmor.d/groups/utils/lscpu | 2 +- apparmor.d/groups/utils/swapon | 2 +- apparmor.d/groups/utils/uname | 2 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/groups/xfce/xfconfd | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 2 +- apparmor.d/profiles-a-f/amixer | 2 +- apparmor.d/profiles-a-f/arandr | 2 +- apparmor.d/profiles-a-f/birdtray | 2 +- apparmor.d/profiles-a-f/calibre | 2 +- apparmor.d/profiles-a-f/compton | 2 +- apparmor.d/profiles-a-f/conky | 4 ++-- apparmor.d/profiles-a-f/console-setup-cached | 2 +- apparmor.d/profiles-a-f/console-setup-keyboard | 2 +- apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/dumpe2fs | 2 +- apparmor.d/profiles-a-f/dunstify | 2 +- apparmor.d/profiles-a-f/engrampa | 2 +- apparmor.d/profiles-a-f/exo-helper | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-a-f/firecfg | 4 ++-- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-g-l/globaltime | 2 +- apparmor.d/profiles-g-l/gpa | 2 +- apparmor.d/profiles-g-l/gparted | 2 +- apparmor.d/profiles-g-l/gpodder | 2 +- apparmor.d/profiles-g-l/groups | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hexchat | 2 +- apparmor.d/profiles-g-l/hostname | 2 +- apparmor.d/profiles-g-l/i3lock | 2 +- apparmor.d/profiles-g-l/i3lock-fancy | 4 ++-- apparmor.d/profiles-g-l/im-launch | 2 +- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/iw | 2 +- apparmor.d/profiles-g-l/jgmenu | 2 +- apparmor.d/profiles-g-l/keepassxc | 2 +- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 2 +- apparmor.d/profiles-g-l/light | 2 +- apparmor.d/profiles-g-l/light-locker | 2 +- apparmor.d/profiles-g-l/lxappearance | 2 +- apparmor.d/profiles-m-r/megasync | 2 +- apparmor.d/profiles-m-r/minitube | 2 +- apparmor.d/profiles-m-r/mkvtoolnix-gui | 2 +- apparmor.d/profiles-m-r/motd | 2 +- apparmor.d/profiles-m-r/mpv | 2 +- apparmor.d/profiles-m-r/mumble | 2 +- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 4 ++-- apparmor.d/profiles-m-r/numlockx | 2 +- apparmor.d/profiles-m-r/obconf | 2 +- apparmor.d/profiles-m-r/openbox | 4 ++-- apparmor.d/profiles-m-r/openbox-session | 2 +- apparmor.d/profiles-m-r/orage | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/pactl | 2 +- apparmor.d/profiles-m-r/pam-tmpdir-helper | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pavucontrol | 2 +- apparmor.d/profiles-m-r/picom | 2 +- apparmor.d/profiles-m-r/pidof | 2 +- apparmor.d/profiles-m-r/pinentry-curses | 2 +- apparmor.d/profiles-m-r/pinentry-gtk | 2 +- apparmor.d/profiles-m-r/pokemmo | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/pulseeffects | 2 +- apparmor.d/profiles-m-r/qbittorrent | 2 +- apparmor.d/profiles-m-r/qnapi | 2 +- apparmor.d/profiles-m-r/qpdfview | 2 +- apparmor.d/profiles-m-r/quiterss | 2 +- apparmor.d/profiles-m-r/run-parts | 2 +- apparmor.d/profiles-s-z/setvtrgb | 2 +- apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox | 2 +- apparmor.d/profiles-s-z/smplayer | 2 +- apparmor.d/profiles-s-z/smtube | 2 +- apparmor.d/profiles-s-z/startx | 2 +- apparmor.d/profiles-s-z/system-config-printer | 2 +- apparmor.d/profiles-s-z/telegram-desktop | 2 +- apparmor.d/profiles-s-z/tint2 | 2 +- apparmor.d/profiles-s-z/tint2conf | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 +- apparmor.d/profiles-s-z/vesktop | 2 +- apparmor.d/profiles-s-z/vidcutter | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- apparmor.d/profiles-s-z/vnstat | 2 +- apparmor.d/profiles-s-z/volumeicon | 2 +- apparmor.d/profiles-s-z/waybar | 2 +- apparmor.d/profiles-s-z/which | 2 +- apparmor.d/profiles-s-z/wireshark | 2 +- apparmor.d/profiles-s-z/wpa-gui | 2 +- apparmor.d/profiles-s-z/xarchiver | 2 +- apparmor.d/profiles-s-z/xautolock | 2 +- apparmor.d/profiles-s-z/xinit | 2 +- apparmor.d/profiles-s-z/xsel | 2 +- apparmor.d/profiles-s-z/zpool | 2 +- apparmor.d/profiles-s-z/zsysd | 2 +- pkg/aa/apparmor_test.go | 2 +- 208 files changed, 235 insertions(+), 235 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 30efb06178..6d143b0d5a 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -186,7 +186,7 @@ /dev/ r, /dev/tty rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, # Silencer deny @{lib_dirs}/** w, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 3add542c67..f6b16d3551 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -167,7 +167,7 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/tty rw, - owner /dev/tty@{int} rw, # File Inherit + owner /dev/tty@{u8} rw, # File Inherit # Silencer deny dbus send bus=system path=/org/freedesktop/hostname1, diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 30acc56126..12cddd5389 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -32,7 +32,7 @@ owner @{user_state_dirs}/ r, owner @{user_state_dirs}/lesshs* rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec index 87b3ea8425..4cba81e967 100644 --- a/apparmor.d/abstractions/app/pkexec +++ b/apparmor.d/abstractions/app/pkexec @@ -34,7 +34,7 @@ @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/loginuid r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 1c47490cd2..0b6638890a 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -68,7 +68,7 @@ /dev/ r, /dev/ptmx rwk, /dev/tty rwk, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index 0f75127101..b4a0be1df8 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -51,7 +51,7 @@ @{PROC}/1/limits r, /dev/ptmx rw, - /dev/pts/@{int} k, + /dev/pts/@{u16} k, include if exists diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index c557e211b6..c54285bd21 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -225,7 +225,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { /dev/input/ r, /dev/kmsg w, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, owner /dev/console rwk, owner /dev/hugepages/ rw, owner /dev/input/event@{int} rw, diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index d8eaf5391c..f64761a0ec 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -26,7 +26,7 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, profile journalctl { include diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index 9badb78c11..8e82a55f4d 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -26,7 +26,7 @@ profile aa-status @{exec_path} { @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/mounts r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index c174267f59..bff820d5ef 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -25,7 +25,7 @@ profile apt-mark @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 96ce36a723..8dcd9d09b8 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -39,7 +39,7 @@ profile apt-methods-cdrom @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 238a2bdd9d..db7e7bfddf 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -43,7 +43,7 @@ profile apt-methods-copy @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, /var/log/cron-apt/temp w, include if exists diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index f4cdb684fa..c263a6169a 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -49,7 +49,7 @@ profile apt-methods-file @{exec_path} { # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index e753b4cf85..33ee5517dd 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -39,7 +39,7 @@ profile apt-methods-ftp @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 031db3acc4..2ce9c6bb43 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -91,7 +91,7 @@ profile apt-methods-gpgv @{exec_path} { @{PROC}/@{pid}/fd/ r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, /var/log/cron-apt/temp w, include if exists diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 6fc69b4d10..a9ce0eb6ba 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -85,7 +85,7 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, #aa;only test owner /tmp/tmp@{word8}/{,**} rwlk, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 025a1c01bc..dfe83b9d4e 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -44,7 +44,7 @@ profile apt-methods-mirror @{exec_path} { # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 1aadac2ec9..a5cf779ba9 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -50,7 +50,7 @@ profile apt-methods-rred @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, /var/log/cron-apt/temp w, include if exists diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 1b76551b99..403271e8a4 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -39,7 +39,7 @@ profile apt-methods-rsh @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index a6875a4326..079454eb3f 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -57,7 +57,7 @@ profile apt-methods-store @{exec_path} { owner @{tmp}/apt-changelog-*/*.changelog{,.*} rw, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner /var/log/cron-apt/temp w, include if exists diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 514b952ff0..ccd80c60fa 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -37,7 +37,7 @@ profile apt-show-versions @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner /var/log/cron-apt/temp w, include if exists diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index b3f411c844..f6a83d9af7 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -153,7 +153,7 @@ profile aptitude @{exec_path} flags=(complain) { # aptitude[]: /dev/tty2: Permission denied # aptitude[]: *** err # aptitude[]: Oh, oh, it's an error! possibly I die! - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 6d09e34c0b..1edeca110d 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -34,7 +34,7 @@ profile command-not-found @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/apt/deborphan b/apparmor.d/groups/apt/deborphan index 236069e992..ae6e0f0277 100644 --- a/apparmor.d/groups/apt/deborphan +++ b/apparmor.d/groups/apt/deborphan @@ -18,7 +18,7 @@ profile deborphan @{exec_path} { /var/lib/dpkg/status r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.synaptic/selections.{update,proceed} w, include if exists diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 0e46650bd7..b23e36e25a 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -67,7 +67,7 @@ profile dpkg @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/fd/ r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, #aa:only test /tmp/tmp@{word8}tmp/{,**} rwlk, diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index e0f4dbcdf9..a75ecc8dd9 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -22,7 +22,7 @@ profile dpkg-query @{exec_path} { # file_inherit /tmp/#@{int} rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index c482862998..29d056a0c7 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -103,7 +103,7 @@ profile synaptic @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, /dev/ptmx rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny @{bin}/dbus-launch x, deny @{bin}/dbus-send x, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index d29dcc6306..43482b7acf 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -41,7 +41,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { owner @{tmp}/chromiumargs.@{rand6} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 4c86af87af..94b8e187e5 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -31,7 +31,7 @@ profile firefox-pingsender @{exec_path} { owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 9d10077aca..0819052802 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -86,7 +86,7 @@ profile dbus-session flags=(attach_disconnected) { owner @{PROC}/@{pid}/oom_score_adj r, /dev/ptmx rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 5a264a87d3..f2ddcec8c0 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -55,8 +55,8 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/fd/ r, - owner @{att}/dev/tty@{int} rw, - owner /dev/tty@{int} rw, + owner @{att}/dev/tty@{u8} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 953c302d43..6d1e89593a 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -41,7 +41,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index e9cb2c51e2..6b9b12d717 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -42,7 +42,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index d522539068..cd01464d9d 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -33,8 +33,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{att}/dev/tty@{int} rw, - owner /dev/tty@{int} rw, + owner @{att}/dev/tty@{u8} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index e0e0bd794d..17ee6a72cd 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -90,7 +90,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/mountinfo r, - /dev/tty@{int} r, + /dev/tty@{u8} r, include if exists } diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 175cb0c687..2d220d0a43 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -93,7 +93,7 @@ profile xdm-xsession @{exec_path} { owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, profile dbus { include diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index 40149588d0..776fc87e82 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -57,8 +57,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, /dev/btrfs-control rw, - /dev/pts/@{int} rw, - /dev/tty@{int} rw, + /dev/pts/@{u16} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/filesystem/mount-zfs b/apparmor.d/groups/filesystem/mount-zfs index 552f96b056..8c1848a791 100644 --- a/apparmor.d/groups/filesystem/mount-zfs +++ b/apparmor.d/groups/filesystem/mount-zfs @@ -16,7 +16,7 @@ profile mount-zfs @{exec_path} flags=(complain) { @{exec_path} mr, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, diff --git a/apparmor.d/groups/filesystem/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g index e4749177ce..896f676c22 100644 --- a/apparmor.d/groups/filesystem/ntfs-3g +++ b/apparmor.d/groups/filesystem/ntfs-3g @@ -55,7 +55,7 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 54064959b8..47f3562c93 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -153,7 +153,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/fuse rw, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, #aa:only test mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) revokefs-fuse -> /tmp/test-flatpak-*/**, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index c740a1d6a5..0f738ee6a1 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -67,7 +67,7 @@ profile plymouthd @{exec_path} { /dev/kmsg rw, /dev/ptmx rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/ttyS@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 0dfea75251..8445e857ba 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -29,7 +29,7 @@ profile polkit-mate-authentication-agent @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 04a97e5bf3..e6f5c66b0b 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -100,7 +100,7 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/cmdline r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 9efd9cccc4..1c7cf6010c 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -23,8 +23,8 @@ profile update-mime-database @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/{,**} rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index fd05bcee9a..fbd12945fc 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -51,7 +51,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) { @{PROC}/version r, - owner /dev/pts/@{int} rw, + owner /dev/pts/@{u16} rw, profile bus flags=(complain) { include diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index 6032179e48..01107b2750 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -15,7 +15,7 @@ profile xhost @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index fa18883781..f8bd54a9e2 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -136,7 +136,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/udmabuf rw, /dev/vga_arbiter rw, # Graphic card modules diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index ed9e7a030e..30e8293c8e 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -18,7 +18,7 @@ profile xrandr @{exec_path} { @{run}/sddm/xauth_@{rand6} r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 55d0698150..f06dabea6b 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -48,11 +48,11 @@ profile xrdb @{exec_path} { @{run}/sddm/xauth_@{rand6} r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xset b/apparmor.d/groups/freedesktop/xset index 20dc2b1fbd..6653d91a78 100644 --- a/apparmor.d/groups/freedesktop/xset +++ b/apparmor.d/groups/freedesktop/xset @@ -22,7 +22,7 @@ profile xset @{exec_path} { @{run}/sddm/xauth_@{rand6} r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, deny /dev/dri/card@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index c0ddcb359b..c17d1f2166 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -26,7 +26,7 @@ profile xsetroot @{exec_path} { @{run}/user/@{uid}/xauth_@{rand6} rl, @{run}/sddm/xauth_@{rand6} r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 35e69dc1b7..c3a705cca1 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -54,7 +54,7 @@ profile gdm-session @{exec_path} { owner @{run}/user/@{uid}/gdm/ w, owner @{run}/user/@{uid}/gdm/Xauthority rw, # only: xorg - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 6f7aca9864..63e3a4b3da 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -139,7 +139,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/uid_map r, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 2882c3d9e6..885ace4461 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -61,7 +61,7 @@ profile gdm-xsession @{exec_path} { owner @{tmp}/gdm{3,}-config-err-@{rand6} rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, profile dbus { include @@ -77,7 +77,7 @@ profile gdm-xsession @{exec_path} { owner @{HOME}/.xsession-errors w, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } @@ -86,7 +86,7 @@ profile gdm-xsession @{exec_path} { include include - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 9d6fe94ebd..70049450b8 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -84,7 +84,7 @@ profile gnome-session @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, profile flatpak { include @@ -92,7 +92,7 @@ profile gnome-session @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak mr, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 9d7328fe1b..eae7cce2ac 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -94,7 +94,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/loginuid r, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, profile open flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 2a9f3aec64..b71dc8e4ab 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -432,7 +432,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 88c5beed30..eab603beda 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -71,7 +71,7 @@ profile gsd-xsettings @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, profile run-parts { include diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 16114c5869..5ad1f97806 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -32,7 +32,7 @@ profile session-migration @{exec_path} { owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index b8a59e2440..1d73fe7f92 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -70,7 +70,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 2855117fd7..143a0dd41c 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -82,7 +82,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 708ccc5f3c..dea6df8427 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -93,7 +93,7 @@ profile gpg-agent @{exec_path} { deny @{bin}/.gnupg/ w, # file inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 5b62fa30c1..c722ef22b2 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -91,7 +91,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index d4460a3cf3..e79f310c37 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -18,7 +18,7 @@ profile update-grub @{exec_path} { @{sh_path} rix, @{sbin}/grub-mkconfig rPx, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 20c7cc514a..a9d976dd42 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -67,7 +67,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { /dev/input/event@{int} rw, /dev/tty r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index fab1c2a2e7..73b6616f91 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -29,7 +29,7 @@ profile hyprlock @{exec_path} flags=(attach_disconnected) { owner @{run}/faillock/@{user} rwk, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 7becc5fb60..6ef564ce4f 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -18,7 +18,7 @@ profile hyprpicker @{exec_path} { owner /dev/shm/wlroots-@{rand6} r, owner /dev/shm/@{uuid} r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/hyprland/pypr b/apparmor.d/groups/hyprland/pypr index 2f489e055b..1c345a44e9 100644 --- a/apparmor.d/groups/hyprland/pypr +++ b/apparmor.d/groups/hyprland/pypr @@ -22,7 +22,7 @@ profile pypr @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/hypr/*/.pyprland.sock rw, - owner /dev/tty@{int} rw, # file_inherit + owner /dev/tty@{u8} rw, # file_inherit include if exists } diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 848234dead..4233dc518d 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -147,7 +147,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{att}/dev/dri/card@{int} rw, /dev/tty r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, profile at-spi { include diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index f7e92b3e73..11d73de696 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -201,7 +201,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/1/limits r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/tty rw, profile systemctl { diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 0e9290d534..8fbba5fce8 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -140,8 +140,8 @@ profile sddm-xsession @{exec_path} { owner @{HOME}/.xsession-errors w, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, deny @{user_share_dirs}/sddm/* rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 64e332dc5b..4bdba0b63b 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -81,7 +81,7 @@ profile startplasma @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index f817be69db..12c377f48f 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -74,8 +74,8 @@ profile lxqt-panel @{exec_path} { owner @{PROC}/@{pid}/mounts r, /dev/tty rw, - /dev/tty@{int} rw, - /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + /dev/pts/@{u16} rw, /dev/snd/controlC@{int} rw, profile root { diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 3ae9071167..e1b406a06d 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -54,7 +54,7 @@ profile startlxqt @{exec_path} { owner @{run}/user/@{uid}/ r, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 7539c1c7f6..7432fc3490 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -34,7 +34,7 @@ profile arch-audit @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, include if exists } diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index dadc0ea379..0f7334a88c 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -112,7 +112,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - /dev/tty@{int}* rw, + /dev/tty@{u8}* rw, # Inherit silencer deny @{HOME}/** r, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 782b2213c5..b51f924712 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -43,7 +43,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /var/{,**} r, /dev/tty rw, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, # Inherit Silencer deny unix type=stream peer=(label=pacman), diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 01af68bdc2..5e3a573cc7 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -126,8 +126,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, profile gpg { include @@ -157,8 +157,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, deny @{user_share_dirs}/sddm/* rw, diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index d17ecacb61..7042fca4c3 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -17,7 +17,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { /etc/pacman.d/mirrorlist r, /etc/pacman.d/*-mirrorlist r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index fd6b8d8842..add7e5ee39 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -23,8 +23,8 @@ profile pacman-hook-depmod @{exec_path} { @{lib}/modules/*/{,**} rw, /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 6c87bae959..471596294c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -21,7 +21,7 @@ profile pacman-hook-fontconfig @{exec_path} { /etc/fonts/conf.d/* rwl, /usr/share/fontconfig/conf.default/* r, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, /dev/tty rw, # Inherit Silencer diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index 5e0e242790..53e1d644a7 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -24,8 +24,8 @@ profile pacman-hook-gtk @{exec_path} { /usr/share/icons/{,**} rw, /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 7ca33b50b4..3238902431 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -43,7 +43,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{efi}/vmlinuz-* rw, /dev/tty rw, - owner /dev/pts/@{int} rw, + owner /dev/pts/@{u16} rw, # # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 5eafcbf5a6..903c524c97 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -23,8 +23,8 @@ profile pacman-hook-perl @{exec_path} { @{bin}/wc rix, /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 64fdae419d..2e4bfccb96 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -32,8 +32,8 @@ profile pacman-hook-systemd @{exec_path} { /usr/ rw, /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 1e1204c27b..70cac6d36f 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -66,8 +66,8 @@ profile pacman-key @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, - /dev/pts/@{int} rw, - /dev/tty@{int} rw, + /dev/pts/@{u16} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector index 119f0d2a1a..9abf675369 100644 --- a/apparmor.d/groups/pacman/reflector +++ b/apparmor.d/groups/pacman/reflector @@ -41,8 +41,8 @@ profile reflector @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, include if exists } diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index c97e4dfe48..37b4ad1a08 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -53,7 +53,7 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/loginuid r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 162783317a..bcbb89d2b0 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -132,7 +132,7 @@ profile htop @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cpuset r, owner @{PROC}/@{pid}/smaps_rollup r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, # While commands like 'ps', 'ip netns identify ', 'ip netns pids foo', etc # trigger a 'ptrace trace' denial, they aren't actually tracing other diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index e8a3eccf26..e7aae7e38e 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -46,7 +46,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { # file_inherit owner @{HOME}/.xsession-errors w, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 40a6763e3e..8d96dd114d 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -115,7 +115,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/mounts r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/ttyS@{int} rw, /apparmor/.null rw, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 9fc2900b4b..1aa4cb28b2 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -35,7 +35,7 @@ profile ssh-agent @{exec_path} { owner @{run}/user/@{uid}/ssh-agent.@{rand6} w, owner @{run}/user/@{uid}/gcr/.ssh w, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/tty rw, include if exists diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 738268b0a4..4d80641e9e 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -26,7 +26,7 @@ profile ssh-keygen @{exec_path} { owner /tmp/snapd@{int}/*_*{,.pub} w, owner /tmp/snapd@{int}/*.key{,.pub} w, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/ttyS@{int} rw, include if exists diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 0a5625bcf8..7cf0cd8c1a 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -129,7 +129,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/uid_map r, /dev/ptmx rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/ttyS@{int} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 37cc086f1c..bceba07260 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -28,8 +28,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, - /dev/tty@{int} rw, - /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + /dev/pts/@{u16} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index e65ef6c930..761f3e24cf 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -139,7 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/shm/{,**/} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index dc999bf428..b5058e5bdf 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -73,7 +73,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/pressure/memory r, /dev/ptmx rw, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, /dev/pts/ptmx rw, /dev/vsock r, diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 2ca5d74743..4950bd0389 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -28,7 +28,7 @@ profile systemd-sleep-nvidia @{exec_path} { @{PROC}/driver/nvidia/suspend w, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 2b31e4bb8c..ac0f28d5fc 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -51,8 +51,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 6881a1ae04..f1b736743b 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -53,7 +53,7 @@ profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) @{PROC}/sys/kernel/osrelease r, /dev/hvc@{int} rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/ttyS@{int} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 8c99d606c7..0e03c123de 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -35,7 +35,7 @@ profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 w, /dev/console k, - /dev/tty@{int} rwk, + /dev/tty@{u8} rwk, include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 193bfc9b6b..9d86b01b77 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -29,7 +29,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{PROC}/crypto r, - owner /dev/pts/@{int} rw, + owner /dev/pts/@{u16} rw, profile kmod flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 716c6e4b3b..f6d678f7be 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -30,7 +30,7 @@ profile release-upgrade-motd @{exec_path} { @{PROC}/@{pid}/mountinfo r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 755cd220d2..166c8463ec 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -89,7 +89,7 @@ profile subiquity-console-conf @{exec_path} { owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/ttyS@{int} rw, profile journalctl { diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 52f3b86590..dac2252d33 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -32,7 +32,7 @@ profile update-motd-fsck-at-reboot @{exec_path} flags=(attach_disconnected) { @{PROC}/uptime r, @{PROC}/@{pid}/mountinfo r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, profile mount { include @@ -48,7 +48,7 @@ profile update-motd-fsck-at-reboot @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/mountinfo r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/groups/utils/agetty index ec005d59bc..e927931b42 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/groups/utils/agetty @@ -40,7 +40,7 @@ profile agetty @{exec_path} { @{run}/credentials/serial-getty@ttyS@{int}.service/ r, owner @{run}/agetty.reload rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, owner /dev/ttyGS@{int} rw, owner /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 58a4fec85d..457b2d199b 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -45,7 +45,7 @@ profile blkid @{exec_path} flags=(attach_disconnected) { /dev/.blkid.tab{,-@{rand6}} rw, /dev/blkid.tab.old rwl -> /dev/blkid.tab, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, # file_inherit deny @{run}/cloud-init/ds-identify.log w, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 8e880c05bb..6d1efabb3f 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -72,7 +72,7 @@ profile login @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/utils/lscpu b/apparmor.d/groups/utils/lscpu index ae87ad10f2..88c1a60ad4 100644 --- a/apparmor.d/groups/utils/lscpu +++ b/apparmor.d/groups/utils/lscpu @@ -24,7 +24,7 @@ profile lscpu @{exec_path} flags=(attach_disconnected) { @{PROC}/bus/pci/devices r, @{PROC}/sys/kernel/osrelease r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, deny network unix stream, diff --git a/apparmor.d/groups/utils/swapon b/apparmor.d/groups/utils/swapon index dd4aec8e26..9fa038ec5e 100644 --- a/apparmor.d/groups/utils/swapon +++ b/apparmor.d/groups/utils/swapon @@ -24,7 +24,7 @@ profile swapon @{exec_path} { @{PROC}/swaps r, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, include if exists } diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname index 45a864c230..2b393e4c0a 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/groups/utils/uname @@ -14,7 +14,7 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{att}/dev/tty@{int} rw, + @{att}/dev/tty@{u8} rw, deny network, deny owner @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index f0c9f4546c..6e31b71814 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -166,7 +166,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, /dev/kmsg r, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, include if exists } diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index 8bdeb2c138..0165ad55e3 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -41,7 +41,7 @@ profile rads @{exec_path} { owner @{run}/rads/{,**} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, profile systemctl { include diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 9cd2735449..941dfcc667 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -24,7 +24,7 @@ profile xfconfd @{exec_path} { owner @{user_config_dirs}/xfce4/ r, owner @{user_config_dirs}/xfce4/xfconf/{,**} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index db496c443b..a87fd545fe 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -41,7 +41,7 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{bin}/fgconsole r, /dev/tty rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index 85989a7bf5..192d13fe45 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -22,7 +22,7 @@ profile amixer @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index 77bf1bf96b..808ef47ece 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -33,7 +33,7 @@ profile arandr @{exec_path} { /etc/fstab r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 771560c6b7..f05d5e6eb3 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -53,7 +53,7 @@ profile birdtray @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 3facc3cdf5..c06b3b3b03 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -117,7 +117,7 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/status r, /dev/tty r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton index a6c7d193f4..6e09f6996f 100644 --- a/apparmor.d/profiles-a-f/compton +++ b/apparmor.d/profiles-a-f/compton @@ -20,7 +20,7 @@ profile compton @{exec_path} { owner @{HOME}/.Xauthority r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, include if exists diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 9e4372e1dc..81f8f2626d 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -146,7 +146,7 @@ profile conky @{exec_path} { /usr/share/X11/XErrorDB r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, @@ -186,7 +186,7 @@ profile conky @{exec_path} { /usr/share/publicsuffix/public_suffix_list.* r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny @{PROC}/@{pids}/net/dev r, deny @{PROC}/@{pids}/net/tcp r, deny @{PROC}/@{pids}/net/tcp6 r, diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached index 332f05341f..07ce086139 100644 --- a/apparmor.d/profiles-a-f/console-setup-cached +++ b/apparmor.d/profiles-a-f/console-setup-cached @@ -28,7 +28,7 @@ profile console-setup-cached @{exec_path} { /dev/ r, /dev/tty rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard index 1f4045e2e8..0f40d9bdf9 100644 --- a/apparmor.d/profiles-a-f/console-setup-keyboard +++ b/apparmor.d/profiles-a-f/console-setup-keyboard @@ -22,7 +22,7 @@ profile console-setup-keyboard @{exec_path} { /etc/console-setup/{,**} r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, /dev/tty rw, include if exists diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index dc04f121f8..9049e223ff 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -111,7 +111,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, profile kmod { include diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index a4184a3588..15c3163a20 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -21,7 +21,7 @@ profile dumpe2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify index c62e87f660..cc1264b365 100644 --- a/apparmor.d/profiles-a-f/dunstify +++ b/apparmor.d/profiles-a-f/dunstify @@ -16,7 +16,7 @@ profile dunstify @{exec_path} { owner @{PROC}/@{pid}/cgroup r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 20608e666b..0d28914452 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -81,7 +81,7 @@ profile engrampa @{exec_path} { owner @{PROC}/@{pid}/fd/ r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index b9d7652eec..95827d1ad1 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -49,7 +49,7 @@ profile exo-helper @{exec_path} { /etc/fstab r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index fbcc011a1c..27fed1a5b7 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -68,7 +68,7 @@ profile filezilla @{exec_path} { owner @{PROC}/@{pid}/mounts r, /dev/tty rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index d8086715a4..18c07b5685 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -39,8 +39,8 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/firejail/{,*} r, /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, include if exists diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 0abf729af5..66368a050f 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -56,7 +56,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { /dev/i2c-@{int} rw, /dev/tty rw, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, profile bus flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime index 7f349b650d..5144429245 100644 --- a/apparmor.d/profiles-g-l/globaltime +++ b/apparmor.d/profiles-g-l/globaltime @@ -21,7 +21,7 @@ profile globaltime @{exec_path} { owner @{user_config_dirs}/globaltime/globaltimerc{,.*} rw, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index 8a9c424435..cfd95143e2 100644 --- a/apparmor.d/profiles-g-l/gpa +++ b/apparmor.d/profiles-g-l/gpa @@ -49,7 +49,7 @@ profile gpa @{exec_path} { @{lib}/firefox/firefox rPUx, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index d749457774..69a93d1505 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -49,7 +49,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/stat r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, profile udevadm { include diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index e60034172f..40c47e7782 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -52,7 +52,7 @@ profile gpodder @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index 916a73b223..f653732a40 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -15,7 +15,7 @@ profile groups @{exec_path} { @{exec_path} mr, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 5d78a90e33..f48b02ae70 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -108,7 +108,7 @@ profile hardinfo @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny /usr/share/gdb/python/** w, diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index 064e850c2c..1363dcbd8b 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -48,7 +48,7 @@ profile hexchat @{exec_path} { @{lib}/firefox/firefox rPUx, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 7e87173ccf..bf5ecd9f8d 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -22,7 +22,7 @@ profile hostname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock index ea72704c19..e56b2007b4 100644 --- a/apparmor.d/profiles-g-l/i3lock +++ b/apparmor.d/profiles-g-l/i3lock @@ -32,7 +32,7 @@ profile i3lock @{exec_path} { owner @{tmp}/tmp.*.png r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index b192856d25..553758f852 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -41,7 +41,7 @@ profile i3lock-fancy @{exec_path} { owner @{tmp}/sh-thd.* rw, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, profile imagemagic { include @@ -65,7 +65,7 @@ profile i3lock-fancy @{exec_path} { owner @{tmp}/tmp.*.png rw, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 04abb7e0cd..388606fda8 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -37,7 +37,7 @@ profile im-launch @{exec_path} { owner @{HOME}/.xinputrc r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index c755356204..4312252fe7 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -62,7 +62,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/igmp{,6} r, owner @{PROC}/sys/net/ipv{4,6}/route/flush w, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 631b0b9d1e..54155298cc 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -24,7 +24,7 @@ profile iw @{exec_path} { @{sys}/devices/@{pci}/ieee80211/phy@{int}/index r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index 044eda4936..85b9adff2a 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -53,7 +53,7 @@ profile jgmenu @{exec_path} { /usr/share/**.desktop r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index abcb501df3..c3354e03f1 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -93,7 +93,7 @@ profile keepassxc @{exec_path} { /dev/shm/#@{int} rw, /dev/tty rw, /dev/urandom w, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 1d67b56780..5a77c4cf68 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -62,7 +62,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 47cbb22a2e..17c549595e 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -48,7 +48,7 @@ profile landscape-sysinfo @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index 056b2d83c1..5b978cc201 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -37,7 +37,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{PROC}/loadavg r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index 6ce5f2f576..89279f6ed0 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light @@ -33,7 +33,7 @@ profile light @{exec_path} { @{sys}/devices/**/leds/**/brightness_hw_changed r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, include if exists diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 60189d9118..e8c93ffffd 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -30,7 +30,7 @@ profile light-locker @{exec_path} { owner @{PROC}/@{pid}/cgroup r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance index a7c3a21777..4651c3c69c 100644 --- a/apparmor.d/profiles-g-l/lxappearance +++ b/apparmor.d/profiles-g-l/lxappearance @@ -28,7 +28,7 @@ profile lxappearance @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, profile bus { include diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 3796c2b75a..e0b22d8835 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync @@ -56,7 +56,7 @@ profile megasync @{exec_path} { owner @{PROC}/@{pid}/mounts r, /dev/shm/#@{int} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index ce8380261a..fd940a3697 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -65,7 +65,7 @@ profile minitube @{exec_path} { owner @{PROC}/@{pid}/cmdline r, /dev/shm/#@{int} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 4e0ace19ad..c96c52bc2d 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -58,7 +58,7 @@ profile mkvtoolnix-gui @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index de742b2c99..91f10493b5 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -60,7 +60,7 @@ profile motd @{exec_path} { @{PROC}/1/environ r, @{PROC}/cmdline r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, profile wget { include diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 3e64c69d3e..e3ddb40fce 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -83,7 +83,7 @@ profile mpv @{exec_path} { @{sys}/devices/virtual/dmi/id/sys_vendor r, /dev/input/event@{int} r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index a85eb6790e..3071d8ba6c 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -60,7 +60,7 @@ profile mumble @{exec_path} { /dev/shm/#@{int} rw, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3c826cd746..d7cc57d1a5 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -33,8 +33,8 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, + /dev/tty@{u8} rw, + owner /dev/pts/@{u16} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index 5c88ec8461..84d158b9e8 100644 --- a/apparmor.d/profiles-m-r/numlockx +++ b/apparmor.d/profiles-m-r/numlockx @@ -16,7 +16,7 @@ profile numlockx @{exec_path} { owner @{HOME}/.Xauthority r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, include if exists diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index d283466f5e..b35d025925 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -34,7 +34,7 @@ profile obconf @{exec_path} { /etc/fstab r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 8992907929..f37fa42588 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -47,7 +47,7 @@ profile openbox @{exec_path} { owner @{PROC}/@{pid}/fd/ r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, @@ -80,7 +80,7 @@ profile openbox @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index 5313ed948e..687cf78331 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session @@ -22,7 +22,7 @@ profile openbox-session @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index f87c0fa928..1db2d22a3d 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -35,7 +35,7 @@ profile orage @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index f9e5b2058e..05ec28ae24 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -78,7 +78,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 1e89ef3f21..e8dd535d92 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -23,7 +23,7 @@ profile pactl @{exec_path} { owner @{HOME}/.Xauthority r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, owner @{HOME}/.anyRemote/anyremote.stdout w, diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index fc767e5b3b..6501960fac 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -19,7 +19,7 @@ profile pam-tmpdir-helper @{exec_path} { owner @{tmp}/ rw, /dev/ptmx rw, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 30f92c9643..cd6dd03db0 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -148,7 +148,7 @@ profile pass @{exec_path} { owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, - owner /dev/pts/@{int} rw, + owner /dev/pts/@{u16} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index 596cbacbdd..0b0756a5c4 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -28,7 +28,7 @@ profile pavucontrol @{exec_path} { owner @{PROC}/@{pid}/cmdline r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom index 7d423f1489..1d841e65b3 100644 --- a/apparmor.d/profiles-m-r/picom +++ b/apparmor.d/profiles-m-r/picom @@ -33,7 +33,7 @@ profile picom @{exec_path} { owner @{PROC}/@{pid}/fd/ r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 76b9942fb0..5deb13d3e6 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -28,7 +28,7 @@ profile pidof @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index c14b410270..193e10b557 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -17,7 +17,7 @@ profile pinentry-curses @{exec_path} { /usr/share/terminfo/** r, - owner /dev/tty@{int} r, + owner /dev/tty@{u8} r, include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index 73bb8c83b6..a010c99b7d 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -28,7 +28,7 @@ profile pinentry-gtk @{exec_path} { @{PROC}/@{pid}/cmdline r, - owner /dev/tty@{int} r, + owner /dev/tty@{u8} r, include if exists } diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index 324b08f17f..557f87b494 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -90,7 +90,7 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) { /dev/input/js@{int} rw, /dev/tty rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 8eec05a1b7..de4b248053 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -64,7 +64,7 @@ profile psi @{exec_path} { owner @{PROC}/@{pid}/mounts r, /dev/shm/#@{int} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, profile aplay { include diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 451414e724..ad1164be8f 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -64,7 +64,7 @@ profile psi-plus @{exec_path} { owner @{PROC}/@{pid}/mounts r, /dev/shm/#@{int} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, profile aplay { include diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index e57e221dd1..95732ff5ad 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -34,7 +34,7 @@ profile pulseeffects @{exec_path} { owner @{PROC}/@{pid}/fd/ r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 4da5383104..bece92ce89 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -82,7 +82,7 @@ profile qbittorrent @{exec_path} { owner @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/mounts r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, profile python { include diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index d02ff94269..b7665aaa58 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -68,7 +68,7 @@ profile qnapi @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner /dev/shm/#@{int} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 8593038050..d6f0a22479 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -57,7 +57,7 @@ profile qpdfview @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 73b8f7488c..d2708871f7 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -57,7 +57,7 @@ profile quiterss @{exec_path} { /dev/shm/#@{int} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index e5d44e13ad..aca4246774 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -138,7 +138,7 @@ profile run-parts @{exec_path} { @{run}/motd.dynamic.new w, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 7fdfddcbb0..197a1ebe4e 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -17,7 +17,7 @@ profile setvtrgb @{exec_path} { /etc/console-setup/vtrgb r, - /dev/tty@{int} rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox index 51c625d53f..33afbfd20e 100644 --- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox +++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox @@ -29,7 +29,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} { @{PROC}/@{pid}/oom_score_adj w, # Silencer - deny /dev/pts/@{int} rw, # file_inherit + deny /dev/pts/@{u16} rw, # file_inherit include if exists } diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 858c736373..cf603f6698 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -71,7 +71,7 @@ profile smplayer @{exec_path} { @{PROC}/@{pid}/mounts r, /dev/ r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index c318328b6d..6b2aba9fa5 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -71,7 +71,7 @@ profile smtube @{exec_path} { @{open_path} rPx -> child-open, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 34f6d47240..2270397324 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -43,7 +43,7 @@ profile startx @{exec_path} flags=(attach_disconnected) { owner @{tmp}/serverauth.* rw, /dev/ r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 2a4f0e290d..ac77a534e0 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -51,7 +51,7 @@ profile system-config-printer @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index 8502c14ffb..2ef34be2cd 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -54,7 +54,7 @@ profile telegram-desktop @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 8b6f0dc453..c7ad54d286 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -57,7 +57,7 @@ profile tint2 @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, include if exists diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index 737bc90f85..4e8519e5da 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -37,7 +37,7 @@ profile tint2conf @{exec_path} { /etc/fstab r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 7407a9f99c..2a6a941198 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -27,7 +27,7 @@ profile unix-chkpwd @{exec_path} { @{run}/host/userdb/*.user r, @{run}/host/userdb/*.user-privileged r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index 2bba24055f..70696e0046 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -44,7 +44,7 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { owner /dev/ r, deny /dev/tty rw, - deny owner /dev/tty@{int} rw, + deny owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 7cf741dc28..f281048c47 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -66,7 +66,7 @@ profile vidcutter @{exec_path} { /dev/shm/#@{int} rw, /dev/disk/*/ r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 8218b4affb..2616001a55 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -79,7 +79,7 @@ profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, # Silencer deny @{lib}/@{multiarch}/vlc/{,**} w, diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index edce318402..ce2ea85b11 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -44,7 +44,7 @@ profile vnstat @{exec_path} { deny @{PROC}/diskstats r, deny @{PROC}/loadavg r, deny @{sys}/devices/**/hwmon/**/temp*_input r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny network inet dgram, deny network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon index e354c3cbd4..c76dc1562f 100644 --- a/apparmor.d/profiles-s-z/volumeicon +++ b/apparmor.d/profiles-s-z/volumeicon @@ -32,7 +32,7 @@ profile volumeicon @{exec_path} { owner @{user_config_dirs}/volumeicon/ rw, owner @{user_config_dirs}/volumeicon/volumeicon* rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index b8d1d53261..e6abca0f5c 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -40,7 +40,7 @@ profile waybar @{exec_path} flags=(attach_disconnected) { /dev/rfkill r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index c4de427ff8..934a91da5f 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -31,7 +31,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{.,}go/bin/ r, owner @{user_bin_dirs}/ r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index 10441e892c..9ddc908f7c 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -57,7 +57,7 @@ profile wireshark @{exec_path} { @{PROC}/@{pid}/mounts r, owner /dev/shm/#@{int} rw, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index f833c812e6..8ccf972faf 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -24,7 +24,7 @@ profile wpa-gui @{exec_path} { owner @{PROC}/@{pid}/cmdline r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 4d27661010..68c9236982 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -50,7 +50,7 @@ profile xarchiver @{exec_path} { @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/fd/ r, - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/xautolock b/apparmor.d/profiles-s-z/xautolock index cb94265835..d80682bfb8 100644 --- a/apparmor.d/profiles-s-z/xautolock +++ b/apparmor.d/profiles-s-z/xautolock @@ -26,7 +26,7 @@ profile xautolock @{exec_path} { owner @{HOME}/.Xauthority r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 9abc02350a..ed6fbc2d70 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -85,7 +85,7 @@ profile xinit @{exec_path} { /etc/X11/Xresources/ r, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, include if exists diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 05b93fed98..4b4e3f112e 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -20,7 +20,7 @@ profile xsel @{exec_path} { owner @{user_cache_dirs}/xsel.log rw, # file_inherit - owner /dev/tty@{int} rw, + owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, include if exists diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 1e8c843c06..d9ffaed74a 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -40,7 +40,7 @@ profile zpool @{exec_path} { @{PROC}/@{pids}/mounts r, @{PROC}/sys/kernel/spl/hostid r, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, /dev/zfs rw, include if exists diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 76fcdd0a1b..7a67c35964 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -36,7 +36,7 @@ profile zsysd @{exec_path} flags=(complain) { @{PROC}/cmdline r, @{PROC}/sys/kernel/spl/hostid r, - /dev/pts/@{int} rw, + /dev/pts/@{u16} rw, /dev/zfs rw, include if exists diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 172cfc2b5f..9ee6a674c4 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -231,7 +231,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IsMagic: true, Path: "abstractions/consoles"}, &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/base"}, - &File{Path: "/dev/tty@{int}", Access: []string{"r", "w"}}, + &File{Path: "/dev/tty@{u8}", Access: []string{"r", "w"}}, &Capability{Names: []string{"sys_ptrace"}}, &Ptrace{Access: []string{"read"}}, }, From 6c5aa6e7b1df54d1598e2b9ea0c592e6923a1d06 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 13:57:20 +0100 Subject: [PATCH 1001/1736] fix(profile): mdevctl can be in bin or sbin. --- apparmor.d/groups/virt/libvirtd | 12 +++++++----- apparmor.d/groups/virt/virtnodedevd | 1 + apparmor.d/profiles-m-r/mdevctl | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 16cf09df8d..c0e936d785 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -121,16 +121,18 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, - @{sbin}/dmidecode rPx, - @{sbin}/dnsmasq rPx, @{bin}/kmod rCx -> kmod, - @{sbin}/lvm rPUx, - @{sbin}/mdevctl rPx, + @{bin}/mdevctl rPx, #aa:lint ignore=sbin + @{bin}/ssh rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @{bin}/udevadm rPx, - @{bin}/virtiofsd rux, # TODO: WIP + @{bin}/virtiofsd rPx, # TODO: WIP + @{sbin}/dmidecode rPx, + @{sbin}/dnsmasq rPx, + @{sbin}/lvm rPUx, + @{sbin}/mdevctl rPx, @{sbin}/virtlogd rPx, @{sh_path} rix, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 136ee94cd6..5d782b4a28 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -25,6 +25,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sbin}/mdevctl rPx, + @{bin}/mdevctl rPx, #aa:lint ignore=sbin /usr/share/hwdata/*.ids r, /usr/share/pci.ids r, diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 1de90fdc60..ea0efab15e 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/mdevctl +@{exec_path} = @{sbin}/mdevctl @{bin}/mdevctl #aa:lint ignore=sbin profile mdevctl @{exec_path} { include include From 92aeaa8ba672a59e97fe524e6cfaec1df73cd63d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 14:01:04 +0100 Subject: [PATCH 1002/1736] fix: linter issue. --- apparmor.d/groups/pacman/pacman-hook-systemd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 2e4bfccb96..3017ae29fc 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -52,7 +52,7 @@ profile pacman-hook-systemd @{exec_path} { signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, - + deny unix type=stream peer=(label=pacman), include if exists From 3a96262ab0d1a7bc50c9974ccf4fb4e4cd4905cf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 14:11:07 +0100 Subject: [PATCH 1003/1736] fix(profile): syntax error. --- apparmor.d/groups/_full/sd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index f35f1e2853..bd64fdf525 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -96,7 +96,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { mqueue (read getattr) type=posix /, - signal (send, receive) + signal (send, receive), ptrace read, From 84f3f5e5c87c7fded80ab4cd9c24b182031e6308 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Nov 2025 22:50:20 +0100 Subject: [PATCH 1004/1736] feat(profile): relax a bit allowed fusermount mount points. --- apparmor.d/profiles-a-f/fusermount | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 070b4f7d79..c2d03bd9db 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -12,21 +12,17 @@ profile fusermount @{exec_path} { include include + capability setuid, + # Be able to mount ISO images - mount fstype={fuse,fuse.*} -> @{HOME}/*/, - mount fstype={fuse,fuse.*} -> @{HOME}/*/*/, - mount fstype={fuse,fuse.*} -> @{user_cache_dirs}/**/, - mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/, - mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/, + mount fstype={fuse,fuse.*} -> @{HOME}/**/, + mount fstype={fuse,fuse.*} -> @{MOUNTS}/**/, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/, mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/, mount fstype={fuse,fuse.*} -> /tmp/.mount_*@{rand6}/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{user_cache_dirs}/**/, - umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, + umount @{HOME}/**/, + umount @{MOUNTS}/**/, umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, @@ -40,11 +36,9 @@ profile fusermount @{exec_path} { # Where to mount ISO files owner @{HOME}/*/ rw, - owner @{HOME}/*/*/ rw, - - owner @{user_cache_dirs}/**/ rw, + owner @{HOME}/**/ rw, - /tmp/.mount_*@{rand6}/ r, + /tmp/.mount_*@{rand6}/ rw, @{run}/user/@{uid}/doc/ r, From 6202e8017b87738b7b485f31f9f4f6471e519c35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 11:57:26 +0100 Subject: [PATCH 1005/1736] fix(profile): archlinux-keyring-wkd-sync now needs attach_disconnected Fix #932 --- apparmor.d/groups/pacman/archlinux-keyring-wkd-sync | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index 0140734435..ef2bb438de 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/archlinux-keyring-wkd-sync -profile archlinux-keyring-wkd-sync @{exec_path} { +profile archlinux-keyring-wkd-sync @{exec_path} flags=(attach_disconnected) { include include include From 5a52ced8e713f319e315bb0d614ce6534dba0dcf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 11:59:22 +0100 Subject: [PATCH 1006/1736] fix(profile): plymouth integration with boot loaders. Fix #931 --- apparmor.d/groups/freedesktop/plymouthd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 0f738ee6a1..bfdce833b6 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -46,6 +46,7 @@ profile plymouthd @{exec_path} { /var/log/plymouth-*.log w, @{run}/plymouth/{,**} rw, + @{run}/initramfs/usr/share/fonts/{,**} r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* From c05568541be27b81cde1d209744a1fa4927da982 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:10:34 +0100 Subject: [PATCH 1007/1736] fix(profile): dkms zfs module fix #930 --- apparmor.d/profiles-a-f/dkms | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 9049e223ff..97800fae3c 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -4,6 +4,12 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only +# TODO: Revisit this profile: all build tasks should take place in a dedicated profile +# @{lib}/modules/*/build/ Cx. +# /var/lib/dkms/**/build/ Cx, + +# TODO: Also test the future profile with the zfs dkms module + abi , include @@ -13,6 +19,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, capability dac_read_search, @@ -26,12 +33,16 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, + @{archive_path} rix, + @{python_path} rix, @{bin}/as rix, @{bin}/bc rix, @{bin}/clang-@{version} rix, + @{bin}/file rix, @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, + @{bin}/git rix, @{bin}/hostname rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @@ -40,13 +51,17 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/llvm-objcopy rix, @{bin}/lsb_release rPx, @{bin}/make rix, + @{bin}/msgfmt rix, + @{bin}/msgmerge rix, + @{bin}/nm rix, @{bin}/objcopy rix, + @{bin}/objdump rix, @{bin}/pahole rix, + @{bin}/pkgconf rix, @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/xz rix, - @{bin}/zstd rix, + @{bin}/xgettext rix, @{sbin}/update-secureboot-policy rPUx, @{lib}/gcc/@{multiarch}/@{version}/* rix, @@ -100,7 +115,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/system.slice/cpu.max r, @{sys}/fs/cgroup/system.slice/dkms.service/cpu.max r, - + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, + + /tmp/@{word8} rw, + /tmp/@{word8}/{,*} rw, + /tmp/conftest-@{ran6}.* rw, @{tmp}/GMfifo@{int} rw, owner @{tmp}/cc@{rand6}* rw, owner @{tmp}/tmp.@{rand10} rw, From 2ef8ed52ee796a44448f28fd13e759daca25ac44 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:12:49 +0100 Subject: [PATCH 1008/1736] fix(profile): systemd-tty-ask-password-agent fix #927 --- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index f1b736743b..598e898969 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -46,12 +46,14 @@ profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) @{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/tty@{int}/active r, + @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + /dev/console k, /dev/hvc@{int} rw, /dev/tty@{u8} rw, /dev/ttyS@{int} rw, From 96807593281ca1008b321fdab4cbc5fb0901e942 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:14:24 +0100 Subject: [PATCH 1009/1736] feat(tunable): update the list of know programs. --- apparmor.d/tunables/multiarch.d/programs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 565f4199da..e53523b87f 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -16,6 +16,7 @@ @{shells} = sh zsh bash dash fish rbash ksh tcsh csh # Coreutils programs that should not have dedicated profile. Also includes findutils and diffutils. +# The remaining coreutils programs should have profile present in the utils group. @{coreutils} = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown @{coreutils} += cksum cmp comm cp csplit cut date dd df dir dircolors dirname diff diff3 du echo env expand @{coreutils} += expr factor false find fmt fold {,e,f}grep head hostid id install join link @@ -91,12 +92,12 @@ @{help_names} = yelp # Terminal emulator -@{terminal_names} = kgx terminator konsole ptyxis ghostty +@{terminal_names} = xdg-terminal-exec kgx terminator konsole ptyxis ghostty # Backup @{backup_names} = deja-dup borg # Archives -@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd +@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar unrar-nonfree unzip xz zip zstd # vim:syntax=apparmor From 87808f46b1b3c42404a6f5ffc51cbbc4d7930e38 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:19:01 +0100 Subject: [PATCH 1010/1736] feat(profile): add attached flag to some profiles More and more programs are stared/configured in such a way it is required. --- apparmor.d/groups/freedesktop/iio-sensor-proxy | 2 +- apparmor.d/groups/gvfs/gvfsd-dav | 2 +- apparmor.d/groups/gvfs/gvfsd-network | 2 +- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/systemd/systemd-notify | 2 +- apparmor.d/profiles-a-f/file-roller | 2 +- apparmor.d/profiles-a-f/fusermount | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index 4c1cb2f95b..c5729286fa 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/iio-sensor-proxy -profile iio-sensor-proxy @{exec_path} { +profile iio-sensor-proxy @{exec_path} flags=(attach_disconnected) { include capability net_admin, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 85344d0d46..29b2f44694 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav -profile gvfsd-dav @{exec_path} { +profile gvfsd-dav @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 5b2d386dfb..a7f449c0dc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-network -profile gvfsd-network @{exec_path} { +profile gvfsd-network @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 3b1a56e3de..c2cfc66298 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd -profile gvfsd-wsdd @{exec_path} { +profile gvfsd-wsdd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index 999b9dcd5a..9b2182cc30 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-notify -profile systemd-notify @{exec_path} { +profile systemd-notify @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index a68b491fbc..083f648e49 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/file-roller -profile file-roller @{exec_path} { +profile file-roller @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index c2d03bd9db..90ab01582e 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/fusermount{,3} -profile fusermount @{exec_path} { +profile fusermount @{exec_path} flags=(attach_disconnected) { include include From 687079d20bebd64729e6b3852361fbdcf6f14fe6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:29:19 +0100 Subject: [PATCH 1011/1736] feat(profile): pacman: add integration with arch-update fix #795 --- apparmor.d/groups/pacman/pacman | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 5e3a573cc7..ad23ea8c4e 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -108,8 +108,9 @@ profile pacman @{exec_path} flags=(attach_disconnected) { owner /var/lib/pacman/{,**} rwl, owner @{tmp}/alpm_@{rand6}/{,**} rw, - owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, + owner @{tmp}/arch-update-@{uid}/checkupdates-@{rand}/sync/** w, owner @{tmp}/checkup-db-@{int}/db.lck rw, + owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, @{run}/utmp rk, From b5f14ba26b965a3247d4544deb95bd5856eef834 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:40:14 +0100 Subject: [PATCH 1012/1736] fix(profile): integration with opensure. fix #919 --- apparmor.d/groups/kde/kioworker | 2 ++ apparmor.d/profiles-g-l/libreoffice | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 077119685a..78dad8920f 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,6 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, + @{bin}/alts ix, @{bin}/gs{,.bin} rCx -> gs, #aa:exec kio_http_cache_cleaner @@ -48,6 +49,7 @@ profile kioworker @{exec_path} { /usr/share/kio_desktop/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, + /usr/share/libalternatives/gs/{,**} r, /usr/share/org.kde.syntax-highlighting/{,**} r, /usr/share/remoteview/* r, /usr/share/thumbnailers/{,**} r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 344c6cfbe4..7f654e3244 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -8,7 +8,7 @@ include @{exec_path} = @{bin}/libreoffice @{bin}/soffice @{exec_path} += @{lib}/libreoffice/program/soffice -profile libreoffice @{exec_path} flags=(attach_disconnected) { +profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -45,12 +45,14 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/{,e}grep rix, @{bin}/ls rix, + @{bin}/net rix, @{bin}/paperconf rix, @{bin}/sed rix, + @{bin}/testparm rix, @{bin}/uname rix, @{open_path} rPx -> child-open-browsers, @@ -58,6 +60,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected) { @{bin}/gpg rPx, @{bin}/gpgconf rPx, @{bin}/gpgsm rPx, + #aa:exec kioworker @{lib}/jvm/java*/bin/java rix, @{lib}/jvm/java*/lib/** rm, From 6574ecda153d75539bf5e28d42328dd35c53d88a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:43:41 +0100 Subject: [PATCH 1013/1736] feat(profile): add unix mediation to the flatpak profiles. --- apparmor.d/abstractions/app/flatpak | 4 ++++ apparmor.d/abstractions/flatpak/sockets/pulseaudio | 2 ++ apparmor.d/abstractions/flatpak/sockets/wayland | 1 + apparmor.d/abstractions/flatpak/sockets/x11 | 1 + apparmor.d/groups/flatpak/fbwrap | 3 +++ apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-portal | 3 +++ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 5 +++++ 8 files changed, 21 insertions(+) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 1b151a3f11..cf2d067895 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -154,6 +154,10 @@ owner @{run}/user/@{uid}/app/@{appid}/ r, owner @{run}/user/@{uid}/app/@{appid}/** rwlk -> @{run}/user/@{uid}/app/@{appid}/**, + owner @{att}@{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, + owner @{att}@{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw, + owner @{att}@{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int6} rw, + @{run}/host/os-release r, owner @{run}/host/ r, owner @{run}/host/container-manager r, diff --git a/apparmor.d/abstractions/flatpak/sockets/pulseaudio b/apparmor.d/abstractions/flatpak/sockets/pulseaudio index cb6ca777b4..735d3386fc 100644 --- a/apparmor.d/abstractions/flatpak/sockets/pulseaudio +++ b/apparmor.d/abstractions/flatpak/sockets/pulseaudio @@ -5,6 +5,8 @@ abi , + owner @{att}@{run}/user/@{uid}/pulse/native rw, + owner @{run}/flatpak/pulse/config r, @{sys}/class/ r, diff --git a/apparmor.d/abstractions/flatpak/sockets/wayland b/apparmor.d/abstractions/flatpak/sockets/wayland index 862e7795d1..dc324e1d1e 100644 --- a/apparmor.d/abstractions/flatpak/sockets/wayland +++ b/apparmor.d/abstractions/flatpak/sockets/wayland @@ -9,6 +9,7 @@ # Allow access to the Wayland compositor server socket owner @{run}/user/@{uid}/wayland-@{int} rw, + owner @{att}@{run}/user/@{uid}/wayland-@{int} rw, owner @{att}/dev/shm/@{uuid} rw, diff --git a/apparmor.d/abstractions/flatpak/sockets/x11 b/apparmor.d/abstractions/flatpak/sockets/x11 index fa881121d5..53f6a3168b 100644 --- a/apparmor.d/abstractions/flatpak/sockets/x11 +++ b/apparmor.d/abstractions/flatpak/sockets/x11 @@ -7,6 +7,7 @@ unix type=stream addr=none peer=(label=xwayland, addr=@/tmp/.X11-unix/X@{int}), unix type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}), + unix (send receive connect) type=stream peer=(label=xkbcomp, addr=@/tmp/.X11-unix/X@{int}), /usr/share/X11/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 3d798f0194..9a1e07d4f6 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -61,6 +61,9 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/.flatpak/@{int}/bwrapinfo.json rw, owner @{run}/user/@{uid}/.flatpak/@{int}/info r, + owner @{att}@{run}/user/@{uid}/at-spi/bus rw, + owner @{att}@{run}/user/@{uid}/bus rw, + @{PROC}/cgroups r, owner @{PROC}/@{pid}/coredump_filter rw, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 47f3562c93..feea6a7362 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -54,6 +54,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain unix type=seqpacket peer=(label=flatpak-system-helper), unix type=stream peer=(label=flatpak//fusermount), + unix (send receive) type=seqpacket peer=(label=fapp, addr=@@{hex}), + unix (send receive) type=seqpacket peer=(label=fbwrap, addr=@@{hex}), #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 349e50fe12..d99d62f64f 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -20,6 +20,9 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { network netlink raw, + unix (send receive) type=seqpacket peer=(label=fapp), + unix (send receive) type=seqpacket peer=(label=fbwrap), + ptrace read, signal send, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 3965ac0622..f4d7f77030 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -19,6 +19,9 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { network unix stream, + unix (send receive) type=seqpacket peer=(label=fapp), + unix (send receive) type=seqpacket peer=(label=fbwrap), + signal receive set=int peer=flatpak-portal, # By design xdg-dbus-proxy proxies and filters dbus communication from flatpak @@ -33,6 +36,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{att}@{run}/systemd/inhibit/@{int}.ref rw, owner @{att}@{run}/user/@{uid}/at-spi/bus rw, + owner @{att}@{run}/user/@{uid}/bus rw, + owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, From 07153218ddbd72623a64b0fc4ce89bac06aa9a62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:44:24 +0100 Subject: [PATCH 1014/1736] feat(tunable): add gstreamer_path. --- apparmor.d/tunables/multiarch.d/paths | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index ec6c07f543..410ba3e50e 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -19,10 +19,14 @@ @{python_path} = @{bin}/@{python_name} # ldd (List Dynamic Dependencies) and dynamic linker/loader -@{ldd_path} = @{bin}/ldd +@{ldd_path} = @{bin}/ldd @{bin}/ld @{ldd_path} += @{lib}/ld-linux-@{arch}.so{,.*} @{ldd_path} += @{lib}/@{multiarch}/ld-linux-@{arch}.so{,.*} +# Gstreamer plugin scanner +@{gstreamer_path} = @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner +@{gstreamer_path} += @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner +@{gstreamer_path} += @{lib}/gstreamer-1.0/gst-plugin-scanner # Browsers @{brave_path} = @{brave_lib_dirs}/@{brave_name} From edd723d64591b4c38964de2c981f7d53b481bf97 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:50:57 +0100 Subject: [PATCH 1015/1736] feat(profile): add some bare access to dbus-system. --- apparmor.d/groups/gnome/gnome-calculator | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 1 + apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/kgx | 1 + apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/gvfs/gvfsd-http | 1 + apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-s-z/thunderbird-glxtest | 1 + apparmor.d/profiles-s-z/transmission | 1 + 11 files changed, 11 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 4ab9b165f7..3cefedce12 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gnome-calculator profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 6c88c9fb71..9d2afc34c7 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 1a83eda4c3..e9b87e4e80 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gnome-text-editor profile gnome-text-editor @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index f843d6c142..621a93ebec 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kgx profile kgx @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index c5878afc34..92042922b8 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,6 +10,7 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index a895653de6..6e5860d75f 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/papers profile papers @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 1840728cba..5858c5d491 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index e41ffdde4b..2d74d03fe4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-http profile gvfsd-http @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 083f648e49..ad52acd7e5 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 53fdb1ffd8..b23f882beb 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -13,6 +13,7 @@ include @{exec_path} = @{lib_dirs}/glxtest profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index b3975bb31e..881cbcf6eb 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include + include include include include From 331e3b6ba44d2feb280bbda5383f8e9937eb2896 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:52:25 +0100 Subject: [PATCH 1016/1736] feta(abs): update some abstracion. --- apparmor.d/abstractions/shells | 1 + apparmor.d/abstractions/wine | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index 35d3a580a5..663513e72e 100644 --- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells @@ -9,6 +9,7 @@ include include + include include include if exists diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 5c5bb26b90..6289f0c94f 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -13,7 +13,7 @@ owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/ rw, owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/lock rwk, owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/socket rw, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/tmpmap-@{hex8} m, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/tmpmap-@{hex8} mrw, owner @{tmp}/protonfixes_test.log w, owner /dev/shm/wine-@{hex6}-fsync rw, From e0b644973f7477cb81e827153487e860c0a65178 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:53:39 +0100 Subject: [PATCH 1017/1736] feat(profile): improve firefox unix rules. --- apparmor.d/groups/browsers/firefox | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 288ea33db4..7461e136dd 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -24,9 +24,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) { unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, unix type=seqpacket peer=(label=firefox-crashhelper), + unix type=seqpacket peer=(label=firefox-glxtest), + + unix type=seqpacket, + unix type=seqpacket peer=(label=firefox-crashreporter), + unix type=stream, #aa:dbus own bus=session name=org.mozilla.firefox - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @{exec_path} mrix, From a39a7f1645f559b8223a690a17ee842013a579c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 12:59:34 +0100 Subject: [PATCH 1018/1736] feat(profile): update unix rules on core dbus profiles. --- apparmor.d/groups/bus/dbus-accessibility | 3 ++- apparmor.d/groups/bus/dbus-session | 15 ++++++++++++--- apparmor.d/groups/bus/dbus-system | 10 ++++++---- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 270077860c..8e8f5e5911 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -28,7 +28,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { signal receive set=(term hup kill) peer=gdm{,-session-worker}, signal receive set=(term hup kill) peer=gnome-session-binary, - unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), + unix bind type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, + unix bind type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), #aa:dbus own bus=accessibility name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} #aa:dbus own bus=session name=org.a11y.{B,b}us diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 0819052802..c681fa40a7 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -26,6 +26,10 @@ profile dbus-session flags=(attach_disconnected) { unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), unix type=stream peer=(label=fapp), unix type=stream peer=(label=fbwrap), + unix type=stream peer=(label=unconfined), + + unix bind type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, + unix (send receive) type=seqpacket, signal (send receive) set=kill peer=dbus-session//&unconfined, @@ -35,10 +39,15 @@ profile dbus-session flags=(attach_disconnected) { signal send set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=session - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}, + # Larger than what is allowed in the directive above, needed due to complex + # setup with stack and peer names. + dbus receive bus=session interface=org.freedesktop.DBus, + + dbus receive bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Activator + member=ActivationFailure + peer=(name=@{busname}, label="@{p_systemd_user}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index d401dea894..228d7a9c51 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -37,12 +37,14 @@ profile dbus-system flags=(attach_disconnected) { signal (send receive) set=kill peer=dbus-system//&unconfined, unix type=stream peer=(label=unconfined), + unix type=seqpacket peer=(label=flatpak-system-helper), + unix bind type=stream addr=@@{udbus}/bus/dbus-broker-lau/system, + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name="{@{busname},org.freedesktop.DBus}"), + # Larger than what is allowed in the directive above, needed due to complex + # setup with stack and peer names. + dbus receive bus=system interface=org.freedesktop.DBus, dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Activator From 807790c70561b338f0642dcaee23c5633b5f1f92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 13:07:18 +0100 Subject: [PATCH 1019/1736] feat(profile): confine gstreamer plugin in a subprofile. Move the plugin scanner to a dedicaded sub profile. --- apparmor.d/abstractions/app/firefox | 9 +++ apparmor.d/abstractions/gstreamer | 2 + apparmor.d/abstractions/gstreamer-registry | 7 +++ apparmor.d/groups/children/gstreamer | 56 +++++++++++++++++++ apparmor.d/groups/freedesktop/pulseaudio | 15 +++-- apparmor.d/groups/gnome/decibels | 10 +++- apparmor.d/groups/gnome/gjs | 28 ++++------ apparmor.d/groups/gnome/gnome-boxes | 10 +++- apparmor.d/groups/gnome/gnome-clocks | 10 +++- apparmor.d/groups/gnome/gnome-contacts | 16 +++++- apparmor.d/groups/gnome/gnome-control-center | 11 +++- .../groups/gnome/org.gnome.NautilusPreviewer | 13 +++-- 12 files changed, 156 insertions(+), 31 deletions(-) create mode 100644 apparmor.d/groups/children/gstreamer diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index f6b16d3551..de84cb3002 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -73,6 +73,8 @@ @{lib_dirs}/pingsender rPx, @{lib_dirs}/plugin-container rPx, + @{gstreamer_path} rCx -> gstreamer, + # Desktop integration @{bin}/lsb_release rPx, @@ -176,6 +178,13 @@ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, + profile gstreamer { + include + include + + include if exists + } + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 7dc54fc768..4fbd7600f9 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -7,6 +7,8 @@ include + @{gstreamer_path} rix, + @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, diff --git a/apparmor.d/abstractions/gstreamer-registry b/apparmor.d/abstractions/gstreamer-registry index fe0b9955b2..137cb508fa 100644 --- a/apparmor.d/abstractions/gstreamer-registry +++ b/apparmor.d/abstractions/gstreamer-registry @@ -22,6 +22,13 @@ owner @{user_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin.tmp@{rand6} rw, + # The orcexec.* file is JIT compiled code for various GStreamer elements. + # If one is blocked the next is used instead. + # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. + owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, + deny owner @{HOME}/orcexec.@{rand6} rw, + deny owner @{tmp}/orcexec.@{rand6} mrw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/gstreamer b/apparmor.d/groups/children/gstreamer new file mode 100644 index 0000000000..5e473ed19d --- /dev/null +++ b/apparmor.d/groups/children/gstreamer @@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Confine gstreamer related processes. + +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> gstreamer" exec transitions from other profiles. + +abi , + +include + +profile gstreamer flags=(attach_disconnected,complain) { + include + include + include + include + include + include + include + include + include + include + include + include + + network (bind create getattr setopt getopt) netlink raw, + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{gstreamer_path} mr, + + /usr/share/ladspa/rdf/{,**} r, + + owner @{DESKTOP_HOME}/.nv/ w, + owner @{DESKTOP_HOME}/.nv/ComputeCache/ w, + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/**/uevent r, + + @{PROC}/devices r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index e6f5c66b0b..97f46e5517 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -25,7 +25,7 @@ profile pulseaudio @{exec_path} { include include include - include + include include include include @@ -61,6 +61,8 @@ profile pulseaudio @{exec_path} { @{lib}/@{multiarch}/pulse/gconf-helper rix, @{lib}/pulse-*/modules/*.so mr, + @{gstreamer_path} Cx -> gstreamer, + /usr/share/ladspa/rdf/{,*} r, /usr/share/pulseaudio/{,**} r, @@ -68,8 +70,6 @@ profile pulseaudio @{exec_path} { / r, - owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, - owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{desktop_config_dirs}/pulse/{,**} rw, owner @{desktop_config_dirs}/pulse/cookie k, @@ -77,8 +77,6 @@ profile pulseaudio @{exec_path} { owner @{user_config_dirs}/ w, owner @{user_config_dirs}/pulse/{,**} rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, - owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/** rwk, @@ -102,6 +100,13 @@ profile pulseaudio @{exec_path} { # file_inherit owner /dev/tty@{u8} rw, + profile gstreamer { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels index 2bb38dfd59..2b966f8f86 100644 --- a/apparmor.d/groups/gnome/decibels +++ b/apparmor.d/groups/gnome/decibels @@ -11,7 +11,7 @@ profile decibels @{exec_path} { include include include - include + include include @{exec_path} mr, @@ -19,6 +19,7 @@ profile decibels @{exec_path} { @{bin}/gjs-console rix, @{open_path} rPx -> child-open-help, + @{gstreamer_path} Cx -> gstreamer, /usr/share/org.gnome.Decibels/{,**} r, @@ -30,6 +31,13 @@ profile decibels @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + profile gstreamer { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index a8f981e695..c9dfab7c70 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -42,6 +42,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include include include + include unix type=stream peer=(label=gnome-shell), @@ -71,14 +72,13 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, # gnome-extension-ding - @{sh_path} rix, - @{bin}/env rix, - @{bin}/gnome-control-center rPx, - @{bin}/nautilus rPx, + @{sh_path} rix, + @{bin}/env rix, + @{bin}/true rix, + @{bin}/gnome-control-center Px, + @{bin}/nautilus Px, - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{gstreamer_path} Cx -> gstreamer, /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, @@ -87,10 +87,6 @@ profile gjs @{exec_path} flags=(attach_disconnected) { /usr/share/xkeyboard-config-2/{,**} r, /usr/share/thumbnailers/{,**} r, - owner @{gdm_cache_dirs}/gstreamer-1.0/ w, - owner @{gdm_cache_dirs}/gstreamer-@{int}.@{int}/ w, - owner @{gdm_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, - owner @{HOME}/ r, owner @{user_cache_dirs}/gjs_repl_history rw, @@ -119,7 +115,6 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, @@ -147,14 +142,15 @@ profile gjs @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, - @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, - @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + /usr/share/ladspa/rdf/{,**} r, + owner @{DESKTOP_HOME}/.nv/ w, + owner @{DESKTOP_HOME}/.nv/ComputeCache/ w, owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 1e2767f011..24c91f9030 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -16,7 +16,7 @@ profile gnome-boxes @{exec_path} { include include include - include + include include include include @@ -36,6 +36,7 @@ profile gnome-boxes @{exec_path} { @{bin}/qemu-img rix, @{bin}/virsh rCx -> virsh, @{bin}/virtqemud rPUx, + @{gstreamer_path} Cx -> gstreamer, /usr/share/ladspa/rdf/{,*} r, /usr/share/osinfo/{,**} r, @@ -98,6 +99,13 @@ profile gnome-boxes @{exec_path} { include if exists } + profile gstreamer { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 07598d9dd2..a329f5be2c 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -12,7 +12,7 @@ profile gnome-clocks @{exec_path} flags=(attach_disconnected) { include include include - include + include include include @@ -23,6 +23,14 @@ profile gnome-clocks @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{open_path} rPx -> child-open-help, + @{gstreamer_path} Cx -> gstreamer, + + profile gstreamer { + include + include + + include if exists + } include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index db805884e5..c654001664 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -11,7 +11,7 @@ profile gnome-contacts @{exec_path} { include include include - include + include include include @@ -24,11 +24,23 @@ profile gnome-contacts @{exec_path} { #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon @{exec_path} mr, - @{open_path} rPx -> child-open-help, + @{open_path} Px -> child-open-help, + @{gstreamer_path} Cx -> gstreamer, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_share_dirs}/folks/relationships.ini r, + profile gstreamer { + include + include + + network netlink raw, + + @{sys}/class/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 973192451d..c0fe12d8a2 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -17,7 +17,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include + include + include include include include @@ -97,6 +98,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language2locale rix, /usr/share/language-tools/language-options rPUx, + @{gstreamer_path} Cx -> gstreamer, @{open_path} rPx -> child-open-any, /snap/*/@{int}/**.@{icon_ext} r, @@ -220,6 +222,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include if exists } + profile gstreamer { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 92042922b8..871be7331d 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -16,7 +16,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -24,10 +24,10 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mr, - @{bin}/gjs-console r, @{open_path} rPx -> child-open-any, + @{gstreamer_path} Cx -> gstreamer, /usr/share/ladspa/rdf/{,**} r, /usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r, @@ -38,8 +38,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{MOUNTS}/{,**} r, owner @{HOME}/{,**} r, - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/@{pci_bus}/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @@ -56,6 +54,13 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { /dev/ r, + profile gstreamer { + include + include + + include if exists + } + include if exists } From 86af2bf31806282add346ba267955496f252fa7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 13:09:19 +0100 Subject: [PATCH 1020/1736] feat(profile): update tb tmp lock dir. --- apparmor.d/profiles-s-z/thunderbird | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 657c3a98ce..561b242981 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -64,6 +64,9 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { owner @{tmp}/MozillaMailnews/ rw, owner @{tmp}/MozillaMailnews/*.msf rw, owner @{tmp}/ns* rw, + owner @{tmp}/org.mozilla.thunderbird/ w, + owner @{tmp}/org.mozilla.thunderbird/.parentlock wk, + owner @{tmp}/org.mozilla.thunderbird/lock w, owner @{tmp}/pid-@{pid}/{,**} w, owner @{tmp}/remote-settings-startup-bundle- rw, From 5f77d46cc71a050b372b50db1a98f85055eed736 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 13:10:14 +0100 Subject: [PATCH 1021/1736] fix(profile): keepass: incorectly labelled access. --- apparmor.d/profiles-g-l/keepassxc | 4 ++-- apparmor.d/profiles-g-l/keepassxc-proxy | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index c3354e03f1..60505724b8 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -75,9 +75,9 @@ profile keepassxc @{exec_path} { owner @{tmp}/keepassxc.socket rw, owner @{tmp}/runtime-user/ w, - owner @{run}/user/@{pid}/app/ w, - owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw, owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw, + owner @{run}/user/@{uid}/app/ w, + owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/{,**} rw, owner @{run}/user/@{uid}/kpxc_server rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w, diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index 24a30c56c9..03a64a64d4 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -24,10 +24,10 @@ profile keepassxc-proxy @{exec_path} { /usr/share/icons/*/index.theme r, - owner @{run}/user/@{pid}/app/ w, - owner @{run}/user/@{pid}/org.keepassxc.KeePassXC.BrowserServer rw, - owner @{run}/user/@{pid}/org.keepassxc.KeePassXC/ rw, + owner @{run}/user/@{uid}/app/ w, owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/ rw, + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ rw, # file_inherit deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw, From c2f883cd8dde7dc78388a8078b6473dec0fd81b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 13:11:57 +0100 Subject: [PATCH 1022/1736] feat(profile): add missing ssh socket. --- apparmor.d/groups/ssh/ssh | 1 + apparmor.d/groups/ssh/ssh-agent | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index bfb2cca8bc..c64a79af8d 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -48,6 +48,7 @@ profile ssh @{exec_path} { owner @{tmp}/krb5cc_* rwk, + owner @{run}/user/@{uid}/gcr/ssh rw, # gcr-ssh-agent socket (i.e. Gnome only) owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 1aa4cb28b2..c7814bc116 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -33,7 +33,7 @@ profile ssh-agent @{exec_path} { owner @{run}/user/@{uid}/keyring/.ssh rw, owner @{run}/user/@{uid}/openssh_agent rw, owner @{run}/user/@{uid}/ssh-agent.@{rand6} w, - owner @{run}/user/@{uid}/gcr/.ssh w, + owner @{run}/user/@{uid}/gcr/.ssh rw, /dev/tty@{u8} rw, /dev/tty rw, From e7815966290b4d9ccfdc5c2dc463450fb3f27c63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 13:15:23 +0100 Subject: [PATCH 1023/1736] feat(profile): update some system profiles. --- .../systemd-generator-cloud-init | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 3 ++- .../groups/systemd/systemd-sleep-hdparm | 19 +++++++++++++++++-- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init index fae2afac0c..31df5a3de9 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init +++ b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init @@ -12,6 +12,8 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { include include + capability sys_admin, # optional: no audit + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 5a0ffbaa90..11c08d444d 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/systemd/systemd-coredump +@{exec_path} = @{lib}/systemd/systemd-coredump profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include @@ -51,6 +51,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, + @{run}/systemd/coredump rw, @{att}@{run}/systemd/coredump rw, @{PROC}/@{pids}/auxv r, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 3cb15904ed..612113c12a 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,8 +13,23 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/{,e}grep ix, - @{lib}/pm-utils/power.d/*hdparm-apm ix, + @{bin}/{,e}grep rix, + @{bin}/sed ix, + @{bin}/udevadm Cx -> udevadm, + @{lib}/pm-utils/power.d/*hdparm-apm ix, + + /etc/hdparm.conf r, + + @{PROC}/cmdline r, + + /dev/ r, + + profile udevadm { + include + include + + include if exists + } include if exists } From 8c799a20cbf1b80993223ac607569ed1a75b9eed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 13:17:31 +0100 Subject: [PATCH 1024/1736] feat(profile): fuse-overlays: relax possible mountpoint --- apparmor.d/profiles-a-f/fuse-overlayfs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index 91b279d200..cb0d810dff 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -18,14 +18,19 @@ profile fuse-overlayfs @{exec_path} { capability setuid, capability sys_admin, + unix (send receive) type=stream peer=(label=fusermount), + mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/, + mount fstype=fuse.fuse-overlayfs options=(rw noatime nodev nosuid) fuse-overlayfs -> @{HOME}/**/, @{exec_path} mr, @{bin}/mount rix, @{bin}/umount rix, + @{bin}/fusermount{,3} Px, + owner @{HOME}/**/ r, owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, @{PROC}/sys/kernel/overflowgid r, From 382bbd22b23152be5fe5cf01b913486f4d22b7d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 13:20:43 +0100 Subject: [PATCH 1025/1736] feat(profile): rewrite swtpm --- apparmor.d/profiles-s-z/swtpm | 35 ++++++++++++++++++++++------- apparmor.d/profiles-s-z/swtpm_setup | 2 ++ 2 files changed, 29 insertions(+), 8 deletions(-) diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 369046b6bc..9981a14d38 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -9,23 +9,42 @@ include @{exec_path} = @{bin}/swtpm profile swtpm @{exec_path} { include + include - signal (receive) set=(term) peer=libvirtd, + audit capability chown, + audit capability dac_override, + audit capability dac_read_search, + audit capability fowner, + audit capability fsetid, + audit capability setgid, + audit capability setuid, + audit capability sys_admin, + + network inet stream, + network inet6 stream, + + signal receive set=term peer=libvirtd, + + unix (send receive) type=stream peer=(label=swtpm_setup), + unix (send receive) type=stream peer=(label=libvirt-*), @{exec_path} mr, - /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + owner /var/lib/libvirt/swtpm/{,**} rwk, + owner /var/lib/swtpm/{,**} rwk, + owner /var/log/swtpm/libvirt/qemu/*-swtpm.log rw, - owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, - owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw, + @{run}/libvirt/qemu/swtpm/*.pid rwk, + @{run}/libvirt/qemu/swtpm/*.sock rwk, + owner @{run}/swtpm/sock rw, + owner @{run}/user/@{uid}/libvirt/qemu/run/swtpm/*.pid rwk, + owner @{run}/user/@{uid}/libvirt/qemu/run/swtpm/*.sock rwk, - /tmp/.swtpm_setup.pidfile.* rw, + /tmp/.swtpm_setup.pidfile.@{rand6} rw, /tmp/@{int}/.lock rwk, - /tmp/@{int}/TMP* rw, /tmp/@{int}/vtpm.sock rw, - @{run}/libvirt/qemu/swtpm/*.sock w, - @{run}/libvirt/qemu/swtpm/*.pid w, + owner /dev/vtpmx rw, include if exists } diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 5795ddfcca..c1e88fb44c 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -11,6 +11,8 @@ profile swtpm_setup @{exec_path} { include include + unix (send receive) type=stream peer=(label=swtpm), + @{exec_path} mr, @{bin}/swtpm rPx, From a64a9371efc340a1c8158c535f8044a62fb2fced Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 14:23:47 +0100 Subject: [PATCH 1026/1736] fix(profile): parser errors --- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/groups/bus/dbus-accessibility | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index de84cb3002..8290bbc6f2 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -32,7 +32,7 @@ include include include - include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 8e8f5e5911..a1e7e5934f 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -28,8 +28,9 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { signal receive set=(term hup kill) peer=gdm{,-session-worker}, signal receive set=(term hup kill) peer=gnome-session-binary, - unix bind type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, - unix bind type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), + unix type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, + unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), + unix type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, #aa:dbus own bus=accessibility name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} #aa:dbus own bus=session name=org.a11y.{B,b}us From 094795cc6d628923b7454fd3a9289c44891edc62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 14:31:48 +0100 Subject: [PATCH 1027/1736] fix(profile): parser errors (2). --- apparmor.d/profiles-a-f/dkms | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 97800fae3c..e06a67ed43 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -122,7 +122,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { /tmp/@{word8} rw, /tmp/@{word8}/{,*} rw, - /tmp/conftest-@{ran6}.* rw, + /tmp/conftest-@{rand6}.* rw, @{tmp}/GMfifo@{int} rw, owner @{tmp}/cc@{rand6}* rw, owner @{tmp}/tmp.@{rand10} rw, From 115859d6e4ecf0896a12932592687d3f8a0eac4b Mon Sep 17 00:00:00 2001 From: Ivan <15267739+nobody43@users.noreply.github.com> Date: Sat, 15 Nov 2025 15:01:16 +0000 Subject: [PATCH 1028/1736] Add `just` package for installation As per documentation --- docs/install.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/install.md b/docs/install.md index 2c1ee1fcf2..acb8a6c455 100644 --- a/docs/install.md +++ b/docs/install.md @@ -82,7 +82,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf Build the package from sources: ```sh - sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git + sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git just git clone https://github.com/roddhjav/apparmor.d.git cd apparmor.d dpkg-buildpackage -b -d --no-sign @@ -117,7 +117,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf Build the package from sources: ```sh - sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git + sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git just git clone https://github.com/roddhjav/apparmor.d.git cd apparmor.d dpkg-buildpackage -b -d --no-sign From be8f8c3dcfb488b9c6ab5980bbdaee67485f9aaf Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 20 Nov 2025 15:10:56 +0100 Subject: [PATCH 1029/1736] Minor profile fix Allow /var/empy which is used in a zathura to avoid dconf writes https://github.com/pwmt/zathura/commit/4cb24239b688b08bab72534edb4759097891c63b --- apparmor.d/profiles-s-z/zathura | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index 90e242658d..c95eb17c24 100644 --- a/apparmor.d/profiles-s-z/zathura +++ b/apparmor.d/profiles-s-z/zathura @@ -22,6 +22,8 @@ profile zathura @{exec_path} { /etc/xdg/{,**} r, /etc/zathurarc r, + /var/empty/ r, + owner @{user_config_dirs}/zathura/** r, owner @{user_share_dirs}/zathura/ r, owner @{user_share_dirs}/zathura/** rwk, From d79b31fa52e613f335c9683c90a4324128dabf96 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 24 Nov 2025 18:00:42 +0100 Subject: [PATCH 1030/1736] Libreoffice: missing flag in main.flags The libreoffice profile contains the `mediate_deleted` flag but it is missing in `main.flags`. --- dists/flags/main.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 35e89412b7..9fb66518ac 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -213,7 +213,7 @@ landscape-sysinfo.wrapper complain language-validate attach_disconnected,complain last complain lastlog complain -libreoffice attach_disconnected,complain +libreoffice attach_disconnected,complain,mediate_deleted libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain From 568334fccbbe592f2539027ee9ab5697e0fc3198 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Fri, 28 Nov 2025 09:33:14 +0100 Subject: [PATCH 1031/1736] Update fwupd I was unable to update UEFI db DENIED fwupd open @{sys}/firmware@{efi}/efivars/db-@{uuid} comm=fwupd requested_mask=a denied_mask=a I'm not sure if @{efi} var should be used here, also I don't know if it will work fine with append permission only, or just gran write since I personally just added rw to make it work --- apparmor.d/profiles-a-f/fwupd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 4bb26a244e..5892ee40e5 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -99,6 +99,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, From 0b30a9d8e1f90c61cd4ce24946bc2f032feb71a2 Mon Sep 17 00:00:00 2001 From: lina-bh <36717206+lina-bh@users.noreply.github.com> Date: Thu, 4 Dec 2025 22:19:12 +0000 Subject: [PATCH 1032/1736] fix(profile): plasma: browser integration artwork --- apparmor.d/groups/kde/plasma-browser-integration-host | 3 +++ apparmor.d/groups/kde/plasmashell | 1 + 2 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index e17d4c5f1c..9cd74670d8 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -31,6 +31,9 @@ profile plasma-browser-integration-host @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/stat r, + owner /tmp/#@{int} rw, + owner @{tmp}/plasma-browser-integration_artwork_@{rand6}.jpg rwl -> /tmp/#@{int}, + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index c3fbc3d7f0..3921c21266 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -204,6 +204,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, + owner @{tmp}/plasma-browser-integration_artwork_@{rand6}.jpg r, @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, From 87c0e228df23c7ae97f1aee445117c7b703548d3 Mon Sep 17 00:00:00 2001 From: lina-bh <36717206+lina-bh@users.noreply.github.com> Date: Thu, 4 Dec 2025 21:09:00 +0000 Subject: [PATCH 1033/1736] fix(profile): discord: add camera --- apparmor.d/profiles-a-f/discord | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 550dbd95bd..5c2ffb3d74 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -21,6 +21,7 @@ profile discord @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, From 893cdc8b5b1c472a53fef476d6764e14fc38f729 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Tue, 9 Dec 2025 01:03:29 +0000 Subject: [PATCH 1034/1736] KDE on Debian 13 --- apparmor.d/abstractions/common/electron | 4 +- apparmor.d/groups/apparmor/aa-log | 2 +- .../groups/browsers/firefox-crashhelper | 4 +- .../groups/browsers/firefox-minidump-analyzer | 14 +- apparmor.d/groups/freedesktop/xorg | 1 + .../groups/gnome/gnome-extension-gsconnect | 2 +- .../groups/gnome/org.gnome.NautilusPreviewer | 2 +- apparmor.d/groups/kde/dolphin | 13 +- apparmor.d/groups/kde/drkonqi | 2 + .../groups/kde/kauth-chargethresholdhelper | 2 + apparmor.d/groups/kde/kcminit | 1 + apparmor.d/groups/kde/kiod | 5 + apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/kde/plasmashell | 3 + apparmor.d/groups/kde/systemsettings | 29 +++- apparmor.d/groups/systemd/loginctl | 2 + .../groups/systemd/systemd-sleep-hdparm | 4 +- apparmor.d/groups/xfce/thunar | 2 +- apparmor.d/profiles-a-f/browserpass | 8 +- apparmor.d/profiles-g-l/goxray_cli | 33 +++++ apparmor.d/profiles-g-l/gtk-update-icon-cache | 2 + apparmor.d/profiles-g-l/hbbr | 3 +- apparmor.d/profiles-g-l/hbbs | 12 ++ apparmor.d/profiles-g-l/im-launch | 3 +- apparmor.d/profiles-g-l/libreoffice | 1 + apparmor.d/profiles-m-r/mkinitramfs | 2 +- apparmor.d/profiles-m-r/pkcs11-register | 4 +- apparmor.d/profiles-m-r/power-profiles-daemon | 1 + apparmor.d/profiles-m-r/rustdesk | 129 +++++++++--------- apparmor.d/profiles-m-r/rustdesk_polkit | 17 +++ apparmor.d/profiles-m-r/rustdesk_startwm | 17 +++ apparmor.d/profiles-s-z/sysstat-sa | 1 + apparmor.d/profiles-s-z/telegram-desktop | 10 +- apparmor.d/profiles-s-z/xray | 14 +- dists/flags/main.flags | 3 + 35 files changed, 244 insertions(+), 110 deletions(-) create mode 100644 apparmor.d/profiles-g-l/goxray_cli create mode 100644 apparmor.d/profiles-m-r/rustdesk_polkit create mode 100644 apparmor.d/profiles-m-r/rustdesk_startwm diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8feca89a7c..75e1c83b40 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -51,8 +51,8 @@ @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.high r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.max r, diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index f64761a0ec..610aa00141 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,7 +21,7 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { /var/log/audit/* r, /var/log/syslog* r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 22087c5666..1a2fc842cc 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -21,8 +21,8 @@ profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner "@{config_dirs}/firefox/Crash Reports/" rw, - owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + owner "@{config_dirs}/firefox{,-esr}/Crash Reports/" rw, + owner "@{config_dirs}/firefox{,-esr}/Crash Reports/crash_helper_server.log" rw, # file_inherit deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 6e13ee8726..02b8b459e3 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -24,13 +24,13 @@ profile firefox-minidump-analyzer @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xsession-errors w, - owner "@{config_dirs}/firefox/Crash Reports/" rw, - owner "@{config_dirs}/firefox/Crash Reports/pending/" rw, - owner "@{config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, - owner @{config_dirs}/{,firefox/}*.*/extensions/*.xpi r, - owner @{config_dirs}/{,firefox/}*.*/minidumps/ rw, - owner @{config_dirs}/{,firefox/}*.*/minidumps/@{uuid}.{dmp,extra} rw, - owner @{config_dirs}/{,firefox/}*.*/storage/default/* r, + owner "@{config_dirs}/firefox{,-esr}/Crash Reports/" rw, + owner "@{config_dirs}/firefox{,-esr}/Crash Reports/pending/" rw, + owner "@{config_dirs}/firefox{,-esr}/Crash Reports/pending/@{hex}.{dmp,extra}" rw, + owner @{config_dirs}/{,firefox{,-esr}/}*.*/extensions/*.xpi r, + owner @{config_dirs}/{,firefox{,-esr}/}*.*/minidumps/ rw, + owner @{config_dirs}/{,firefox{,-esr}/}*.*/minidumps/@{uuid}.{dmp,extra} rw, + owner @{config_dirs}/{,firefox{,-esr}/}*.*/storage/default/* r, owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index f8bd54a9e2..795cafe0e2 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -133,6 +133,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/fb@{int} rw, + /dev/input/event@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 2ef7bc3d17..04d46b618a 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -73,7 +73,7 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r, + owner @{HOME}/.mozilla/firefox{,-esr}/firefox-mpris/@{word}.png r, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 871be7331d..628d150e40 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -39,7 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{,**} r, @{sys}/devices/@{pci_bus}/uevent r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2de2d5fb92..d5753891b3 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -49,6 +49,7 @@ profile dolphin @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/misc/termcap r, + /usr/share/templates/{,*.desktop} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, @@ -77,26 +78,30 @@ profile dolphin @{exec_path} { deny /tmp/.* rw, deny /tmp/.*/{,**} rw, + owner @{user_state_dirs}/#@{int} rwk, + owner @{user_state_dirs}/dolphinstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, - owner @{user_config_dirs}/kde.org/#@{int} rw, + owner @{user_config_dirs}/kde.org/#@{int} rwk, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.@{rand6} rwl -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, owner @{user_config_dirs}/knfsshare.lock rwk, + owner @{user_config_dirs}/session/#@{int} rwk, + owner @{user_config_dirs}/session/dolphin_dolphin_dolphin.@{rand6} rwl -> @{user_config_dirs}/session/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, - owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, + owner @{tmp}/#@{int} rwk, + owner @{tmp}/dolphin.@{rand6} rwl -> @{tmp}/#@{int}, @{run}/issue r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 43163b46b9..bcfb3c0ea4 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -11,6 +11,8 @@ include profile drkonqi @{exec_path} { include include + include + include include network inet stream, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index f52bed2f2f..9c39650fb8 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -22,6 +22,8 @@ profile kauth-chargethresholdhelper @{exec_path} { @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/** r, + @{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w, + @{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w, include if exists } diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 59f60c2853..fcf2c08698 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -28,6 +28,7 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcmfonts r, owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kcminputrc.lock rwk, owner @{user_config_dirs}/kgammarc r, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 571581059a..cc1554ad7c 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -24,6 +24,11 @@ profile kiod @{exec_path} { owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, + /etc/fstab r, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, /dev/tty r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 78dad8920f..dc97add93a 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -51,7 +51,7 @@ profile kioworker @{exec_path} { /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/libalternatives/gs/{,**} r, /usr/share/org.kde.syntax-highlighting/{,**} r, - /usr/share/remoteview/* r, + /usr/share/remoteview/{,*} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 3921c21266..c530e3bbf6 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -106,11 +106,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/xdg/** r, /var/lib/AccountsService/icons/* r, + /var/lib/swcatalog/icons/**.png r, @{MOUNTS}/ r, @{system_games_dirs}/**.@{icon_ext} r, @{HOME}/ r, + owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, @@ -169,6 +171,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/networkmanagement.notifyrc r, + owner @{user_config_dirs}/PlasmaUserFeedback r, owner @{user_config_dirs}/plasma* rwlk, owner @{user_share_dirs}/*/sessions/ r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 9558a65282..8c97f03238 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -18,6 +18,7 @@ profile systemsettings @{exec_path} { include include include + include network netlink raw, @@ -34,11 +35,14 @@ profile systemsettings @{exec_path} { @{bin}/kcminit rPx, @{bin}/lspci rPx, @{bin}/openssl rix, + @{bin}/orca rPUx, + @{bin}/rsync rix, @{bin}/pactl rPx, @{bin}/plasma-discover rPx, @{bin}/plasmashell rPx, @{bin}/xdpyinfo rPUx, @{lib}/qt{5,6}/bin/qdbus rPx, + @{lib}/bup/cmd/bup rPUx, #aa:exec kioworker /usr/share/kcm_networkmanagement/{,**} r, @@ -46,32 +50,36 @@ profile systemsettings @{exec_path} { /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kglobalaccel/* r, /usr/share/kinfocenter/{,**} r, - /usr/share/solid/{,**} r, /usr/share/kpackage/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/kwin/{,**} r, /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r, /usr/share/plasma/{,**} r, + /usr/share/i18n/locales/{,*} r, + /usr/share/iso-codes/json/*.json r, /usr/share/sddm/themes/{,**} r, + /usr/share/solid/{,**} r, /usr/share/systemsettings/{,**} r, /usr/share/wallpapers/{,**} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/machine-id r, + /etc/xdg/* r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, - /etc/xdg/* r, /var/cache/cracklib/cracklib_dict.* r, /var/cache/samba/ rw, /var/lib/AccountsService/icons/* r, /var/lib/flatpak/repo/{,**} r, + owner @{HOME}/.face r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, owner @{user_cache_dirs}/kinfocenter/{,**} rwlk, owner @{user_cache_dirs}/ksvg-elements rw, @@ -82,11 +90,19 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, - owner @{user_config_dirs}/{P,p}lasma* r, - owner @{user_config_dirs}/*rc r, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/*rc r, + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/{P,p}lasma* r, + owner @{user_config_dirs}/plasma-workspace/env/ r, + owner @{user_config_dirs}/plasma-workspace/shutdown/ r, + owner @{user_config_dirs}/powerdevilrc rw, + owner @{user_config_dirs}/powerdevilrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/powerdevilrc.lock rwk, owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, owner @{user_config_dirs}/emaildefaults r, + owner @{user_config_dirs}/kcmfonts r, + owner @{user_config_dirs}/KDE/UserFeedback.conf r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, @@ -97,8 +113,8 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_share_dirs}/baloo/index r, + owner @{user_share_dirs}/baloo/index r, owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, @@ -111,11 +127,12 @@ profile systemsettings @{exec_path} { owner @{user_share_dirs}/systemsettings/** rwlk, owner @{user_share_dirs}/wallpapers/{,**} r, - owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/#@{int} rwk, owner @{user_state_dirs}/systemsettingsstaterc rw, owner @{user_state_dirs}/systemsettingsstaterc.@{rand6} rwlk, owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk, + @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index efd688b810..2ae4440f7e 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -31,6 +31,8 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { @{run}/log/journal/ r, + owner @{tmp}/xauth_@{rand6} r, + /var/lib/systemd/catalog/database r, /{run,var}/log/journal/ r, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 612113c12a..d838962237 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,8 +13,8 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/{,e}grep rix, - @{bin}/sed ix, + @{bin}/{,e,f}grep rix, + @{bin}/sed rix, @{bin}/udevadm Cx -> udevadm, @{lib}/pm-utils/power.d/*hdparm-apm ix, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 61e8f17c1c..8342374494 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -52,7 +52,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index c896e96f8c..51e726fee6 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -18,8 +18,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{2,} rCx -> gpg, owner @{HOME}/.password-store/{,**} r, - owner @{HOME}/.mozilla/firefox/@{rand8}.*/.parentlock rw, - owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r, + owner @{HOME}/.mozilla/firefox{,-esr}/@{rand8}.*/.parentlock rw, + owner @{HOME}/.mozilla/firefox{,-esr}/@{rand8}.*/extensions/* r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google@{d}/goog-phish-proto-@{int}.vlpset rw, @@ -30,8 +30,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network inet6, deny network inet, - deny owner @{HOME}/.mozilla/firefox/@{rand8}.*/features/*/*.xpi r, - deny owner @{HOME}/.mozilla/firefox/@{rand8}.*/storage/default/{,**} rw, + deny owner @{HOME}/.mozilla/firefox{,-esr}/@{rand8}.*/features/*/*.xpi r, + deny owner @{HOME}/.mozilla/firefox{,-esr}/@{rand8}.*/storage/default/{,**} rw, deny owner @{user_download_dirs}/{,**} rw, deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny owner @{user_share_dirs}/gvfs-metadata/{,**} r, diff --git a/apparmor.d/profiles-g-l/goxray_cli b/apparmor.d/profiles-g-l/goxray_cli new file mode 100644 index 0000000000..feba2858f4 --- /dev/null +++ b/apparmor.d/profiles-g-l/goxray_cli @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/goxray_cli @{bin}/goxray_cli_linux_amd64 @{bin}/goxray_cli_linux_arm64 +profile goxray_cli @{exec_path} { + include + include + include + include + include + + # Operate TUN interfaces + capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} r, + + @{PROC}/@{pid}/net/route r, + @{PROC}/sys/net/core/somaxconn r, + + /dev/net/tun rw, + + include if exists +} diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b709511e27..74d684a252 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -16,6 +16,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/icons/**.icon r, + @{system_share_dirs}/icons/{,**/} r, @{system_share_dirs}/icons/**/.icon-theme.cache rw, @{system_share_dirs}/icons/**/icon-theme.cache w, diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr index 09b71b77fa..eece994a05 100644 --- a/apparmor.d/profiles-g-l/hbbr +++ b/apparmor.d/profiles-g-l/hbbr @@ -18,9 +18,8 @@ profile hbbr @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner /var/lib/rustdesk-server/ r, + owner /var/lib/rustdesk-server/id_ed25519 r, owner /var/lib/rustdesk-server/id_ed25519.pub r, - # Unknown non-essential purpose -# owner /var/lib/rustdesk-server/id_ed25519 r, include if exists } diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index 4e75327242..723c6f4aa3 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs @@ -9,11 +9,16 @@ include @{exec_path} = @{bin}/hbbs profile hbbs @{exec_path} { include + include + include + include + include network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} mr, @@ -25,7 +30,14 @@ profile hbbs @{exec_path} { owner /var/lib/rustdesk-server/db_v2.sqlite3-wal rw, owner /var/lib/rustdesk-server/db_v2.sqlite3-shm rwk, + owner @{user_config_dirs}/ w, + owner @{user_config_dirs}/rustdesk/{,**} rw, + + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/platform/**/net/*/address r, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/net/route r, include if exists } diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 388606fda8..58581bd462 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -17,8 +17,10 @@ profile im-launch @{exec_path} { @{bin}/env rix, @{bin}/gettext{,.sh} rix, @{bin}/gnome-session rix, + @{lib}/gnome-session-binary rPx, @{bin}/gsettings rPx, @{bin}/locale rix, + @{bin}/ibus-daemon rPx, @{bin}/sed rix, @{bin}/sleep rix, @{bin}/startplasma-x11 rPx, @@ -26,7 +28,6 @@ profile im-launch @{exec_path} { @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, @{bin}/uim-xim rPUx, - @{lib}/gnome-session-binary rPx, @{HOME}/.xsession-errors rw, /usr/share/im-config/{,**} r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 7f654e3244..7c0e2e5fa5 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -114,6 +114,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/soffice.bin??????.{4,6}.kioworker.socket l -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 8996ef0957..b434c3b099 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -130,7 +130,7 @@ profile mkinitramfs @{exec_path} { @{sys}/fs/cgroup/system.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-*.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index d775cafe52..618b7fc692 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -13,8 +13,8 @@ profile pkcs11-register @{exec_path} { @{exec_path} mr, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, - owner @{HOME}/.mozilla/firefox/profiles.ini r, + owner @{HOME}/.mozilla/firefox{,-esr}/*/pkcs11.txt rw, + owner @{HOME}/.mozilla/firefox{,-esr}/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, owner @{HOME}/.thunderbird/*/pkcs11.txt rw, owner @{HOME}/.thunderbird/profiles.ini r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 44144a4bfd..d2a54d94f1 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -35,6 +35,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, + @{sys}/devices/platform/*/dytc_lapmode r, @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 605877c898..79327ec55d 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -6,11 +6,14 @@ abi , include -@{exec_path} = @{bin}/rustdesk +@{exec_path} = @{bin}/rustdesk /usr/share/rustdesk/rustdesk profile rustdesk @{exec_path} { - include + include include + include include + include + include include include @@ -25,18 +28,21 @@ profile rustdesk @{exec_path} { @{exec_path} mrix, - @{bin}/w rPx, - @{bin}/ps rPx, - @{bin}/whoami rPx, - @{bin}/loginctl rPx, - @{bin}/curl rix, - @{bin}/ls rix, + @{bin}/loginctl rPx, # connection popup + @{bin}/ls rix, + @{bin}/which{,.debianutils} rix, @{bin}/sudo rCx -> sudo, - @{python_path} rCx -> python, - @{sh_path} rCx -> shell, + @{sh_path} rPx -> rustdesk_shell, /etc/gdm{,3}/custom.conf r, + /usr/share/rustdesk/{,**} r, + /usr/share/rustdesk/lib/*.so mr, + /usr/share/terminfo/** r, + /usr/share/uim/**.scm r, + /var/lib/uim/*.scm r, + /tmp/[rR]ust[dD]esk/{,**} rw, + owner /tmp/.X@{int}-unix/ r, owner @{HOME}/ r, # fails otherwise owner @{HOME}/[rR]ust[dD]esk/{,**} rw, @@ -47,82 +53,75 @@ profile rustdesk @{exec_path} { owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw, owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw, - /tmp/[rR]ust[dD]esk/{,**} rw, + owner @{sddm_share_dirs}/logs/ w, + owner @{sddm_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw, + owner @{sddm_config_dirs}/[rR]ust[dD]esk/{,**} rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, - + @{sys}/devices/@{pci}/net/*/address r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/rustdesk.service/* r, + + @{PROC}/ r, @{PROC}/uptime r, + @{PROC}/loadavg r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + + signal (receive) set=(kill, term) peer=rustdesk_shell, profile sudo { - include + include include - include - - @{bin}/rustdesk rPx, - @{python_path} rPx -> rustdesk//python, - - include if exists - } - - profile python { - include - include - - capability dac_read_search, - capability dac_override, - - @{python_path} r, - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/uname rix, - /usr/share/rustdesk/files/pynput_service.py rix, + capability kill, - /usr/share/[rR]ust[dD]esk/files/{,**} r, - /tmp/[rR]ust[dD]esk/ w, - /tmp/[rR]ust[dD]esk/pynput_service rw, + @{exec_path} rPx, - @{run}/user/@{uid}/gdm{,3}/Xauthority r, + signal (receive) set=(kill, term) peer=rustdesk, - owner @{PROC}/@{pid}/fd/ r, - - # X-tiny - /tmp/.X11-unix/* rw, - owner @{HOME}/.xsession-errors w, - owner @{HOME}/.Xauthority r, - - include if exists + include if exists } + include if exists +} - profile shell { - include +profile rustdesk_shell { + include + include - capability dac_override, - capability dac_read_search, - capability sys_ptrace, + capability dac_override, + capability dac_read_search, + capability kill, - ptrace read, + signal (send) set=(kill, term) peer=rustdesk, - @{sh_path} r, + @{sh_path} r, - @{bin}/tr rix, - @{bin}/{,e}grep rix, - @{bin}/tail rix, - @{bin}/xargs rix, - @{bin}/sed rix, - @{bin}/cat rix, + @{bin}/tr rix, + @{bin}/{,f,e}grep rix, + @{bin}/tail rix, + @{bin}/xargs rix, + @{bin}/sed rix, + @{bin}/cat rix, + @{bin}/getent rix, + @{bin}/whoami rix, + @{bin}/{,g,m}awk rix, + @{bin}/wc rix, + @{bin}/kill rix, - @{bin}/ps rPx, + @{bin}/ps rPx, + @{bin}/xrandr rPx, - @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, - include if exists - } + /usr/share/rustdesk/{,**} r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk_polkit b/apparmor.d/profiles-m-r/rustdesk_polkit new file mode 100644 index 0000000000..a176c7a5ee --- /dev/null +++ b/apparmor.d/profiles-m-r/rustdesk_polkit @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/rustdesk/files/polkit +profile rustdesk_polkit @{exec_path} { + include + + @{exec_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk_startwm b/apparmor.d/profiles-m-r/rustdesk_startwm new file mode 100644 index 0000000000..18435f3bd5 --- /dev/null +++ b/apparmor.d/profiles-m-r/rustdesk_startwm @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/rustdesk/startwm.sh +profile rustdesk_startwm @{exec_path} { + include + + @{exec_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa index 9dcc199bcf..8bb38820a1 100644 --- a/apparmor.d/profiles-s-z/sysstat-sa +++ b/apparmor.d/profiles-s-z/sysstat-sa @@ -24,6 +24,7 @@ profile sysstat-sa @{exec_path} { @{lib}/sysstat/sadc Px, /etc/sysstat/sysstat r, + /etc/sysstat/sysstat.ioconf r, /var/log/sysstat/ r, /var/log/sysstat/** rw, diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index 2ef34be2cd..7a68e73e72 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -7,11 +7,12 @@ abi , include -@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram +@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram /opt/Telegram/Telegram profile telegram-desktop @{exec_path} { - include + include include - include + include + include include include include @@ -42,6 +43,7 @@ profile telegram-desktop @{exec_path} { owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, + owner @{user_config_dirs}/autostart/org.telegram.desktop._@{hex32}.desktop{,.@{rand6}} rw, owner @{tmp}/@{hex32}-?@{uuid}? rwk, audit owner /dev/shm/#@{int} rw, @@ -54,8 +56,6 @@ profile telegram-desktop @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner /dev/tty@{u8} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray index 79c3104dc4..718d8902e4 100644 --- a/apparmor.d/profiles-s-z/xray +++ b/apparmor.d/profiles-s-z/xray @@ -10,11 +10,15 @@ include profile xray @{exec_path} flags=(attach_disconnected) { include include + include + include + include network inet dgram, + network inet6 dgram, network inet stream, + network inet6 stream, network inet raw, - network inet6 dgram, network inet6 raw, network netlink raw, @@ -23,8 +27,14 @@ profile xray @{exec_path} flags=(attach_disconnected) { /etc/xray/{,*} r, /usr/share/xray/**.dat r, /usr/share/v2ray/**.dat r, + /var/log/xray/*.log rw, + + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9fb66518ac..d6f4cb05ca 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -278,6 +278,9 @@ qdbus complain remmina attach_disconnected,complain run-parts complain runuser complain +rustdesk complain +rustdesk_polkit complain +rustdesk_startwm complain sdcv complain sddm attach_disconnected,mediate_deleted,complain sddm-greeter attach_disconnected,mediate_deleted,complain From 3e3350978b614c98a1841272076c60b83341efec Mon Sep 17 00:00:00 2001 From: nobody43 Date: Tue, 9 Dec 2025 01:06:37 +0000 Subject: [PATCH 1035/1736] add arm support --- apparmor.d/profiles-g-l/goxray_cli | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/goxray_cli b/apparmor.d/profiles-g-l/goxray_cli index feba2858f4..f1b0e544e4 100644 --- a/apparmor.d/profiles-g-l/goxray_cli +++ b/apparmor.d/profiles-g-l/goxray_cli @@ -22,7 +22,7 @@ profile goxray_cli @{exec_path} { network inet6 stream, network netlink raw, - @{exec_path} r, + @{exec_path} mr, @{PROC}/@{pid}/net/route r, @{PROC}/sys/net/core/somaxconn r, From 6349f62e069c19562afde0a4da9e839812ecd778 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Thu, 11 Dec 2025 16:23:34 +0000 Subject: [PATCH 1036/1736] polishing --- .../polkit-kde-authentication-agent | 1 + apparmor.d/groups/kde/DiscoverNotifier | 4 +-- apparmor.d/groups/kde/dolphin | 10 +++++++ apparmor.d/groups/kde/kaccess | 1 + apparmor.d/groups/kde/kactivitymanagerd | 1 + apparmor.d/groups/kde/kalendarac | 1 + apparmor.d/groups/kde/kcminit | 1 + apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/kscreenlocker_greet | 1 + .../groups/kde/ksmserver-logout-greeter | 1 + apparmor.d/groups/kde/systemsettings | 15 ++++++++++- apparmor.d/profiles-a-f/deno | 26 +++++++++++++++++++ apparmor.d/profiles-a-f/fprintd | 1 + apparmor.d/profiles-g-l/goxray_cli | 2 ++ apparmor.d/profiles-g-l/hbbs | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 ++ apparmor.d/profiles-s-z/xray | 1 - 17 files changed, 66 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/profiles-a-f/deno diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index b044f1974e..f3abd4ddce 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -16,6 +16,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, include include include + include include include diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index b5e1b4ae8c..e22ed4137a 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -53,10 +53,10 @@ profile DiscoverNotifier @{exec_path} { owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, - owner @{user_config_dirs}/@{int} rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/PlasmaDiscoverUpdates rw, - owner @{user_config_dirs}/PlasmaDiscoverUpdates.@{rand6} rwl -> @{user_config_dirs}/@{int}, + owner @{user_config_dirs}/PlasmaDiscoverUpdates.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/PlasmaDiscoverUpdates.lock rwk, owner @{user_share_dirs}/flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index d5753891b3..4fd5ad1120 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -90,6 +90,14 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/kde.org/#@{int} rwk, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.@{rand6} rwl -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/kdeglobals.@{rand6} l -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kdeglobals.lock k, + owner @{user_config_dirs}/kiorc l -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kiorc.lock k, + owner @{user_config_dirs}/kservicemenurc l -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kservicemenurc.lock k, + owner @{user_config_dirs}/ktrashrc l -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/ktrashrc.lock k, owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, owner @{user_config_dirs}/knfsshare.lock rwk, owner @{user_config_dirs}/session/#@{int} rwk, @@ -102,6 +110,8 @@ profile dolphin @{exec_path} { owner @{tmp}/#@{int} rwk, owner @{tmp}/dolphin.@{rand6} rwl -> @{tmp}/#@{int}, + owner @{tmp}/dolphin.@{rand6}.@{rand6} l -> @{tmp}/#@{int}, + owner @{tmp}/dolphin.@{rand6}.lock k, @{run}/issue r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 1fdb4b9201..a2aa64bdd5 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -13,6 +13,7 @@ profile kaccess @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.kde.kaccess diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 0861d52a78..87c4c58c88 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -14,6 +14,7 @@ profile kactivitymanagerd @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index e9ae784572..65c319ede7 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -12,6 +12,7 @@ profile kalendarac @{exec_path} { include include include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index fcf2c08698..45a554db17 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -12,6 +12,7 @@ profile kcminit @{exec_path} { include include include + include #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 2511cf844b..37669b4df5 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -17,6 +17,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include + include include include include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 3656ad45bf..e60d230aec 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -66,6 +66,7 @@ profile kscreenlocker_greet @{exec_path} { /var/lib/dbus/machine-id r, + owner @{HOME}/.face r, owner @{HOME}/.face.icon r, owner @{user_pictures_dirs}/{,**} r, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 711da6e9d1..99db347fc5 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -38,6 +38,7 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate /var/lib/AccountsService/icons/ r, owner @{HOME}/ r, + owner @{HOME}/.face r, owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/#@{int} rwlk, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 8c97f03238..f4e8370850 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -96,16 +96,29 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/{P,p}lasma* r, owner @{user_config_dirs}/plasma-workspace/env/ r, owner @{user_config_dirs}/plasma-workspace/shutdown/ r, - owner @{user_config_dirs}/powerdevilrc rw, + owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/powerdevilrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/powerdevilrc.lock rwk, owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, owner @{user_config_dirs}/emaildefaults r, + owner @{user_config_dirs}/kactivitymanagerd-pluginsrc wl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kactivitymanagerd-pluginsrc.lock rwk, owner @{user_config_dirs}/kcmfonts r, owner @{user_config_dirs}/KDE/UserFeedback.conf r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_config_dirs}/kdeglobals w, + owner @{user_config_dirs}/kdeglobals.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kdeglobals.lock rwk, + owner @{user_config_dirs}/ksmserverrc w, + owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/ksmserverrc.lock rwk, + owner @{user_config_dirs}/kwinrc w, + owner @{user_config_dirs}/kwinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrc.lock rwk, + owner @{user_config_dirs}/kdedefaults/ksplashrc r, + owner @{user_config_dirs}/kdedefaults/ksplashrc.lock rwk, owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno new file mode 100644 index 0000000000..b54d1a16cf --- /dev/null +++ b/apparmor.d/profiles-a-f/deno @@ -0,0 +1,26 @@ +abi , + +include + +@{name} = deno + +@{exec_path} = @{bin}/deno +@{att} = "" +profile deno /{,usr/}bin/deno { + include + + @{exec_path} mr, + + owner @{user_cache_dirs}/@{name}{,/**} rw, + owner @{user_cache_dirs}/@{name}/* k, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 1aeb03c1de..523aad4af8 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -33,6 +33,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, + @{sys}/class/spidev/ r, @{sys}/devices/**/uevent r, include if exists diff --git a/apparmor.d/profiles-g-l/goxray_cli b/apparmor.d/profiles-g-l/goxray_cli index f1b0e544e4..f2026dc502 100644 --- a/apparmor.d/profiles-g-l/goxray_cli +++ b/apparmor.d/profiles-g-l/goxray_cli @@ -31,3 +31,5 @@ profile goxray_cli @{exec_path} { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index 723c6f4aa3..8517ed20fa 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/hbbs profile hbbs @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 2a6a941198..ec88c2ded0 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -27,6 +27,8 @@ profile unix-chkpwd @{exec_path} { @{run}/host/userdb/*.user r, @{run}/host/userdb/*.user-privileged r, + owner @{PROC}/@{pid}/status r, + owner /dev/tty@{u8} rw, include if exists diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray index 718d8902e4..1803bb4c1d 100644 --- a/apparmor.d/profiles-s-z/xray +++ b/apparmor.d/profiles-s-z/xray @@ -30,7 +30,6 @@ profile xray @{exec_path} flags=(attach_disconnected) { /var/log/xray/*.log rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/mountinfo r, From 2e75544737431e94a93a2450ca54df95d3c35e5d Mon Sep 17 00:00:00 2001 From: nobody43 Date: Thu, 11 Dec 2025 16:45:55 +0000 Subject: [PATCH 1037/1736] remove accidental add --- apparmor.d/profiles-a-f/deno | 26 -------------------------- 1 file changed, 26 deletions(-) delete mode 100644 apparmor.d/profiles-a-f/deno diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno deleted file mode 100644 index b54d1a16cf..0000000000 --- a/apparmor.d/profiles-a-f/deno +++ /dev/null @@ -1,26 +0,0 @@ -abi , - -include - -@{name} = deno - -@{exec_path} = @{bin}/deno -@{att} = "" -profile deno /{,usr/}bin/deno { - include - - @{exec_path} mr, - - owner @{user_cache_dirs}/@{name}{,/**} rw, - owner @{user_cache_dirs}/@{name}/* k, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - - include if exists -} From abdac7319a833147a8ad59eadc0aed87a1dc0993 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Sat, 6 Dec 2025 16:07:54 +0100 Subject: [PATCH 1038/1736] Fix xdg_password_store variable inconsistency --- apparmor.d/tunables/home.d/apparmor.d | 4 ++-- tests/integration/common.bash | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index dacb7228e2..67c3d46574 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -42,7 +42,7 @@ # Define user personal keyrings @{XDG_GPG_DIR}=".gnupg" @{XDG_SSH_DIR}=".ssh" -@{XDG_PASSWORDSTORE_DIR}=".password-store" +@{XDG_PASSWORD_STORE_DIR}=".password-store" # Define user personal private directories @{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" @@ -69,7 +69,7 @@ @{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR} @{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR} @{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR} -@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR} +@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} @{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} # Similar system-wide paths diff --git a/tests/integration/common.bash b/tests/integration/common.bash index 8228cc7624..b7a4bd24b0 100644 --- a/tests/integration/common.bash +++ b/tests/integration/common.bash @@ -46,7 +46,7 @@ export XDG_PKG_DIR=".pkg" # Define user personal keyrings export XDG_GPG_DIR=".gnupg" export XDG_SSH_DIR=".ssh" -export XDG_PASSWORDSTORE_DIR=".password-store" +export XDG_PASSWORD_STORE_DIR=".password-store" # Define user personal private directories export XDG_PRIVATE_DIR=".private" @@ -81,7 +81,7 @@ export user_build_dirs=$HOME/$XDG_BUILD_DIR export user_pkg_dirs=$HOME/$XDG_PKG_DIR export user_gpg_dirs=$HOME/$XDG_GPG_DIR export user_ssh_dirs=$HOME/$XDG_SSH_DIR -export user_passwordstore_dirs=$HOME/$XDG_PASSWORDSTORE_DIR +export user_passwordstore_dirs=$HOME/$XDG_PASSWORD_STORE_DIR export user_private_dirs=$HOME/$XDG_PRIVATE_DIR _START="$(date +%s)" From 3781d4008ec69d35441a883538da7654f8e93b3a Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Thu, 11 Dec 2025 19:16:59 +0100 Subject: [PATCH 1039/1736] Make XDG_PASSWORDSTORE_DIR and user_passwordstore_dirs consistent --- apparmor.d/tunables/home.d/apparmor.d | 4 ++-- docs/configuration.md | 8 ++++---- docs/variables.md | 4 ++-- tests/integration/common.bash | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index 67c3d46574..dacb7228e2 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -42,7 +42,7 @@ # Define user personal keyrings @{XDG_GPG_DIR}=".gnupg" @{XDG_SSH_DIR}=".ssh" -@{XDG_PASSWORD_STORE_DIR}=".password-store" +@{XDG_PASSWORDSTORE_DIR}=".password-store" # Define user personal private directories @{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" @@ -69,7 +69,7 @@ @{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR} @{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR} @{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR} -@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} +@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR} @{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} # Similar system-wide paths diff --git a/docs/configuration.md b/docs/configuration.md index 5e1c7992f3..645f5a1d58 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -108,7 +108,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | GPG | `@{XDG_GPG_DIR}` | `.gnupg` | | SSH | `@{XDG_SSH_DIR}` | `.ssh` | | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | - | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | + | Passwords | `@{XDG_PASSWORDSTORE_DIR}` | `.password-store` | @@ -143,7 +143,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | - | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | + | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -171,9 +171,9 @@ All profiles use the variables defined above. Therefore, you can personalize the @{XDG_PROJECTS_DIR}+="go" ``` -- If you use Keepass, personalize `XDG_PASSWORD_STORE_DIR` with your password directory. Eg: +- If you use Keepass, personalize `XDG_PASSWORDSTORE_DIR` with your password directory. Eg: ```sh - @{XDG_PASSWORD_STORE_DIR}+="@{HOME}/.keepass/" + @{XDG_PASSWORDSTORE_DIR}+="@{HOME}/.keepass/" ``` - Add pacman integration with your AUR helper. Eg for `yay`: diff --git a/docs/variables.md b/docs/variables.md index 1bcee8f938..9dda5c756d 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -50,7 +50,7 @@ title: Variables References | GPG | `@{XDG_GPG_DIR}` | `.gnupg` | | SSH | `@{XDG_SSH_DIR}` | `.ssh` | | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | -| Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | +| Passwords | `@{XDG_PASSWORDSTORE_DIR}` | `.password-store` | @@ -85,7 +85,7 @@ title: Variables References | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | -| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | diff --git a/tests/integration/common.bash b/tests/integration/common.bash index b7a4bd24b0..8228cc7624 100644 --- a/tests/integration/common.bash +++ b/tests/integration/common.bash @@ -46,7 +46,7 @@ export XDG_PKG_DIR=".pkg" # Define user personal keyrings export XDG_GPG_DIR=".gnupg" export XDG_SSH_DIR=".ssh" -export XDG_PASSWORD_STORE_DIR=".password-store" +export XDG_PASSWORDSTORE_DIR=".password-store" # Define user personal private directories export XDG_PRIVATE_DIR=".private" @@ -81,7 +81,7 @@ export user_build_dirs=$HOME/$XDG_BUILD_DIR export user_pkg_dirs=$HOME/$XDG_PKG_DIR export user_gpg_dirs=$HOME/$XDG_GPG_DIR export user_ssh_dirs=$HOME/$XDG_SSH_DIR -export user_passwordstore_dirs=$HOME/$XDG_PASSWORD_STORE_DIR +export user_passwordstore_dirs=$HOME/$XDG_PASSWORDSTORE_DIR export user_private_dirs=$HOME/$XDG_PRIVATE_DIR _START="$(date +%s)" From ae4ef6dae1d6009bb3efd4f530a97b6c38af7b4d Mon Sep 17 00:00:00 2001 From: myrslint <206005528+myrslint@users.noreply.github.com> Date: Sat, 1 Nov 2025 00:55:33 +0000 Subject: [PATCH 1040/1736] Add deno profile and yt-dlp transition Due to changes in YouTube, yt-dlp now requires a JavaScript runtime to be able to work fully. The recommended runtime is deno. This commit adds a basic profile for deno and a transition to it for the existing yt-dlp profile. --- apparmor.d/profiles-a-f/deno | 26 ++++++++++++++++++++++++++ apparmor.d/profiles-s-z/yt-dlp | 2 ++ 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/profiles-a-f/deno diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno new file mode 100644 index 0000000000..b54d1a16cf --- /dev/null +++ b/apparmor.d/profiles-a-f/deno @@ -0,0 +1,26 @@ +abi , + +include + +@{name} = deno + +@{exec_path} = @{bin}/deno +@{att} = "" +profile deno /{,usr/}bin/deno { + include + + @{exec_path} mr, + + owner @{user_cache_dirs}/@{name}{,/**} rw, + owner @{user_cache_dirs}/@{name}/* k, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index ffa78eda39..0f232f55c4 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -33,6 +33,8 @@ profile yt-dlp @{exec_path} { @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, + @{bin}/deno rPx, + /etc/magic r, owner @{user_music_dirs}/{,**} rwk, From 6704665e12e8fae286898ffc8b9ec7da8e4fa462 Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 12 Dec 2025 17:06:29 +0000 Subject: [PATCH 1041/1736] Update apparmor.d/profiles-a-f/deno Co-authored-by: Ivan <15267739+nobody43@users.noreply.github.com> --- apparmor.d/profiles-a-f/deno | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno index b54d1a16cf..3467c2403d 100644 --- a/apparmor.d/profiles-a-f/deno +++ b/apparmor.d/profiles-a-f/deno @@ -11,7 +11,7 @@ profile deno /{,usr/}bin/deno { @{exec_path} mr, - owner @{user_cache_dirs}/@{name}{,/**} rw, + owner @{user_cache_dirs}/@{name}/{,**} rw, owner @{user_cache_dirs}/@{name}/* k, @{sys}/fs/cgroup/user.slice/cpu.max r, From 9bfbb19f967dcf534ab660fea70579cc29503621 Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 12 Dec 2025 17:06:43 +0000 Subject: [PATCH 1042/1736] Update apparmor.d/profiles-a-f/deno Co-authored-by: Ivan <15267739+nobody43@users.noreply.github.com> --- apparmor.d/profiles-a-f/deno | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno index 3467c2403d..f078f1d65e 100644 --- a/apparmor.d/profiles-a-f/deno +++ b/apparmor.d/profiles-a-f/deno @@ -6,7 +6,7 @@ include @{exec_path} = @{bin}/deno @{att} = "" -profile deno /{,usr/}bin/deno { +profile deno @{exec_path} { include @{exec_path} mr, From 832eb00bf4da183522172008a0c4d7e46b18597c Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 12 Dec 2025 17:06:53 +0000 Subject: [PATCH 1043/1736] Update apparmor.d/profiles-a-f/deno Co-authored-by: Ivan <15267739+nobody43@users.noreply.github.com> --- apparmor.d/profiles-a-f/deno | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno index f078f1d65e..bbb976b8a3 100644 --- a/apparmor.d/profiles-a-f/deno +++ b/apparmor.d/profiles-a-f/deno @@ -5,7 +5,6 @@ include @{name} = deno @{exec_path} = @{bin}/deno -@{att} = "" profile deno @{exec_path} { include From da23b31000dd2bea7a5e9d0627c0d2ae99993ece Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 12 Dec 2025 17:07:02 +0000 Subject: [PATCH 1044/1736] Update apparmor.d/profiles-a-f/deno Co-authored-by: Ivan <15267739+nobody43@users.noreply.github.com> --- apparmor.d/profiles-a-f/deno | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno index bbb976b8a3..47f043c2f0 100644 --- a/apparmor.d/profiles-a-f/deno +++ b/apparmor.d/profiles-a-f/deno @@ -23,3 +23,5 @@ profile deno @{exec_path} { include if exists } + +# vim:syntax=apparmor From 7afa5083bc9c1445bf7d0130ce1871e4d5a88a88 Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 12 Dec 2025 17:07:40 +0000 Subject: [PATCH 1045/1736] Apply suggestion from @nobody43 Co-authored-by: Ivan <15267739+nobody43@users.noreply.github.com> --- apparmor.d/profiles-a-f/deno | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno index 47f043c2f0..33d7d53ddb 100644 --- a/apparmor.d/profiles-a-f/deno +++ b/apparmor.d/profiles-a-f/deno @@ -6,7 +6,7 @@ include @{exec_path} = @{bin}/deno profile deno @{exec_path} { - include + include @{exec_path} mr, From 570fe72e14ee693af323742b615db67bbc9292f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 11 Nov 2025 22:50:11 +0100 Subject: [PATCH 1046/1736] feat(aa-log): show timing information in dev build. --- PKGBUILD | 2 +- cmd/aa-log/main.go | 7 +++++++ cmd/aa-log/timing_dev.go | 32 ++++++++++++++++++++++++++++++++ cmd/aa-log/timing_release.go | 10 ++++++++++ 4 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 cmd/aa-log/timing_dev.go create mode 100644 cmd/aa-log/timing_release.go diff --git a/PKGBUILD b/PKGBUILD index a68ba817df..f336a3cad4 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -36,7 +36,7 @@ build() { export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" export GOPATH="${srcdir}" - export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" + export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw -tags=dev" export DISTRIBUTION=arch local -A modes=( # Mapping of modes to just build target. diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index ccd6e9cca1..db80cfa23f 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -11,6 +11,7 @@ import ( "os" "slices" "strings" + "time" "github.com/roddhjav/apparmor.d/pkg/logs" ) @@ -49,6 +50,7 @@ func aaLog(logger string, path string, profile string) error { var err error var file io.Reader + start := time.Now() switch logger { case "auditd": file, err = logs.GetAuditLogs(path) @@ -60,6 +62,7 @@ func aaLog(logger string, path string, profile string) error { if err != nil { return err } + endRead := time.Now() if raw { fmt.Print(strings.Join(logs.GetApparmorLogs(file, profile), "\n") + "\n") @@ -67,6 +70,7 @@ func aaLog(logger string, path string, profile string) error { } aaLogs := logs.New(file, profile) + endParse := time.Now() if rules { profiles := aaLogs.ParseToProfiles() for _, p := range profiles { @@ -78,6 +82,9 @@ func aaLog(logger string, path string, profile string) error { } else { fmt.Print(aaLogs.String()) } + if withTime { + printTiming(start, endRead, endParse, time.Now()) + } return nil } diff --git a/cmd/aa-log/timing_dev.go b/cmd/aa-log/timing_dev.go new file mode 100644 index 0000000000..b2200ce3f7 --- /dev/null +++ b/cmd/aa-log/timing_dev.go @@ -0,0 +1,32 @@ +//go:build dev +// +build dev + +package main + +import ( + "fmt" + "time" +) + +const withTime = true + +func printTiming(start, endRead, endParse, end time.Time) { + printDuration := func(d time.Duration) string { + if d >= time.Minute { + return fmt.Sprintf("%.2fmin", d.Minutes()) + } else if d >= time.Second { + return fmt.Sprintf("%.2fs", d.Seconds()) + } else if d >= time.Millisecond { + return fmt.Sprintf("%.2fms", float64(d.Microseconds())/1000) + } + return fmt.Sprintf("%.2fµs", float64(d.Nanoseconds())/1000) + } + readDur := endRead.Sub(start) + parseDur := endParse.Sub(endRead) + printDur := end.Sub(endParse) + totalDur := end.Sub(start) + fmt.Printf("\x1b[3;97m( Read %s | Parse %s | Print %s | Total %s )\x1b[0m\n", + printDuration(readDur), printDuration(parseDur), + printDuration(printDur), printDuration(totalDur), + ) +} diff --git a/cmd/aa-log/timing_release.go b/cmd/aa-log/timing_release.go new file mode 100644 index 0000000000..d483cf5f68 --- /dev/null +++ b/cmd/aa-log/timing_release.go @@ -0,0 +1,10 @@ +//go:build !dev +// +build !dev + +package main + +import "time" + +const withTime = false + +func printTiming(start, endRead, endParse, end time.Time) {} From 9ab75a62730b1f783f83290fb9a3e53c8b865d14 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 12 Nov 2025 00:11:41 +0100 Subject: [PATCH 1047/1736] feat(aa-log): add the --load option to parse load written by aa-log itself. --- cmd/aa-log/main.go | 24 +++++++---- pkg/logs/logs.go | 83 +++++++++++++++++++++++++++++++++----- pkg/logs/logs_test.go | 80 ++++++++++++++++++++++++++++++++++++ tests/testdata/logs/aa-log | 42 +++++++++++++++++++ 4 files changed, 213 insertions(+), 16 deletions(-) create mode 100644 tests/testdata/logs/aa-log diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index db80cfa23f..9627b31dbb 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -33,17 +33,20 @@ Options: -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. -S, --since DATE Show entries not older than the specified date. + -l, --load Load logs from the default aa-log output. ` // Command line options var ( - help bool - rules bool - path string - systemd bool - raw bool - since string + help bool + rules bool + path string + systemd bool + namespace string + raw bool + since string + load bool ) func aaLog(logger string, path string, profile string) error { @@ -69,7 +72,12 @@ func aaLog(logger string, path string, profile string) error { return nil } - aaLogs := logs.New(file, profile) + var aaLogs logs.AppArmorLogs + if load { + aaLogs = logs.Load(file, profile, namespace) + } else { + aaLogs = logs.New(file, profile) + } endParse := time.Now() if rules { profiles := aaLogs.ParseToProfiles() @@ -101,6 +109,8 @@ func init() { flag.BoolVar(&raw, "raw", false, "Print the raw log without any formatting.") flag.StringVar(&since, "S", "", "Display logs since the START time.") flag.StringVar(&since, "since", "", "Display logs since the START time.") + flag.BoolVar(&load, "l", false, "Load logs from the default aa-log output.") + flag.BoolVar(&load, "load", false, "Load logs from the default aa-log output.") } func main() { diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 770326297f..be7d81454a 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -5,6 +5,7 @@ package logs import ( + "bufio" "io" "regexp" "slices" @@ -34,7 +35,6 @@ const ( ) var ( - quoted bool isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`) regCleanLogs = util.ToRegexRepl([]string{ // Clean apparmor log file @@ -119,13 +119,6 @@ type AppArmorLog map[string]string // AppArmorLogs describes all apparmor log entries type AppArmorLogs []AppArmorLog -func splitQuoted(r rune) bool { - if r == '"' { - quoted = !quoted - } - return !quoted && r == ' ' -} - func toQuote(str string) string { if strings.Contains(str, " ") { return `"` + str + `"` @@ -140,9 +133,15 @@ func New(file io.Reader, profile string) AppArmorLogs { // Parse log into ApparmorLog struct aaLogs := make(AppArmorLogs, 0) toClean := []string{"profile", "name", "target"} + var quoted bool for _, log := range logs { quoted = false - tmp := strings.FieldsFunc(log, splitQuoted) + tmp := strings.FieldsFunc(log, func(r rune) bool { + if r == '"' { + quoted = !quoted + } + return !quoted && r == ' ' + }) aa := make(AppArmorLog) for _, item := range tmp { @@ -162,7 +161,73 @@ func New(file io.Reader, profile string) AppArmorLogs { } aaLogs = append(aaLogs, aa) } + return aaLogs +} + +// Load reads an ApparmorLogs from file written with AppArmorLogs.String. +func Load(file io.Reader, profile string, namespace string) AppArmorLogs { + var quoted bool + scanner := bufio.NewScanner(file) + aaLogs := make(AppArmorLogs, 0) + for scanner.Scan() { + log := scanner.Text() + quoted = false + tmp := strings.FieldsFunc(log, func(r rune) bool { + if r == '"' { + quoted = !quoted + } + return !quoted && r == ' ' + }) + if len(tmp) < 3 { + continue + } + if profile != "" && !strings.HasPrefix(tmp[1], profile) { + continue + } + aa := AppArmorLog{ + "apparmor": tmp[0], + "profile": tmp[1], + "operation": tmp[2], + } + tmp = slices.Delete(tmp, 0, 3) + isDbus := strings.Contains(aa["operation"], "dbus") + + for idx, item := range tmp { + if strings.Contains(item, "=") { + break + } + + switch idx { + case 0: + if item == "owner" { + aa["fsuid"], aa["ouid"] = "1000", "1000" + aa["FSUID"], aa["OUID"] = "user", "user" + aa["name"] = tmp[idx+1] + } else { + aa["name"] = item + } + + case 1: + if isDbus { + aa["mask"] = item + } + + case 2: + if item == "->" { + aa["target"] = tmp[idx+1] + } + } + } + for _, item := range tmp { + kv := strings.Split(item, "=") + if len(kv) >= 2 { + key, value := kv[0], kv[1] + aa[key] = strings.Trim(value, `"`) + } + } + aaLogs = append(aaLogs, aa) + } return aaLogs } diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 376b23f420..f93bf5e688 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -299,6 +299,86 @@ func TestNew(t *testing.T) { } } +func TestLoad(t *testing.T) { + tests := []struct { + name string + namespace string + path string + want AppArmorLogs + }{ + { + name: "dnsmasq", + path: filepath.Join(testdata, "aa-log"), + want: AppArmorLogs{ + { + "apparmor": "DENIED", + "profile": "dnsmasq", + "operation": "open", + "name": "@{PROC}/sys/kernel/osrelease", + "comm": "dnsmasq", + "requested_mask": "r", + "denied_mask": "r", + }, + { + "apparmor": "DENIED", + "profile": "dnsmasq", + "operation": "open", + "name": "@{PROC}/1/environ", + "comm": "dnsmasq", + "requested_mask": "r", + "denied_mask": "r", + }, + { + "apparmor": "DENIED", + "profile": "dnsmasq", + "operation": "open", + "name": "@{PROC}/cmdline", + "comm": "dnsmasq", + "requested_mask": "r", + "denied_mask": "r", + }, + }, + }, + { + name: "kmod", + path: filepath.Join(testdata, "aa-log"), + want: refKmod, + }, + { + name: "man", + path: filepath.Join(testdata, "aa-log"), + want: refMan, + }, + { + name: "power-profiles-daemon", + path: filepath.Join(testdata, "aa-log"), + want: AppArmorLogs{ + { + "addr": "?", + "apparmor": "ALLOWED", + "bus": "system", + "interface": "org.freedesktop.DBus", + "mask": "send", + "member": "AddMatch", + "name": "org.freedesktop.DBus", + "operation": "dbus_method_call", + "path": "/org/freedesktop/DBus", + "peer_label": "dbus-daemon", + "profile": "power-profiles-daemon", + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + file, _ := os.Open(tt.path) + if got := Load(file, tt.name, tt.namespace); !reflect.DeepEqual(got, tt.want) { + t.Errorf("Load() = %v, want %v", got, tt.want) + } + }) + } +} + func TestAppArmorLogs_String(t *testing.T) { tests := []struct { name string diff --git a/tests/testdata/logs/aa-log b/tests/testdata/logs/aa-log new file mode 100644 index 0000000000..c06f373e30 --- /dev/null +++ b/tests/testdata/logs/aa-log @@ -0,0 +1,42 @@ +ALLOWED kmod file_inherit comm=modprobe family=unix sock_type=stream protocol=0 requested_mask="send receive" +ALLOWED mkinitcpio file_inherit comm=modprobe family=unix sock_type=stream protocol=0 requested_mask=receive +ALLOWED pacman file_inherit comm=modprobe family=unix sock_type=stream protocol=0 requested_mask=receive +ALLOWED pacman-hook-mkinitcpio-install file_inherit comm=modprobe family=unix sock_type=stream protocol=0 requested_mask=receive +ALLOWED aa-log open @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size comm=remove-system.m requested_mask=r denied_mask=r +ALLOWED sysctl open @{PROC}/sys/kernel/panic_on_oops comm=sysctl requested_mask=r denied_mask=r +DENIED dbus-daemon signal comm=at-spi-bus-laun requested_mask=receive denied_mask=receive signal=term peer=at-spi-bus-launcher +DENIED dnsmasq open @{PROC}/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open @{PROC}/1/environ comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open @{PROC}/cmdline comm=dnsmasq requested_mask=r denied_mask=r +DENIED lsb_release open owner @{HOME}/ comm=find requested_mask=r denied_mask=r +DENIED lsb_release open /etc/ comm=find requested_mask=r denied_mask=r +DENIED chromium-chromium file_inherit owner @{user_share_dirs}/gvfs-metadata/root comm=chromium requested_mask=r denied_mask=r +DENIED chromium-chromium file_inherit owner @{user_share_dirs}/gvfs-metadata/root-aaabbbc0.log comm=chromium requested_mask=r denied_mask=r +ALLOWED fusermount open @{run}/user/@{uid}/doc/ comm=fusermount requested_mask=r denied_mask=r +DENIED chrome-gnome-shell open owner @{HOME}/.netrc comm=chrome-gnome-sh requested_mask=r denied_mask=r +ALLOWED man exec owner @{bin}/preconv -> man_groff info="no new privs" comm=man requested_mask=x denied_mask=x error=-1 +ALLOWED dbus-daemon dbus_method_call @{busname} receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch peer_label=power-profiles-daemon addr=? +ALLOWED "foo bar" file_perm @{HOME}/.bash_history comm=bash requested_mask=rw denied_mask=rw parent=16001 +ALLOWED power-profiles-daemon dbus_method_call org.freedesktop.DBus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch peer_label=dbus-daemon addr=? +ALLOWED dbus-daemon dbus_method_call @{busname} receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch peer_label=unconfined addr=? +ALLOWED gnome-shell bind comm=gnome-shell family=unix sock_type=stream protocol=0 requested_mask=bind denied_mask=bind addr=@/tmp/.X11-unix/X1 +ALLOWED gnome-session-binary file_perm comm=gnome-session-b family=unix sock_type=stream protocol=0 requested_mask="send receive" denied_mask="send receive" peer=gnome-shell peer_addr=none addr=@/tmp/.ICE-unix/1995 +ALLOWED lightdm dbus_method_call org.freedesktop.Accounts send bus=system path=/org/freedesktop/Accounts/User1000 interface=org.freedesktop.DBus.Properties member=GetAll peer_label=accounts-daemon +ALLOWED lightdm dbus_signal @{busname} receive bus=system path=/org/freedesktop/Accounts/User1000 interface=org.freedesktop.Accounts.User member=Changed peer_label=accounts-daemon +ALLOWED akonadi_maildispatcher_agent link owner @{user_config_dirs}/akonadi/agent_config_akonadi_maildispatcher_agent.CmJRGE -> @{user_config_dirs}/akonadi/#@{int6}1 comm=akonadi_maildis requested_mask=k denied_mask=k +ALLOWED xdg-document-portal ptrace comm=pool-/usr/lib/x requested_mask=read denied_mask=read peer=nautilus +DENIED nvidia_modprobe file_inherit comm=nvidia-modprobe family=netlink sock_type=raw protocol=0 requested_mask="send receive" denied_mask="send receive" +ALLOWED gsettings open owner /var/lib/gdm3/greeter-dconf-defaults comm=gsettings requested_mask=r denied_mask=r +ALLOWED gsettings connect comm="dconf worker" family=unix sock_type=stream protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" peer=dbus-daemon addr=none peer_addr=@/tmp/dbus-AaKMpxzC4k +ALLOWED gsettings file_perm comm=dbus-daemon family=unix sock_type=stream protocol=0 requested_mask="send receive" denied_mask="send receive" peer=dbus-daemon addr=none peer_addr=@/tmp/dbus-AaKMpxzC4k +ALLOWED gnome-keyring-daemon mkdir owner /var/lib/gdm3/.local/ comm=gnome-keyring-d requested_mask=c denied_mask=c +ALLOWED gnome-keyring-daemon mkdir owner /var/lib/gdm3/.local/share/ comm=gnome-keyring-d requested_mask=c denied_mask=c +DENIED snap-update-ns.firefox ptrace comm=systemd-journal requested_mask=readby denied_mask=readby peer=systemd-journald +DENIED /snap/snapd/19457@{lib}/snapd/snap-confine capable comm=snap-confine capability=12 capname=net_admin +DENIED /snap/snapd/19457@{lib}/snapd/snap-confine capable comm=snap-confine capability=38 capname=perfmon +ALLOWED firefox-vaapitest file_inherit comm=vaapitest family=netlink sock_type=raw protocol=0 requested_mask="send receive" denied_mask="send receive" +ALLOWED @{lib}/kauth/backlighthelper capable comm=backlighthelper capability=12 capname=net_admin +ALLOWED xorg capable comm=Xorg.bin capability=17 capname=sys_rawio +ALLOWED pacman capable info="optional: no audit" comm=killall capability=19 capname=sys_ptrace error=-1 +ALLOWED signal-desktop open @{sys}/devices/@{pci}/boot_vga comm=signal-desktop requested_mask=r denied_mask=r +ALLOWED startplasma link owner @{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz -> @{user_cache_dirs}/#@{int} comm=startplasma-way requested_mask=k denied_mask=k From 4222dcc4f53864517f3a02bd23bb43da367e2056 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 12 Nov 2025 00:35:58 +0100 Subject: [PATCH 1048/1736] feat(aa-log): initial support for apparmor namespace. --- cmd/aa-log/main.go | 15 ++++++++++----- cmd/aa-log/main_test.go | 34 ++++++++++++++++++++++------------ pkg/aa/profile.go | 1 + pkg/aa/templates/profile.j2 | 10 +++++++--- pkg/logs/loggers.go | 8 ++++++-- pkg/logs/logs.go | 22 +++++++++++++++++++--- 6 files changed, 65 insertions(+), 25 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 9627b31dbb..8e758d7546 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -16,7 +16,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/logs" ) -const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] +const usage = `aa-log [-h] [--systemd] [--file file] [--load] [--rules | --raw] [--since] [--namespace] [profile] Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. @@ -26,10 +26,13 @@ const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] Default logs are read from '/var/log/audit/audit.log'. Other files in '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Logs written with 'aa-log' can be read again with 'aa-log -l'. + Options: -h, --help Show this help message and exit. -f, --file FILE Set a logfile or a suffix to the default log file. -s, --systemd Parse systemd logs from journalctl. + -n, --namespace NS Filter the logs to the specified namespace. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. -S, --since DATE Show entries not older than the specified date. @@ -49,7 +52,7 @@ var ( load bool ) -func aaLog(logger string, path string, profile string) error { +func aaLog(logger string, path string, profile string, namespace string) error { var err error var file io.Reader @@ -68,7 +71,7 @@ func aaLog(logger string, path string, profile string) error { endRead := time.Now() if raw { - fmt.Print(strings.Join(logs.GetApparmorLogs(file, profile), "\n") + "\n") + fmt.Print(strings.Join(logs.GetApparmorLogs(file, profile, namespace), "\n") + "\n") return nil } @@ -76,7 +79,7 @@ func aaLog(logger string, path string, profile string) error { if load { aaLogs = logs.Load(file, profile, namespace) } else { - aaLogs = logs.New(file, profile) + aaLogs = logs.New(file, profile, namespace) } endParse := time.Now() if rules { @@ -111,6 +114,8 @@ func init() { flag.StringVar(&since, "since", "", "Display logs since the START time.") flag.BoolVar(&load, "l", false, "Load logs from the default aa-log output.") flag.BoolVar(&load, "load", false, "Load logs from the default aa-log output.") + flag.StringVar(&namespace, "n", "", "Filter the logs to the specified namespace") + flag.StringVar(&namespace, "namespace", "", "Filter the logs to the specified namespace") } func main() { @@ -132,7 +137,7 @@ func main() { } path = logs.SelectLogFile(path) - err := aaLog(logger, path, profile) + err := aaLog(logger, path, profile, namespace) if err != nil { fmt.Println(err) os.Exit(1) diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go index fb93386753..845c0b841e 100644 --- a/cmd/aa-log/main_test.go +++ b/cmd/aa-log/main_test.go @@ -15,58 +15,68 @@ var ( func Test_app(t *testing.T) { tests := []struct { - name string - logger string - path string - profile string - rules bool - wantErr bool + name string + logger string + path string + profile string + namespace string + rules bool + raw bool + load bool + wantErr bool }{ { name: "Test audit.log", logger: "auditd", path: filepath.Join(testdata, "audit.log"), - profile: "", rules: false, + raw: false, + load: false, wantErr: false, }, { name: "Test audit.log to rules", logger: "auditd", path: filepath.Join(testdata, "audit.log"), - profile: "", rules: true, + raw: false, + load: false, wantErr: false, }, { name: "Test Dbus Session", logger: "systemd", path: filepath.Join(testdata, "systemd.log"), - profile: "", rules: false, + raw: true, + load: false, wantErr: false, }, { name: "No logfile", logger: "auditd", path: filepath.Join(testdata, "log"), - profile: "", rules: false, + raw: false, + load: false, wantErr: true, }, { name: "Logger not supported", logger: "raw", path: filepath.Join(testdata, "audit.log"), - profile: "", rules: false, + raw: true, + load: false, wantErr: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { rules = tt.rules - if err := aaLog(tt.logger, tt.path, tt.profile); (err != nil) != tt.wantErr { + raw = tt.raw + load = tt.load + if err := aaLog(tt.logger, tt.path, tt.profile, tt.namespace); (err != nil) != tt.wantErr { t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr) } }) diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 5d097cad93..07621dcdb7 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -38,6 +38,7 @@ type Profile struct { // Header represents the header of a profile. type Header struct { Name string + NameSpace string Attachments []string Attributes map[string]string Flags []string diff --git a/pkg/aa/templates/profile.j2 b/pkg/aa/templates/profile.j2 index f2df9069ce..245e25b512 100644 --- a/pkg/aa/templates/profile.j2 +++ b/pkg/aa/templates/profile.j2 @@ -5,8 +5,12 @@ {{- define "profile" -}} {{- "profile" -}} - {{- with .Name -}} - {{ " " }}{{ . }} + {{- if and .Name .NameSpace -}} + {{ " " }}:{{ .NameSpace }}:{{ .Name }} + {{- else -}} + {{- with .Name -}} + {{ " " }}{{ . }} + {{- end -}} {{- end -}} {{- with .Attachments -}} {{ " " }}{{ join . }} @@ -22,6 +26,6 @@ {{- setindent "++" -}} {{- template "rules" .Rules -}} {{- setindent "--" -}} - {{- indent "}" -}} + {{- indent "}\n" -}} {{- end -}} diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 53b3fbd3a9..817b26622b 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -31,15 +31,19 @@ type systemdLog struct { } // GetApparmorLogs return a list of cleaned apparmor logs from a file -func GetApparmorLogs(file io.Reader, profile string) []string { +func GetApparmorLogs(file io.Reader, profile string, namespace string) []string { var logs []string isAppArmorLog := isAppArmorLogTemplate.Copy() + exp := `apparmor=("DENIED"|"ALLOWED"|"AUDIT")` if profile != "" { - exp := `apparmor=("DENIED"|"ALLOWED"|"AUDIT")` exp = fmt.Sprintf(exp+`.* (profile="%s.*"|label="%s.*")`, profile, profile) isAppArmorLog = regexp.MustCompile(exp) } + if namespace != "" { + exp = fmt.Sprintf(exp+`.* namespace="root//%s.*"`, namespace) + isAppArmorLog = regexp.MustCompile(exp) + } scanner := bufio.NewScanner(file) for scanner.Scan() { diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index be7d81454a..11f9dac0d2 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -127,8 +127,8 @@ func toQuote(str string) string { } // New returns a new ApparmorLogs list of map from a log file -func New(file io.Reader, profile string) AppArmorLogs { - logs := GetApparmorLogs(file, profile) +func New(file io.Reader, profile string, namespace string) AppArmorLogs { + logs := GetApparmorLogs(file, profile, namespace) // Parse log into ApparmorLog struct aaLogs := make(AppArmorLogs, 0) @@ -255,6 +255,7 @@ func (aaLogs AppArmorLogs) String() string { } // Color template to use template := map[string]string{ + "namespace": fgBlue, "profile": fgBlue, "label": fgBlue, "operation": fgYellow, @@ -275,8 +276,16 @@ func (aaLogs AppArmorLogs) String() string { seen := map[string]bool{"apparmor": true} res.WriteString(state[log["apparmor"]]) owner := aa.IsOwner(log) + hasNs := false + if ns, present := log["namespace"]; present { + res.WriteString(" " + fgBlue + ":" + getNameSpace(ns) + ":" + log["profile"] + reset) + hasNs = true + } for _, key := range keys { + if hasNs && key == "profile" { + continue + } if item, present := log[key]; present { if key == "name" && owner { res.WriteString(template[key] + " owner" + reset) @@ -303,6 +312,10 @@ func (aaLogs AppArmorLogs) String() string { return res.String() } +func getNameSpace(rawNamespace string) string { + return strings.TrimPrefix(rawNamespace, "root//") +} + // ParseToProfiles convert the log data into a new AppArmorProfiles func (aaLogs AppArmorLogs) ParseToProfiles() map[string]*aa.Profile { profiles := make(map[string]*aa.Profile, 0) @@ -315,7 +328,10 @@ func (aaLogs AppArmorLogs) ParseToProfiles() map[string]*aa.Profile { } if _, ok := profiles[name]; !ok { - profile := &aa.Profile{Header: aa.Header{Name: name}} + profile := &aa.Profile{Header: aa.Header{ + Name: name, + NameSpace: getNameSpace(log["namespace"]), + }} profile.AddRule(log) profiles[name] = profile } else { From b1cb503b1236984f8810ef13136cb925d5c583e7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 12 Nov 2025 00:38:57 +0100 Subject: [PATCH 1049/1736] tests(aa-log): improve units tests & small fixes. --- cmd/aa-log/main_test.go | 9 +++++++++ pkg/aa/file.go | 3 +++ pkg/aa/profile.go | 1 + pkg/logs/loggers_test.go | 11 ++++++----- pkg/logs/logs.go | 4 ++++ pkg/logs/logs_test.go | 11 ++++++----- 6 files changed, 29 insertions(+), 10 deletions(-) diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go index 845c0b841e..ed85ee05e2 100644 --- a/cmd/aa-log/main_test.go +++ b/cmd/aa-log/main_test.go @@ -61,6 +61,15 @@ func Test_app(t *testing.T) { load: false, wantErr: true, }, + { + name: "Test loading aa-log", + logger: "auditd", + path: filepath.Join(testdata, "aa-log"), + rules: false, + raw: false, + load: true, + wantErr: false, + }, { name: "Logger not supported", logger: "raw", diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 091f9436f9..e512a10104 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -88,6 +88,9 @@ func newFile(q Qualifier, rule rule) (Rule, error) { } func newFileFromLog(log map[string]string) Rule { + if log["operation"] == "link" { + log["requested_mask"] += "l" + } accesses, err := toAccess("file-log", log["requested_mask"]) if err != nil { panic(fmt.Errorf("newFileFromLog(%v): %w", log, err)) diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 07621dcdb7..186341e0d3 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -175,6 +175,7 @@ var ( // operation "capable": newCapabilityFromLog, "chmod": newFileFromLog, + "chown": newFileFromLog, "exec": newFileFromLog, "getattr": newFileFromLog, "link": newFileFromLog, diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 7e0a6002af..8fcb5d5aa0 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -16,10 +16,11 @@ var ( func TestGetJournalctlLogs(t *testing.T) { tests := []struct { - name string - path string - useFile bool - want AppArmorLogs + name string + namespace string + path string + useFile bool + want AppArmorLogs }{ { name: "gsd-xsettings", @@ -50,7 +51,7 @@ func TestGetJournalctlLogs(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { reader, _ := GetJournalctlLogs(tt.path, "", tt.useFile) - if got := New(reader, tt.name); !reflect.DeepEqual(got, tt.want) { + if got := New(reader, tt.name, tt.namespace); !reflect.DeepEqual(got, tt.want) { t.Errorf("New() = %v, want %v", got, tt.want) } }) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 11f9dac0d2..5b2e317b43 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -226,6 +226,10 @@ func Load(file io.Reader, profile string, namespace string) AppArmorLogs { aa[key] = strings.Trim(value, `"`) } } + + if _, present := aa["family"]; present { + aa["class"] = "net" + } aaLogs = append(aaLogs, aa) } return aaLogs diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index f93bf5e688..4d7d680cd4 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -174,7 +174,7 @@ func TestAppArmorEvents(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file := strings.NewReader(tt.event) - if got := New(file, ""); !reflect.DeepEqual(got, tt.want) { + if got := New(file, "", ""); !reflect.DeepEqual(got, tt.want) { t.Errorf("New() = %v, want %v", got, tt.want) } }) @@ -183,9 +183,10 @@ func TestAppArmorEvents(t *testing.T) { func TestNew(t *testing.T) { tests := []struct { - name string - path string - want AppArmorLogs + name string + namespace string + path string + want AppArmorLogs }{ { name: "dnsmasq", @@ -292,7 +293,7 @@ func TestNew(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file, _ := os.Open(tt.path) - if got := New(file, tt.name); !reflect.DeepEqual(got, tt.want) { + if got := New(file, tt.name, tt.namespace); !reflect.DeepEqual(got, tt.want) { t.Errorf("New() = %v, want %v", got, tt.want) } }) From a5bf44de83bced2cd02ef838b2422f63996e4845 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 12 Nov 2025 00:49:35 +0100 Subject: [PATCH 1050/1736] feat(aa): various improvement on rules generation. --- pkg/aa/file.go | 5 +---- pkg/aa/network.go | 8 ++++++++ pkg/aa/templates/rule/comment.j2 | 7 +++++-- pkg/aa/templates/rule/file.j2 | 8 ++++++-- pkg/aa/templates/rule/mount.j2 | 1 - pkg/aa/templates/rule/network.j2 | 3 +++ pkg/aa/templates/rule/unix.j2 | 20 ++++++-------------- pkg/aa/unix.go | 5 ++--- 8 files changed, 31 insertions(+), 26 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index e512a10104..26f22521ea 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -162,10 +162,7 @@ func (r *File) Compare(other Rule) int { if res := compare(r.Access, o.Access); res != 0 { return res } - if res := compare(r.Target, o.Target); res != 0 { - return res - } - return r.Qualifier.Compare(o.Qualifier) + return compare(r.Target, o.Target) } func (r *File) Merge(other Rule) bool { diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 15dd4385ef..b11362aae8 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -81,6 +81,7 @@ type Network struct { Qualifier LocalAddress PeerAddress + Access []string Domain string Type string Protocol string @@ -114,6 +115,7 @@ func newNetworkFromLog(log map[string]string) Rule { Qualifier: newQualifierFromLog(log), LocalAddress: newLocalAddressFromLog(log), PeerAddress: newPeerAddressFromLog(log), + Access: Must(toAccess(NETWORK, log["requested"])), Domain: log["family"], Type: log["sock_type"], Protocol: log["protocol"], @@ -133,6 +135,9 @@ func (r *Network) String() string { } func (r *Network) Validate() error { + if err := validateValues(r.Kind(), "access", r.Access); err != nil { + return fmt.Errorf("%s: %w", r, err) + } if err := validateValues(r.Kind(), "domains", []string{r.Domain}); err != nil { return fmt.Errorf("%s: %w", r, err) } @@ -150,6 +155,9 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Domain, o.Domain); res != 0 { return res } + if res := compare(r.Access, o.Access); res != 0 { + return res + } if res := compare(r.Type, o.Type); res != 0 { return res } diff --git a/pkg/aa/templates/rule/comment.j2 b/pkg/aa/templates/rule/comment.j2 index c013f89337..4663bf8d6d 100644 --- a/pkg/aa/templates/rule/comment.j2 +++ b/pkg/aa/templates/rule/comment.j2 @@ -4,7 +4,7 @@ {{- define "comment" -}} {{- if or .FileInherit .NoNewPrivs .Optional .Comment -}} - {{- if .IsLineRule }} + {{- if .IsLineRule -}} {{- "#" -}} {{- else -}} {{- " #" -}} @@ -19,7 +19,10 @@ {{- " optional:" -}} {{- end -}} {{- with .Comment -}} - {{ . }} + {{- if or $.FileInherit $.NoNewPrivs $.Optional -}} + {{- " " -}} + {{- end -}} + {{- . -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/pkg/aa/templates/rule/file.j2 b/pkg/aa/templates/rule/file.j2 index 52a41a318b..4d2e148ea3 100644 --- a/pkg/aa/templates/rule/file.j2 +++ b/pkg/aa/templates/rule/file.j2 @@ -8,8 +8,12 @@ {{- "owner " -}} {{- end -}} {{- .Padding 2 -}} - {{- .Path -}} - {{- " " -}} + {{- if and (not .Path) (not .Target) (not .Access) -}} + {{- "file" -}} + {{- end -}} + {{- with .Path -}} + {{- . -}}{{- " " -}} + {{- end -}} {{- .Padding 3 -}} {{- range .Access -}} {{- . -}} diff --git a/pkg/aa/templates/rule/mount.j2 b/pkg/aa/templates/rule/mount.j2 index 31e83567f6..6f2d54c6fc 100644 --- a/pkg/aa/templates/rule/mount.j2 +++ b/pkg/aa/templates/rule/mount.j2 @@ -16,7 +16,6 @@ {{- with .Source -}} {{ " " }}{{ . }} {{- end -}} - {{- .Padding 4 -}} {{- with .MountPoint -}} {{ " -> " }}{{ . }} {{- end -}} diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 3694442be4..4d029cc91d 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 @@ -5,6 +5,9 @@ {{- define "network" -}} {{- template "qualifier" . -}} {{ "network" }} + {{- with .Access -}} + {{ " " }}{{ cjoin . }} + {{- end -}} {{- with .Domain -}} {{ " " }}{{ . }} {{- end -}} diff --git a/pkg/aa/templates/rule/unix.j2 b/pkg/aa/templates/rule/unix.j2 index fae6a5429f..4bbab668b5 100644 --- a/pkg/aa/templates/rule/unix.j2 +++ b/pkg/aa/templates/rule/unix.j2 @@ -8,31 +8,23 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Type -}} {{ " type=" }}{{ . }} {{- end -}} - {{- .Padding 3 -}} - {{- with .Protocol -}} - {{ " protocol=" }}{{ . }} + {{- if and .Address (ne .Address "none") -}} + {{ " addr=" }}{{ .Address }} {{- end -}} - {{- .Padding 4 -}} - {{- with .Address -}} - {{ " addr=" }}{{ . }} - {{- end -}} - {{- .Padding 5 -}} {{- with .Label -}} {{ " label=" }}{{ . }} {{- end -}} - {{- .Padding 6 -}} - {{- if and .PeerLabel .PeerAddr -}} - {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }} + {{- if and .PeerLabel .PeerAddr .Address (ne .Address "none") -}} + {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr=" }}{{ .PeerAddr }}{{ ")" }} {{- else -}} {{- with .PeerLabel -}} {{ overindent "peer=(label=" }}{{ . }}{{ ")" }} {{- end -}} - {{- with .PeerAddr -}} - {{ overindent "peer=(addr=" }}{{ . }}{{ ")" }} + {{- if and .PeerAddr (ne .PeerAddr "none") -}} + {{ overindent "peer=(addr=" }}{{ .PeerAddr }}{{ ")" }} {{- end -}} {{- end -}} {{- "," -}} diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index 1e8a992989..a99bc72951 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go @@ -143,7 +143,6 @@ func (r *Unix) Lengths() []int { r.getLenAccess(), length("", r.Access), length("type=", r.Type), - length("protocol=", r.Protocol), length("addr=", r.Address), length("label=", r.Label), } @@ -151,7 +150,7 @@ func (r *Unix) Lengths() []int { func (r *Unix) setPaddings(max []int) { r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"", "type=", "protocol=", "addr=", "label="}, - []any{r.Access, r.Type, r.Protocol, r.Address, r.Label})..., + max[2:], []string{"", "type=", "addr=", "label="}, + []any{r.Access, r.Type, r.Address, r.Label})..., ) } From 59e89be117b6905af624debcff385bc0792af5a3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 12 Nov 2025 01:16:15 +0100 Subject: [PATCH 1051/1736] fix(aa): wrong address considered in unix rule. --- pkg/aa/templates/rule/unix.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/aa/templates/rule/unix.j2 b/pkg/aa/templates/rule/unix.j2 index 4bbab668b5..110143e5ad 100644 --- a/pkg/aa/templates/rule/unix.j2 +++ b/pkg/aa/templates/rule/unix.j2 @@ -17,7 +17,7 @@ {{- with .Label -}} {{ " label=" }}{{ . }} {{- end -}} - {{- if and .PeerLabel .PeerAddr .Address (ne .Address "none") -}} + {{- if and .PeerLabel .PeerAddr (ne .PeerAddr "none") -}} {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr=" }}{{ .PeerAddr }}{{ ")" }} {{- else -}} {{- with .PeerLabel -}} From cd5ac872f35ef679edd1fe88fe1fb7e74a994167 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 14 Nov 2025 21:57:50 +0100 Subject: [PATCH 1052/1736] build: add the ability to enforce dev profiles. --- Justfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 39c5a526e7..d86cad6ad2 100644 --- a/Justfile +++ b/Justfile @@ -13,6 +13,9 @@ pkgdest := `pwd` / ".pkg" pkgname := "apparmor.d" gpgkey := "06A26D531D56C42D66805049C5469996F0DF68EC" +# Prebuild options, only used for the `dev` install target +opt := "complain" + # The following variables are only used for the development and test VM # Admin username @@ -192,7 +195,7 @@ local +names: # Prebuild, install, and load a dev profile [group('install')] dev +names: - go run ./cmd/prebuild --complain + go run ./cmd/prebuild --{{opt}} for file in {{names}}; do \ sudo install -Dm644 -v {{build}}/apparmor.d/$file /etc/apparmor.d/$file; \ done From bfd832cad590ef61a5dcbe0c3d437dfceb83ff2a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 16 Nov 2025 17:18:23 +0100 Subject: [PATCH 1053/1736] build: add aa file kind in builder options. --- pkg/prebuild/builder/attach.go | 9 +++++++-- pkg/prebuild/builder/core.go | 3 +++ pkg/prebuild/builder/stacked-dbus.go | 5 ++--- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index 1ec5e06b1c..e0326f1ba6 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -7,6 +7,7 @@ package builder import ( "strings" + "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -36,7 +37,9 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } if strings.Contains(profile, "attach_disconnected") { - insert = "@{att} = /att/" + opt.Name + "/\n" + if opt.Kind == aa.ProfileKind { + insert = "@{att} = /att/" + opt.Name + "/\n" + } profile = strings.ReplaceAll(profile, "attach_disconnected", "attach_disconnected,attach_disconnected.path=@{att}", @@ -55,7 +58,9 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { ) } else { - insert = "@{att} = \"\"\n" + if opt.Kind == aa.ProfileKind { + insert = "@{att} = \"\"\n" + } } diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index bfc1aa0256..b687dae726 100644 --- a/pkg/prebuild/builder/core.go +++ b/pkg/prebuild/builder/core.go @@ -8,6 +8,7 @@ import ( "fmt" "strings" + "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -30,12 +31,14 @@ type Builder interface { type Option struct { Name string File *paths.Path + Kind aa.FileKind } func NewOption(file *paths.Path) *Option { return &Option{ Name: strings.TrimSuffix(file.Base(), ".apparmor.d"), File: file, + Kind: aa.KindFromPath(file), } } diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index eca8122c6b..29df677139 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -62,8 +62,7 @@ func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { } func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { - kind := aa.KindFromPath(opt.File) - if kind == aa.TunableKind { + if opt.Kind == aa.TunableKind { return profile, nil } @@ -72,7 +71,7 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { toResolve = append(toResolve, k) } - rulesByParagraph, paragraphs, err := parse(kind, profile) + rulesByParagraph, paragraphs, err := parse(opt.Kind, profile) if err != nil { return "", err } From 9b108f38b6242f5e6c63766fd2176e7b12276c02 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 16 Nov 2025 17:19:44 +0100 Subject: [PATCH 1054/1736] refractor: builder/stacked-dbus -> dbus. --- pkg/prebuild/builder/{stacked-dbus.go => dbus.go} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename pkg/prebuild/builder/{stacked-dbus.go => dbus.go} (100%) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/dbus.go similarity index 100% rename from pkg/prebuild/builder/stacked-dbus.go rename to pkg/prebuild/builder/dbus.go From 5618432ebd856f1b4f60066125666a73c14c673b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 16 Nov 2025 17:35:45 +0100 Subject: [PATCH 1055/1736] build: cosmetic. --- pkg/prebuild/cli/cli.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 868bf69d8c..157af7e962 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -179,13 +179,15 @@ func Configure() { } func Prebuild() { - logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + logging.Step("Building apparmor.d profiles for %s", prebuild.Distribution) + logging.Success("AppArmor ABI targeted: %d", prebuild.ABI) + logging.Success("AppArmor version targeted: %.1f", prebuild.Version) + if prebuild.Test { + logging.Warning("Test mode enabled") + } if full { logging.Success("Full system policy enabled") } - if prebuild.Version != nilVer { - logging.Success("AppArmor version targeted: %.1f", prebuild.Version) - } if err := Prepare(); err != nil { logging.Fatal("%s", err.Error()) } From 45e48a68c7302fc01b74182874273aef72f50642 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 16 Nov 2025 17:36:26 +0100 Subject: [PATCH 1056/1736] build: add the abi5 builder. --- pkg/prebuild/builder/abi.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index f61316390f..2d917fa6e1 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -10,6 +10,9 @@ import ( ) var ( + regAbi4To5 = util.ToRegexRepl([]string{ + `abi/4.0`, `abi/5.0`, + }) regAbi4To3 = util.ToRegexRepl([]string{ `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, @@ -22,6 +25,10 @@ var ( }) ) +type ABI5 struct { + prebuild.Base +} + type ABI3 struct { prebuild.Base } @@ -31,6 +38,12 @@ type APPARMOR40 struct { } func init() { + RegisterBuilder(&ABI5{ + Base: prebuild.Base{ + Keyword: "abi5", + Msg: "Build: convert all profiles from abi 4.0 to abi 5.0", + }, + }) RegisterBuilder(&ABI3{ Base: prebuild.Base{ Keyword: "abi3", @@ -45,6 +58,10 @@ func init() { }) } +func (b ABI5) Apply(opt *Option, profile string) (string, error) { + return regAbi4To5.Replace(profile), nil +} + func (b ABI3) Apply(opt *Option, profile string) (string, error) { return regAbi4To3.Replace(profile), nil } From 6143d1094898ba4c7f2b9624621dbec9916fded6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 16 Nov 2025 17:46:01 +0100 Subject: [PATCH 1057/1736] build: add the DbusBroker builder to ignore peer name in dbus rules. Hotfix for https://gitlab.com/apparmor/apparmor/-/issues/565. --- pkg/prebuild/builder/dbus.go | 27 ++++++++++++ pkg/prebuild/directive/dbus.go | 77 +++++++++++++++++++++++++--------- pkg/prebuild/directories.go | 3 ++ 3 files changed, 87 insertions(+), 20 deletions(-) diff --git a/pkg/prebuild/builder/dbus.go b/pkg/prebuild/builder/dbus.go index 29df677139..83ade83fec 100644 --- a/pkg/prebuild/builder/dbus.go +++ b/pkg/prebuild/builder/dbus.go @@ -5,6 +5,7 @@ package builder import ( + "regexp" "slices" "strings" @@ -24,6 +25,11 @@ type StackedDbus struct { prebuild.Base } +// DbusBroker is a fix for https://gitlab.com/apparmor/apparmor/-/issues/565 +type DbusBroker struct { + prebuild.Base +} + func init() { RegisterBuilder(&StackedDbus{ Base: prebuild.Base{ @@ -31,6 +37,12 @@ func init() { Msg: "Fix: resolve peer label variable in dbus rules", }, }) + RegisterBuilder(&DbusBroker{ + Base: prebuild.Base{ + Keyword: "dbus-broker", + Msg: "Fix: ignore peer name in dbus rules", + }, + }) } func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { @@ -101,3 +113,18 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { } return profile, nil } + +func (b DbusBroker) Apply(opt *Option, profile string) (string, error) { + // Remove peer name in two cases: + // 1. peer=(name=..., label=...) -> peer=(label=...) + // 2. peer=(name=...), -> (keep only the comma) + + // First, handle peer name with other attributes (has attribute after comma) + rePeerNameWithAttrs := regexp.MustCompile(`peer=\(\s*name\s*=\s*(?:"[^"]*"|'[^']*'|[^,)\s]+)\s*,\s*(\w+\s*=)`) + profile = rePeerNameWithAttrs.ReplaceAllString(profile, "peer=($1") + + // Second, handle peer name alone (followed by closing paren and comma) + rePeerNameAlone := regexp.MustCompile(`peer=\(\s*name\s*=\s*(?:"[^"]*"|'[^']*'|[^,)\s]+)\s*\)\s*,`) + profile = rePeerNameAlone.ReplaceAllString(profile, ",") + return profile, nil +} diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 4862597bbf..3a025fe1ef 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -33,7 +33,7 @@ func init() { Help: []string{ "own bus= name= [interface=AARE] [path=AARE]", "talk bus= name= label= [interface=AARE] [path=AARE]", - "common bus= name= label=", + "see bus= name= label=", }, }}, ) @@ -51,8 +51,8 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { r = d.own(opt.ArgMap) case "talk": r = d.talk(opt.ArgMap) - case "common": - r = d.common(opt.ArgMap) + case "common", "see": + r = d.see(opt.ArgMap) } aa.IndentationLevel = strings.Count( @@ -120,27 +120,39 @@ func (d Dbus) own(rules map[string]string) aa.Rules { // Interfaces for _, iface := range interfaces { + var peerNames = make([]string, 2) + if prebuild.DbusDaemon { + peerNames[0] = `"@{busname}"` + peerNames[1] = `"{@{busname},org.freedesktop.DBus}"` + } res = append(res, &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: `"@{busname}"`, + PeerName: peerNames[0], }, &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: `"{@{busname},org.freedesktop.DBus}"`, + PeerName: peerNames[1], }, ) } + var peerNames = make([]string, 4) + if prebuild.DbusDaemon { + peerNames[0] = `"{@{busname},org.freedesktop.DBus}"` + peerNames[1] = `"@{busname}"` + peerNames[2] = `"{@{busname},` + rules["name"] + `}"` + peerNames[3] = `"{@{busname},org.freedesktop.DBus}"` + } res = append(res, // DBus.Properties: reply to properties request from anyone &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", Member: "{Get,GetAll,Set,PropertiesChanged}", - PeerName: `"{@{busname},org.freedesktop.DBus}"`, + PeerName: peerNames[0], }, // DBus.Introspectable: allow clients to introspect the service @@ -148,7 +160,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", Member: "Introspect", - PeerName: `"@{busname}"`, + PeerName: peerNames[0], }, // DBus.ObjectManager: allow clients to enumerate sources @@ -156,13 +168,13 @@ func (d Dbus) own(rules map[string]string) aa.Rules { Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", Member: "GetManagedObjects", - PeerName: `"{@{busname},` + rules["name"] + `}"`, + PeerName: peerNames[0], }, &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", Member: "{InterfacesAdded,InterfacesRemoved}", - PeerName: `"{@{busname},org.freedesktop.DBus}"`, + PeerName: peerNames[0], }, ) return res @@ -179,12 +191,17 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { }, } + peerName := `` + if prebuild.DbusDaemon { + peerName = `"{@{busname},` + rules["name"] + `}"` + } + // Interfaces for _, iface := range interfaces { res = append(res, &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: peerName, PeerLabel: rules["label"], }) } @@ -194,7 +211,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", Member: "{Get,GetAll,Set,PropertiesChanged}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: peerName, PeerLabel: rules["label"], }, // DBus.Introspectable @@ -202,7 +219,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", Member: "Introspect", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: peerName, PeerLabel: rules["label"], }, // DBus.ObjectManager: allow clients to enumerate sources @@ -210,21 +227,41 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", Member: "GetManagedObjects", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: peerName, PeerLabel: rules["label"], }, &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", Member: "{InterfacesAdded,InterfacesRemoved}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: peerName, PeerLabel: rules["label"], }, ) return res } -func (d Dbus) common(rules map[string]string) aa.Rules { +func (d Dbus) see(rules map[string]string) aa.Rules { + peerName := `` + if prebuild.DbusDaemon { + peerName = `"{@{busname},` + rules["name"] + `}"` + } + res := aa.Rules{ + // Unix: allow connection to the profile + &aa.Comment{ + Base: aa.Base{ + Comment: " Unix: allow connection to the profile", + IsLineRule: true, + }, + }, + &aa.Unix{ + Type: "stream", + Address: "none", + PeerLabel: rules["label"], + PeerAddr: "none", + }, + nil, + // DBus.Properties: read all properties from the interface &aa.Comment{ Base: aa.Base{ @@ -236,7 +273,7 @@ func (d Dbus) common(rules map[string]string) aa.Rules { Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", Member: "{Get,GetAll}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: peerName, PeerLabel: rules["label"], }, nil, @@ -251,14 +288,14 @@ func (d Dbus) common(rules map[string]string) aa.Rules { Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", Member: "PropertiesChanged", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: peerName, PeerLabel: rules["label"], }, nil, - // DBus.Introspectable: allow clients to introspect the service + // DBus.Introspectable: allow service introspection &aa.Comment{ Base: aa.Base{ - Comment: " DBus.Introspectable: allow clients to introspect the service", + Comment: " DBus.Introspectable: allow service introspection", IsLineRule: true, }, }, @@ -266,7 +303,7 @@ func (d Dbus) common(rules map[string]string) aa.Rules { Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", Member: "Introspect", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: peerName, PeerLabel: rules["label"], }, } return res diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 486a45d140..07414a1eca 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -22,6 +22,9 @@ var ( // Either or not we are in test mode Test = false + // The dbus implementation used + DbusDaemon = true + // Pkgname is the name of the package Pkgname = "apparmor.d" From 180a30a9acc690d4888c35d969ec761fd15290c9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 16 Nov 2025 17:47:11 +0100 Subject: [PATCH 1058/1736] build: add support for abi 5 build. --- pkg/prebuild/cli/cli.go | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 157af7e962..1c90de02cb 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -159,6 +159,29 @@ func Configure() { } + case 5: + builder.Register("abi5") // Convert all profiles from abi 4.0 to abi 5.0 + + // Re-attach disconnected path + if prebuild.Distribution == "ubuntu" { + // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent + // profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + + // Use stacked-dbus builder to resolve dbus rules + builder.Register("stacked-dbus") + + } else { + if !prebuild.DownStream { + prepare.Register("attach") + } + builder.Register("attach") + + // Fix dbus rules for dbus-broker + builder.Register("dbus-broker") + prebuild.DbusDaemon = false + } + default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } From 81241a44989e579873473c400036d1d7cf6b24b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 16 Nov 2025 21:03:42 +0100 Subject: [PATCH 1059/1736] feat: add support for new systemd varlink socket. --- .../abstractions/attached/nameservice-strict | 22 +++++++++++++++++++ .../abstractions/nss-systemd.d/complete | 8 +++++++ pkg/prebuild/builder/attach.go | 4 ++++ 3 files changed, 34 insertions(+) create mode 100644 apparmor.d/abstractions/attached/nameservice-strict create mode 100644 apparmor.d/abstractions/nss-systemd.d/complete diff --git a/apparmor.d/abstractions/attached/nameservice-strict b/apparmor.d/abstractions/attached/nameservice-strict new file mode 100644 index 0000000000..a16831b642 --- /dev/null +++ b/apparmor.d/abstractions/attached/nameservice-strict @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. + + abi , + + include + + # nss-systemd + @{att}@{run}/systemd/io.systemd.NamespaceResource rw, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}@{run}/systemd/userdb/io.systemd.Home rw, + @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{att}@{run}/systemd/userdb/org.gnome.DisplayManager rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nss-systemd.d/complete b/apparmor.d/abstractions/nss-systemd.d/complete new file mode 100644 index 0000000000..d277f8e637 --- /dev/null +++ b/apparmor.d/abstractions/nss-systemd.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + @{run}/systemd/io.systemd.NamespaceResource rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + +# vim:syntax=apparmor diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index e0326f1ba6..d87c29f127 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -56,6 +56,10 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { "include ", "include ", ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) } else { if opt.Kind == aa.ProfileKind { From 29b2b5075c4b44c0cfd13570035a08270da6c681 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 16 Nov 2025 23:09:08 +0100 Subject: [PATCH 1060/1736] fix(build): do not re-attach twice any abs in the attached directory. --- pkg/prebuild/builder/attach.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index d87c29f127..b03fba7ce1 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -5,6 +5,7 @@ package builder import ( + "fmt" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -32,7 +33,12 @@ func init() { func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name - if opt.File.HasSuffix("attached/base") { + + isInside, err := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions/attached")) + if err != nil { + return profile, fmt.Errorf("attach: %v", err) + } + if isInside { return profile, nil // Do not re-attach twice } From 98b04d3f073b7c3b4f41884575b1cbbf77cf9de3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 18 Nov 2025 00:31:53 +0100 Subject: [PATCH 1061/1736] tests: improve dev vm generation. --- Justfile | 12 ++++++++++++ tests/packer/variables.pkr.hcl | 24 ++++++++---------------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/Justfile b/Justfile index d86cad6ad2..a295ce7ba1 100644 --- a/Justfile +++ b/Justfile @@ -5,6 +5,10 @@ # Usage: `just` # See https://apparmor.pujol.io/development/ for more information. +# Globally override any variables +set allow-duplicate-variables +import? '~/.aa.just' + # Build settings destdir := "/" @@ -38,6 +42,13 @@ ssh_keyname := "id_ed25519" ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname ssh_publickey := ssh_privatekey + ".pub" +# Path to the UEFI firmware +firmware := if path_exists("/usr/share/edk2/x64/OVMF.4m.fd") == "true" { + "/usr/share/edk2/x64/OVMF.4m.fd" +} else { + "/usr/share/ovmf/OVMF.fd" +} + # Where the VM are stored vm := home_dir() / ".vm" @@ -299,6 +310,7 @@ img dist release flavor: (package dist release flavor) -var disk_size={{disk_size}} \ -var cpus={{vcpus}} \ -var ram={{ram}} \ + -var firmware={{firmware}} \ -var base_dir={{base_dir}} \ -var output_dir={{output_dir}} \ tests/packer/ diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index e09b7266f7..65b4780b7c 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -25,7 +25,7 @@ variable "cpus" { variable "ram" { description = "Default RAM of the VM" type = string - default = "4096" + default = "2048" } variable "disk_size" { @@ -61,7 +61,7 @@ variable "output_dir" { variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2/x64/OVMF.4m.fd" + default = "" } variable "prefix" { @@ -73,13 +73,13 @@ variable "prefix" { variable "dist" { description = "Distribution to target" type = string - default = "ubuntu" + default = "" } variable "release" { description = "Release to target" type = string - default = "25.10" + default = "" } variable "flavor" { @@ -99,30 +99,22 @@ variable "DM" { img_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" img_checksum = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" }, - "debian12" : { - img_url = "https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2" - img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" - } "debian13" : { img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" } - "ubuntu22.04" : { - img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" - img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS" - }, "ubuntu24.04" : { img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" }, - "ubuntu25.04" : { - img_url = "https://cloud-images.ubuntu.com/plucky/current/plucky-server-cloudimg-amd64.img" - img_checksum = "https://cloud-images.ubuntu.com/plucky/current/SHA256SUMS" - }, "ubuntu25.10" : { img_url = "https://cloud-images.ubuntu.com/questing/current/questing-server-cloudimg-amd64.img" img_checksum = "https://cloud-images.ubuntu.com/questing/current/SHA256SUMS" }, + "ubuntu26.04" : { + img_url = "https://cloud-images.ubuntu.com/resolute/current/questing-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/resolute/current/SHA256SUMS" + }, "opensuse" : { img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2" img_checksum = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256" From 29ed239617a7346c9909c7d19c30f781ee2f6a4b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 18 Nov 2025 00:35:03 +0100 Subject: [PATCH 1062/1736] tests: update vm cloud init. --- tests/cloud-init/debian13-test.user-data.yml | 9 ++++++++- tests/cloud-init/ubuntu.yml | 1 - tests/cloud-init/ubuntu25.05-desktop.user-data.yml | 9 --------- tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml | 10 ---------- tests/cloud-init/ubuntu25.05-server.user-data.yml | 8 -------- tests/cloud-init/ubuntu25.10-test.user-data.yml | 10 +++++++++- 6 files changed, 17 insertions(+), 30 deletions(-) delete mode 100644 tests/cloud-init/ubuntu25.05-desktop.user-data.yml delete mode 100644 tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml delete mode 100644 tests/cloud-init/ubuntu25.05-server.user-data.yml diff --git a/tests/cloud-init/debian13-test.user-data.yml b/tests/cloud-init/debian13-test.user-data.yml index eaeda8faee..d3e088b072 100644 --- a/tests/cloud-init/debian13-test.user-data.yml +++ b/tests/cloud-init/debian13-test.user-data.yml @@ -1,6 +1,13 @@ #cloud-config -packages: *core-packages +packages: + - apparmor-profiles + - apparmor-utils + - auditd + - htop + - libpam-apparmor + - qemu-guest-agent + - vim runcmd: - /usr/bin/setup-testbed diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index 83015ead09..b433c60bc6 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -9,7 +9,6 @@ core-packages: &core-packages - build-essential - config-package-dev - debhelper - - debian-keyring - devscripts - dkms - docker.io diff --git a/tests/cloud-init/ubuntu25.05-desktop.user-data.yml b/tests/cloud-init/ubuntu25.05-desktop.user-data.yml deleted file mode 100644 index 6ce097d2c1..0000000000 --- a/tests/cloud-init/ubuntu25.05-desktop.user-data.yml +++ /dev/null @@ -1,9 +0,0 @@ -#cloud-config - -packages: *desktop-packages - -runcmd: *desktop-runcmd - -write_files: - - *shared-directory # Setup shared directory - - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml deleted file mode 100644 index 4f78d253e2..0000000000 --- a/tests/cloud-init/ubuntu25.05-kubuntu.user-data.yml +++ /dev/null @@ -1,10 +0,0 @@ -#cloud-config - -packages: *kubuntu-packages - -runcmd: *desktop-runcmd - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server - - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu25.05-server.user-data.yml b/tests/cloud-init/ubuntu25.05-server.user-data.yml deleted file mode 100644 index 0a4e22ba50..0000000000 --- a/tests/cloud-init/ubuntu25.05-server.user-data.yml +++ /dev/null @@ -1,8 +0,0 @@ -#cloud-config - -packages: *core-packages - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server - - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu25.10-test.user-data.yml b/tests/cloud-init/ubuntu25.10-test.user-data.yml index eaeda8faee..1d20baf79b 100644 --- a/tests/cloud-init/ubuntu25.10-test.user-data.yml +++ b/tests/cloud-init/ubuntu25.10-test.user-data.yml @@ -1,6 +1,14 @@ #cloud-config -packages: *core-packages +packages: + - apparmor-profiles + - apparmor-utils + - auditd + - debian-keyring + - htop + - libpam-apparmor + - qemu-guest-agent + - vim runcmd: - /usr/bin/setup-testbed From d9ecbff2d6742ed21608147368b5ab4d54c7dde5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 18 Nov 2025 00:36:58 +0100 Subject: [PATCH 1063/1736] build: document the opt variable. --- Justfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index a295ce7ba1..71bb75c33c 100644 --- a/Justfile +++ b/Justfile @@ -72,6 +72,7 @@ Build variables available: build " + BLUE + "# Build directory (default: " + build + ")" + NORMAL + " destdir " + BLUE + "# Installation destination (default: " + destdir + ")" + NORMAL + " pkgdest " + BLUE + "# Package output directory (default: " + pkgdest + ")" + NORMAL + " + opt " + BLUE + "# Prebuild option, only used for the dev install target (default: " + opt + ")" + NORMAL + " Development variables available: username " + BLUE + "# VM username (default: " + username + ")" + NORMAL + " @@ -201,7 +202,7 @@ local +names: sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done; - systemctl restart apparmor || sudo journalctl -xeu apparmor.service + systemctl restart apparmor.service || journalctl -xeu apparmor.service # Prebuild, install, and load a dev profile [group('install')] From 5ab3430b901376f2713b028c5db38574442b73b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 18 Nov 2025 00:38:52 +0100 Subject: [PATCH 1064/1736] tests: add the ability to snapshot the tests vm. As the current VM are mostly used as fancy container, it is not a feature we use that much. It is stil useful time to time. --- Justfile | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Justfile b/Justfile index 71bb75c33c..19b08f3281 100644 --- a/Justfile +++ b/Justfile @@ -358,6 +358,26 @@ destroy osinfo flavor: @virsh {{c}} undefine {{prefix}}{{osinfo}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{osinfo}}-{{flavor}}.qcow2 +# List all snapshots for a machine +[group('vm')] +snapshots osinfo flavor: + @virsh {{c}} snapshot-list {{prefix}}{{osinfo}}-{{flavor}} + +# Snapshot a machine +[group('vm')] +snapshot osinfo flavor snapname: + @virsh {{c}} snapshot-create-as {{prefix}}{{osinfo}}-{{flavor}} --name {{snapname}} + +# Restore a machine to a specified snapshot +[group('vm')] +restore osinfo flavor snapname: + @virsh {{c}} snapshot-revert {{prefix}}{{osinfo}}-{{flavor}} {{snapname}} + +# Delete a specified snapshot from a machine +[group('vm')] +delete osinfo flavor snapname: + @virsh {{c}} snapshot-delete {{prefix}}{{osinfo}}-{{flavor}} {{snapname}} + # Connect to the machine [group('vm')] ssh osinfo flavor: From cdb273d436b5fdcc260554c3ab2a4b47430a839f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Nov 2025 22:04:59 +0100 Subject: [PATCH 1065/1736] feat(aa-log): add the --boot option. --- cmd/aa-log/main.go | 11 ++++++++++- pkg/logs/loggers.go | 7 +++++-- pkg/logs/loggers_test.go | 2 +- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 8e758d7546..4dd0fde149 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -35,6 +35,7 @@ Options: -n, --namespace NS Filter the logs to the specified namespace. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. + -b, --boot NUM Show entries from the specified boot. -S, --since DATE Show entries not older than the specified date. -l, --load Load logs from the default aa-log output. @@ -48,6 +49,7 @@ var ( systemd bool namespace string raw bool + boot string since string load bool ) @@ -61,7 +63,7 @@ func aaLog(logger string, path string, profile string, namespace string) error { case "auditd": file, err = logs.GetAuditLogs(path) case "systemd": - file, err = logs.GetJournalctlLogs(path, since, !slices.Contains(logs.LogFiles, path)) + file, err = logs.GetJournalctlLogs(path, boot, since, !slices.Contains(logs.LogFiles, path)) default: err = fmt.Errorf("logger %s not supported", logger) } @@ -81,6 +83,7 @@ func aaLog(logger string, path string, profile string, namespace string) error { } else { aaLogs = logs.New(file, profile, namespace) } + endParse := time.Now() if rules { profiles := aaLogs.ParseToProfiles() @@ -110,6 +113,8 @@ func init() { flag.BoolVar(&rules, "rules", false, "Convert the log into AppArmor rules.") flag.BoolVar(&raw, "R", false, "Print the raw log without any formatting.") flag.BoolVar(&raw, "raw", false, "Print the raw log without any formatting.") + flag.StringVar(&boot, "b", "", "Show entries from the specified boot.") + flag.StringVar(&boot, "boot", "", "Show entries from the specified boot.") flag.StringVar(&since, "S", "", "Display logs since the START time.") flag.StringVar(&since, "since", "", "Display logs since the START time.") flag.BoolVar(&load, "l", false, "Load logs from the default aa-log output.") @@ -131,6 +136,10 @@ func main() { profile = flag.Args()[0] } + if boot != "" { + systemd = true + } + logger := "auditd" if systemd { logger = "systemd" diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 817b26622b..9bbb2af986 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -86,9 +86,12 @@ func GetJournalctlLogs(path string, since string, useFile bool) (io.Reader, erro "--identifier=audit", "--identifier=dbus-daemon", "--output=json", "--output-fields=MESSAGE", } - if since == "" { + if boot != "" { + args = append(args, "--boot="+boot) + } else if since == "" { args = append(args, "--boot") - } else { + } + if since != "" { args = append(args, "--since="+since) } cmd := exec.Command("journalctl", args...) diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 8fcb5d5aa0..7edfe0e7e5 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -50,7 +50,7 @@ func TestGetJournalctlLogs(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - reader, _ := GetJournalctlLogs(tt.path, "", tt.useFile) + reader, _ := GetJournalctlLogs(tt.path, "", "", tt.useFile) if got := New(reader, tt.name, tt.namespace); !reflect.DeepEqual(got, tt.want) { t.Errorf("New() = %v, want %v", got, tt.want) } From 5c4b849b7fad0a0ddf6b28183f6162a31ada8540 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Nov 2025 22:08:46 +0100 Subject: [PATCH 1066/1736] feat(aa-log): do not fail silently if log file is on available. --- cmd/aa-log/main.go | 8 +++-- pkg/logs/loggers.go | 63 +++++++++++++++++++++++++++++++++------- pkg/logs/loggers_test.go | 27 ++++++++++++----- 3 files changed, 78 insertions(+), 20 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 4dd0fde149..f90d982e32 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -145,8 +145,12 @@ func main() { logger = "systemd" } - path = logs.SelectLogFile(path) - err := aaLog(logger, path, profile, namespace) + path, err := logs.SelectLogFile(path) + if err != nil { + fmt.Println(err) + os.Exit(1) + } + err = aaLog(logger, path, profile, namespace) if err != nil { fmt.Println(err) os.Exit(1) diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 9bbb2af986..6057c61df8 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -67,7 +67,7 @@ func GetAuditLogs(path string) (io.Reader, error) { } // GetJournalctlLogs return a reader with the logs entries from Systemd -func GetJournalctlLogs(path string, since string, useFile bool) (io.Reader, error) { +func GetJournalctlLogs(path string, boot string, since string, useFile bool) (io.Reader, error) { var logs []systemdLog var stdout bytes.Buffer var stderr bytes.Buffer @@ -124,21 +124,62 @@ func GetJournalctlLogs(path string, since string, useFile bool) (io.Reader, erro return strings.NewReader(res.String()), nil } +// validateLogFile checks if a file exists, is readable, and is not empty. +func validateLogFile(filename string) error { + info, err := os.Stat(filename) + if err != nil { + return err + } + if !info.Mode().IsRegular() { + return fmt.Errorf("not a regular file: %s", filename) + } + if info.Size() == 0 { + return fmt.Errorf("file is empty: %s", filename) + } + file, err := os.Open(filename) + if err != nil { + return fmt.Errorf("unable to read: %s", filename) + } + file.Close() + return nil +} + // SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2) -func SelectLogFile(path string) string { - info, err := os.Stat(filepath.Clean(path)) - if err == nil && !info.IsDir() { - return path +func SelectLogFile(input string) (string, error) { + // If a specific file path is provided + if input != "" { + path := filepath.Clean(input) + + // Check if it's a full path that exists + if _, err := os.Stat(path); err == nil { + if err := validateLogFile(path); err != nil { + return "", err + } + return path, nil + } + + // Try as a suffix to default log files (e.g., "1" -> audit.log.1) + for _, logfile := range LogFiles { + suffixedFile := logfile + "." + input + if _, err := os.Stat(suffixedFile); err == nil { + if err := validateLogFile(suffixedFile); err != nil { + return "", err + } + return suffixedFile, nil + } + } + + return "", fmt.Errorf("log file not found: %s", input) } + + // No input provided, find first available default log file for _, logfile := range LogFiles { if _, err := os.Stat(logfile); err == nil { - oldLogfile := filepath.Clean(logfile + "." + path) - if _, err := os.Stat(oldLogfile); err == nil { - return oldLogfile - } else { - return logfile + if err := validateLogFile(logfile); err != nil { + return "", err } + return logfile, nil } } - return "" + return "", fmt.Errorf("no log file found") } diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 7edfe0e7e5..fceeeada94 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -60,14 +60,16 @@ func TestGetJournalctlLogs(t *testing.T) { func TestSelectLogFile(t *testing.T) { tests := []struct { - name string - path string - want string + name string + path string + want string + wantErr bool }{ { - name: "Get audit.log", - path: filepath.Join(testdata, "audit.log"), - want: filepath.Join(testdata, "audit.log"), + name: "Get audit.log", + path: filepath.Join(testdata, "audit.log"), + want: filepath.Join(testdata, "audit.log"), + wantErr: false, }, { name: "Get /var/log/audit/audit.log.1", @@ -79,10 +81,21 @@ func TestSelectLogFile(t *testing.T) { path: "", want: "/var/log/audit/audit.log", }, + { + name: "File not found", + path: "/nonexistent/file", + want: "", + wantErr: true, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if got := SelectLogFile(tt.path); got != tt.want { + got, err := SelectLogFile(tt.path) + if (err != nil) != tt.wantErr { + t.Errorf("SelectLogFile() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { t.Errorf("SelectLogFile() = %v, want %v", got, tt.want) } }) From 921864427f4bfe13ecc82ed0bf9bd99830fa2f62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Nov 2025 22:09:49 +0100 Subject: [PATCH 1067/1736] fix(aa-log): unit tests. --- pkg/logs/logs.go | 4 ++++ pkg/logs/logs_test.go | 1 + 2 files changed, 5 insertions(+) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 5b2e317b43..744fb85703 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -159,6 +159,10 @@ func New(file io.Reader, profile string, namespace string) AppArmorLogs { aa[key] = strings.Trim(value, `"`) } } + + if _, present := aa["family"]; present { + aa["class"] = "net" + } aaLogs = append(aaLogs, aa) } return aaLogs diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 4d7d680cd4..fade5c9ee0 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -25,6 +25,7 @@ var ( "sock_type": "stream", "protocol": "0", "requested_mask": "send receive", + "class": "net", }, } refMan = AppArmorLogs{ From e8238b730f6fbc1145370d6e5bd40aa6f5b3a4a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 00:41:14 +0100 Subject: [PATCH 1068/1736] feat(profile): deprecate the freedesktop.org abstraction. --- .../abstractions/attached/nameservice-strict | 2 +- apparmor.d/abstractions/lxqt | 16 ++++++-- apparmor.d/groups/apt/apt-listbugs | 6 +-- apparmor.d/groups/apt/querybts | 9 +---- apparmor.d/groups/freedesktop/xdg-open | 17 +++++++-- apparmor.d/groups/gvfs/gvfsd-mtp | 2 +- apparmor.d/groups/network/nm-dhcp-helper | 2 - apparmor.d/groups/virt/kubernetes-pause | 2 - apparmor.d/profiles-a-f/adequate | 5 +-- apparmor.d/profiles-a-f/arandr | 5 +-- apparmor.d/profiles-a-f/arduino | 28 ++++++-------- apparmor.d/profiles-a-f/aspell-autobuildhash | 6 +-- apparmor.d/profiles-a-f/cawbird | 8 +--- .../profiles-a-f/check-support-status-hook | 6 +-- apparmor.d/profiles-a-f/claws-mail | 8 +--- apparmor.d/profiles-a-f/conky | 4 +- apparmor.d/profiles-a-f/czkawka-gui | 5 +-- apparmor.d/profiles-a-f/deltachat-desktop | 38 +++---------------- apparmor.d/profiles-a-f/dunst | 4 +- apparmor.d/profiles-a-f/exo-helper | 23 +++++------ apparmor.d/profiles-a-f/exo-open | 7 +--- apparmor.d/profiles-g-l/globaltime | 5 +-- apparmor.d/profiles-g-l/gpa | 5 +-- apparmor.d/profiles-g-l/gsimplecal | 2 +- apparmor.d/profiles-g-l/gtk-youtube-viewer | 13 +------ apparmor.d/profiles-g-l/hexchat | 22 +++++------ apparmor.d/profiles-g-l/jgmenu | 12 +----- apparmor.d/profiles-m-r/merkaartor | 26 +++---------- apparmor.d/profiles-m-r/mono-sgen | 4 +- apparmor.d/profiles-m-r/mtr | 5 +-- apparmor.d/profiles-m-r/orage | 5 +-- apparmor.d/profiles-m-r/pulseeffects | 7 +--- apparmor.d/profiles-s-z/smtube | 36 +++++++----------- apparmor.d/profiles-s-z/tint2conf | 5 +-- apparmor.d/profiles-s-z/xarchiver | 7 +--- apparmor.d/profiles-s-z/zenmap | 13 +++---- tests/check.sh | 7 ++-- 37 files changed, 119 insertions(+), 258 deletions(-) diff --git a/apparmor.d/abstractions/attached/nameservice-strict b/apparmor.d/abstractions/attached/nameservice-strict index a16831b642..bdb413d272 100644 --- a/apparmor.d/abstractions/attached/nameservice-strict +++ b/apparmor.d/abstractions/attached/nameservice-strict @@ -17,6 +17,6 @@ @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{att}@{run}/systemd/userdb/org.gnome.DisplayManager rw, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 913ab3eb32..79051cccc2 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -5,12 +5,22 @@ abi , include - include - include - include + include + include + include + include + include + include + include + include include + include + include + include include + include include + include include include include diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index a60457ec85..883724961b 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -48,15 +48,11 @@ profile apt-listbugs @{exec_path} { @{PROC}/@{pid}/loginuid r, # The following is needed when apt-listbugs uses debcconf GUI frontends. - include - include - include - include + include capability dac_read_search, @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, include if exists } diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 87967d164c..0a8abb2ece 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -11,10 +11,7 @@ include profile querybts @{exec_path} { include include - include - include - include - include + include include include include @@ -38,7 +35,6 @@ profile querybts @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, /etc/reportbug.conf r, - owner @{HOME}/.reportbugrc r, /etc/mime.types r, /etc/inputrc r, @@ -48,8 +44,7 @@ profile querybts @{exec_path} { /etc/fstab r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{HOME}/.reportbugrc r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 7893800d12..e0265bfde0 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Generic profile for xdg-open utility. It is an equivalent of child-open-any. + abi , include @@ -10,12 +12,12 @@ include @{exec_path} = @{bin}/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include - include - include - include + include + include @{exec_path} r, + # xdg-open internal commands @{sh_path} rix, @{bin}/{,e}grep ix, @{bin}/basename ix, @@ -35,7 +37,14 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { @{bin}/gdbus Cx -> bus, @{bin}/xprop Px, @{bin}/xdg-mime Px, - @{open_path} Px -> child-open-any, + + # Allow to open everything (equivalent to child-open-any) + @{bin}/** PUx, + @{lib}/** PUx, + @{user_bin_dirs}/** PUx, + /opt/*/** PUx, + /usr/local/bin/** PUx, + /usr/share/** PUx, @{PROC}/version r, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 4b810f2223..a280071053 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -15,7 +15,7 @@ profile gvfsd-mtp @{exec_path} { include include include - include + include include include diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 3e232154e9..625a56f9b3 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -14,8 +14,6 @@ profile nm-dhcp-helper @{exec_path} { network inet dgram, network inet6 dgram, - ptrace (readby) peer=NetworkManager, - signal (receive) peer=NetworkManager, signal (send) peer=dhclient, diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause index c762515a41..8692655dda 100644 --- a/apparmor.d/groups/virt/kubernetes-pause +++ b/apparmor.d/groups/virt/kubernetes-pause @@ -12,8 +12,6 @@ profile kubernetes-pause @{exec_path} flags=(attach_disconnected) { signal (receive) set=kill, - ptrace (readby) peer={k3s,ps}, - @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index dc5cf9502d..504f2d0610 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -86,10 +86,7 @@ profile adequate @{exec_path} flags=(complain) { /usr/share/debconf/templates/adequate.templates r, # The following is needed when debconf uses GUI frontends. - include - include - include - include + include capability dac_read_search, @{bin}/lsb_release rPx, @{bin}/hostname rix, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index 808ef47ece..f554cb3e8a 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/arandr profile arandr @{exec_path} { include - include - include - include - include + include include include include diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index cfac12d42d..dd04a5786a 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -12,12 +12,11 @@ profile arduino @{exec_path} { include include include - include - include - include - include - include + include include + include + include + include network inet dgram, network inet6 dgram, @@ -46,12 +45,6 @@ profile arduino @{exec_path} { @{lib}/jvm/java-[0-9]*-openjdk-*/bin/java rix, @{lib}/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, - /usr/share/java/*.jar r, - /etc/java-[0-9]*-openjdk/** r, - /etc/ssl/certs/java/cacerts r, - owner @{HOME}/.java/fonts/*/ rw, - owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw, - owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw, /usr/share/arduino/{,**} r, /usr/share/arduino-builder/{,**} r, @@ -59,13 +52,19 @@ profile arduino @{exec_path} { /usr/share/doc/arduino/{,**} r, /usr/share/doc/arduino-core/{,**} r, + /etc/fstab r, + + /etc/avrdude.conf r, + + owner @{HOME}/.java/fonts/*/ rw, + owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw, + owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw, + owner @{HOME}/ r, owner @{HOME}/.arduino{,15}/{,**} rw, owner @{HOME}/Arduino/{,**} rw, owner @{HOME}/sketchbook/{,**} rw, - owner @{HOME}/.Xauthority r, - /tmp/ r, owner @{tmp}/cc*.{s,res,c,o,ld,le} rw, owner @{tmp}/hsperfdata_@{user}/ rw, @@ -95,9 +94,6 @@ profile arduino @{exec_path} { @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, - /etc/fstab r, - - /etc/avrdude.conf r, @{sys}/fs/cgroup/{,**} r, @{sys}/class/tty/ r, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 14feb75df1..9a433b204c 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -57,15 +57,11 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, # The following is needed when debconf uses GUI frontends. - include - include - include - include + include capability dac_read_search, @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, include if exists } diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index 0d8c6a0003..2128bee20f 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -12,12 +12,9 @@ profile cawbird @{exec_path} { include include include + include include - include - include - include include - include include include @@ -35,9 +32,6 @@ profile cawbird @{exec_path} { /usr/share/xml/iso-codes/{,**} r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - owner @{user_config_dirs}/cawbird/ rw, owner @{user_config_dirs}/cawbird/** rwk, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 8101b30083..a33fe4957c 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -79,15 +79,11 @@ profile check-support-status-hook @{exec_path} { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, # The following is needed when debconf uses GUI frontends. - include - include - include - include + include capability dac_read_search, @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, include if exists } diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 263bb5794e..ca89b2c1eb 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -11,14 +11,10 @@ include profile claws-mail @{exec_path} flags=(complain) { include include + include include - include - include - include - include include include - include include @{exec_path} mr, @@ -37,8 +33,6 @@ profile claws-mail @{exec_path} flags=(complain) { /usr/share/publicsuffix/*.dafsa r, /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, owner /var/mail/* rwk, diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 81f8f2626d..0fdf804965 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -11,9 +11,7 @@ include profile conky @{exec_path} { include include - include - include - include + include include include diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index d7bb93f414..7bad2c44b1 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -11,10 +11,7 @@ include profile czkawka-gui @{exec_path} { include include - include - include - include - include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 2e7723995d..243f593bd0 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,19 +7,18 @@ abi , include +@{name} = deltachat-desktop @{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ +@{config_dirs} = @{user_config_dirs}/DeltaChat +@{cache_dirs} = @{user_cache_dirs}/DeltaChat @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include - include include include - include - include - include - include + include include include include @@ -32,45 +31,18 @@ profile deltachat-desktop @{exec_path} { @{exec_path} mrix, - @{lib_dirs}/ r, - @{lib_dirs}/** r, - @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/{swiftshader/,}libGLESv2.so mr, - @{lib_dirs}/{swiftshader/,}libEGL.so mr, - @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr, - @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr, - @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, @{lib_dirs}/chrome-sandbox rPx, @{bin}/xdg-settings rPx, @{open_path} rPx -> child-open-browsers, - owner @{user_config_dirs}/DeltaChat/ rw, - owner @{user_config_dirs}/DeltaChat/** rwk, - owner @{tmp}/@{hex}/ rw, - owner @{tmp}/@{hex}/db.sqlite-blobs/ rw, owner @{tmp}/@{hex}/db.sqlite rwk, + owner @{tmp}/@{hex}/db.sqlite-blobs/ rw, owner @{tmp}/@{hex}/db.sqlite-journal rw, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/statm r, - /dev/ r, - # (#FIXME#) - deny @{sys}/bus/pci/devices/ r, - deny @{sys}/devices/virtual/tty/tty@{int}/active r, - include if exists } diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst index e73e3370c3..2a1b78eaee 100644 --- a/apparmor.d/profiles-a-f/dunst +++ b/apparmor.d/profiles-a-f/dunst @@ -10,9 +10,7 @@ include @{exec_path} = @{bin}/dunst profile dunst @{exec_path} { include - include - include - include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index 95827d1ad1..f2d544c823 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Generic profile for exo utility. It is an equivalent of child-open-any. + abi , include @@ -10,14 +12,9 @@ include @{exec_path} = @{lib}/@{multiarch}/xfce[0-9]/exo-[0-9]/exo-helper-[0-9] profile exo-helper @{exec_path} { include - include include - - # These are needed when there's no default application set in the ~/.config/xfce4/helpers.rc - include - include - include - include + include + include @{exec_path} mr, @@ -26,12 +23,15 @@ profile exo-helper @{exec_path} { /usr/share/xfce4/helpers/ r, /usr/share/xfce4/helpers/*.desktop r, /usr/local/share/ r, + + /etc/xdg/{,xdg-*/}xfce4/helpers.rc r, + + /etc/fstab r, + owner @{user_share_dirs}/ r, owner @{user_share_dirs}/xfce4/ r, owner @{user_share_dirs}/xfce4/helpers/ r, - /etc/xdg/{,xdg-*/}xfce4/helpers.rc r, - owner @{user_config_dirs}/xfce4/helpers.rc rw, owner @{user_config_dirs}/xfce4/helpers.rc.@{pid}.tmp rw, owner @{user_share_dirs}/xfce4/helpers/*.desktop rw, @@ -39,15 +39,10 @@ profile exo-helper @{exec_path} { owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, - # Some missing icons - /usr/share/**.png r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - # file_inherit owner /dev/tty@{u8} rw, diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index 2c5e86e30a..88c80ed2c9 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -10,11 +10,8 @@ include @{exec_path} = @{bin}/exo-open profile exo-open @{exec_path} { include - include - include - include - include - include + include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime index 5144429245..ce5917bd93 100644 --- a/apparmor.d/profiles-g-l/globaltime +++ b/apparmor.d/profiles-g-l/globaltime @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/globaltime profile globaltime @{exec_path} { include - include - include - include - include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index cfd95143e2..5357ae5939 100644 --- a/apparmor.d/profiles-g-l/gpa +++ b/apparmor.d/profiles-g-l/gpa @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/gpa profile gpa @{exec_path} { include - include - include - include - include + include include include diff --git a/apparmor.d/profiles-g-l/gsimplecal b/apparmor.d/profiles-g-l/gsimplecal index b0b743359b..9903e3dcf2 100644 --- a/apparmor.d/profiles-g-l/gsimplecal +++ b/apparmor.d/profiles-g-l/gsimplecal @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/gsimplecal profile gsimplecal @{exec_path} { include - include + include include include diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 0b9075bc1e..7e40457f4b 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/gtk{,2,3}-youtube-viewer profile gtk-youtube-viewer @{exec_path} { include - include - include - include - include + include include include include @@ -49,13 +46,10 @@ profile gtk-youtube-viewer @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - profile xterm { include include - include - include - include + include include include include @@ -86,9 +80,6 @@ profile gtk-youtube-viewer @{exec_path} { owner @{HOME}/.Xauthority r, owner @{HOME}/.ICEauthority r, - # file_inherit - owner @{HOME}/.xsession-errors w, - include if exists } diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index 1363dcbd8b..5493955440 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -10,17 +10,13 @@ include @{exec_path} = @{bin}/hexchat profile hexchat @{exec_path} { include - include - include - include - include + include include - include include - include - # For python/perl plugins - include include + include + include + include network inet dgram, network inet6 dgram, @@ -34,6 +30,11 @@ profile hexchat @{exec_path} { @{lib}/@{multiarch}/hexchat/** r, @{lib}/@{multiarch}/hexchat/plugins/*.so mr, + # External apps + @{lib}/firefox/firefox rPUx, + + /etc/fstab r, + # Hexchat home files owner @{HOME}/ r, owner @{user_config_dirs}/hexchat/ rw, @@ -42,11 +43,6 @@ profile hexchat @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - /etc/fstab r, - - # External apps - @{lib}/firefox/firefox rPUx, - # file_inherit owner /dev/tty@{u8} rw, diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index 85b9adff2a..caa5658088 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -11,10 +11,7 @@ include profile jgmenu @{exec_path} { include include - include - include - include - include + include include include @@ -37,21 +34,14 @@ profile jgmenu @{exec_path} { owner @{user_config_dirs}/jgmenu/ rw, owner @{user_config_dirs}/jgmenu/** rw, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/jgmenu/ rw, owner @{user_cache_dirs}/jgmenu/** rw, - owner @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/loginuid r, # For zsh shell /etc/zsh/zshenv r, - # For missing apps icon and desktop files - /usr/share/**.png r, - /usr/share/**.desktop r, - # file_inherit owner /dev/tty@{u8} rw, diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index e43460210e..22776543cf 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -10,16 +10,10 @@ include @{exec_path} = @{bin}/merkaartor profile merkaartor @{exec_path} { include - include - include - include - include - include - include - include - include - include + include + include include + include include include @@ -34,26 +28,18 @@ profile merkaartor @{exec_path} { /usr/share/merkaartor/{,**} r, - owner @{user_config_dirs}/Merkaartor/ rw, - owner @{user_config_dirs}/Merkaartor/* rwkl -> @{user_config_dirs}/Merkaartor/, - owner @{HOME}/.merkaartor/ rw, owner @{HOME}/.merkaartor/* rw, owner @{HOME}/merkaartor.log rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - deny owner @{PROC}/@{pid}/cmdline r, + owner @{user_config_dirs}/Merkaartor/ rw, + owner @{user_config_dirs}/Merkaartor/* rwkl -> @{user_config_dirs}/Merkaartor/, owner @{tmp}/qtsingleapp-merkaa-* rw, owner @{tmp}/qtsingleapp-merkaa-*-lockfile rwk, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, + deny owner @{PROC}/@{pid}/cmdline r, include if exists } diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index bdaafd9c8f..b4ba3db0a1 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -10,11 +10,10 @@ include profile mono-sgen @{exec_path} { include include - include + include include include include - include network inet dgram, network inet6 dgram, @@ -31,7 +30,6 @@ profile mono-sgen @{exec_path} { /usr/share/.mono/{,**} rw, /etc/mono/{,**} r, - /etc/machine-id r, owner @{user_config_dirs}/openra/{,**} rw, owner @{user_config_dirs}/.mono/{,**} r, diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr index 4ff851662e..3c2e5c448b 100644 --- a/apparmor.d/profiles-m-r/mtr +++ b/apparmor.d/profiles-m-r/mtr @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/mtr profile mtr @{exec_path} { include - include - include - include - include + include include network inet dgram, diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index 1db2d22a3d..7b8576abfd 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/orage profile orage @{exec_path} { include - include - include - include - include + include include include diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index 95732ff5ad..235a2e52d3 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -11,12 +11,9 @@ include profile pulseeffects @{exec_path} { include include - include - include - include - include - include + include include + include network netlink raw, diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index 6b2aba9fa5..035ffaf0be 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -11,17 +11,12 @@ include profile smtube @{exec_path} { include include - include - include - include - include - include - include + include + include + include include - include include include - include network inet dgram, network inet6 dgram, @@ -32,6 +27,16 @@ profile smtube @{exec_path} { @{exec_path} mr, + # Players + @{bin}/mpv rPUx, + @{bin}/smplayer rPUx, + @{bin}/vlc rPUx, + @{bin}/cvlc rPUx, + @{bin}/youtube-dl rPUx, + @{bin}/yt-dlp rPUx, + + @{open_path} rPx -> child-open, + # SMTube config files owner @{user_config_dirs}/smtube/ rw, owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#@{int}, @@ -49,27 +54,12 @@ profile smtube @{exec_path} { owner @{user_cache_dirs}/smtube/ rw, owner @{user_cache_dirs}/smtube/* rwk, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - /dev/shm/#@{int} rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, deny @{PROC}/sys/kernel/random/boot_id r, - # Players - @{bin}/mpv rPUx, - @{bin}/smplayer rPUx, - @{bin}/vlc rPUx, - @{bin}/cvlc rPUx, - @{bin}/youtube-dl rPUx, - @{bin}/yt-dlp rPUx, - - @{open_path} rPx -> child-open, - # file_inherit owner /dev/tty@{u8} rw, diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index 4e8519e5da..f82d19ec11 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/tint2conf profile tint2conf @{exec_path} { include - include - include - include - include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 68c9236982..51abaa628a 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -11,13 +11,10 @@ include profile xarchiver @{exec_path} { include include - include - include - include - include + include include - include include + include @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index f4dc9fc774..fb0701fd18 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/{zenmap,nmapfe} profile zenmap @{exec_path} { include - include - include - include - include + include include include @@ -24,6 +21,10 @@ profile zenmap @{exec_path} { @{bin}/nmap rPx, + /etc/fstab r, + + /usr/share/zenmap/** r, + owner @{HOME}/ r, owner @{HOME}/.zenmap/ rw, owner @{HOME}/.zenmap/** rwk, @@ -33,10 +34,6 @@ profile zenmap @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - /usr/share/zenmap/** r, - owner @{tmp}/* rw, owner @{tmp}/zenmap-stdout-* rw, diff --git a/tests/check.sh b/tests/check.sh index 7e84abdb0b..acf2656d4d 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -178,8 +178,9 @@ declare -A ABS_DEPRECATED=( ["nameservice"]="nameservice-strict" ["bash"]="shell" ["X"]="X-strict" + ["gtk"]="gtk-strict" ["dbus-accessibility-strict"]="bus-accessibility" - ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-network-manager-strict"]="network-manager-observe" ["dbus-session-strict"]="bus-session" ["dbus-system-strict"]="bus-system" ["gnome"]="gnome-strict" @@ -261,7 +262,7 @@ readonly TRANSITION_MUST_C=( # Must transition to 'Cx' _check_transition() { _is_enabled transition || return 0 if [[ "$line" =~ [pP]ix, ]]; then - _err transition "$file:$line_number" "'Pix' transition leads to unmaintainable profile" + _err transition "$file:$line_number" "'Pix' transition leads to nondeterministic confinement" fi for prgmname in "${!TRANSITION_MUST_CI[@]}"; do if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then @@ -284,7 +285,7 @@ _check_transition() { } readonly USELESS=( - 'ptrace readby' + 'ptrace readby' 'ptrace (readby)' '/usr/share/locale/' '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible' From 642a6b864eaa76419604bfde85748cbc819af8e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 00:47:32 +0100 Subject: [PATCH 1069/1736] feat(profile): small improvement to the flatpak stack. --- apparmor.d/abstractions/app/flatpak | 16 +++++++---- .../flatpak/baseapp/org.mozilla.firefox | 16 +++++++++++ .../flatpak/platform/org.freedesktop | 2 +- apparmor.d/abstractions/flatpak/sockets/x11 | 4 +-- apparmor.d/groups/flatpak/fapp | 3 -- apparmor.d/groups/flatpak/flatpak | 4 +-- .../groups/flatpak/flatpak-session-helper | 28 +++++++++++++------ 7 files changed, 52 insertions(+), 21 deletions(-) create mode 100644 apparmor.d/abstractions/flatpak/baseapp/org.mozilla.firefox diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index cf2d067895..4b14721697 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -39,8 +39,9 @@ include # Base app specific rules, they are all included as it is for a generic profile - include include + include + include # Flatpak devices '--device=' include @@ -76,8 +77,8 @@ include include include - include include + include capability dac_override, capability dac_read_search, @@ -122,6 +123,9 @@ @{sbin}/ r, @{sbin}/** rix, + # apply_extra + /app/extra/** w, + / r, owner /.flatpak-info r, @@ -156,7 +160,7 @@ owner @{att}@{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, owner @{att}@{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw, - owner @{att}@{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int6} rw, + owner @{att}@{run}/user/@{uid}/.dbus-proxy/system-bus-proxy-@{rand6} rw, @{run}/host/os-release r, owner @{run}/host/ r, @@ -165,8 +169,10 @@ #aa:lint ignore=too-wide # Flatpak creates an app-specific private restricted /tmp. As such, we can # simply allow full access to /tmp. - /tmp/ r, + /tmp/ r, owner /tmp/** mrwlkix, + @{att}/tmp/ r, + owner @{att}/tmp/** mrwlkix, # Show the list of active tty @{sys}/devices/virtual/tty/tty@{int}/active r, @@ -232,7 +238,7 @@ owner @{PROC}/@{pid}/task/@{tid}/statm r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because - # the flatpak uses a per-app devpts. + # flatpak uses a per-app devpts. /dev/ptmx rw, include if exists diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.mozilla.firefox b/apparmor.d/abstractions/flatpak/baseapp/org.mozilla.firefox new file mode 100644 index 0000000000..46a774fd11 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/baseapp/org.mozilla.firefox @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: appid + + abi , + + /dev/shm/ r, + owner /dev/shm/org.chromium.@{rand6} rw, + owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, + owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/platform/org.freedesktop b/apparmor.d/abstractions/flatpak/platform/org.freedesktop index bedc12d164..3d08dffd60 100644 --- a/apparmor.d/abstractions/flatpak/platform/org.freedesktop +++ b/apparmor.d/abstractions/flatpak/platform/org.freedesktop @@ -53,7 +53,7 @@ owner /etc/pkcs11/modules/p11-kit-trust.module r, owner /etc/pkcs11/pkcs11.conf r, - owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, + owner @{att}@{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, include if exists diff --git a/apparmor.d/abstractions/flatpak/sockets/x11 b/apparmor.d/abstractions/flatpak/sockets/x11 index 53f6a3168b..23f7983a15 100644 --- a/apparmor.d/abstractions/flatpak/sockets/x11 +++ b/apparmor.d/abstractions/flatpak/sockets/x11 @@ -5,9 +5,9 @@ abi , - unix type=stream addr=none peer=(label=xwayland, addr=@/tmp/.X11-unix/X@{int}), - unix type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}), + unix (send receive connect) type=stream peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}), unix (send receive connect) type=stream peer=(label=xkbcomp, addr=@/tmp/.X11-unix/X@{int}), + unix (send receive connect) type=stream peer=(label=xwayland, addr=@/tmp/.X11-unix/X@{int}), /usr/share/X11/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, diff --git a/apparmor.d/groups/flatpak/fapp b/apparmor.d/groups/flatpak/fapp index b673bdfcd6..35080bc0e7 100644 --- a/apparmor.d/groups/flatpak/fapp +++ b/apparmor.d/groups/flatpak/fapp @@ -17,9 +17,6 @@ profile fapp flags=(attach_disconnected,mediate_deleted) { include include - # apply_extra - /app/extra/* w, - deny @{att}/ r, deny @{att}@{run}/.userns r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index feea6a7362..cbb74600bc 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -54,8 +54,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain unix type=seqpacket peer=(label=flatpak-system-helper), unix type=stream peer=(label=flatpak//fusermount), - unix (send receive) type=seqpacket peer=(label=fapp, addr=@@{hex}), - unix (send receive) type=seqpacket peer=(label=fbwrap, addr=@@{hex}), + unix (send receive) type=seqpacket peer=(label=fapp), + unix (send receive) type=seqpacket peer=(label=fbwrap), #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index cdae7e6090..1d8514dbb2 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -15,7 +15,6 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected,mediate_d include include include - include signal send set=(hup int) peer=user_unconfined, signal send set=int peer=@{p_systemd}, @@ -35,12 +34,10 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected,mediate_d @{bin}/dbus-monitor rPUx, @{bin}/flatpak rPx, @{bin}/getent rix, - @{bin}/p11-kit rix, + @{bin}/p11-kit rCx -> p11-kit, @{bin}/pkexec rCx -> pkexec, @{bin}/printenv rix, @{bin}/ps rPx, - @{lib}/p11-kit/p11-kit-remote rix, - @{lib}/p11-kit/p11-kit-server rix, /var/lib/flatpak/app/@{appid}/**/@{bin}/** rPx -> flatpak-session-helper-app, /var/lib/flatpak/app/@{appid}/**/@{lib}/** rPx -> flatpak-session-helper-app, @@ -48,19 +45,34 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected,mediate_d owner @{user_config_dirs}/mimeapps.list w, owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, - owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, - - owner @{PROC}/@{pids}/fd/ r, /dev/ptmx rw, - profile pkexec { + profile pkexec flags=(attach_disconnected,mediate_deleted) { include include include if exists } + profile p11-kit flags=(attach_disconnected,mediate_deleted) { + include + include + + signal receive set=term peer=flatpak-session-helper, + + @{bin}/p11-kit mr, + + @{lib}/p11-kit/p11-kit-remote ix, + @{lib}/p11-kit/p11-kit-server ix, + + owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, + + owner @{PROC}/@{pids}/fd/ r, + + include if exists + } + include if exists } From 2b62d7effbc7160fc5f6ce7f5430f12b5fe05c3c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 00:51:38 +0100 Subject: [PATCH 1070/1736] feat(abs): update core bus abstractions. --- apparmor.d/abstractions/bluetooth-control | 3 +- .../session/org.freedesktop.portal.Desktop | 25 +++++++---- .../bus/session/org.freedesktop.systemd1 | 5 +++ .../bus/session/org.gnome.Shell.Introspect | 9 +++- .../bus/session/org.gtk.vfs.MountTracker | 7 +++- apparmor.d/abstractions/bus/system/org.bluez | 7 +--- .../abstractions/bus/system/org.bluez.Device1 | 14 +++++++ .../bus/system/org.bluez.GattManager1 | 5 +++ .../bus/system/org.bluez.ProfileManager1 | 7 +--- .../bus/system/org.freedesktop.NetworkManager | 7 ++++ .../bus/system/org.freedesktop.PolicyKit1 | 16 +++++++- .../bus/system/org.freedesktop.RealtimeKit1 | 10 ++++- .../bus/system/org.freedesktop.UDisks2 | 41 ++++++++++++------- .../bus/system/org.freedesktop.UPower | 11 +++-- .../org.freedesktop.UPower.PowerProfiles | 16 ++++++++ .../bus/system/org.freedesktop.hostname1 | 7 +++- .../bus/system/org.freedesktop.login1 | 23 ++++++++++- .../bus/system/org.freedesktop.systemd1 | 18 ++++++-- apparmor.d/abstractions/screen-inhibit | 24 +++++++++++ 19 files changed, 205 insertions(+), 50 deletions(-) create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.Device1 diff --git a/apparmor.d/abstractions/bluetooth-control b/apparmor.d/abstractions/bluetooth-control index 2f5c9ae995..66fc5cb936 100644 --- a/apparmor.d/abstractions/bluetooth-control +++ b/apparmor.d/abstractions/bluetooth-control @@ -9,8 +9,9 @@ include - include + include include + include include dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop index abd818877c..557aacd183 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop @@ -4,18 +4,32 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + # DBus.Properties: read properties from the interface dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties - member=Read - peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + member=Get + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=Read + peer=(label=xdg-desktop-portal), + + # DBus.Properties: receive property changed events + + dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=xdg-desktop-portal), + + # portal.Settings + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} @@ -26,11 +40,6 @@ member=SettingChanged peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 index 0d9871c121..1fad42ab0f 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -42,6 +42,11 @@ member={GetUnit,GetUnitByPIDFD,ListUnitsByPatterns} peer=(label="@{p_systemd_user}"), + dbus receive bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={UnitNew,UnitRemoved} + peer=(label="@{p_systemd_user}"), + # Start units dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect index 887ce10cc7..852a880d57 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect @@ -4,7 +4,14 @@ abi , - #aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell + # DBus.Properties: read properties from the interface + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="@{busname},org.gnome.Shell.Introspect", label=gnome-shell), + + # Shell.Introspect dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index 8090039c7b..012f3cd6ab 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -22,10 +22,15 @@ member=ListMountableInfo peer=(name=@{busname}, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=MountLocation + peer=(name=@{busname}, label=gvfsd), + dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={Mounted,Unmounted} - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez index a3691961a4..32d99816ee 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez +++ b/apparmor.d/abstractions/bus/system/org.bluez @@ -28,12 +28,7 @@ dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label="@{p_bluetoothd}"), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/abstractions/bus/system/org.bluez.Device1 b/apparmor.d/abstractions/bus/system/org.bluez.Device1 new file mode 100644 index 0000000000..685ad2b3dd --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.Device1 @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=system path=/org/bluez/hci@{int}/ddev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2} + interface=org.bluez.Device1 + member=Disconnected + peer=(name=@{busname}, label=bluetoothd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.GattManager1 b/apparmor.d/abstractions/bus/system/org.bluez.GattManager1 index 8784dac366..b0e48a0bf2 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez.GattManager1 +++ b/apparmor.d/abstractions/bus/system/org.bluez.GattManager1 @@ -9,6 +9,11 @@ member=RegisterApplication peer=(name=@{busname}, label="@{p_bluetoothd}"), + dbus receive bus=system path=/midi/profile + interface=org.bluez.GattProfile1 + member=Release + peer=(name=@{busname}, label="@{p_bluetoothd}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 index dabe078578..a09d40a7ab 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 +++ b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 @@ -11,12 +11,7 @@ dbus receive bus=system path=/Profile/HFPAG interface=org.bluez.Profile1 - member=NewConnection - peer=(name=@{busname}, label="@{p_bluetoothd}"), - - dbus receive bus=system path=/Profile/HFPAG - interface=org.bluez.Profile1 - member=RequestDisconnection + member={NewConnection,RequestDisconnection,Release} peer=(name=@{busname}, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager index d47b6b040e..16961e28bc 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager @@ -48,6 +48,13 @@ member={InterfacesAdded,InterfacesRemoved} peer=(name=@{busname}, label=NetworkManager), + # DBus.Introspectable: allow clients to introspect the service + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=NetworkManager), + # NetworkManager dbus send bus=system path=/org/freedesktop/NetworkManager diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 index 32edc2e637..e9401e2b8a 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.PolicyKit1 @@ -6,7 +6,21 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + # DBus.Properties: read properties from the interface + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=polkitd), + + # DBus.Introspectable: allow clients to introspect the service + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=polkitd), + + # PolicyKit1.Authority dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 index 0425823b49..9f31cd7d98 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.RealtimeKit1 @@ -6,12 +6,20 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" + # DBus.Properties: read properties from the interface + + dbus send bus=system path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=rtkit-daemon), + dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.RealtimeKit1), + # RealtimeKit1 + dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriority,MakeThreadRealtime} diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 index 9a1d0a309b..2c9ceeaff9 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 @@ -4,37 +4,48 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd + # DBus.Properties: read properties from the interface + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Properties + member=Get + peer=(label=udisksd), + + dbus send bus=system path=/org/freedesktop/UDisks2/Manager + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label=udisksd), + + # DBus.ObjectManager: allow clients to enumerate sources dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(label=udisksd), + + dbus receive bus=system path=/org/freedesktop/UDisks2 + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(label=udisksd), + + # DBus.Introspectable: allow clients to introspect the service dbus send bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(label=udisksd), - dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} + dbus send bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(label=udisksd), - dbus receive bus=system path=/org/freedesktop/UDisks2 - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + # UDisks2.Job dbus receive bus=system path=/org/freedesktop/UDisks2/jobs/@{int} interface=org.freedesktop.UDisks2.Job member=Completed - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(label=udisksd), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower index b3257793bd..78baaf1b7e 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -11,19 +11,24 @@ dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=@{busname}, label="@{p_upowerd}"), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), dbus send bus=system path=/org/freedesktop/UPower/devices/** interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=@{busname}, label="@{p_upowerd}"), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), # DBus.Properties: receive property changed events + dbus receive bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), + dbus receive bus=system path=/org/freedesktop/UPower/devices/** interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(label="@{p_upowerd}"), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles index e28dbfd3cb..3fe054efde 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower.PowerProfiles @@ -4,11 +4,27 @@ abi , + # DBus.Properties: read properties from the interface + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=power-profiles-daemon), + + # UPower.PowerProfiles + + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.UPower.PowerProfiles + member=HoldProfile + peer=(name=@{busname}, label=power-profiles-daemon), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 index f2c670025d..6805e3c08b 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 @@ -4,13 +4,16 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" - dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.hostname1), + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.login1 b/apparmor.d/abstractions/bus/system/org.freedesktop.login1 index fdff1e09aa..8af3efeb1a 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.login1 @@ -6,7 +6,28 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + # DBus.Properties: read properties from the interface + + dbus send bus=system path=/org/freedesktop/login1{,/session/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_systemd_logind}"), + + # DBus.Introspectable: allow clients to introspect the service + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label="@{p_systemd_logind}"), + + # Inhibit system actions dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 index 156f24c796..f3bf50d2f9 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 @@ -14,20 +14,20 @@ member=Get peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=@{busname}, label="@{p_systemd_user}"), + peer=(name=@{busname}, label="@{p_systemd}"), dbus send bus=system path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties - member=GetAll + member={Get,GetAll} peer=(label="@{p_systemd}"), dbus send bus=system path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), # DBus.Properties: receive property changed events @@ -47,6 +47,11 @@ member={GetUnit,GetUnitByPIDFD,ListUnitsByPatterns} peer=(label="@{p_systemd}"), + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={UnitNew,UnitRemoved} + peer=(label="@{p_systemd}"), + # Start units dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager @@ -59,6 +64,11 @@ member={StopUnit,KillUnit,ResetFailedUnit,Reload,JobRemoved} peer=(label="@{p_systemd}"), + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={JobNew,JobRemoved} + peer=(label="@{p_systemd}"), + # Enabled/Disable units dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/abstractions/screen-inhibit b/apparmor.d/abstractions/screen-inhibit index 02189e1745..1b7368ff4a 100644 --- a/apparmor.d/abstractions/screen-inhibit +++ b/apparmor.d/abstractions/screen-inhibit @@ -7,6 +7,12 @@ abi , + # Allow listing bus names to check for screen saver presence and implementation + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + # Gnome Session, not using bus/session/org.gnome.SessionManager as it allows # full session management dbus send bus=session path=/org/gnome/SessionManager @@ -31,6 +37,24 @@ member={Inhibit,UnInhibit,SimulateUserActivity} peer=(name=@{busname}, label=gjs), + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Inhibit + peer=(name=org.freedesktop.login1, label=systemd-logind), + + # Login session manager + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Inhibit + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + # Receive shutdown & sleep notifications + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={PrepareForShutdown,PrepareForShutdownWithMetadata} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + include if exists # vim:syntax=apparmor From 2e970fe949c06cc8e5006566953d0e8dff5dc272 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 00:56:39 +0100 Subject: [PATCH 1071/1736] feat(profile): ensure ubuntu release upgrade do not fail. --- apparmor.d/groups/apt/apt-config | 2 -- apparmor.d/groups/apt/apt-systemd-daily | 1 + apparmor.d/groups/apt/deb-systemd-invoke | 3 ++- apparmor.d/groups/apt/debconf-frontend | 5 +--- apparmor.d/groups/apt/dpkg-maintscript-helper | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 10 ++++++- apparmor.d/groups/ubuntu/do-release-upgrade | 26 ++++++++++++++++++- apparmor.d/groups/ubuntu/fanctl | 2 ++ .../groups/ubuntu/update-motd-fsck-at-reboot | 3 +++ apparmor.d/groups/ubuntu/update-notifier | 3 +++ 10 files changed, 48 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 834bcbd8cf..fe04c176ac 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -17,8 +17,6 @@ profile apt-config @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{tmp}/tmp*/apt.conf r, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 4f0d4e36b2..4cae22cba2 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -67,6 +67,7 @@ profile apt-systemd-daily @{exec_path} { /var/cache/apt/archives/*.deb rw, /var/cache/apt/backup/ r, + @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 314c66ade5..244f3257c3 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -22,9 +22,10 @@ profile deb-systemd-invoke @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/sed rix, @{bin}/systemctl rix, #aa:lint ignore=transition @{bin}/systemd-tty-ask-password-agent Px, - @{bin}/dpkg Px -> child-dpkg, include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 0a7706fe15..501e6f290c 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -11,10 +11,7 @@ include profile debconf-frontend @{exec_path} flags=(complain) { include include - include - include - include - include + include capability dac_read_search, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index ed8073bb8b..ed7cb08a4e 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -30,6 +30,8 @@ profile dpkg-maintscript-helper @{exec_path} { /usr/share/dpkg/sh/* r, + /etc/**.dpkg-remove w, + profile dpkg { include include diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 339ed3c54e..ae392b9fb7 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -103,6 +103,11 @@ profile dpkg-scripts @{exec_path} { member=ReloadConfig peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.PackageKit + member=SuggestDaemonQuit + peer=(name=org.freedesktop.PackageKit, label=packagekitd), + include if exists } @@ -112,9 +117,11 @@ profile dpkg-scripts @{exec_path} { @{efi}/System.map-* r, + /var/lib/dpkg/triggers/* r, + @{lib}/modules/*/modules.* w, - @{sys}/module/compression r, + @{sys}/module/** r, include if exists } @@ -122,6 +129,7 @@ profile dpkg-scripts @{exec_path} { profile systemctl { include include + include capability net_admin, capability sys_ptrace, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index e9c4c9ab31..804f21133a 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/do-release-upgrade -profile do-release-upgrade @{exec_path} { +profile do-release-upgrade @{exec_path} flags=(attach_disconnected) { include include include @@ -15,7 +15,14 @@ profile do-release-upgrade @{exec_path} { include include + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, capability net_admin, + capability setgid, + capability setuid, network inet dgram, network inet6 dgram, @@ -28,6 +35,8 @@ profile do-release-upgrade @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, @{bin}/lsb_release rPx, + @{bin}/gpg rPx, + @{lib}/apt/methods/http{,s} rPx, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, @@ -44,9 +53,24 @@ profile do-release-upgrade @{exec_path} { /var/cache/apt/srcpkgcache.bin rw, /var/cache/apt/srcpkgcache.bin.@{rand6} rw, + /tmp/ubuntu-release-upgrader-@{rand8}/ rw, + /tmp/ubuntu-release-upgrader-@{rand8}/** rwlk, + /tmp/ubuntu-release-upgrader-@{rand8}/* Cx -> upgrader, + /tmp/@{rand8} rw, + @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, + profile upgrader flags=(attach_disconnected) { + include + + # The upgrader process is not confined on purpose. We explicitly allow + # everything to avoid transitioning to any other profile. + all, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index ef278da63f..6f08358ee5 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -10,6 +10,8 @@ include profile fanctl @{exec_path} flags=(attach_disconnected) { include + capability sys_admin, # optional: no audit + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index dac2252d33..6629e65aab 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-fsck-at-reboot profile update-motd-fsck-at-reboot @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, + mqueue getattr type=posix, + @{exec_path} mr, @{sbin}/dumpe2fs rPx, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 304cea6171..c6d9cbf73d 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -100,6 +100,9 @@ profile update-notifier @{exec_path} { include include + @{bin}/update-manager Px, + @{bin}/software-properties-gtk Px, + include if exists } From d70f9b285d353fffad977db65ff23ff18b399530 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 00:58:22 +0100 Subject: [PATCH 1072/1736] feat(profile): update some freedesktop profiles. --- apparmor.d/groups/freedesktop/accounts-daemon | 2 ++ apparmor.d/groups/freedesktop/colord | 3 +++ apparmor.d/groups/freedesktop/dconf | 1 + apparmor.d/groups/freedesktop/geoclue | 1 + apparmor.d/groups/freedesktop/iio-sensor-proxy | 2 ++ apparmor.d/groups/freedesktop/plymouthd | 4 +++- apparmor.d/groups/freedesktop/wireplumber | 4 +++- 7 files changed, 15 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index abbfec94b9..a03b557444 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -63,6 +63,8 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + @{att}@{run}/systemd/userdb/io.systemd.Machine rw, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/loginuid r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 593b6909f3..093260732f 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -34,6 +34,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/snmp/mibs/{,*} r, owner /var/lib/colord/.cache/ rw, @@ -48,6 +49,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{att}@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, @{att}@{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}@{run}/systemd/userdb/io.systemd.Machine rw, + @{run}/systemd/sessions/* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 20b453df4c..dfe8fd51dd 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -10,6 +10,7 @@ include profile dconf @{exec_path} flags=(attach_disconnected) { include include + include include capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 7d2cd82f41..bdaf2dfeb8 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -38,6 +38,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, @{run}/systemd/resolve/io.systemd.Resolve rw, + @{att}@{run}/systemd/resolve/io.systemd.Resolve rw, @{PROC}/@{pids}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index c5729286fa..2f88aef125 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/iio-sensor-proxy profile iio-sensor-proxy @{exec_path} flags=(attach_disconnected) { include + include + include capability net_admin, capability sys_admin, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index bfdce833b6..5dba7d689b 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -45,8 +45,9 @@ profile plymouthd @{exec_path} { /var/lib/plymouth/{,**} rw, /var/log/plymouth-*.log w, - @{run}/plymouth/{,**} rw, @{run}/initramfs/usr/share/fonts/{,**} r, + @{run}/plymouth/{,**} rw, + @{run}/systemd/fsck.progress w, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @@ -62,6 +63,7 @@ profile plymouthd @{exec_path} { @{PROC}/1/cmdline r, @{PROC}/cmdline r, + @{PROC}/consoles r, @{PROC}/sys/kernel/printk r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 21a655ac2c..bdf08e263b 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -50,7 +50,9 @@ profile wireplumber @{exec_path} flags=(attach_disconnected) { /usr/share/spa-*/bluez@{int}/{,*} r, /usr/share/wireplumber/{,**} r, - / r, + / r, + /att/**/ r, + owner @{att}/.flatpak-info r, owner @{desktop_local_dirs}/ w, owner @{desktop_state_dirs}/ w, From e8efe262fd689e4d7329e1bf3bcfa6604072cc40 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 01:01:33 +0100 Subject: [PATCH 1073/1736] feat(profile): update some gnome profiles. --- apparmor.d/groups/gnome/epiphany-search-provider | 2 ++ apparmor.d/groups/gnome/evolution-alarm-notify | 2 +- apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gdm-session-worker | 3 +++ apparmor.d/groups/gnome/gjs | 11 +++++++++-- apparmor.d/groups/gnome/gnome-calculator | 7 +++++++ apparmor.d/groups/gnome/gnome-characters | 4 ++++ .../groups/gnome/gnome-contacts-search-provider | 1 + apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 ++ apparmor.d/groups/gnome/gnome-session-ctl | 2 +- apparmor.d/groups/gnome/gnome-session-init-worker | 2 +- apparmor.d/groups/gnome/gnome-shell | 7 ++++++- apparmor.d/groups/gnome/gnome-software | 9 ++++++++- apparmor.d/groups/gnome/gnome-system-monitor | 1 + apparmor.d/groups/gnome/gnome-text-editor | 4 ++++ apparmor.d/groups/gnome/gsd-color | 5 ----- apparmor.d/groups/gnome/gsd-media-keys | 3 ++- apparmor.d/groups/gnome/gsd-power | 6 +----- apparmor.d/groups/gnome/kgx | 2 +- apparmor.d/groups/gnome/loupe | 6 +----- apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/gnome/ptyxis-agent | 8 +++++++- apparmor.d/groups/gnome/seahorse | 2 +- 24 files changed, 66 insertions(+), 27 deletions(-) diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index fe519d6d20..9be57db646 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -16,7 +16,9 @@ profile epiphany-search-provider @{exec_path} flags=(attach_disconnected) { include include include + include include + include include network inet dgram, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index b697c69e52..7614294c2f 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify -profile evolution-alarm-notify @{exec_path} { +profile evolution-alarm-notify @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 89994a52b3..a8d6a8e5b9 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -52,6 +52,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /etc/gdm{3,}/PrimeOff/Default rix, /usr/share/gdm{3,}/gdm.schemas r, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 63e3a4b3da..31f8fcba30 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -109,6 +109,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ w, + @{run}/systemd/io.systemd.Login rw, + @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, @@ -125,6 +127,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{run}/fscrypt/ rw, @{run}/fscrypt/@{uid}.count rwk, @{run}/motd.d/{,*} r, + @{run}/systemd/io.systemd.Login rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index c9dfab7c70..c990f03782 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -80,8 +80,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{gstreamer_path} Cx -> gstreamer, - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} Px, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} Px, /usr/share/gnome-shell/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, @@ -115,6 +115,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, @@ -124,6 +125,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { profile gstreamer { include + include include include include @@ -143,15 +145,20 @@ profile gjs @{exec_path} flags=(attach_disconnected) { peer=(name=@{busname}, label=gnome-shell), /usr/share/ladspa/rdf/{,**} r, + /usr/share/poppler/{,**} r, owner @{DESKTOP_HOME}/.nv/ w, owner @{DESKTOP_HOME}/.nv/ComputeCache/ w, + owner @{DESKTOP_HOME}/.nv/ComputeCache/** rwk, owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + /tmp/ r, + /var/tmp/ r, + @{sys}/devices/**/uevent r, @{PROC}/devices r, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 3cefedce12..f74c3480a9 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -23,10 +23,17 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Calculator + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label=NetworkManager), + @{exec_path} mr, @{open_path} rPx -> child-open-help, + /usr/share/p11-kit/modules/{,*} r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index aec780522e..1bda7289f5 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -16,6 +16,10 @@ profile gnome-characters @{exec_path} flags=(attach_disconnected) { include #aa:dbus own bus=session name=org.gnome.Characters + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListNames + peer=(label=dbus-system), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index ca739ef32b..c29f0fabaa 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnome-contacts-search-provider profile gnome-contacts-search-provider @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 610d33e07b..f8a09e1dbc 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-disk-image-mounter -profile gnome-disk-image-mounter @{exec_path} { +profile gnome-disk-image-mounter @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 2ef7bc3d17..41316ae8c2 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -78,12 +78,14 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{run}/user/@{uid}/app/*/.org.chromium.Chromium.@{rand6} r, + owner @{run}/user/@{uid}/gcr/ssh rw, owner @{run}/user/@{uid}/gsconnect/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index 74b6289440..a70a360c4b 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gnome-session-ctl -profile gnome-session-ctl @{exec_path} { +profile gnome-session-ctl @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker index eee2b0dd4d..005c60016d 100644 --- a/apparmor.d/groups/gnome/gnome-session-init-worker +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gnome-session-init-worker -profile gnome-session-init-worker @{exec_path} flags=(attach_disconnected) { +profile gnome-session-init-worker @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b71dc8e4ab..588efed7cb 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -144,7 +144,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Server side of abstractions/bus/session/org.freedesktop.Notifications dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications - member={ActionInvoked,NotificationClosed,NotificationReplied} + member={ActivationToken,ActionInvoked,NotificationClosed,NotificationReplied} peer=(name=org.freedesktop.DBus, label=gjs), # FIXME: I think gnome-shell is the owner of the notifications, it should then be @@ -367,6 +367,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @@ -388,6 +389,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness r, @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, @{sys}/devices/@{pci}/mem_info_vram_* r, @@ -410,6 +414,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/in@{int}_input r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 010d3be8ee..9594f71209 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -7,11 +7,12 @@ abi , include @{exec_path} = @{bin}/gnome-software -profile gnome-software @{exec_path} flags=(attach_disconnected) { +profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include include + include include include include @@ -35,6 +36,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software + #aa:dbus talk bus=system name=org.freedesktop.fwupd path=/ label=fwupd #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/{,**} label="@{p_packagekitd}" dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority @@ -42,6 +44,11 @@ profile gnome-software @{exec_path} flags=(attach_disconnected) { member=Changed peer=(name=@{busname}, label=polkitd), + dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper + interface=org.freedesktop.Flatpak.SystemHelper + member=DeployAppstream + peer=(label=flatpak-system-helper), + @{exec_path} mr, @{bin}/baobab rPUx, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 9d2afc34c7..b270772327 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -32,6 +32,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/lsblk rPx, @{bin}/pkexec rCx -> pkexec, + @{bin}/lscpu rPx, @{bin}/sed rix, @{bin}/tr rix, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index e9b87e4e80..6fee553228 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -24,8 +24,12 @@ profile gnome-text-editor @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-help, + owner @{HOME}/.goutputstream-@{rand6} rw, + owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{PROC}/@{pid}/mountinfo r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 8f79ba974f..7b39b6bcbb 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -26,11 +26,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), - @{exec_path} mr, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 1d010d7779..dd93470fc7 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -11,9 +11,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include + include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 30bdf62997..68b6496d30 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -11,6 +11,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -39,11 +40,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { member=GetBrightness peer=(name=@{busname}, label="@{p_upowerd}"), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), - dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=Suspend diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index 621a93ebec..f11dc42e1f 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/kgx -profile kgx @{exec_path} { +profile kgx @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 975d4e4f69..ef18da6428 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -10,6 +10,7 @@ include profile loupe @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -23,11 +24,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=@{p_systemd_hostnamed}), - @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 6e5860d75f..69e4d4d55c 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -11,6 +11,7 @@ profile papers @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 58e5593a77..1278555f62 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -10,6 +10,7 @@ include profile ptyxis-agent @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -29,9 +30,14 @@ profile ptyxis-agent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/podman Px, + @{bin}/podman PUx, @{bin}/systemd-run Cx -> shell, + owner @{user_config_dirs}/gnome-xdg-terminals.list rw, + owner @{user_config_dirs}/gnome-xdg-terminals.list.@{rand6} rw, + owner @{user_config_dirs}/xdg-terminals.list rw, + owner @{user_config_dirs}/xdg-terminals.list.@{rand6} rw, + owner @{user_share_dirs}/containers/ w, owner @{user_share_dirs}/containers/storage/ w, owner @{user_share_dirs}/containers/storage/overlay-containers/ w, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 7583243c05..9946290f7b 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/seahorse -profile seahorse @{exec_path} { +profile seahorse @{exec_path} flags=(attach_disconnected) { include include include From 98ae469cdb5e3166f51b4035690fdc2fc208c417 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 01:05:40 +0100 Subject: [PATCH 1074/1736] feat(profile): ensure system upgrade do not break. --- apparmor.d/abstractions/python.d/complete | 5 +++-- apparmor.d/profiles-a-f/dracut-install | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-g-l/glib-compile-schemas | 1 + apparmor.d/profiles-g-l/gsettings | 2 ++ apparmor.d/profiles-g-l/install-info | 3 ++- apparmor.d/profiles-m-r/initramfs-hooks | 16 +++++++++------- apparmor.d/profiles-m-r/initramfs-scripts | 2 ++ apparmor.d/profiles-m-r/mkinitramfs | 1 + apparmor.d/profiles-m-r/pycompile | 2 ++ apparmor.d/profiles-s-z/ucf | 6 ++++++ apparmor.d/profiles-s-z/ucfq | 1 + apparmor.d/profiles-s-z/update-ca-certificates | 10 +++++++++- 13 files changed, 40 insertions(+), 12 deletions(-) diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index 6d24e9b41a..afd2303f7e 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -12,11 +12,12 @@ owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r, owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr, + owner @{user_lib_dirs}/@{python_name}/**/entry_points.txt r, #aa:only apparmor>=4.1 # Normal python run do not need to update pycache files. It is done by pycompile. - deny @{lib}/@{python_name}/{,**/}__pycache__/ w, - deny @{lib}/@{python_name}/{,**/}__pycache__/**.pyc.@{u64} w, + audit @{lib}/@{python_name}/{,**/}__pycache__/ w, + audit @{lib}/@{python_name}/{,**/}__pycache__/**.pyc.@{u64} w, #aa:only test owner /tmp/pytest-of-user/ rw, diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 10499e3152..11a1c62efa 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -20,7 +20,7 @@ profile dracut-install @{exec_path} { / r, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, - /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, + /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} rw, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* rw, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 66368a050f..948514f934 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -34,6 +34,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { @{bin}/dbus-launch Cx -> bus, @{bin}/pkttyagent Px, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/terminfo/** r, /etc/inputrc r, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 9a5f24a081..f1dfb68ce5 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -24,6 +24,7 @@ profile glib-compile-schemas @{exec_path} { /usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/ r, + owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/*.gschema.xml r, owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/gschemas.compiled rw, owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/gschemas.compiled.@{rand6} rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index b60c2ff66e..1a0bd30425 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -21,6 +21,8 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { # file_inherit deny network netlink raw, + deny unix (send receive) type=seqpacket, + deny unix (send receive) type=stream, deny /etc/nsswitch.conf r, deny /etc/passwd r, deny /opt/*/** r, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index f155339b18..98dd33470c 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/install-info -profile install-info @{exec_path} { +profile install-info @{exec_path} flags=(attach_disconnected) { include include @@ -27,6 +27,7 @@ profile install-info @{exec_path} { # Inherit silencer deny network inet6 stream, deny network inet stream, + deny unix (send receive) type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 2d703c0300..6c79612205 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -71,13 +71,14 @@ profile initramfs-hooks @{exec_path} { owner /var/tmp/mkinitramfs-EFW_@{rand10} rw, owner /var/tmp/mkinitramfs-EFW_@{rand10}/{,**} rwl, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, - + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + /tmp/tmp.@{rand10}/modules_@{rand6} rw, + + @{sys}/bus/platform/drivers/simple-framebuffer/ r, @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/ r, @@ -93,6 +94,7 @@ profile initramfs-hooks @{exec_path} { @{sys}/module/firmware_class/parameters/path r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 1ef4336ab8..7db940cedf 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -39,6 +39,8 @@ profile initramfs-scripts @{exec_path} { /var/tmp/modules_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + profile ldd { include include diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 8996ef0957..1728c75b65 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -127,6 +127,7 @@ profile mkinitramfs @{exec_path} { @{sys}/module/firmware_class/parameters/path r, @{sys}/bus/platform/drivers/simple-framebuffer/ r, + @{sys}/fs/cgroup/system.slice/*.service/cpu.max r, @{sys}/fs/cgroup/system.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index abcd8933f0..6f9607e5a2 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -26,6 +26,8 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { priority=1 @{lib}/**/__pycache__/*.pyc rw, priority=1 @{lib}/**/__pycache__/*.pyc.* rw, + /usr/share/**/ r, + /usr/share/**/__pycache__/ rw, /usr/share/**/__pycache__/*.pyc rw, /usr/share/**/__pycache__/*.pyc.* rw, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index e5875a7947..fa216a1a47 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -14,6 +14,8 @@ profile ucf @{exec_path} { include include + capability dac_read_search, + @{exec_path} rix, @{sh_path} rix, @@ -55,6 +57,10 @@ profile ucf @{exec_path} { owner /var/lib/ucf/** rw, + /tmp/@{rand10} r, + /tmp/grub.@{rand10} r, + /tmp/tmp.@{rand10} r, + @{PROC}/@{pid}/mountinfo r, deny capability sys_admin, # optional: no audit diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq index b6ca3e7b1c..bf65d66d0a 100644 --- a/apparmor.d/profiles-s-z/ucfq +++ b/apparmor.d/profiles-s-z/ucfq @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/ucfq profile ucfq @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index df9c08fe44..d1cbf70a9f 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -19,21 +19,23 @@ profile update-ca-certificates @{exec_path} { @{bin}/basename rix, @{bin}/cat rix, @{bin}/chmod rix, + @{bin}/dpkg-trigger rPx, @{bin}/find rix, @{bin}/flock rix, @{bin}/install rix, @{bin}/ln rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/openssl rix, @{bin}/readlink rix, @{bin}/rm rix, + @{bin}/run-parts rix, @{bin}/sed rix, @{bin}/sort rix, @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, - @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, @@ -48,9 +50,15 @@ profile update-ca-certificates @{exec_path} { /etc/ssl/certs/*.pem rw, /etc/ssl/certs/@{hex}.@{d} rw, + /var/ r, + /var/lib/ r, + /var/lib/ca-certificates/ rwk, /var/lib/ca-certificates/** rw, + /var/lib/ca-certificates-java/ rwk, + /var/lib/ca-certificates-java/** rw, + / r, /tmp/ r, From 2c2a7e0aff947efcb7ad20d81ee4ba6df4a3c232 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 01:07:42 +0100 Subject: [PATCH 1075/1736] feat(abs): update apparmor.d special requirement in the base completion file. --- apparmor.d/abstractions/base.d/complete | 37 +++++++++++++++---------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 71ac1cd3ad..311d51d0e7 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -3,33 +3,40 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Profiles in apparmor.d now use base-strict. Therefore, these additions to + # the base abstraction are only needed for other profiles in order to integrate + # them with apparmor.d + + include + include include #aa:only test - # Systemd: allow to receive any signal from the systemd profiles stack + # Systemd: allow to receive any signal from the systemd profiles signal receive peer=@{p_systemd}, signal receive peer=@{p_systemd_user}, - # Allow to receive some signals from new well-known profiles + # Htop like programs can send any signals to any processes signal receive peer=btop, signal receive peer=htop, signal receive peer=pkill, - signal receive peer=sudo, signal receive peer=top, - signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, - signal receive set=(hup term) peer=login, - signal receive set=(hup) peer=xinit, - signal receive set=(term,kill) peer=gnome-shell, - signal receive set=(term,kill) peer=gnome-system-monitor, - signal receive set=(term,kill) peer=openbox, - signal receive set=(term,kill) peer=su, + signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, - ptrace readby peer=@{p_systemd_coredump}, - - @{etc_rw}/localtime r, - /etc/locale.conf r, + # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd + signal receive peer=su, + signal receive peer=sudo, + signal receive set=(cont,term,kill,stop) peer=gnome-shell, + signal receive set=(cont,term,kill,stop) peer=login, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(cont,term,kill,stop) peer=xinit, - @{sys}/devices/system/cpu/possible r, + # When apparmor re-attaches disconnected path using /, + /systemd/journal/dev-log w, + /systemd/journal/socket w, + /systemd/journal/stdout rw, + /systemd/notify w, + # Controls how core dump files are named @{PROC}/sys/kernel/core_pattern r, /apparmor/.null rw, From 6044955092353ed64ac79eacc46a1c72674738ed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 01:08:48 +0100 Subject: [PATCH 1076/1736] test(abs): simplify the list of allowed tests directories. --- apparmor.d/abstractions/tests | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/tests b/apparmor.d/abstractions/tests index 73d58426e5..0de2e594db 100644 --- a/apparmor.d/abstractions/tests +++ b/apparmor.d/abstractions/tests @@ -19,9 +19,7 @@ owner /m-a/{,**} rwlk, - owner /test-dir/{,**} rw, - owner /test-path/{,**} rw, - owner /test-symlink/{,**} rw, + owner /test-*/{,**} rw, owner /test/{,**} rw, owner /trigger{,s}/{,**} rw, From 91edead029676a8b8eb7da5691305845e9f5f755 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 01:17:41 +0100 Subject: [PATCH 1077/1736] feat(abs): add net.hadess.SensorProxy --- .../bus/system/net.hadess.SensorProxy | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 apparmor.d/abstractions/bus/system/net.hadess.SensorProxy diff --git a/apparmor.d/abstractions/bus/system/net.hadess.SensorProxy b/apparmor.d/abstractions/bus/system/net.hadess.SensorProxy new file mode 100644 index 0000000000..baf0635afa --- /dev/null +++ b/apparmor.d/abstractions/bus/system/net.hadess.SensorProxy @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # DBus.Properties: read properties from the interface + + dbus send bus=system path=/net/hadess/SensorProxy + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=iio-sensor-proxy), + + include if exists + +# vim:syntax=apparmor From e3be2b8a07a96960015501958e54380cbca4e5ab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 22:10:17 +0100 Subject: [PATCH 1078/1736] feat(profile): various improvment and fixes. --- apparmor.d/abstractions/base-strict | 9 +++---- apparmor.d/abstractions/gstreamer | 1 + apparmor.d/groups/apt/dpkg-scripts | 3 ++- apparmor.d/groups/bluetooth/blueman | 2 ++ apparmor.d/groups/bluetooth/obexd | 3 ++- apparmor.d/groups/browsers/msedge | 2 +- apparmor.d/groups/browsers/opera | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 10 ++------ apparmor.d/groups/gpg/gpg | 4 +++- apparmor.d/groups/gpg/gpg-agent | 1 + apparmor.d/groups/gpg/keyboxd | 2 ++ apparmor.d/groups/grub/grub-check-signatures | 24 +++++++++++++++++-- apparmor.d/groups/grub/grub-multi-install | 5 ++++ apparmor.d/groups/gvfs/gvfsd-dav | 4 +++- apparmor.d/groups/gvfs/gvfsd-http | 3 ++- apparmor.d/groups/network/ModemManager | 2 ++ apparmor.d/groups/network/NetworkManager | 6 ++--- apparmor.d/groups/network/wg-quick | 20 ++++++++++++---- apparmor.d/groups/polkit/polkitd | 2 ++ apparmor.d/groups/procps/htop | 1 + .../systemd-generator-friendly-recovery | 1 + .../systemd-generator-fstab | 2 ++ .../systemd-generator-getty | 2 ++ apparmor.d/groups/systemd/hostnamectl | 5 +--- apparmor.d/groups/systemd/networkctl | 1 + apparmor.d/groups/systemd/resolvectl | 1 - apparmor.d/groups/systemd/systemd-analyze | 3 ++- apparmor.d/groups/systemd/systemd-shutdown | 13 +++++++--- .../groups/systemd/systemd-stdio-bridge | 7 ++++++ apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/utils/swapon | 2 ++ apparmor.d/groups/utils/who | 3 ++- apparmor.d/groups/virt/cockpit-session | 13 ++++++++++ apparmor.d/groups/virt/dockerd | 2 ++ apparmor.d/profiles-a-f/browserpass | 2 ++ 35 files changed, 126 insertions(+), 38 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 92440051ac..a504d92b1d 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -71,7 +71,8 @@ # Allow us to create and use abstract and anonymous sockets unix peer=(label=@{profile_name}), - # Allow unconfined processes to us via unix sockets + #aa:exclude RBAC + # Allow unconfined processes to communicate with us via unix sockets unix receive peer=(label=unconfined), # Allow communication to children and stacked profiles @@ -94,9 +95,6 @@ # Some applications will display license information /usr/share/common-licenses/** r, - # Transparent hugepage support - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - # Systemd's notification write only socket @{run}/systemd/notify w, @@ -111,6 +109,9 @@ # anything when reading so this is ok. @{run}/systemd/journal/stdout rw, + # Transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + # Allow determining the highest valid capability of the running kernel @{PROC}/sys/kernel/cap_last_cap r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 4fbd7600f9..93eb1dc4b3 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -18,6 +18,7 @@ /etc/openni2/OpenNI.ini r, + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index ae392b9fb7..a94fc69505 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -86,6 +86,7 @@ profile dpkg-scripts @{exec_path} { /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + /tmp/tmp.@{rand10}/ rw, /tmp/updateppds.@{rand6} rw, @{PROC}/@{pid}/fd/ r, @@ -106,7 +107,7 @@ profile dpkg-scripts @{exec_path} { dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.PackageKit member=SuggestDaemonQuit - peer=(name=org.freedesktop.PackageKit, label=packagekitd), + peer=(name=org.freedesktop.PackageKit), include if exists } diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 91549cf892..ccec1ec95e 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,7 +11,9 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include + include include + include include include include diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index ef3d5b20a4..032394af62 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -8,10 +8,11 @@ abi , include @{exec_path} = @{lib}/bluetooth/obexd -profile obexd @{exec_path} { +profile obexd @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index f616df6c69..0c9af6d42e 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/microsoft-edge{,-beta,-dev} @{exec_path} = @{lib_dirs}/@{name} -profile msedge @{exec_path} { +profile msedge @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 54cc054817..4f17e2138d 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile opera @{exec_path} { +profile opera @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 6b9b12d717..f643288f76 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -25,15 +26,10 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3 - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @@ -42,8 +38,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - /dev/tty@{u8} rw, - include if exists } diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index a255a3cd4f..40746cf83e 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -73,11 +73,13 @@ profile gpg @{exec_path} { /tmp/ubuntu-release-upgrader-@{rand8}/*.tar.gz rw, /tmp/ubuntu-release-upgrader-@{rand8}/*.tar.gz.gpg rw, - owner /tmp/@{int}@{int} rw, + owner @{tmp}/@{int}@{int} rw, + owner @{tmp}/.git_vtag_tmp@{rand6} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent rw, owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + owner @{run}/user/@{uid}/gnupg/S.keyboxd rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index dea6df8427..bb1eb75cbc 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -49,6 +49,7 @@ profile gpg-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/*.conf r, owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd index b5d224d85f..3eb23ee782 100644 --- a/apparmor.d/groups/gpg/keyboxd +++ b/apparmor.d/groups/gpg/keyboxd @@ -18,6 +18,8 @@ profile keyboxd @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/public-keys.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/public-keys.d/* rwlk, + owner @{run}/user/@{uid}/gnupg/S.keyboxd rw, + owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index f09ba540dd..7a4d38e220 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -13,11 +13,31 @@ profile grub-check-signatures @{exec_path} { @{exec_path} mr, + @{bin}/{,e}grep ix, @{bin}/{m,g,}awk ix, + @{bin}/cp ix, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/find ix, + @{bin}/gzip ix, + @{bin}/ls ix, @{bin}/mktemp ix, + @{bin}/mokutil ix, @{bin}/od ix, - - owner @{tmp}/tmp.@{rand10}/ rw, + @{bin}/openssl ix, + @{bin}/rm ix, + @{bin}/sbattach ix, + @{bin}/sbverify ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/uname ix, + @{bin}/wc ix, + @{bin}/zcat ix, + + / r, + @{efi}/ r, + + @{tmp}/tmp.@{rand10} rw, + @{tmp}/tmp.@{rand10}/{,**} rw, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index d900ec2f6f..68c4b07791 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -19,11 +19,16 @@ profile grub-multi-install @{exec_path} { @{bin}/cat rix, @{bin}/cut rix, @{bin}/dpkg-query rpx, + @{bin}/expr rix, + @{bin}/grub-mkrelpath rPx, @{bin}/readlink rix, @{bin}/sed rix, @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, + /usr/share/debconf/frontend rix, @{lib}/terminfo/x/xterm-256color r, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 29b2f44694..3417afae7b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -11,14 +11,16 @@ include profile gvfsd-dav @{exec_path} flags=(attach_disconnected) { include include - include + include include include + include include include include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2d74d03fe4..af13058631 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -10,13 +10,14 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-http profile gvfsd-http @{exec_path} { include - include include + include include include include include include + include include include diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index a11df44320..47266983ea 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -26,6 +26,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index ebb901df11..9b34d13437 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -78,13 +78,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), + peer=(name=@{busname}), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} peer=(name=org.freedesktop.DBus), - dbus receive bus=system path=/ + dbus receive bus=system path=/{,org/freedesktop} interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=cockpit-bridge), @@ -135,7 +135,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /var/lib/NetworkManager/{,**} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/resolve/io.systemd.Resolve rw, + @{att}@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/netplan/ r, @{run}/network/ifstate r, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 33de681479..eaf2b3b050 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -18,33 +18,45 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.resolve1.Manager + member={SetLinkDNSEx,SetLinkDomains} + peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), + @{exec_path} mr, @{sh_path} rix, @{bin}/cat rix, @{bin}/ip rPx, @{bin}/mv rix, - @{sbin}/nft rix, @{bin}/readlink rix, - @{sbin}/resolvconf rPx, @{bin}/resolvectl rPx, @{bin}/rm rix, @{bin}/sort rix, @{bin}/stat rix, @{bin}/sync rix, - @{sbin}/sysctl rCx -> sysctl, @{bin}/wg rPx, + @{sbin}/nft rix, + @{sbin}/resolvconf rPx, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-nft-multi rix, + /usr/share/iproute2/group r, + /usr/share/iproute2/rt_realms r, /usr/share/terminfo/** r, + @{etc_rw}/wireguard/{,**} rw, /etc/iproute2/group r, /etc/iproute2/rt_realms r, /etc/resolvconf/interface-order r, - /etc/wireguard/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, @{sys}/module/wireguard r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/net/ip_tables_names r, profile sysctl flags=(attach_disconnected) { diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 5a888a28f2..8cd7964bca 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -59,7 +59,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Home rw, + @{att}@{run}/systemd/userdb/io.systemd.Machine rw, @{att}@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{att}@{run}/systemd/userdb/org.gnome.DisplayManager rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index bcbb89d2b0..7b2d564cee 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -143,6 +143,7 @@ profile htop @{exec_path} flags=(attach_disconnected) { deny ptrace read, # Asked when run as root, but not needed + deny capability net_admin, deny capability perfmon, deny capability sys_admin, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery index f2f6554e6c..ad49627122 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery +++ b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery @@ -16,6 +16,7 @@ profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnec @{sh_path} rix, @{bin}/cat rix, + @{bin}/ln rix, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab index 44a3f8db48..5dcc4cb5be 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-fstab +++ b/apparmor.d/groups/systemd-generators/systemd-generator-fstab @@ -25,6 +25,8 @@ profile systemd-generator-fstab @{exec_path} { @{PROC}/@{pid}/cgroup r, + priority=10 @{PROC}/1/environ r, + include if exists } diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty index b55268a00a..5169b3b62c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-getty +++ b/apparmor.d/groups/systemd-generators/systemd-generator-getty @@ -28,6 +28,8 @@ profile systemd-generator-getty @{exec_path} flags=(attach_disconnected) { owner /dev/hvc@{int} rw, owner /dev/ttyS@{int} rw, + priority=10 @{PROC}/1/environ r, + include if exists } diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 7f4fe69423..4016ecf0ed 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -10,16 +10,13 @@ include profile hostnamectl @{exec_path} { include include + include include include capability net_admin, #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.hostname1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 6dceb62e47..d09f2a1eb5 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -51,6 +51,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + @{run}/systemd/netif/io.systemd.Network rw, @{att}@{run}/systemd/netif/io.systemd.Network rw, @{run}/systemd/netif/links/ r, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 3013d8ae69..9644369ca6 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -28,7 +28,6 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" dbus send bus=system path=/org/freedesktop/network1 interface=org.freedesktop.network1.Manager - member=SetLinkDNSEx peer=(name=org.freedesktop.network1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 787ccaa763..f3a36fb6d9 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -11,8 +11,9 @@ include profile systemd-analyze @{exec_path} flags=(attach_disconnected) { include include - include + include include + include capability sys_resource, capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index e9887c0cb4..6eb4d6256b 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -8,26 +8,33 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-shutdown -profile systemd-shutdown @{exec_path} { +profile systemd-shutdown @{exec_path} flags=(attach_disconnected) { include include + capability ipc_lock, capability kill, + capability sys_admin, capability sys_boot, capability sys_ptrace, capability sys_resource, mount options=(rw rprivate) -> /, + ptrace read, + signal (send) set=(stop, cont, term, kill), signal (receive) set=(rtmin+23) peer=plymouthd, @{exec_path} mr, @{PROC}/ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/sys/kernel/core_pattern w, owner @{PROC}/sys/kernel/printk rw, diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge index 5f3bc2e364..93421eb8ad 100644 --- a/apparmor.d/groups/systemd/systemd-stdio-bridge +++ b/apparmor.d/groups/systemd/systemd-stdio-bridge @@ -9,11 +9,18 @@ include @{exec_path} = @{bin}/systemd-stdio-bridge profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) { include + include + include include include signal send set=term peer=@{p_systemd}, + unix bind type=stream addr=@@{udbus}/bus/systemd-stdio-b/, + unix bind type=stream addr=@@{udbus}/bus/systemd-stdio-b/session, + + unix type=stream peer=(label=do-release-upgrade//upgrader), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 14695e187f..d670f5c95b 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -108,6 +108,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/*.link rw, @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, + @{run}/u-d-c-card@{int}-is-simpledrm w, @{att}@{run}/udev/control rw, diff --git a/apparmor.d/groups/utils/swapon b/apparmor.d/groups/utils/swapon index 9fa038ec5e..f741de7028 100644 --- a/apparmor.d/groups/utils/swapon +++ b/apparmor.d/groups/utils/swapon @@ -13,6 +13,7 @@ profile swapon @{exec_path} { include capability sys_admin, + capability sys_resource, @{exec_path} mr, @@ -23,6 +24,7 @@ profile swapon @{exec_path} { owner /swapfile rw, @{PROC}/swaps r, + @{PROC}/@{pid}/oom_score_adj w, /dev/pts/@{u16} rw, diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index ce251ce813..8c1b6afaad 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -30,7 +30,8 @@ profile who @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, - deny /dev/tty@{u8} rw, + deny /dev/pts/@{u16} rw, + deny /dev/tty/@{u8} rw, include if exists } diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index d0c5d86fc1..ec85b0230c 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -24,6 +24,18 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal send set=term peer=ssh-agent, + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=CreateSessionWithPIDFD + peer=(name=org.freedesktop.login1, label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=ReleaseSession + peer=(name=org.freedesktop.login1, label=systemd-logind), + @{exec_path} mr, @{shells_path} rix, @@ -64,6 +76,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { profile ssh-add flags=(attach_disconnected) { include + include @{bin}/ssh-add mr, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 84d86bbece..a4f42d4812 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -99,6 +99,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { /tmp/containerd-mount@{int}/{,**} rw, @{run}/containerd/containerd.sock rw, + @{run}/docker.sock rw, owner @{run}/docker.pid rw, owner @{run}/docker/ rw, owner @{run}/docker/** rwlk, @@ -138,6 +139,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { profile nft flags=(attach_disconnected) { include + include capability net_admin, capability net_raw, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index c896e96f8c..9fada32ef7 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -55,6 +55,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/*-store/ rw, owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + include if exists } From 05c4c511ce3d2fcee13bcdf95c62849315a5a1b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 22:11:28 +0100 Subject: [PATCH 1079/1736] feat(tunable): update ubus, add devtools. --- apparmor.d/tunables/multiarch.d/programs | 4 ++++ apparmor.d/tunables/multiarch.d/system | 3 +++ 2 files changed, 7 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index e53523b87f..58239b310f 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -25,6 +25,10 @@ @{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep @{coreutils} += sort split stat stdbuf stty sum tac tail tee test timeout touch tr true @{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes +@{coreutils} += which{,.debianutils} + +# Various development tools +@{devtools} = go{,-*} gem cargo npm just pip # Python interpreters @{python_version} = 3 3.[0-9] 3.1[0-9] diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index e07be7f2c0..2815eadb50 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -38,6 +38,9 @@ # Unix dbus address prefix @{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} +# dbus-broker special addresses +@{udbus}+=@{int12}@{int} + # Universally unique identifier @{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12} From e3794aa052cdcfe7acffd0aa1ca19e0ee8482fca Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 22:15:08 +0100 Subject: [PATCH 1080/1736] feat(profile): update arch profiles. --- apparmor.d/groups/pacman/archlinux-keyring-wkd-sync | 3 +++ apparmor.d/groups/pacman/pacman | 1 + apparmor.d/groups/pacman/pacman-hook-gtk | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index ef2bb438de..cc452e1ed3 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -33,6 +33,9 @@ profile archlinux-keyring-wkd-sync @{exec_path} flags=(attach_disconnected) { /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /etc/pacman.d/mirrorlist r, + @{att}/etc/pacman.d/gnupg/S.dirmngr rw, + @{att}/etc/pacman.d/gnupg/S.gpg-agent rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ad23ea8c4e..14a00b4ea0 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -202,6 +202,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include include + include @{bin}/gdbus rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index 53e1d644a7..d39efb3eab 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/libalpm/scripts/gtk-update-icon-cache -profile pacman-hook-gtk @{exec_path} { +profile pacman-hook-gtk @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, From e7dbd7ac4a925abf07a3ad3d7666763de650ec3f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Nov 2025 22:21:48 +0100 Subject: [PATCH 1081/1736] feat(aa-log): ensure dev logic is never loaded on release build. --- cmd/aa-log/main.go | 9 ++++----- cmd/aa-log/timing_dev.go | 5 ++++- cmd/aa-log/timing_release.go | 5 ++++- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index f90d982e32..84d9e33eea 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -11,7 +11,6 @@ import ( "os" "slices" "strings" - "time" "github.com/roddhjav/apparmor.d/pkg/logs" ) @@ -58,7 +57,7 @@ func aaLog(logger string, path string, profile string, namespace string) error { var err error var file io.Reader - start := time.Now() + start := timeNow() switch logger { case "auditd": file, err = logs.GetAuditLogs(path) @@ -70,7 +69,7 @@ func aaLog(logger string, path string, profile string, namespace string) error { if err != nil { return err } - endRead := time.Now() + endRead := timeNow() if raw { fmt.Print(strings.Join(logs.GetApparmorLogs(file, profile, namespace), "\n") + "\n") @@ -84,7 +83,7 @@ func aaLog(logger string, path string, profile string, namespace string) error { aaLogs = logs.New(file, profile, namespace) } - endParse := time.Now() + endParse := timeNow() if rules { profiles := aaLogs.ParseToProfiles() for _, p := range profiles { @@ -97,7 +96,7 @@ func aaLog(logger string, path string, profile string, namespace string) error { fmt.Print(aaLogs.String()) } if withTime { - printTiming(start, endRead, endParse, time.Now()) + printTiming(start, endRead, endParse, timeNow()) } return nil } diff --git a/cmd/aa-log/timing_dev.go b/cmd/aa-log/timing_dev.go index b2200ce3f7..1e1a753860 100644 --- a/cmd/aa-log/timing_dev.go +++ b/cmd/aa-log/timing_dev.go @@ -1,5 +1,4 @@ //go:build dev -// +build dev package main @@ -10,6 +9,10 @@ import ( const withTime = true +func timeNow() time.Time { + return time.Now() +} + func printTiming(start, endRead, endParse, end time.Time) { printDuration := func(d time.Duration) string { if d >= time.Minute { diff --git a/cmd/aa-log/timing_release.go b/cmd/aa-log/timing_release.go index d483cf5f68..d768c4188a 100644 --- a/cmd/aa-log/timing_release.go +++ b/cmd/aa-log/timing_release.go @@ -1,5 +1,4 @@ //go:build !dev -// +build !dev package main @@ -7,4 +6,8 @@ import "time" const withTime = false +func timeNow() time.Time { + return time.Time{} +} + func printTiming(start, endRead, endParse, end time.Time) {} From c87f2143e3e144a9419c7baa714661e483e720a4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 26 Nov 2025 20:52:53 +0100 Subject: [PATCH 1082/1736] fix(abs): ensure attached abs get replaced in app/flatpak fix #940 --- apparmor.d/abstractions/app/flatpak | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 4b14721697..90ffeae76c 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -27,6 +27,8 @@ # flatpak, and are therefore different to they host equivalents, as flatpak apps # do not have access to the full host filesystem. +# attach_disconnected: tweak the build system to replace attached abstractiosn + abi , include From 7ce8f0fdf86d1ec8e7d2e80d8751ee1e206b17db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 26 Nov 2025 20:55:11 +0100 Subject: [PATCH 1083/1736] build: add support for a new namespace directory of profiles. --- pkg/prebuild/builder/attach.go | 10 +++++++++- pkg/prebuild/prepare/merge.go | 24 ++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index b03fba7ce1..c44fb793ac 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -44,7 +44,15 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { if strings.Contains(profile, "attach_disconnected") { if opt.Kind == aa.ProfileKind { - insert = "@{att} = /att/" + opt.Name + "/\n" + if strings.Contains(opt.Name, ":") { + parts := strings.Split(opt.Name, ":") + if len(parts) != 3 { + return profile, fmt.Errorf("attach: invalid namespaced profile name: %s", opt.Name) + } + insert = "@{att} = /att/" + parts[1] + "/\n" + } else { + insert = "@{att} = /att/" + opt.Name + "/\n" + } } profile = strings.ReplaceAll(profile, "attach_disconnected", diff --git a/pkg/prebuild/prepare/merge.go b/pkg/prebuild/prepare/merge.go index d2c7200035..9443e500ec 100644 --- a/pkg/prebuild/prepare/merge.go +++ b/pkg/prebuild/prepare/merge.go @@ -57,5 +57,29 @@ func (p Merge) Apply() ([]string, error) { } idx = idx + 2 } + + // Namespaces directory + nsRoot := prebuild.RootApparmord.Join("namespaces") + dirs, err := nsRoot.ReadDir(paths.FilterDirectories()) + if err != nil { + return res, err + } + for _, dir := range dirs { + nsName := dir.Base() + files, err := dir.ReadDir(paths.FilterOutDirectories()) + if err != nil { + return res, err + } + for _, file := range files { + destPath := prebuild.RootApparmord.Join(":" + nsName + ":" + file.Base()) + err := os.Rename(file.String(), destPath.String()) + if err != nil { + return res, err + } + } + } + if err := nsRoot.RemoveAll(); err != nil { + return res, err + } return res, nil } From df5c90deac31737a2e8e0ca1d41229ba231d96a4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 13:15:47 +0100 Subject: [PATCH 1084/1736] build: ensure just pkg use the build.sh script. fix #944 --- Justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 19b08f3281..39a6413bac 100644 --- a/Justfile +++ b/Justfile @@ -216,7 +216,7 @@ dev +names: # Build & install apparmor.d on Arch based systems [group('packages')] pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm + @bash dists/build.sh pkg # Build & install apparmor.d on Debian based systems [group('packages')] From 520f79c59cb9b49a87c9e4efe309bf325282066d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 13:26:32 +0100 Subject: [PATCH 1085/1736] ci: fix integration tests. --- .../bus/system/org.freedesktop.hostname1 | 15 ++++++++++++--- .../bus/system/org.freedesktop.systemd1 | 8 ++++---- tests/integration/common.bash | 2 +- tests/integration/flatpak.bats | 8 ++++++++ 4 files changed, 25 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 index 6805e3c08b..09df023df1 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 @@ -4,15 +4,24 @@ abi , + # DBus.Properties: read properties from the interface + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties - member=Get + member={Get,GetAll} peer=(name=org.freedesktop.hostname1), dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), + member={Get,GetAll} + peer=(label=systemd-hostnamed), + + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=systemd-hostnamed), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 index f3bf50d2f9..6ff695a121 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1 @@ -11,13 +11,13 @@ dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + member={Get,GetAll} + peer=(name=org.freedesktop.systemd1), dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label="@{p_systemd}"), + member={Get,GetAll} + peer=(label="@{p_systemd}"), dbus send bus=system path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties diff --git a/tests/integration/common.bash b/tests/integration/common.bash index 8228cc7624..f31988062e 100644 --- a/tests/integration/common.bash +++ b/tests/integration/common.bash @@ -9,7 +9,7 @@ load "$BATS_LIB_PATH/bats-support/load" export SYSTEMD_PAGER= # Ignore the profile not managed by apparmor.d -IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd /dev/pts/0) +IGNORE=(/usr/sbin/mysqld php-fpm snapd/snap-confine snap.vault.vaultd /dev/pts/0) # User password for sudo commands export PASSWORD=${PASSWORD:-user} diff --git a/tests/integration/flatpak.bats b/tests/integration/flatpak.bats index b61024d063..691db788b0 100644 --- a/tests/integration/flatpak.bats +++ b/tests/integration/flatpak.bats @@ -30,6 +30,14 @@ load common flatpak info org.vim.Vim } +@test "flatpak: List exported files" { + flatpak documents +} + +@test "flatpak: List dynamic permissions" { + flatpak permissions +} + # @test "flatpak: Run an installed application" { # _timeout flatpak run org.vim.Vim # } From 5a0ac24de50d74a7ecd988c3fde51c323dd931c8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 13:31:57 +0100 Subject: [PATCH 1086/1736] feat(abs): various dbus interface improvments. --- .../bus/session/com.canonical.dbusmenu | 4 ++-- .../bus/session/org.gnome.Shell.Introspect | 7 +++++++ .../abstractions/bus/system/fi.w1.wpa_supplicant1 | 15 ++++++++++++++- apparmor.d/abstractions/bus/system/org.bluez | 5 +++++ .../bus/system/org.freedesktop.ColorManager | 13 ++++++++++++- .../bus/system/org.freedesktop.UDisks2 | 7 +++++++ apparmor.d/groups/bus/dbus-accessibility | 4 +--- apparmor.d/groups/bus/dbus-system | 9 ++++++++- 8 files changed, 56 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/session/com.canonical.dbusmenu index e76d0646e9..25e65270b8 100644 --- a/apparmor.d/abstractions/bus/session/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/session/com.canonical.dbusmenu @@ -14,12 +14,12 @@ dbus receive bus=session path=/{MenuBar{,/@{hex}},com/canonical/{menu/@{hex},dbusmenu}} interface=com.canonical.dbusmenu - member=Get* + member={GetGroupProperties,GetLayout} peer=(label="@{pp_dbusmenu}"), dbus receive bus=session path=/{MenuBar{,/@{hex}},com/canonical/{menu/@{hex},dbusmenu}} interface=com.canonical.dbusmenu - member={AboutTo*,Event*} + member={AboutToShow,Event*} peer=(label="@{pp_dbusmenu}"), dbus receive bus=session path=/{MenuBar{,/@{hex}},com/canonical/{menu/@{hex},dbusmenu}} diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect index 852a880d57..c9197e769c 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect @@ -11,6 +11,13 @@ member={Get,GetAll} peer=(name="@{busname},org.gnome.Shell.Introspect", label=gnome-shell), + # DBus.Properties: receive property changed events + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="@{busname}", label=gnome-shell), + # Shell.Introspect dbus send bus=session path=/org/gnome/Shell/Introspect diff --git a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index b51c2a2607..10ab0da37d 100644 --- a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -16,6 +16,19 @@ member={Get,GetAll} peer=(name=@{busname}, label=wpa-supplicant), + + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/fi/w1/wpa_supplicant1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=wpa-supplicant), + + dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=wpa-supplicant), + # wpa_supplicant1: allow clients to enumerate sources dbus receive bus=system path=/fi/w1/wpa_supplicant1 @@ -42,7 +55,7 @@ dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface - member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} + member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone} peer=(name=@{busname}, label=wpa-supplicant), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez index 32d99816ee..e4300d7e5e 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez +++ b/apparmor.d/abstractions/bus/system/org.bluez @@ -6,6 +6,11 @@ # DBus.Properties: read properties from the interface + dbus send bus=system path=/org/bluez + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_bluetoothd}"), + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager index 4b5dcc746e..946399561a 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager @@ -6,7 +6,8 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + + # ColorManager dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager @@ -18,6 +19,11 @@ member={CreateProfile,CreateDevice,DeleteDevice} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + dbus send bus=system path=/org/freedesktop/ColorManager/devices/* + interface=org.freedesktop.ColorManager.Device + member=AddProfile + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} @@ -28,6 +34,11 @@ member={FindDeviceByProperty,FindDeviceById} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member={FindDeviceByProperty,FindDeviceById} + peer=(name=org.freedesktop.ColorManager), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 index 2c9ceeaff9..4c6ba8c590 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 @@ -16,6 +16,13 @@ member={Get,GetAll} peer=(label=udisksd), + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(label=udisksd), + # DBus.ObjectManager: allow clients to enumerate sources dbus send bus=system path=/org/freedesktop/UDisks2 diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index a1e7e5934f..5af2138bce 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -28,9 +28,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { signal receive set=(term hup kill) peer=gdm{,-session-worker}, signal receive set=(term hup kill) peer=gnome-session-binary, - unix type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, - unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), - unix type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, + unix bind type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, #aa:dbus own bus=accessibility name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} #aa:dbus own bus=session name=org.a11y.{B,b}us diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 228d7a9c51..7dd2de43a2 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -16,6 +16,7 @@ include profile dbus-system flags=(attach_disconnected) { include include + include include include include @@ -37,7 +38,7 @@ profile dbus-system flags=(attach_disconnected) { signal (send receive) set=kill peer=dbus-system//&unconfined, unix type=stream peer=(label=unconfined), - unix type=seqpacket peer=(label=flatpak-system-helper), + unix (send receive ) type=seqpacket peer=(label=flatpak-system-helper), unix bind type=stream addr=@@{udbus}/bus/dbus-broker-lau/system, #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} @@ -50,6 +51,10 @@ profile dbus-system flags=(attach_disconnected) { interface=org.freedesktop.systemd1.Activator member=ActivationFailure peer=(name=@{busname}, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=@{busname}, label="@{p_systemd}"), @{exec_path} mrix, @@ -58,6 +63,8 @@ profile dbus-system flags=(attach_disconnected) { @{lib}/** PUx, /usr/share/*/** PUx, + @{bin}/dbus-send r, + /etc/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r, /var/lib/snapd/dbus-1/{,**} r, From 2b0b96d26fe96dcceafd9f21588770b6237f9c5a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 14:26:23 +0100 Subject: [PATCH 1087/1736] feat(aa): minor improvements to go pkg. --- pkg/aa/base.go | 9 +++++++-- pkg/aa/rules.go | 6 ++++++ pkg/logs/loggers.go | 4 +++- pkg/paths/paths.go | 8 ++++++++ pkg/prebuild/directive/filter_test.go | 14 ++++++++++++++ 5 files changed, 38 insertions(+), 3 deletions(-) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index a712a58994..41549822ac 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -61,11 +61,16 @@ func newBaseFromLog(log map[string]string) Base { if strings.Contains(log["info"], "optional:") { optional = true comment = strings.Replace(log["info"], "optional: ", "", 1) + } else if strings.Contains(log["info"], "no new privs") { + noNewPrivs = true + comment = strings.TrimSpace(strings.Replace(log["info"], "no new privs", "", 1)) } else { noNewPrivs = true + if log["info"] != "" { + comment += " " + log["info"] + } } - } - if log["info"] != "" { + } else if log["info"] != "" { comment += " " + log["info"] } return Base{ diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go index 8e8ed5d95e..d4e6cc8251 100644 --- a/pkg/aa/rules.go +++ b/pkg/aa/rules.go @@ -93,6 +93,7 @@ func (r Rules) Delete(i int) Rules { return append(r[:i], r[i+1:]...) } +// DeleteKind removes all rules of the given kind from the slice and returns the new slice. func (r Rules) DeleteKind(kind Kind) Rules { res := make(Rules, 0, len(r)) for _, rule := range r { @@ -106,6 +107,7 @@ func (r Rules) DeleteKind(kind Kind) Rules { return res } +// FilterOut removes all rules of the given kind from the slice and returns the new slice. func (r Rules) FilterOut(filter Kind) Rules { res := make(Rules, 0, len(r)) for _, rule := range r { @@ -119,6 +121,7 @@ func (r Rules) FilterOut(filter Kind) Rules { return res } +// Filter returns all rules of the given kind from the slice. func (r Rules) Filter(filter Kind) Rules { res := make(Rules, 0, len(r)) for _, rule := range r { @@ -132,6 +135,7 @@ func (r Rules) Filter(filter Kind) Rules { return res } +// GetVariables returns all Variable rules from the slice. func (r Rules) GetVariables() []*Variable { res := make([]*Variable, 0, len(r)) for _, rule := range r { @@ -143,6 +147,7 @@ func (r Rules) GetVariables() []*Variable { return res } +// GetIncludes returns all Include rules from the slice. func (r Rules) GetIncludes() []*Include { res := make([]*Include, 0, len(r)) for _, rule := range r { @@ -264,6 +269,7 @@ func (r Rules) Format() Rules { // ParaRules is a slice of Rules grouped by paragraph type ParaRules []Rules +// Flatten flattens the ParaRules into a single Rules slice func (r ParaRules) Flatten() Rules { totalLen := 0 for i := range r { diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 6057c61df8..aa5ba70372 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -140,7 +140,9 @@ func validateLogFile(filename string) error { if err != nil { return fmt.Errorf("unable to read: %s", filename) } - file.Close() + if cerr := file.Close(); cerr != nil { + return fmt.Errorf("unable to close file %s: %w", filename, cerr) + } return nil } diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index 357b9c2f7b..1cdaeaa0f2 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -254,6 +254,14 @@ func (p *Path) MkTempDir(prefix string) (*Path, error) { return MkTempDir(p.path, prefix) } +func (p *Path) IsSymlink() (bool, error) { + info, err := p.Lstat() + if err != nil { + return false, err + } + return info.Mode()&os.ModeSymlink != 0, nil +} + // FollowSymLink transforms the current path to the path pointed by the // symlink if path is a symlink, otherwise it does nothing func (p *Path) FollowSymLink() error { diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/prebuild/directive/filter_test.go index 4edfca3aaa..c340583962 100644 --- a/pkg/prebuild/directive/filter_test.go +++ b/pkg/prebuild/directive/filter_test.go @@ -251,6 +251,20 @@ func TestFilterExclude_Apply(t *testing.T) { profile: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude debian", want: " @{bin}/dpkg rPx -> child-dpkg,", }, + { + name: "inline-exclude", + dist: "ubuntu", + family: "apt", + opt: &Option{ + Name: "exclude", + ArgMap: map[string]string{"ubuntu": ""}, + ArgList: []string{"ubuntu"}, + File: nil, + Raw: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude ubuntu", + }, + profile: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude ubuntu", + want: "", + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From 5f30c2b9b08088876ee6e80d9faa32aa511ae1fc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 15:26:30 +0100 Subject: [PATCH 1088/1736] tests(aa): update tests to new change in the templates. --- pkg/aa/apparmor_test.go | 1 - pkg/aa/parse_test.go | 1 - pkg/aa/rule_test.go | 2 +- pkg/aa/templates/rule/unix.j2 | 4 ++-- 4 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 9ee6a674c4..51eaab5262 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -88,7 +88,6 @@ func TestAppArmorProfileFile_String(t *testing.T) { Type: "stream", Address: "@/tmp/.ICE-unix/1995", PeerLabel: "gnome-shell", - PeerAddr: "none", }, &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, &Dbus{ diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 71607fd325..96ae136e94 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -990,7 +990,6 @@ var ( Type: "stream", Address: "@/tmp/.ICE-unix/1995", PeerLabel: "gnome-shell", - PeerAddr: "none", }, }, { diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index ed6e7043d1..f6911083ca 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -345,7 +345,7 @@ var ( other: unix1, wCompare: 0, wMerge: true, - wString: "unix (send receive) type=stream protocol=0 addr=none peer=(label=dbus-daemon, addr=@/tmp/dbus-AaKMpxzC4k),", + wString: "unix (send receive) type=stream peer=(label=dbus-daemon, addr=@/tmp/dbus-AaKMpxzC4k),", }, { name: "dbus", diff --git a/pkg/aa/templates/rule/unix.j2 b/pkg/aa/templates/rule/unix.j2 index 110143e5ad..4aadc51dc1 100644 --- a/pkg/aa/templates/rule/unix.j2 +++ b/pkg/aa/templates/rule/unix.j2 @@ -21,10 +21,10 @@ {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr=" }}{{ .PeerAddr }}{{ ")" }} {{- else -}} {{- with .PeerLabel -}} - {{ overindent "peer=(label=" }}{{ . }}{{ ")" }} + {{ " peer=(label=" }}{{ . }}{{ ")" }} {{- end -}} {{- if and .PeerAddr (ne .PeerAddr "none") -}} - {{ overindent "peer=(addr=" }}{{ .PeerAddr }}{{ ")" }} + {{ " peer=(addr=" }}{{ .PeerAddr }}{{ ")" }} {{- end -}} {{- end -}} {{- "," -}} From 89b6ff4adaab0ae181b5b93fc133690b89b58445 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 22:51:14 +0100 Subject: [PATCH 1089/1736] feat(aa): add some AppArmorProfileFile helper. --- pkg/aa/apparmor.go | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index c1d011c008..46a800f5be 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -5,6 +5,7 @@ package aa import ( + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/paths" @@ -138,3 +139,24 @@ func (f *AppArmorProfileFile) Format() { p.Format() } } + +// Merge merges two profiles together. +func (f *AppArmorProfileFile) Merge(other *AppArmorProfileFile) error { + f.Preamble = append(f.Preamble, other.Preamble...) + f.Profiles = append(f.Profiles, other.Profiles...) + return nil +} + +// Clean the profile file from comments +func (f *AppArmorProfileFile) Clean() { + delete := []int{} + for i, r := range f.Preamble { + switch r.(type) { + case *Comment: + delete = append(delete, i) + } + } + for i := len(delete) - 1; i >= 0; i-- { + f.Preamble = slices.Delete(f.Preamble, delete[i], delete[i]+1) + } +} From aba5ac2e0c8c2c2a574c8165789f57c91c954c8e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 22:51:42 +0100 Subject: [PATCH 1090/1736] feat(aa): add FileKind to AppArmorProfileFile. --- pkg/aa/apparmor.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 46a800f5be..91b209ea5d 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -49,6 +49,7 @@ type AppArmorProfileFiles map[string]*AppArmorProfileFile type AppArmorProfileFile struct { Preamble Rules Profiles []*Profile + Kind FileKind } func NewAppArmorProfile() *AppArmorProfileFile { From 4f5e884082c4b2de2ae05863c171c0c9a109df55 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 22:53:27 +0100 Subject: [PATCH 1091/1736] feat(aa): add more keyworks for condition rules. --- pkg/aa/blocks.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index d0826dfa28..bb3d1417d0 100644 --- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -5,7 +5,9 @@ package aa const ( - HAT Kind = "hat" + HAT Kind = "hat" + IF Kind = "if" + ELSE Kind = "else" ) // Hat represents a single AppArmor hat. @@ -15,6 +17,14 @@ type Hat struct { Rules Rules } +func newHat(rule rule) (*Hat, error) { + name := "" + if len(rule) > 0 { + name = rule.Get(0) + } + return &Hat{Name: name}, nil +} + func (p *Hat) Kind() Kind { return HAT } From 9b6ef749bad17062dfc4f880adee4aad5ae2f5ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 30 Nov 2025 22:55:49 +0100 Subject: [PATCH 1092/1736] tests(aa): update some tests to the last changes. --- pkg/aa/data_test.go | 8 +++++++- pkg/aa/rule_test.go | 4 ++-- pkg/aa/rules.go | 24 ++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index 28aa703d64..b96330fadd 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -84,12 +84,18 @@ var ( "requested": "send", "denied": "send", } - network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} + network1 = &Network{ + Access: []string{}, + Domain: "netlink", + Type: "raw", + Protocol: "15", + } network2 = &Network{Domain: "inet", Type: "dgram"} network3 = &Network{ Base: Base{Comment: " failed af match"}, LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"}, PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"}, + Access: []string{"send"}, Type: "dgram", Protocol: "17", } diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index f6911083ca..716c1b5581 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -225,7 +225,7 @@ var ( other: network1, wCompare: -7, wMerge: false, - wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", + wString: "network send dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", }, { name: "mount", @@ -460,7 +460,7 @@ var ( other: profile2, wCompare: -4, wMerge: false, - wString: "profile sudo {\n}", + wString: "profile sudo {\n}\n", }, { name: "hat", diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go index d4e6cc8251..e817af44ad 100644 --- a/pkg/aa/rules.go +++ b/pkg/aa/rules.go @@ -77,6 +77,30 @@ func (r Rules) Index(item Rule) int { return -1 } +// IndexOf returns the index of the first occurrence of item in r, or -1 if not present. +func (r Rules) IndexOf(item Rule) int { + for idx, rr := range r { + if rr.Kind() == item.Kind() && rr.Compare(item) == 0 { + return idx + } + } + return -1 +} + +// Contains checks if the rule is in the slice +func (r Rules) Contains(rule Rule) bool { + return r.IndexOf(rule) != -1 +} + +// Remove removes the first occurrence of rule from the slice and returns the new slice. +func (r Rules) Remove(rule Rule) Rules { + idx := r.IndexOf(rule) + if idx == -1 { + return r + } + return append(r[:idx], r[idx+1:]...) +} + // Replace replaces the elements r[i] by the given rules, and returns the // modified slice. func (r Rules) Replace(i int, rules ...Rule) Rules { From be9008b3b6046171b10efd3b0351b9854e8086ec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Dec 2025 01:24:46 +0100 Subject: [PATCH 1093/1736] feat(aa): scanner: add the ability to parse block of rule such as profile and subprofile. --- pkg/aa/parse.go | 238 ++++++++++++++++++++++++++++++++++++++++++- pkg/aa/parse_test.go | 88 +++++++++++++++- 2 files changed, 321 insertions(+), 5 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 3b737abfdb..4dbdad7552 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -62,10 +62,240 @@ var ( openBlocks = []rune{tokOPENPAREN, tokOPENBRACE, tokOPENBRACKET} closeBlocks = []rune{tokCLOSEPAREN, tokCLOSEBRACE, tokCLOSEBRACKET} - inHeader = false - regParagraph = regexp.MustCompile(`(?s).*?\n\n|$`) + inHeader = false + regParagraph = regexp.MustCompile(`(?s).*?\n\n|$`) + regVariableDefinition = regexp.MustCompile(`@{(.*)}\s*[+=]+\s*(.*)`) ) +const ( + CONTENT Kind = "content" + RAW Kind = "raw" + QUALIFIER Kind = "qualifier" +) + +// Intermediate token for the representation of apparmor blocks such as +// profile, subprofile, hat, qualifier and condition. +type block struct { + kind Kind + raw string + next *block +} + +// Split a raw input block string into tokens by '{', '}', but ignore +// variables and second level blocks. +func tokenizeBlock(input string) ([]*block, error) { + if len(input) > 0 && input[0] == tokOPENBRACE { + return nil, fmt.Errorf("wrong block format: %s", input) + } + + blocks := []*block{} + blockCounter := 0 + blockStack := []rune{} + blockRecored := false + blockStart := 0 + blockEnd := 0 + blockContentStart := 0 + blockContentStartBkp := 0 + blockContentEnd := 0 + for idx, r := range input { + switch r { + case tokOPENBRACE: + blockStack = append(blockStack, r) + + // Block rules starts with ' {', ignore nested blocks and variables + if len(blockStack) == 1 { + ignore := false + + // Ignore the block if it is inside a variable definition + if input[idx-1] == '@' { + ignore = true + } else { + i := idx + for i > 0 && input[i] != '\n' { + i-- + } + j := idx + for j < len(input) && input[j] != '\n' { + j++ + } + line := input[i:j] + match := regVariableDefinition.FindStringSubmatch(line) + if len(match) > 0 { + ignore = true + } else if input[idx-1] != ' ' { + ignore = true + } + } + + if !ignore { + blockStart = idx + blockRecored = true + } + } + + case tokCLOSEBRACE: + if len(blockStack) <= 0 { + return nil, fmt.Errorf("unbalanced block, missing '{' for '} at: }%s", + input[blockContentStart:idx]) + } + + if len(blockStack) == 1 && blockRecored { + blockRecored = false + blockEnd = idx + blockContentStartBkp = blockContentStart + blockContentEnd = blockStart + blockContentRaw := input[blockContentStart:blockContentEnd] + blockContentStart = blockEnd + 1 + + // Collect the block header + i := len(blockContentRaw) - 1 + for i > 0 && blockContentRaw[i] != '\n' { + i-- + } + blockHeader := strings.Trim(blockContentRaw[i:], "\n ") + blockHeader = strings.Trim(blockHeader, "\n\t ") + + // Ignore commented block, restore previous id values + if len(blockHeader) > 0 && blockHeader[0] == '#' { + blockContentStart = blockContentStartBkp + blockStack = blockStack[:len(blockStack)-1] + continue + } + + // Collect out of block content (preamble, profile content outside of sub blocks) + blockContentRaw = blockContentRaw[:i] + if blockContentRaw != "" { + blocks = append(blocks, &block{ + kind: CONTENT, + raw: blockContentRaw, + }) + } + + // Collect the block content + blockRaw := input[blockStart+1 : blockEnd] + blockRaw = strings.Trim(blockRaw, "\n\t ") + var kind Kind + switch { + case strings.HasPrefix(blockHeader, PROFILE.Tok()), isAARE(blockHeader): + kind = PROFILE + case strings.HasPrefix(blockHeader, HAT.Tok()), + strings.HasPrefix(blockHeader, HAT.String()): + kind = HAT + case blockHeader == IF.Tok(): + kind = IF + case blockHeader == ELSE.Tok(): + kind = ELSE + default: + fmt.Printf("blockRaw: %v\n", blockRaw) + return nil, fmt.Errorf("unrecognized block type: %s", blockHeader) + } + blocks = append(blocks, &block{ + kind: kind, + raw: blockHeader, + next: &block{ + kind: RAW, + raw: blockRaw, + }, + }) + } + blockStack = blockStack[:len(blockStack)-1] + } + } + + if blockCounter != 0 { + return nil, fmt.Errorf("unbalanced block, missing '{' or '}': %s", + input[blockContentEnd:len(input)-1]) + } + if len(blocks) == 0 { + // No block found, it can be a tunable/abstraction file. + blocks = append(blocks, &block{ + kind: CONTENT, + raw: input, + }) + } + return blocks, nil +} + +func parseBlock(b *block) (Rules, error) { + var res Rules + var rrr Rules + var err error + + switch b.kind { + case CONTENT: + // Line rules + var raw string + raw, res, err = parseLineRules(false, b.raw) + if err != nil { + return nil, err + } + + // Comma rules + rules, err := parseCommaRules(raw) + if err != nil { + return nil, err + } + rrr, err = newRules(rules) + if err != nil { + return nil, err + } + + res = append(res, rrr...) + for _, r := range res { + if r.Constraint() == PreambleRule { + return nil, fmt.Errorf("Rule not allowed in block: %s", r) + } + } + + case RAW: + var blocks []*block + blocks, err = tokenizeBlock(b.raw) + if err != nil { + return nil, err + } + for _, block := range blocks { + rrr, err = parseBlock(block) + if err != nil { + return nil, err + } + res = append(res, rrr...) + } + return res, nil + + case PROFILE: + header, err := newHeader(parseRule(b.raw)) + if err != nil { + return nil, err + } + rules, err := parseBlock(b.next) + if err != nil { + return nil, err + } + profile := &Profile{ + Header: header, + Rules: rules, + } + res = append(res, profile) + + case HAT: + hat, err := newHat(parseRule(b.raw)) + if err != nil { + return nil, err + } + rules, err := parseBlock(b.next) + if err != nil { + return nil, err + } + hat.Rules = rules + res = append(res, hat) + + case IF, ELSE: + // Not implemented yet + + } + return res, nil +} + // Parse the line rule from a raw string. func parseLineRules(isPreamble bool, input string) (string, Rules, error) { var res Rules @@ -608,10 +838,10 @@ func (f *AppArmorProfileFile) parsePreamble(preamble string) error { // Parse an apparmor profile file. // -// Warning: It is purposely an uncomplete basic parser for apparmor profile, +// Warning: It is purposely an uncomplete parser for apparmor profile, // it is only aimed for internal tooling purpose. For "simplicity", it is not // using antlr / participle. It is only used for experimental feature in the -// apparmor.d project. +// apparmor.d project. Technically, it is more a scanner than a parser. // // Very basic: // - Only supports parsing of preamble and profile headers. diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 96ae136e94..88a09fcb23 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -6,6 +6,7 @@ package aa import ( "reflect" + "regexp" "strings" "testing" ) @@ -110,6 +111,47 @@ func Test_parseCommaRules(t *testing.T) { } } +func Test_tokenizeBlock(t *testing.T) { + for _, tt := range testBlocks { + t.Run(tt.name, func(t *testing.T) { + got, err := tokenizeBlock(tt.raw) + if (err != nil) != tt.wTokenizeErr { + t.Errorf("tokenizeBlock() error = %v, wantErr %v", err, tt.wTokenizeErr) + return + } + if !reflect.DeepEqual(got, tt.blocks) { + t.Errorf("tokenizeBlock() = %v, want %v", pp.Sprint(got), tt.blocks) + } + }) + } +} + +func Test_parseBlock(t *testing.T) { + for _, tt := range testBlocks { + t.Run(tt.name, func(t *testing.T) { + for idx, b := range tt.blocks { + var err error + var got Rules + want := tt.rules[idx] + if b.kind == CONTENT && strings.HasPrefix(b.raw, "# Simple test") { + f := &AppArmorProfileFile{} + err = f.parsePreamble(b.raw) + got = f.Preamble + } else { + got, err = parseBlock(b) + } + if (err != nil) != tt.wParseBlockErr { + t.Errorf("parseBlock() error = %v, wantErr %v", err, tt.wParseBlockErr) + return + } + if !reflect.DeepEqual(got, want) { + t.Errorf("parseBlock() = %v, want %v", pp.Sprint(got), want) + } + } + }) + } +} + func Test_newRules(t *testing.T) { for _, tt := range testParseRules { if tt.wRule == nil { @@ -153,6 +195,50 @@ func Test_AppArmorProfileFile_Parse(t *testing.T) { } }) } + for _, tt := range testParser { + t.Run(tt.name, func(t *testing.T) { + got := &AppArmorProfileFile{} + if _, err := got.Parse(tt.raw); (err != nil) != tt.wantErr { + t.Errorf("AppArmorProfileFile.Parse() error = %v, wantErr %v", err, tt.wantErr) + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("AppArmorProfileFile.Parse() = |%v|, want |%v|", got, tt.want) + } + }) + } +} + +func Test_AppArmorProfileFile_ParseAll(t *testing.T) { + for _, tt := range testBlocks { + if tt.apparmorAll == nil { + continue // skip test cases without apparmorAll defined + } + t.Run(tt.name, func(t *testing.T) { + got := &AppArmorProfileFile{} + err := got.ParseAll(tt.raw) + if (err != nil) != tt.wParseErr { + t.Errorf("AppArmorProfileFile.ParseAll() error = %v, wantErr %v", err, tt.wParseErr) + } + if !reflect.DeepEqual(got, tt.apparmorAll) { + t.Errorf("AppArmorProfileFile.ParseAll() = |%v|, want |%v|", pp.Sprint(got), pp.Sprint(tt.apparmorAll)) + } + if (err != nil) != tt.wParseRulesErr { + t.Errorf("ParseRules() error = %v, wantErr %v", err, tt.wParseRulesErr) + return + } + }) + } + for _, tt := range testParser { + t.Run(tt.name, func(t *testing.T) { + got := &AppArmorProfileFile{} + if _, err := got.Parse(tt.raw); (err != nil) != tt.wantErr { + t.Errorf("AppArmorProfileFile.Parse() error = %v, wantErr %v", err, tt.wantErr) + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("AppArmorProfileFile.Parse() = |%v|, want |%v|", got, tt.want) + } + }) + } } var ( @@ -835,7 +921,7 @@ var ( }, } - // Test cases for Parse + // Test cases for tokenizeBlock, parseBlock, and Parse testBlocks = []struct { name string raw string From 9f291fd0cd8929eacb93cc9fa8130e85e6265b7c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Dec 2025 01:31:06 +0100 Subject: [PATCH 1094/1736] tests(aa): add testdata for the block parser. --- tests/testdata/parse.aa | 45 ++++++++++++++++++++++++++++++++++++++ tests/testdata/profile0.aa | 13 +++++++++++ tests/testdata/profile1.aa | 16 ++++++++++++++ tests/testdata/string.aa | 3 ++- 4 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 tests/testdata/parse.aa create mode 100644 tests/testdata/profile0.aa create mode 100644 tests/testdata/profile1.aa diff --git a/tests/testdata/parse.aa b/tests/testdata/parse.aa new file mode 100644 index 0000000000..8e3dc54c58 --- /dev/null +++ b/tests/testdata/parse.aa @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# TODO: Test rule with only ',' + +abi , + +alias /mnt/usr -> /usr, + +include # optional: A nice message +include if exists "/etc/apparmor.d/global/dummy space" + +@{name} = torbrowser "tor browser" +@{lib_dirs} = @{lib}/@{name} /opt/@{name} # This is a comment + +alias /mnt/{,usr.sbin.}mount.cifs + -> + /sbin/mount.cifs, + +@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} +profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected) { + include + + remount /newroot/{,**}, + + unix (send receive) type=stream addr="@/tmp/.ICE[0-9]-unix/19 5" peer=(label=gnome-shell, addr=none), + + dbus bind bus=session name=org.gnome.*, # wfdwde + dbus receive bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=AddMatch + peer=(name=:1.3, label=power-profiles-daemon), + + # Oh my god, it's a comment! before a paragraph of rules + "/opt/Mullvad VPN/resources/*.so*" mr, # To be able to read the /proc/ files + /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, + + @{bin}/zsh rix, + + owner /{var/,}tmp/#@{int} rw, + + owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + + include if exists +} diff --git a/tests/testdata/profile0.aa b/tests/testdata/profile0.aa new file mode 100644 index 0000000000..bcca0464eb --- /dev/null +++ b/tests/testdata/profile0.aa @@ -0,0 +1,13 @@ +profile A flags=(attach_disconnected) { + /path/to/A mr, + + profile B { + /path/to/B mr, + } + profile C { + /path/to/C mr, + } + profile D { + /path/to/D mr, + } +} \ No newline at end of file diff --git a/tests/testdata/profile1.aa b/tests/testdata/profile1.aa new file mode 100644 index 0000000000..e85f319154 --- /dev/null +++ b/tests/testdata/profile1.aa @@ -0,0 +1,16 @@ + +profile A flags=(attach_disconnected) { + /path/to/A mr, + + profile B { + /path/to/B mr, + + profile C { + /path/to/C mr, + + profile D { + /path/to/D mr, + } + } + } +} \ No newline at end of file diff --git a/tests/testdata/string.aa b/tests/testdata/string.aa index 25065ce358..2ee487892a 100644 --- a/tests/testdata/string.aa +++ b/tests/testdata/string.aa @@ -27,7 +27,7 @@ profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach ptrace read peer=nautilus, - unix (send receive) type=stream addr=@/tmp/.ICE-unix/1995 peer=(label=gnome-shell, addr=none), + unix (send receive) type=stream addr=@/tmp/.ICE-unix/1995 peer=(label=gnome-shell), dbus bind bus=session name=org.gnome.*, dbus receive bus=system path=/org/freedesktop/DBus @@ -41,3 +41,4 @@ profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach include if exists } + From a660ba5302e7c014cc99a61660625d66c8299760 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 12 Dec 2025 13:55:07 +0100 Subject: [PATCH 1095/1736] tests(check): add support for namespace in the check linter. --- tests/check.sh | 36 +++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index acf2656d4d..df79bcf8d5 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -386,14 +386,28 @@ _res_include() { RES_PROFILE=false _check_profile() { _is_enabled profile || return 0 - if [[ "$line" =~ ^"profile $name" ]]; then - RES_PROFILE=true + if [[ "$file" == *"/namespaces/"* ]]; then + ns="${file#*namespaces/}" + ns="${ns%%/*}" + if [[ "$line" =~ ^"profile :$ns:$name" ]]; then + RES_PROFILE=true + fi + else + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi fi } _res_profile() { _is_enabled profile || return 0 if ! $RES_PROFILE; then - _err profile "$file" "missing profile name: 'profile $name'" + if [[ "$file" == *"/namespaces/"* ]]; then + ns="${file#*namespaces/}" + ns="${ns%%/*}" + _err profile "$file" "missing profile name: 'profile :$ns:$name'" + else + _err profile "$file" "missing profile name: 'profile $name'" + fi fi } @@ -488,7 +502,13 @@ _check_subprofiles() { indentation="${BASH_REMATCH[1]}" subprofile="${BASH_REMATCH[2]}" subprofile="${subprofile%% *}" - include="${indentation}include if exists " + if [[ "$file" == *"/namespaces/"* ]]; then + ns="${file#*namespaces/}" + ns="${ns%%/*}" + include="${indentation}include if exists " + else + include="${indentation}include if exists " + fi _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" _CHEK_IN_SUBPROFILE=true elif $_CHEK_IN_SUBPROFILE; then @@ -583,7 +603,13 @@ check_profiles() { ( name="$(basename "$file")" name="${name/.apparmor.d/}" - include="include if exists " + if [[ "$file" == *"/namespaces/"* ]]; then + ns="${file#*namespaces/}" + ns="${ns%%/*}" + include="include if exists " + else + include="include if exists " + fi _check "$file" ) & _wait jobs From b4fb5676e0afc8dcfd16eee15cff520b38e62d89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 12 Dec 2025 18:21:00 +0100 Subject: [PATCH 1096/1736] fix(build): ensure the namespaces directory exist. --- pkg/prebuild/prepare/merge.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/prepare/merge.go b/pkg/prebuild/prepare/merge.go index 9443e500ec..528559a981 100644 --- a/pkg/prebuild/prepare/merge.go +++ b/pkg/prebuild/prepare/merge.go @@ -60,6 +60,9 @@ func (p Merge) Apply() ([]string, error) { // Namespaces directory nsRoot := prebuild.RootApparmord.Join("namespaces") + if !nsRoot.Exist() { + return res, nil + } dirs, err := nsRoot.ReadDir(paths.FilterDirectories()) if err != nil { return res, err From 59ed591f92765a4285cb7b5ea0a8229f2a264e90 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 00:28:45 +0100 Subject: [PATCH 1097/1736] feat(aa-log): ensure aa-log can to read logs from stdin. --- cmd/aa-log/main.go | 1 + pkg/logs/loggers.go | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 84d9e33eea..4435818430 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -24,6 +24,7 @@ const usage = `aa-log [-h] [--systemd] [--file file] [--load] [--rules | --raw] Default logs are read from '/var/log/audit/audit.log'. Other files in '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Use 'aa-log -f -' to read from standard input. Logs written with 'aa-log' can be read again with 'aa-log -l'. diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index aa5ba70372..097634921f 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -59,6 +59,9 @@ func GetApparmorLogs(file io.Reader, profile string, namespace string) []string // GetAuditLogs return a reader with the logs entries from Auditd func GetAuditLogs(path string) (io.Reader, error) { + if path == "/dev/stdin" || path == "-" { + return os.Stdin, nil + } file, err := os.Open(filepath.Clean(path)) if err != nil { return nil, err @@ -148,6 +151,10 @@ func validateLogFile(filename string) error { // SelectLogFile return the path of the available log file to parse (audit, syslog, .1, .2) func SelectLogFile(input string) (string, error) { + if input == "/dev/stdin" || input == "-" { + return input, nil + } + // If a specific file path is provided if input != "" { path := filepath.Clean(input) From db6cad01d64570e16624274b3db4f8dcebf458ec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 14:19:59 +0100 Subject: [PATCH 1098/1736] fix(aa): issue in tokenization. --- pkg/aa/parse.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 4dbdad7552..0e39fa653d 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -448,8 +448,8 @@ func tokenizeRule(str string) []string { } for _, r := range str { switch { - case (r == ' ' || r == '\t') && len(blockStack) == 0 && !quoted: - // Split on space/tab if not in a block or quoted + case (r == ' ' || r == '\t' || r == '\n') && len(blockStack) == 0 && !quoted: + // Split on space/tab/newline if not in a block or quoted if currentToken.Len() != 0 { tokens = append(tokens, currentToken.String()) currentToken.Reset() From c2e9c68421afc49cda15e539621864da1174c1c6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 14:20:50 +0100 Subject: [PATCH 1099/1736] feat(aa): add the Scan function. Like Parse, it is an internal scanner for apparmor profile. --- pkg/aa/parse.go | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 0e39fa653d..f00b862b66 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -925,3 +925,43 @@ func ParseRules(input string) (ParaRules, []string, error) { return paragraphRules, paragraphs, nil } + +// Scan an apparmor profile file with multiple profiles, hats, and nested. +// Like Parse, but process all profiles and blocks in the file. +func (f *AppArmorProfileFile) Scan(input string) error { + blocks, err := tokenizeBlock(input) + if err != nil { + return err + } + if len(blocks) == 0 { + fmt.Print("No block found in the file") + } + + for _, block := range blocks { + switch block.kind { + case CONTENT: + if err := f.parsePreamble(block.raw); err != nil { + return err + } + + case PROFILE: + header, err := newHeader(parseRule(block.raw)) + if err != nil { + return err + } + rules, err := parseBlock(block.next) + if err != nil { + return err + } + profile := &Profile{ + Header: header, + Rules: rules, + } + f.Profiles = append(f.Profiles, profile) + + default: + return fmt.Errorf("Illegal %s block in profile file", block.kind) + } + } + return nil +} From cbda1445cb6c43f1035274600de0a7edb5123d57 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 14:21:52 +0100 Subject: [PATCH 1100/1736] tests(aa): update tests to the last changes. --- pkg/aa/parse_test.go | 41 ++++++++++++----------------------------- 1 file changed, 12 insertions(+), 29 deletions(-) diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 88a09fcb23..c8acdf8915 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -6,7 +6,6 @@ package aa import ( "reflect" - "regexp" "strings" "testing" ) @@ -120,7 +119,7 @@ func Test_tokenizeBlock(t *testing.T) { return } if !reflect.DeepEqual(got, tt.blocks) { - t.Errorf("tokenizeBlock() = %v, want %v", pp.Sprint(got), tt.blocks) + t.Errorf("tokenizeBlock() = %v, want %v", got, tt.blocks) } }) } @@ -145,7 +144,7 @@ func Test_parseBlock(t *testing.T) { return } if !reflect.DeepEqual(got, want) { - t.Errorf("parseBlock() = %v, want %v", pp.Sprint(got), want) + t.Errorf("parseBlock() = %v, want %v", got, want) } } }) @@ -195,47 +194,31 @@ func Test_AppArmorProfileFile_Parse(t *testing.T) { } }) } - for _, tt := range testParser { - t.Run(tt.name, func(t *testing.T) { - got := &AppArmorProfileFile{} - if _, err := got.Parse(tt.raw); (err != nil) != tt.wantErr { - t.Errorf("AppArmorProfileFile.Parse() error = %v, wantErr %v", err, tt.wantErr) - } - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("AppArmorProfileFile.Parse() = |%v|, want |%v|", got, tt.want) - } - }) - } } -func Test_AppArmorProfileFile_ParseAll(t *testing.T) { +func Test_AppArmorProfileFile_Scan(t *testing.T) { for _, tt := range testBlocks { - if tt.apparmorAll == nil { - continue // skip test cases without apparmorAll defined - } t.Run(tt.name, func(t *testing.T) { + if tt.apparmorAll == nil { + tt.apparmorAll = tt.apparmor + } got := &AppArmorProfileFile{} - err := got.ParseAll(tt.raw) - if (err != nil) != tt.wParseErr { - t.Errorf("AppArmorProfileFile.ParseAll() error = %v, wantErr %v", err, tt.wParseErr) + if err := got.Scan(tt.raw); (err != nil) != tt.wParseErr { + t.Errorf("AppArmorProfileFile.Scan() error = %v, wantErr %v", err, tt.wParseErr) } if !reflect.DeepEqual(got, tt.apparmorAll) { - t.Errorf("AppArmorProfileFile.ParseAll() = |%v|, want |%v|", pp.Sprint(got), pp.Sprint(tt.apparmorAll)) - } - if (err != nil) != tt.wParseRulesErr { - t.Errorf("ParseRules() error = %v, wantErr %v", err, tt.wParseRulesErr) - return + t.Errorf("AppArmorProfileFile.Scan() = %v, want %v", got, tt.apparmorAll) } }) } for _, tt := range testParser { t.Run(tt.name, func(t *testing.T) { got := &AppArmorProfileFile{} - if _, err := got.Parse(tt.raw); (err != nil) != tt.wantErr { - t.Errorf("AppArmorProfileFile.Parse() error = %v, wantErr %v", err, tt.wantErr) + if err := got.Scan(tt.raw); (err != nil) != tt.wantErr { + t.Errorf("AppArmorProfileFile.Scan() error = %v, wantErr %v", err, tt.wantErr) } if !reflect.DeepEqual(got, tt.want) { - t.Errorf("AppArmorProfileFile.Parse() = |%v|, want |%v|", got, tt.want) + t.Errorf("AppArmorProfileFile.Scan() = %v, want %v", got, tt.want) } }) } From f16ff5f74453c5161d15975e66da994eede0d0de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 14:23:58 +0100 Subject: [PATCH 1101/1736] tests(aa): add more unit tests. --- pkg/aa/parse_test.go | 761 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 761 insertions(+) diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index c8acdf8915..8317f7399d 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -908,7 +908,12 @@ var ( testBlocks = []struct { name string raw string + blocks []*block + wTokenizeErr bool + rules []Rules + wParseBlockErr bool apparmor *AppArmorProfileFile + apparmorAll *AppArmorProfileFile wParseErr bool wRules ParaRules wParseRulesErr bool @@ -916,6 +921,10 @@ var ( { name: "empty", raw: "", + blocks: []*block{{kind: CONTENT, raw: ""}}, + wTokenizeErr: false, + rules: []Rules{nil}, + wParseBlockErr: false, apparmor: &AppArmorProfileFile{}, wParseErr: false, wRules: ParaRules{}, @@ -927,6 +936,23 @@ var ( # IsLineRule comment include # comment included @{lib_dirs} = @{lib}/@{name} /opt/@{name} # comment in variable`, + blocks: []*block{ + { + kind: "content", + raw: "\n\t\t\t# IsLineRule comment\n\t\t\tinclude # comment included\n\t\t\t@{lib_dirs} = @{lib}/@{name} /opt/@{name} # comment in variable", + }, + }, + wTokenizeErr: false, + rules: []Rules{ + { + &Comment{Base: Base{IsLineRule: true, Comment: " IsLineRule comment"}}, + &Include{ + Base: Base{Comment: " comment included"}, + Path: "tunables/global", IsMagic: true, + }, + }, + }, + wParseBlockErr: false, apparmor: &AppArmorProfileFile{ Preamble: Rules{ &Comment{Base: Base{IsLineRule: true, Comment: " IsLineRule comment"}}, @@ -957,7 +983,46 @@ var ( alias /mnt/{,usr.sbin.}mount.cifs -> /sbin/mount.cifs, @{coreutils} += gawk {,e,f}grep head profile @{exec_path} { + } `, + blocks: []*block{ + { + kind: "content", + raw: "# Simple test\n\t\t\tinclude \n\n\t\t\t# { commented block }\n\t\t\t@{name} = {D,d}ummy\n\t\t\t@{exec_path} = @{bin}/@{name}\n\t\t\t@{exec_path} += @{lib}/@{name}\n\t\t\talias /mnt/{,usr.sbin.}mount.cifs -> /sbin/mount.cifs,\n\t\t\t@{coreutils} += gawk {,e,f}grep head", + }, + { + kind: "profile", + raw: "profile @{exec_path}", + next: &block{ + kind: "raw", + raw: "", + }, + }, + }, + wTokenizeErr: false, + rules: []Rules{ + { + &Comment{Base: Base{IsLineRule: true, Comment: " Simple test"}}, + &Include{IsMagic: true, Path: "tunables/global"}, + &Comment{Base: Base{IsLineRule: true, Comment: " { commented block }"}}, + &Variable{Name: "name", Values: []string{"{D,d}ummy"}, Define: true}, + &Variable{Name: "exec_path", Values: []string{"@{bin}/@{name}"}, Define: true}, + &Variable{Name: "exec_path", Values: []string{"@{lib}/@{name}"}, Define: false}, + &Variable{Name: "coreutils", Values: []string{"gawk", "{,e,f}grep", "head"}, Define: false}, + &Alias{Path: "/mnt/{,usr.sbin.}mount.cifs", RewrittenPath: "/sbin/mount.cifs"}, + }, + { + &Profile{ + Header: Header{ + Name: "@{exec_path}", + Attachments: []string{}, + Attributes: map[string]string{}, + Flags: []string{}, + }, + }, + }, + }, + wParseBlockErr: false, apparmor: &AppArmorProfileFile{ Preamble: Rules{ &Comment{Base: Base{IsLineRule: true, Comment: " Simple test"}}, @@ -987,6 +1052,45 @@ var ( { name: "string.aa", raw: testData.Join("string.aa").MustReadFileAsString(), + blocks: []*block{ + { + kind: CONTENT, + raw: "# Simple test profile for the AppArmorProfileFile.String() method\n\nabi ,\n\nalias /mnt/usr -> /usr,\n\ninclude \n\n@{exec_path} = @{bin}/foo @{lib}/foo", + }, + { + kind: PROFILE, + raw: "profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected)", + next: &block{ + kind: RAW, + raw: pStringAAContentStr, + }, + }, + }, + wTokenizeErr: false, + rules: []Rules{ + { + &Comment{Base: Base{IsLineRule: true, Comment: " Simple test profile for the AppArmorProfileFile.String() method"}}, + &Include{Path: "tunables/global", IsMagic: true}, + &Variable{ + Name: "exec_path", Define: true, + Values: []string{"@{bin}/foo", "@{lib}/foo"}, + }, + &Abi{IsMagic: true, Path: "abi/4.0"}, + &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}, + }, + { + &Profile{ + Header: Header{ + Name: "foo", + Attachments: []string{"@{exec_path}"}, + Attributes: map[string]string{"security.tagged": "allowed"}, + Flags: []string{"complain", "attach_disconnected"}, + }, + Rules: rulesStringAA, + }, + }, + }, + wParseBlockErr: false, apparmor: &AppArmorProfileFile{ Preamble: Rules{ &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, @@ -1009,7 +1113,116 @@ var ( }, }, }, + apparmorAll: &AppArmorProfileFile{ + Preamble: Rules{ + &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, + &Include{IsMagic: true, Path: "tunables/global"}, + &Variable{ + Name: "exec_path", Define: true, + Values: []string{"@{bin}/foo", "@{lib}/foo"}, + }, + &Abi{IsMagic: true, Path: "abi/4.0"}, + &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}, + }, + Profiles: []*Profile{ + { + Header: Header{ + Name: "foo", + Attachments: []string{"@{exec_path}"}, + Attributes: map[string]string{"security.tagged": "allowed"}, + Flags: []string{"complain", "attach_disconnected"}, + }, + Rules: rulesStringAA, + }, + }, + }, wParseErr: false, + wRules: ParaRules{ + { + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, + }, + { + &Rlimit{Key: "nproc", Op: "<=", Value: "200"}, + }, + { + &Capability{Names: []string{"dac_read_search"}}, + &Capability{Names: []string{"dac_override"}}, + }, + { + &Network{Domain: "inet", Type: "stream"}, + &Network{Domain: "inet6", Type: "stream"}, + }, + { + &Mount{ + Base: Base{IsLineRule: false, Comment: " failed perms check"}, + MountConditions: MountConditions{ + FsType: "fuse.portal", + Options: []string{"rw", "rbind"}, + }, + Source: "@{run}/user/@{uid}/", + MountPoint: "/", + }, + }, + { + &Umount{ + MountConditions: MountConditions{Options: []string{}}, + MountPoint: "@{run}/user/@{uid}/", + }, + }, + { + &Signal{ + Access: []string{"receive"}, + Set: []string{"term"}, + Peer: "at-spi-bus-launcher", + }, + }, + { + &Ptrace{Access: []string{"read"}, Peer: "nautilus"}, + }, + { + &Unix{ + Access: []string{"send", "receive"}, + Type: "stream", + Address: "@/tmp/.ICE-unix/1995", + PeerLabel: "gnome-shell", + }, + }, + { + &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, + &Dbus{ + Access: []string{"receive"}, + Bus: "system", + Path: "/org/freedesktop/DBus", + Interface: "org.freedesktop.DBus", + Member: "AddMatch", + PeerName: ":1.3", + PeerLabel: "power-profiles-daemon", + }, + }, + { + &File{Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", Access: []string{"m", "r"}}, + &File{Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: []string{"r", "w"}}, + &File{Path: "@{sys}/devices/@{pci}/class", Access: []string{"r"}}, + }, + { + &Include{IfExists: true, IsMagic: true, Path: "local/foo"}, + }, + }, + wParseRulesErr: false, + }, + { + name: "string.aa/content", + raw: pStringAAContentStr, + blocks: []*block{{ + kind: CONTENT, + raw: pStringAAContentStr, + }}, + wTokenizeErr: false, + rules: []Rules{rulesStringAA}, + wParseBlockErr: false, + apparmor: &AppArmorProfileFile{}, + wParseErr: true, wRules: ParaRules{ { &Include{IsMagic: true, Path: "abstractions/base"}, @@ -1081,9 +1294,255 @@ var ( }, wParseRulesErr: false, }, + { + name: "profile0.aa", + raw: testData.Join("profile0.aa").MustReadFileAsString(), + blocks: []*block{ + { + kind: PROFILE, + raw: "profile A flags=(attach_disconnected)", + next: &block{ + kind: RAW, + raw: "/path/to/A mr,\n\n profile B {\n /path/to/B mr,\n }\n profile C {\n /path/to/C mr,\n }\n profile D {\n /path/to/D mr,\n }", + }, + }, + }, + wTokenizeErr: false, + rules: []Rules{ + {&Profile{ + Header: Header{ + Name: "A", Attachments: []string{}, Attributes: map[string]string{}, + Flags: []string{"attach_disconnected"}, + }, + Rules: Rules{ + &File{Path: "/path/to/A", Access: []string{"m", "r"}}, + profileB, + profileC, + profileD, + }, + }}, + }, + wParseBlockErr: false, + apparmor: &AppArmorProfileFile{ + Profiles: []*Profile{ + { + Header: Header{ + Name: "A", Attachments: []string{}, Attributes: map[string]string{}, + Flags: []string{"attach_disconnected"}, + }, + }, + }, + }, + apparmorAll: &AppArmorProfileFile{ + Profiles: []*Profile{ + { + Header: Header{ + Name: "A", Attachments: []string{}, Attributes: map[string]string{}, + Flags: []string{"attach_disconnected"}, + }, + Rules: Rules{ + &File{Path: "/path/to/A", Access: []string{"m", "r"}}, + profileB, + profileC, + profileD, + }, + }, + }, + }, + wParseErr: false, + wRules: ParaRules{ + { + &File{Path: "/path/to/A", Access: []string{"m", "r"}}, + }, + }, + wParseRulesErr: false, + }, + { + name: "profile1.aa", + raw: testData.Join("profile1.aa").MustReadFileAsString(), + blocks: []*block{ + { + kind: PROFILE, + raw: "profile A flags=(attach_disconnected)", + next: &block{ + kind: RAW, + raw: "/path/to/A mr,\n\n profile B {\n /path/to/B mr,\n\n profile C {\n /path/to/C mr,\n\n profile D {\n /path/to/D mr,\n }\n }\n }", + }, + }, + }, + wTokenizeErr: false, + rules: []Rules{ + {&Profile{ + Header: Header{ + Name: "A", Attachments: []string{}, Attributes: map[string]string{}, + Flags: []string{"attach_disconnected"}, + }, + Rules: Rules{ + &File{Path: "/path/to/A", Access: []string{"m", "r"}}, + &Profile{ + Header: Header{ + Name: "B", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/B", Access: []string{"m", "r"}}, + &Profile{ + Header: Header{ + Name: "C", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/C", Access: []string{"m", "r"}}, + &Profile{ + Header: Header{ + Name: "D", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/D", Access: []string{"m", "r"}}, + }, + }, + }, + }, + }, + }, + }, + }}, + }, + wParseBlockErr: false, + apparmor: &AppArmorProfileFile{ + Profiles: []*Profile{ + { + Header: Header{ + Name: "A", Attachments: []string{}, Attributes: map[string]string{}, + Flags: []string{"attach_disconnected"}, + }, + }, + }, + }, + apparmorAll: &AppArmorProfileFile{ + Profiles: []*Profile{ + { + Header: Header{ + Name: "A", Attachments: []string{}, Attributes: map[string]string{}, + Flags: []string{"attach_disconnected"}, + }, + Rules: Rules{ + &File{Path: "/path/to/A", Access: []string{"m", "r"}}, + &Profile{ + Header: Header{ + Name: "B", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/B", Access: []string{"m", "r"}}, + &Profile{ + Header: Header{ + Name: "C", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/C", Access: []string{"m", "r"}}, + &Profile{ + Header: Header{ + Name: "D", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/D", Access: []string{"m", "r"}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + wParseErr: false, + wRules: ParaRules{ + { + &File{Path: "/path/to/A", Access: []string{"m", "r"}}, + }, + { + &File{Path: "/path/to/B", Access: []string{"m", "r"}}, + }, + { + &File{Path: "/path/to/C", Access: []string{"m", "r"}}, + }, + }, + wParseRulesErr: false, + }, { name: "full.aa", raw: testData.Join("full.aa").MustReadFileAsString(), + blocks: []*block{ + { + kind: CONTENT, + raw: "# Simple test profile with all rules used\n\nabi ,\n\nalias /mnt/usr -> /usr,\n\ninclude # optional: a comment\ninclude if exists \"/etc/apparmor.d/global/dummy space\"\n\n@{name}=torbrowser \"tor browser\" \n@{lib_dirs} = @{lib}/@{name} /opt/@{name} # another comment\n@{config_dirs} = @{HOME}/.mozilla/\n@{cache_dirs}=@{user_cache_dirs}/mozilla/\n\nalias /mnt/{,usr.sbin.}mount.cifs -> /sbin/mount.cifs,\n\n@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}", + }, + { + kind: PROFILE, + raw: "profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected)", + next: &block{ + kind: RAW, + raw: "include \n include \n include \"/etc/apparmor.d/abstractions/dummy space\"\n\n all,\n\n set rlimit nproc <= 200,\n\n userns,\n\n capability dac_read_search,\n capability dac_override,\n\n network inet stream,\n network netlink raw,\n\n mount /{,**},\n mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,\n mount options=(rw silent rprivate) -> /oldroot/,\n mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,\n\n remount /newroot/{,**},\n\n umount @{run}/user/@{uid}/,\n\n pivot_root oldroot=/tmp/oldroot/ /tmp/,\n\n change_profile -> libvirt-@{uuid},\n\n mqueue r type=posix /,\n\n io_uring sqpoll label=foo,\n\n signal (receive) set=(cont,term,winch) peer=at-spi-bus-launcher,\n\n ptrace (read) peer=nautilus,\n\n unix (send receive) type=stream addr=\"@/tmp/.ICE[0-9]-unix/19 5\" peer=(label=gnome-shell, addr=none),\n\n dbus bind bus=session name=org.gnome.*,\n dbus receive bus=system path=/org/freedesktop/DBus\n interface=org.freedesktop.DBus\n member=AddMatch\n peer=(name=:1.3, label=power-profiles-daemon),\n\n # A comment! before a paragraph of rules\n \"/opt/Mullvad VPN/resources/*.so*\" mr,\n \"/opt/Mullvad VPN/resources/*\" r,\n \"/opt/Mullvad VPN/resources/openvpn\" rix,\n /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,\n /opt/intel/oneapi/compiler/*/linux/lib/*.so./* rm,\n\n owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},\n link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#@{int},\n\n @{run}/udev/data/+pci:* r,\n\n @{sys}/devices/@{pci}/class r,\n\n owner @{PROC}/@{pid}/task/@{tid}/comm rw,\n\n ^action {\n include \n include if exists \n }\n\n profile systemctl {\n include \n include \n\n capability net_admin,\n \n include if exists \n }\n\n profile sudo {\n include \n include \n\n @{sh_path} rix,\n\n include if exists \n }\n\n include if exists ", + }, + }, + { + kind: CONTENT, + raw: "\n", + }, + { + kind: PROFILE, + raw: "profile foo2", + next: &block{ + kind: RAW, + raw: "include \n\n include if exists ", + }, + }, + }, + wTokenizeErr: false, + rules: []Rules{ + // block 0: preamble content (parsed via parsePreamble) + { + &Comment{Base: Base{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, + &Include{Base: Base{Comment: " a comment", Optional: true}, IsMagic: true, Path: "tunables/global"}, + &Include{IfExists: true, Path: "/etc/apparmor.d/global/dummy space"}, + &Variable{Name: "name", Values: []string{"torbrowser", "\"tor browser\""}, Define: true}, + &Variable{Base: Base{Comment: " another comment"}, Name: "lib_dirs", Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, Define: true}, + &Variable{Name: "config_dirs", Values: []string{"@{HOME}/.mozilla/"}, Define: true}, + &Variable{Name: "cache_dirs", Values: []string{"@{user_cache_dirs}/mozilla/"}, Define: true}, + &Variable{Name: "exec_path", Values: []string{"@{bin}/@{name}", "@{lib_dirs}/@{name}"}, Define: true}, + &Abi{IsMagic: true, Path: "abi/4.0"}, + &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}, + &Alias{Path: "/mnt/{,usr.sbin.}mount.cifs", RewrittenPath: "/sbin/mount.cifs"}, + }, + // block 1: profile foo (parseBlock returns Rules{&Profile{...}}) + { + &Profile{ + Header: Header{ + Name: "foo", + Attachments: []string{"@{exec_path}"}, + Attributes: map[string]string{"security.tagged": "allowed"}, + Flags: []string{"complain", "attach_disconnected"}, + }, + Rules: rulesFullAA, + }, + }, + // block 2: empty content (newline) + nil, + // block 3: profile foo2 + { + &Profile{ + Header: Header{ + Name: "foo2", + Attachments: []string{}, + Attributes: map[string]string{}, + Flags: []string{}, + }, + Rules: Rules{ + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IfExists: true, IsMagic: true, Path: "local/foo2"}, + }, + }, + }, + }, apparmor: &AppArmorProfileFile{ Preamble: Rules{ &Comment{Base: Base{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, @@ -1115,6 +1574,50 @@ var ( }, }, }, + apparmorAll: &AppArmorProfileFile{ + Preamble: Rules{ + &Comment{Base: Base{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, + &Include{ + Base: Base{Comment: " a comment", Optional: true}, + IsMagic: true, Path: "tunables/global", + }, + &Include{IfExists: true, Path: "/etc/apparmor.d/global/dummy space"}, + &Variable{Name: "name", Values: []string{"torbrowser", "\"tor browser\""}, Define: true}, + &Variable{ + Base: Base{Comment: " another comment"}, Define: true, + Name: "lib_dirs", Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, + }, + &Variable{Name: "config_dirs", Values: []string{"@{HOME}/.mozilla/"}, Define: true}, + &Variable{Name: "cache_dirs", Values: []string{"@{user_cache_dirs}/mozilla/"}, Define: true}, + &Variable{Name: "exec_path", Values: []string{"@{bin}/@{name}", "@{lib_dirs}/@{name}"}, Define: true}, + &Abi{IsMagic: true, Path: "abi/4.0"}, + &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}, + &Alias{Path: "/mnt/{,usr.sbin.}mount.cifs", RewrittenPath: "/sbin/mount.cifs"}, + }, + Profiles: []*Profile{ + { + Header: Header{ + Name: "foo", + Attachments: []string{"@{exec_path}"}, + Attributes: map[string]string{"security.tagged": "allowed"}, + Flags: []string{"complain", "attach_disconnected"}, + }, + Rules: rulesFullAA, + }, + { + Header: Header{ + Name: "foo2", + Attachments: []string{}, + Attributes: map[string]string{}, + Flags: []string{}, + }, + Rules: Rules{ + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IfExists: true, IsMagic: true, Path: "local/foo2"}, + }, + }, + }, + }, wParseErr: false, wRules: ParaRules{ { @@ -1285,4 +1788,262 @@ var ( wParseRulesErr: false, }, } + + // Additional test cases for Scan()) + testParser = []struct { + name string + raw string + want *AppArmorProfileFile + wantErr bool + }{ + { + name: "parse.aa", + raw: testData.Join("parse.aa").MustReadFileAsString(), + want: &AppArmorProfileFile{ + Preamble: Rules{ + &Comment{Base: Base{IsLineRule: true, Comment: " apparmor.d - Full set of apparmor profiles"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " Copyright (C) 2024 Alexandre Pujol "}}, + &Comment{Base: Base{IsLineRule: true, Comment: " SPDX-License-Identifier: GPL-2.0-only"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " TODO: Test rule with only ','"}}, + &Include{ + Base: Base{Optional: true, Comment: " A nice message"}, + IsMagic: true, Path: "tunables/global", + }, + &Include{IfExists: true, Path: "/etc/apparmor.d/global/dummy space"}, + &Variable{ + Name: "name", Define: true, + Values: []string{"torbrowser", "\"tor browser\""}, + }, + &Variable{ + Base: Base{Comment: " This is a comment"}, + Name: "lib_dirs", Define: true, + Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, + }, + &Variable{ + Name: "exec_path", Define: true, + Values: []string{"@{bin}/@{name}", "@{lib_dirs}/@{name}"}, + }, + &Abi{IsMagic: true, Path: "abi/4.0"}, + &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}, + &Alias{Path: "/mnt/{,usr.sbin.}mount.cifs", RewrittenPath: "/sbin/mount.cifs"}, + }, + Profiles: []*Profile{ + { + Header: Header{ + Name: "foo", + Attachments: []string{"@{exec_path}"}, + Attributes: map[string]string{"security.tagged": "allowed"}, + Flags: []string{"complain", "attach_disconnected"}, + }, + Rules: Rules{ + &Include{IsMagic: true, Path: "abstractions/base"}, + &Comment{Base: Base{IsLineRule: true, Comment: " Oh my god, it's a comment! before a paragraph of rules"}}, + &Include{IfExists: true, IsMagic: true, Path: "local/foo"}, + &Remount{MountConditions: MountConditions{Options: []string{}}, MountPoint: "/newroot/{,**}"}, + &Unix{ + Access: []string{"send", "receive"}, + Type: "stream", + Address: "\"@/tmp/.ICE[0-9]-unix/19 5\"", + PeerLabel: "gnome-shell", + PeerAddr: "none", + }, + &Dbus{ + Base: Base{Comment: " wfdwde"}, + Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*", + }, + &Dbus{ + Access: []string{"receive"}, + Bus: "system", + Path: "/org/freedesktop/DBus", + Interface: "org.freedesktop.DBus", + Member: "AddMatch", + PeerName: ":1.3", + PeerLabel: "power-profiles-daemon", + }, + &File{ + Base: Base{Comment: " To be able to read the /proc/ files"}, + Path: "\"/opt/Mullvad VPN/resources/*.so*\"", Access: []string{"m", "r"}, + }, + &File{Path: "/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js", Access: []string{"r", "Px"}}, + &File{Path: "@{bin}/zsh", Access: []string{"r", "ix"}}, + &File{Owner: true, Path: "/{var/,}tmp/#@{int}", Access: []string{"r", "w"}}, + &File{Owner: true, Path: "@{user_config_dirs}/powerdevilrc{,.@{rand6}}", Access: []string{"r", "w", "l"}, Target: "@{user_config_dirs}/#@{int}"}, + }, + }, + }, + }, + wantErr: false, + }, + } + + // Indirect test resources + // pHeaderStr = ` apparmor.d - Full set of apparmor profiles` + pStringAAContentStr = `include + include + + set rlimit nproc <= 200, + + capability dac_read_search, + capability dac_override, + + network inet stream, + network inet6 stream, + + mount fstype=fuse.portal options=(rw rbind) @{run}/user/@{uid}/ -> /, # failed perms check + + umount @{run}/user/@{uid}/, + + signal receive set=term peer=at-spi-bus-launcher, + + ptrace read peer=nautilus, + + unix (send receive) type=stream addr=@/tmp/.ICE-unix/1995 peer=(label=gnome-shell), + + dbus bind bus=session name=org.gnome.*, + dbus receive bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=AddMatch + peer=(name=:1.3, label=power-profiles-daemon), + + /opt/intel/oneapi/compiler/*/linux/lib/*.so./* rm, + @{PROC}/@{pid}/task/@{tid}/comm rw, + @{sys}/devices/@{pci}/class r, + + include if exists ` + rulesStringAA = Rules{ + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, + &Include{IfExists: true, IsMagic: true, Path: "local/foo"}, + &Rlimit{Key: "nproc", Op: "<=", Value: "200"}, + &Capability{Names: []string{"dac_read_search"}}, + &Capability{Names: []string{"dac_override"}}, + &Network{Domain: "inet", Type: "stream"}, + &Network{Domain: "inet6", Type: "stream"}, + &Mount{ + Base: Base{Comment: " failed perms check"}, + MountConditions: MountConditions{ + FsType: "fuse.portal", + Options: []string{"rw", "rbind"}, + }, + Source: "@{run}/user/@{uid}/", + MountPoint: "/", + }, + &Umount{ + MountConditions: MountConditions{Options: []string{}}, + MountPoint: "@{run}/user/@{uid}/", + }, + &Signal{ + Access: []string{"receive"}, + Set: []string{"term"}, + Peer: "at-spi-bus-launcher", + }, + &Ptrace{Access: []string{"read"}, Peer: "nautilus"}, + &Unix{ + Access: []string{"send", "receive"}, + Type: "stream", + Address: "@/tmp/.ICE-unix/1995", + PeerLabel: "gnome-shell", + }, + &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, + &Dbus{ + Access: []string{"receive"}, + Bus: "system", + Name: "", + Path: "/org/freedesktop/DBus", + Interface: "org.freedesktop.DBus", + Member: "AddMatch", + PeerName: ":1.3", + PeerLabel: "power-profiles-daemon", + }, + &File{Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", Access: []string{"m", "r"}}, + &File{Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: []string{"r", "w"}}, + &File{Path: "@{sys}/devices/@{pci}/class", Access: []string{"r"}}, + } + rulesFullAA = Rules{ + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, + &Include{Path: "/etc/apparmor.d/abstractions/dummy space"}, + &Comment{Base: Base{IsLineRule: true, Comment: " A comment! before a paragraph of rules"}}, + &All{}, + &Rlimit{Key: "nproc", Op: "<=", Value: "200"}, + &Userns{Create: true}, + &Capability{Names: []string{"dac_read_search"}}, + &Capability{Names: []string{"dac_override"}}, + &Network{Domain: "inet", Type: "stream"}, + &Network{Domain: "netlink", Type: "raw"}, + &Mount{MountConditions: MountConditions{Options: []string{}}, Source: "/{,**}"}, + &Mount{MountConditions: MountConditions{Options: []string{"rw", "rbind"}}, Source: "/tmp/newroot/", MountPoint: "/tmp/newroot/"}, + &Mount{MountConditions: MountConditions{Options: []string{"rw", "rprivate", "silent"}}, MountPoint: "/oldroot/"}, + &Mount{MountConditions: MountConditions{FsType: "devpts", Options: []string{"rw", "noexec", "nosuid"}}, Source: "devpts", MountPoint: "/newroot/dev/pts/"}, + &Remount{MountConditions: MountConditions{Options: []string{}}, MountPoint: "/newroot/{,**}"}, + &Umount{MountConditions: MountConditions{Options: []string{}}, MountPoint: "@{run}/user/@{uid}/"}, + &PivotRoot{OldRoot: "/tmp/oldroot/", NewRoot: "/tmp/"}, + &ChangeProfile{ProfileName: "libvirt-@{uuid}"}, + &Mqueue{Access: []string{"r"}, Type: "posix", Name: "/"}, + &IOUring{Access: []string{"sqpoll"}, Label: "foo"}, + &Signal{Access: []string{"receive"}, Set: []string{"cont", "term", "winch"}, Peer: "at-spi-bus-launcher"}, + &Ptrace{Access: []string{"read"}, Peer: "nautilus"}, + &Unix{Access: []string{"send", "receive"}, Type: "stream", Address: "\"@/tmp/.ICE[0-9]-unix/19 5\"", PeerLabel: "gnome-shell", PeerAddr: "none"}, + &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, + &Dbus{Access: []string{"receive"}, Bus: "system", Path: "/org/freedesktop/DBus", Interface: "org.freedesktop.DBus", Member: "AddMatch", PeerName: ":1.3", PeerLabel: "power-profiles-daemon"}, + &File{Path: "\"/opt/Mullvad VPN/resources/*.so*\"", Access: []string{"m", "r"}}, + &File{Path: "\"/opt/Mullvad VPN/resources/*\"", Access: []string{"r"}}, + &File{Path: "\"/opt/Mullvad VPN/resources/openvpn\"", Access: []string{"r", "ix"}}, + &File{Path: "/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js", Access: []string{"r", "Px"}}, + &File{Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", Access: []string{"m", "r"}}, + &File{Owner: true, Path: "@{user_config_dirs}/powerdevilrc{,.@{rand6}}", Access: []string{"r", "w", "l"}, Target: "@{user_config_dirs}/#@{int}"}, + &Link{Path: "@{user_config_dirs}/kiorc", Target: "@{user_config_dirs}/#@{int}"}, + &File{Path: "@{run}/udev/data/+pci:*", Access: []string{"r"}}, + &File{Path: "@{sys}/devices/@{pci}/class", Access: []string{"r"}}, + &File{Owner: true, Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: []string{"r", "w"}}, + &Hat{ + Name: "^action", + Rules: Rules{ + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IfExists: true, IsMagic: true, Path: "local/foo_action"}, + }, + }, + &Profile{ + Header: Header{Name: "systemctl", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}}, + Rules: Rules{ + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IsMagic: true, Path: "abstractions/systemctl"}, + &Include{IfExists: true, IsMagic: true, Path: "local/foo_systemctl"}, + &Capability{Names: []string{"net_admin"}}, + }, + }, + &Profile{ + Header: Header{Name: "sudo", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}}, + Rules: Rules{ + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IsMagic: true, Path: "abstractions/app/sudo"}, + &Include{IfExists: true, IsMagic: true, Path: "local/foo_sudo"}, + &File{Path: "@{sh_path}", Access: []string{"r", "ix"}}, + }, + }, + } + profileB = &Profile{ + Header: Header{ + Name: "B", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/B", Access: []string{"m", "r"}}, + }, + } + profileC = &Profile{ + Header: Header{ + Name: "C", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/C", Access: []string{"m", "r"}}, + }, + } + profileD = &Profile{ + Header: Header{ + Name: "D", Attachments: []string{}, Attributes: map[string]string{}, Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/path/to/D", Access: []string{"m", "r"}}, + }, + } ) From ed800c69a1dea4155841d53eb0b70526df1a6463 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 22:33:32 +0100 Subject: [PATCH 1102/1736] fix(aa): parser: various fixes related to comment handling. --- pkg/aa/parse.go | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index f00b862b66..6f7c0f6ba3 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -97,9 +97,20 @@ func tokenizeBlock(input string) ([]*block, error) { blockContentStart := 0 blockContentStartBkp := 0 blockContentEnd := 0 + inComment := false + for idx, r := range input { switch r { + case '#': + inComment = true + + case '\n': + inComment = false + case tokOPENBRACE: + if inComment { + continue + } blockStack = append(blockStack, r) // Block rules starts with ' {', ignore nested blocks and variables @@ -134,6 +145,9 @@ func tokenizeBlock(input string) ([]*block, error) { } case tokCLOSEBRACE: + if inComment { + continue + } if len(blockStack) <= 0 { return nil, fmt.Errorf("unbalanced block, missing '{' for '} at: }%s", input[blockContentStart:idx]) @@ -186,7 +200,6 @@ func tokenizeBlock(input string) ([]*block, error) { case blockHeader == ELSE.Tok(): kind = ELSE default: - fmt.Printf("blockRaw: %v\n", blockRaw) return nil, fmt.Errorf("unrecognized block type: %s", blockHeader) } blocks = append(blocks, &block{ @@ -301,9 +314,12 @@ func parseLineRules(isPreamble bool, input string) (string, Rules, error) { var res Rules var r Rule var err error + var remaining []string for _, line := range strings.Split(input, "\n") { tmp := strings.TrimLeft(line, "\t ") + processed := false + switch { case strings.HasPrefix(tmp, COMMENT.Tok()): r, err = newComment(rule{kv{comment: tmp[1:]}}) @@ -311,7 +327,7 @@ func parseLineRules(isPreamble bool, input string) (string, Rules, error) { return "", nil, err } res = append(res, r) - input = strings.Replace(input, line, "", 1) + processed = true case strings.HasPrefix(tmp, INCLUDE.Tok()): r, err = newInclude(parseRule(line)[1:]) @@ -319,7 +335,7 @@ func parseLineRules(isPreamble bool, input string) (string, Rules, error) { return "", nil, err } res = append(res, r) - input = strings.Replace(input, line, "", 1) + processed = true case strings.HasPrefix(tmp, VARIABLE.Tok()) && isPreamble: r, err = newVariable(parseRule(line)) @@ -327,10 +343,16 @@ func parseLineRules(isPreamble bool, input string) (string, Rules, error) { return "", nil, err } res = append(res, r) - input = strings.Replace(input, line, "", 1) + processed = true + } + + if processed { + remaining = append(remaining, "") + } else { + remaining = append(remaining, line) } } - return input, res, nil + return strings.Join(remaining, "\n"), res, nil } // Parse the comma rules from a raw string. It splits rules string into tokens @@ -443,7 +465,7 @@ func tokenizeRule(str string) []string { blockStack := []rune{} tokens := make([]string, 0, len(str)/2) - if inHeader && len(str) > 2 && str[0:2] == VARIABLE.Tok() { + if inHeader && len(str) > 2 && str[0:2] == VARIABLE.Tok() && strings.Contains(str, "=") { isVariable = true } for _, r := range str { From 89f0a583bba92d59eb0f2d92c12782e6a024e538 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 22:34:34 +0100 Subject: [PATCH 1103/1736] fix(aa): parser: change accepted values depending on file kind. --- pkg/aa/parse.go | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 6f7c0f6ba3..bcc2e9ec4b 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -829,9 +829,13 @@ func newRules(rules []rule) (Rules, error) { func (f *AppArmorProfileFile) parsePreamble(preamble string) error { var err error inHeader = true + isPreamble := false + if f.Kind == ProfileKind { + isPreamble = true + } // Line rules - preamble, lineRules, err := parseLineRules(true, preamble) + preamble, lineRules, err := parseLineRules(isPreamble, preamble) if err != nil { return err } @@ -849,9 +853,17 @@ func (f *AppArmorProfileFile) parsePreamble(preamble string) error { f.Preamble = append(f.Preamble, commaRules...) for _, r := range f.Preamble { - if r.Constraint() == BlockRule { - f.Preamble = nil - return fmt.Errorf("Rule not allowed in preamble: %s", r) + switch f.Kind { + case ProfileKind: + if r.Constraint() == BlockRule { + f.Preamble = nil + return fmt.Errorf("rule not allowed in profile preamble: %s", r) + } + + case AbstractionKind, TunableKind: + + default: + return fmt.Errorf("unknown profile file kind") } } inHeader = false From 1c4ad69d4cb7774e932bab70af65b99e023b0f82 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 22:36:29 +0100 Subject: [PATCH 1104/1736] feat(aa): parser: multipe addition to the rule token - add helper to check for valids keys - support non unique key in the key value rule --- pkg/aa/parse.go | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index bcc2e9ec4b..87d1f19803 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -665,7 +665,10 @@ func (r rule) GetAsMap() map[string][]string { res := map[string][]string{} for _, kv := range r { if kv.values != nil { - res[kv.key] = kv.values.GetSlice() + if res[kv.key] == nil { + res[kv.key] = []string{} + } + res[kv.key] = append(res[kv.key], kv.values.GetSlice()...) } } return res @@ -685,12 +688,13 @@ func (r rule) GetAsMap() map[string][]string { // {key: "label", values: rule{{Key: "power-profiles-daemon"}}}, // }}, func (r rule) GetValues(key string) rule { + var res rule for _, kv := range r { - if kv.key == key { - return kv.values + if kv.key == key && kv.values != nil { + res = append(res, kv.values...) } } - return nil + return res } // GetValuesAsSlice return the values from a key as a slice. @@ -720,6 +724,18 @@ func (r rule) GetValuesAsString(key string) string { return r.GetValues(key).GetString() } +// ValidateMapKeys validate that all map keys in a rule are in the validKeys slice. +func (r rule) ValidateMapKeys(validKeys []string) error { + for _, kv := range r { + if kv.values != nil { + if !slices.Contains(validKeys, kv.key) { + return fmt.Errorf("invalid modifier '%s' in rule: %s", kv.key, r) + } + } + } + return nil +} + // String return a generic representation of a rule. func (r rule) String() string { var res strings.Builder From 510227a3daa4236c772e42d410633c28f01ce9ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 22:37:29 +0100 Subject: [PATCH 1105/1736] fix(aa): parser: ensure the owner keywork is only accpeted in file and link rules. --- pkg/aa/parse.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 87d1f19803..c8d6ec07bb 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -814,8 +814,12 @@ func newRules(rules []rule) (Rules, error) { if err != nil { return nil, err } - if owner && r.Kind() == LINK { - r.(*Link).Owner = owner + if owner { + if r.Kind() == LINK { + r.(*Link).Owner = owner + } else { + return nil, fmt.Errorf("owner not allowed in %s rule : %s", r.Kind(), rule) + } } res = append(res, r) } else { @@ -830,8 +834,10 @@ func newRules(rules []rule) (Rules, error) { r.(*File).Owner = owner res = append(res, r) } else { - fmt.Printf("Unknown rule: %s", rule) - // return nil, fmt.Errorf("Unknown rule: %s", rule) + if owner { + return nil, fmt.Errorf("owner not allowed in %s rule : %s", r.Kind(), rule) + } + return nil, fmt.Errorf("unknown rule: %s", rule) } } else { return nil, fmt.Errorf("unrecognized rule: %s", rule) From bb7941d7e9cfdf358b9de22ed0c18be2e5d5b032 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 23:19:00 +0100 Subject: [PATCH 1106/1736] feat(aa): improve hat support. --- pkg/aa/apparmor.go | 1 + pkg/aa/blocks.go | 8 ++++++-- pkg/aa/parse.go | 14 ++++++++++++++ pkg/aa/parse_test.go | 3 ++- pkg/aa/templates/apparmor.j2 | 5 +++++ pkg/aa/templates/hat.j2 | 3 +++ 6 files changed, 31 insertions(+), 3 deletions(-) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 91b209ea5d..441bb74550 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -49,6 +49,7 @@ type AppArmorProfileFiles map[string]*AppArmorProfileFile type AppArmorProfileFile struct { Preamble Rules Profiles []*Profile + Hats []*Hat Kind FileKind } diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index bb3d1417d0..eef87cb620 100644 --- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -14,15 +14,19 @@ const ( type Hat struct { Base Name string + Flags []string Rules Rules } func newHat(rule rule) (*Hat, error) { name := "" if len(rule) > 0 { - name = rule.Get(0) + name = strings.TrimPrefix(rule.Get(0), HAT.Tok()) } - return &Hat{Name: name}, nil + return &Hat{ + Name: name, + Flags: rule.GetValuesAsSlice(tokFLAGS), + }, nil } func (p *Hat) Kind() Kind { diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index c8d6ec07bb..2026bcea56 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -1015,6 +1015,20 @@ func (f *AppArmorProfileFile) Scan(input string) error { } f.Profiles = append(f.Profiles, profile) + case HAT: + inHeader = true + hat, err := newHat(parseRule(block.raw)) + inHeader = false + if err != nil { + return err + } + rules, err := parseBlock(block.next) + if err != nil { + return err + } + hat.Rules = rules + f.Hats = append(f.Hats, hat) + default: return fmt.Errorf("Illegal %s block in profile file", block.kind) } diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 8317f7399d..c37baef972 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -1997,7 +1997,8 @@ var ( &File{Path: "@{sys}/devices/@{pci}/class", Access: []string{"r"}}, &File{Owner: true, Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: []string{"r", "w"}}, &Hat{ - Name: "^action", + Name: "action", + Flags: []string{}, Rules: Rules{ &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IfExists: true, IsMagic: true, Path: "local/foo_action"}, diff --git a/pkg/aa/templates/apparmor.j2 b/pkg/aa/templates/apparmor.j2 index 75a0026fc5..0dc49633a1 100644 --- a/pkg/aa/templates/apparmor.j2 +++ b/pkg/aa/templates/apparmor.j2 @@ -11,4 +11,9 @@ {{- "\n" -}} {{- end -}} + {{- range .Hats -}} + {{- template "hat" . -}} + {{- "\n" -}} + {{- end -}} + {{- end -}} diff --git a/pkg/aa/templates/hat.j2 b/pkg/aa/templates/hat.j2 index 694c3accc7..c2dae888a3 100644 --- a/pkg/aa/templates/hat.j2 +++ b/pkg/aa/templates/hat.j2 @@ -8,6 +8,9 @@ {{- with .Name -}} {{ " " }}{{ . }} {{- end -}} + {{- with .Flags -}} + {{ " flags=(" }}{{ join . }}{{ ")" }} + {{- end -}} {{- " {\n" -}} {{- setindent "++" -}} From a08f8a58709db2ea23b583d8255066a4c31f122e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 23:22:42 +0100 Subject: [PATCH 1107/1736] feat(aa): validate parser rules for extra data. --- pkg/aa/all.go | 2 +- pkg/aa/blocks.go | 2 +- pkg/aa/capability.go | 2 +- pkg/aa/change_profile.go | 2 +- pkg/aa/dbus.go | 6 ++++++ pkg/aa/io_uring.go | 2 +- pkg/aa/mount.go | 6 +++--- pkg/aa/mqueue.go | 2 +- pkg/aa/pivot_root.go | 2 +- pkg/aa/signal.go | 2 +- pkg/aa/unix.go | 6 ++++++ pkg/aa/userns.go | 2 +- 12 files changed, 24 insertions(+), 12 deletions(-) diff --git a/pkg/aa/all.go b/pkg/aa/all.go index 21368d3201..abe7dacb0b 100644 --- a/pkg/aa/all.go +++ b/pkg/aa/all.go @@ -13,7 +13,7 @@ type All struct { } func newAll(q Qualifier, rule rule) (Rule, error) { - return &All{Base: newBase(rule)}, nil + return &All{Base: newBase(rule)}, rule.ValidateMapKeys([]string{}) } func (r *All) Kind() Kind { diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index eef87cb620..a21ef2472d 100644 --- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -26,7 +26,7 @@ func newHat(rule rule) (*Hat, error) { return &Hat{ Name: name, Flags: rule.GetValuesAsSlice(tokFLAGS), - }, nil + }, rule.ValidateMapKeys([]string{"flags"}) } func (p *Hat) Kind() Kind { diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go index a55f8bc9ba..c11484611c 100644 --- a/pkg/aa/capability.go +++ b/pkg/aa/capability.go @@ -40,7 +40,7 @@ func newCapability(q Qualifier, rule rule) (Rule, error) { Base: newBase(rule), Qualifier: q, Names: names, - }, nil + }, rule.ValidateMapKeys([]string{}) } func newCapabilityFromLog(log map[string]string) Rule { diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go index 5334b343c8..64d6dbe0ed 100644 --- a/pkg/aa/change_profile.go +++ b/pkg/aa/change_profile.go @@ -54,7 +54,7 @@ func newChangeProfile(q Qualifier, rule rule) (Rule, error) { ExecMode: mode, Exec: exec, ProfileName: target, - }, nil + }, rule.ValidateMapKeys([]string{}) } func newChangeProfileFromLog(log map[string]string) Rule { diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index a4894a6cfb..30196b0461 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -38,6 +38,12 @@ func newDbus(q Qualifier, rule rule) (Rule, error) { if err != nil { return nil, err } + if err := rule.ValidateMapKeys([]string{"bus", "name", "path", "interface", "member", "peer"}); err != nil { + return nil, err + } + if err := rule.GetValues("peer").ValidateMapKeys([]string{"name", "label"}); err != nil { + return nil, err + } return &Dbus{ Base: newBase(rule), Qualifier: q, diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go index 76e9e172d2..30975a759c 100644 --- a/pkg/aa/io_uring.go +++ b/pkg/aa/io_uring.go @@ -33,7 +33,7 @@ func newIOUring(q Qualifier, rule rule) (Rule, error) { Qualifier: q, Access: accesses, Label: rule.GetValuesAsString("label"), - }, nil + }, rule.ValidateMapKeys([]string{"label"}) } func newIOUringFromLog(log map[string]string) Rule { diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 72719414dd..6bd5b2f415 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -131,7 +131,7 @@ func newMount(q Qualifier, rule rule) (Rule, error) { MountConditions: conditions, Source: src, MountPoint: mount, - }, nil + }, rule.ValidateMapKeys([]string{"fstype", "options", "flags"}) } func newMountFromLog(log map[string]string) Rule { @@ -232,7 +232,7 @@ func newUmount(q Qualifier, rule rule) (Rule, error) { Qualifier: q, MountConditions: conditions, MountPoint: mount, - }, nil + }, rule.ValidateMapKeys([]string{"fstype", "options", "flags"}) } func newUmountFromLog(log map[string]string) Rule { @@ -328,7 +328,7 @@ func newRemount(q Qualifier, rule rule) (Rule, error) { Qualifier: q, MountConditions: conditions, MountPoint: mount, - }, nil + }, rule.ValidateMapKeys([]string{"fstype", "options", "flags"}) } func newRemountFromLog(log map[string]string) Rule { diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go index 12ae4bd599..2626100d99 100644 --- a/pkg/aa/mqueue.go +++ b/pkg/aa/mqueue.go @@ -53,7 +53,7 @@ func newMqueue(q Qualifier, rule rule) (Rule, error) { Type: rule.GetValuesAsString("type"), Label: rule.GetValuesAsString("label"), Name: name, - }, nil + }, rule.ValidateMapKeys([]string{"type", "label"}) } func newMqueueFromLog(log map[string]string) Rule { diff --git a/pkg/aa/pivot_root.go b/pkg/aa/pivot_root.go index 8632b4490b..c682ddb27f 100644 --- a/pkg/aa/pivot_root.go +++ b/pkg/aa/pivot_root.go @@ -37,7 +37,7 @@ func newPivotRoot(q Qualifier, rule rule) (Rule, error) { OldRoot: rule.GetValuesAsString("oldroot"), NewRoot: newroot, TargetProfile: target, - }, nil + }, rule.ValidateMapKeys([]string{"oldroot"}) } func newPivotRootFromLog(log map[string]string) Rule { diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go index 319e165841..df558496be 100644 --- a/pkg/aa/signal.go +++ b/pkg/aa/signal.go @@ -54,7 +54,7 @@ func newSignal(q Qualifier, rule rule) (Rule, error) { Access: accesses, Set: set, Peer: rule.GetValuesAsString("peer"), - }, nil + }, rule.ValidateMapKeys([]string{"set", "peer"}) } func newSignalFromLog(log map[string]string) Rule { diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index a99bc72951..f57966ea6e 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go @@ -39,6 +39,12 @@ func newUnix(q Qualifier, rule rule) (Rule, error) { if err != nil { return nil, err } + if err := rule.ValidateMapKeys([]string{"type", "protocol", "addr", "label", "attr", "opt", "peer"}); err != nil { + return nil, err + } + if err := rule.GetValues("peer").ValidateMapKeys([]string{"label", "addr"}); err != nil { + return nil, err + } return &Unix{ Base: newBase(rule), Qualifier: q, diff --git a/pkg/aa/userns.go b/pkg/aa/userns.go index f4a9815c6e..65c4aac575 100644 --- a/pkg/aa/userns.go +++ b/pkg/aa/userns.go @@ -31,7 +31,7 @@ func newUserns(q Qualifier, rule rule) (Rule, error) { Base: newBase(rule), Qualifier: q, Create: create, - }, nil + }, rule.ValidateMapKeys([]string{}) } func newUsernsFromLog(log map[string]string) Rule { From 2a108ea4f3d94c4ab27cff92a63babb003c981d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 23:23:25 +0100 Subject: [PATCH 1108/1736] feat(aa): merge all possible mount flags. --- pkg/aa/mount.go | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 6bd5b2f415..94cf43977b 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -16,17 +16,18 @@ const ( func init() { requirements[MOUNT] = requirement{ - "flags_bind": { + "flags": { + // flags bind "B", "bind", "R", "rbind", - }, - "flags_change": { + + // flags change "remount", "unbindable", "shared", "private", "slave", "runbindable", "rshared", "rprivate", "rslave", "make-unbindable", "make-shared", "make-private", "make-slave", "make-runbindable", "make-rshared", "make-rprivate", "make-rslave", - }, - "flags": { - "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", + + // flags mount + "ro", "rw", "w", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", From d0f234cfe92fc25e9b0815af689aefda1b88ed75 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 23:25:08 +0100 Subject: [PATCH 1109/1736] feat(aa): improve the way we validate network rules. --- pkg/aa/blocks.go | 2 ++ pkg/aa/network.go | 92 +++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 80 insertions(+), 14 deletions(-) diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index a21ef2472d..7f89fa26eb 100644 --- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -4,6 +4,8 @@ package aa +import "strings" + const ( HAT Kind = "hat" IF Kind = "if" diff --git a/pkg/aa/network.go b/pkg/aa/network.go index b11362aae8..33da1d09d9 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -6,7 +6,9 @@ package aa import ( "fmt" + "net" "slices" + "strconv" ) const NETWORK Kind = "network" @@ -38,6 +40,13 @@ type LocalAddress struct { Port string } +func newLocalAddress(rule rule) (LocalAddress, error) { + return LocalAddress{ + IP: rule.GetValuesAsString("ip"), + Port: rule.GetValuesAsString("port"), + }, nil +} + func newLocalAddressFromLog(log map[string]string) LocalAddress { return LocalAddress{ IP: log["laddr"], @@ -45,6 +54,19 @@ func newLocalAddressFromLog(log map[string]string) LocalAddress { } } +func (r LocalAddress) Validate() error { + if r.IP != "" && r.IP != "none" && net.ParseIP(r.IP) == nil { + return fmt.Errorf("invalid IP address: %s", r.IP) + } + if r.Port != "" { + port, err := strconv.Atoi(r.Port) + if err != nil || port < 0 || port > 65535 { + return fmt.Errorf("invalid port: %s", r.Port) + } + } + return nil +} + func (r LocalAddress) Compare(other LocalAddress) int { if res := compare(r.IP, other.IP); res != 0 { return res @@ -58,6 +80,13 @@ type PeerAddress struct { Src string } +func newPeerAddress(rule rule) (PeerAddress, error) { + return PeerAddress{ + IP: rule.GetValues("peer").GetValuesAsString("ip"), + Port: rule.GetValues("peer").GetValuesAsString("port"), + }, nil +} + func newPeerAddressFromLog(log map[string]string) PeerAddress { return PeerAddress{ IP: log["faddr"], @@ -66,6 +95,19 @@ func newPeerAddressFromLog(log map[string]string) PeerAddress { } } +func (r PeerAddress) Validate() error { + if r.IP != "" && r.IP != "none" && net.ParseIP(r.IP) == nil { + return fmt.Errorf("invalid IP address: %s", r.IP) + } + if r.Port != "" { + port, err := strconv.Atoi(r.Port) + if err != nil || port < 0 || port > 65535 { + return fmt.Errorf("invalid port: %s", r.Port) + } + } + return nil +} + func (r PeerAddress) Compare(other PeerAddress) int { if res := compare(r.IP, other.IP); res != 0 { return res @@ -88,24 +130,40 @@ type Network struct { } func newNetwork(q Qualifier, rule rule) (Rule, error) { + var accesses []string nType, protocol, domain := "", "", "" - r := rule.GetSlice() - if len(r) > 0 { - domain = r[0] - } - if len(r) >= 2 { - if slices.Contains(requirements[NETWORK]["type"], r[1]) { - nType = r[1] - } else if slices.Contains(requirements[NETWORK]["protocol"], r[1]) { - protocol = r[1] + + // Classify each token as access, domain, type, or protocol + for _, token := range rule.GetSlice() { + switch { + case slices.Contains(requirements[NETWORK]["access"], token): + accesses = append(accesses, token) + case slices.Contains(requirements[NETWORK]["domains"], token): + domain = token + case slices.Contains(requirements[NETWORK]["type"], token): + nType = token + case slices.Contains(requirements[NETWORK]["protocol"], token): + protocol = token } } + + localAdress, err := newLocalAddress(rule) + if err != nil { + return nil, err + } + peerAddress, err := newPeerAddress(rule) + if err != nil { + return nil, err + } return &Network{ - Base: newBase(rule), - Qualifier: q, - Domain: domain, - Type: nType, - Protocol: protocol, + Base: newBase(rule), + Qualifier: q, + LocalAddress: localAdress, + PeerAddress: peerAddress, + Access: accesses, + Domain: domain, + Type: nType, + Protocol: protocol, }, nil } @@ -147,6 +205,12 @@ func (r *Network) Validate() error { if err := validateValues(r.Kind(), "protocol", []string{r.Protocol}); err != nil { return fmt.Errorf("%s: %w", r, err) } + if err := r.LocalAddress.Validate(); err != nil { + return fmt.Errorf("%s: %w", r, err) + } + if err := r.PeerAddress.Validate(); err != nil { + return fmt.Errorf("%s: %w", r, err) + } return nil } From c763cbed6324627987fcb20f02fdc67d7bb07de4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 23:30:46 +0100 Subject: [PATCH 1110/1736] feat(aa): validate parser rules for extra data (2). --- pkg/aa/file.go | 4 ++-- pkg/aa/preamble.go | 6 +++--- pkg/aa/profile.go | 2 +- pkg/aa/ptrace.go | 18 ++++++++++++------ pkg/aa/rlimit.go | 2 +- 5 files changed, 19 insertions(+), 13 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 26f22521ea..671c1414b2 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -84,7 +84,7 @@ func newFile(q Qualifier, rule rule) (Rule, error) { Path: path, Access: accesses, Target: target, - }, nil + }, rule.ValidateMapKeys([]string{}) } func newFileFromLog(log map[string]string) Rule { @@ -255,7 +255,7 @@ func newLink(q Qualifier, rule rule) (Rule, error) { Subset: subset, Path: path, Target: target, - }, nil + }, rule.ValidateMapKeys([]string{}) } func newLinkFromLog(log map[string]string) Rule { diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 50e7dbef7a..9663f5200a 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go @@ -84,7 +84,7 @@ func newAbi(q Qualifier, rule rule) (Rule, error) { Base: newBase(rule), Path: strings.Trim(path, "\"<>"), IsMagic: magic, - }, nil + }, rule.ValidateMapKeys([]string{}) } func (r *Abi) Kind() Kind { @@ -138,7 +138,7 @@ func newAlias(q Qualifier, rule rule) (Rule, error) { Base: newBase(rule), Path: rule.Get(0), RewrittenPath: rule.Get(2), - }, nil + }, rule.ValidateMapKeys([]string{}) } func (r *Alias) Kind() Kind { @@ -211,7 +211,7 @@ func newInclude(rule rule) (Rule, error) { IfExists: ifexists, Path: strings.Trim(path, "\"<>"), IsMagic: magic, - }, nil + }, rule.ValidateMapKeys([]string{}) } func (r *Include) Kind() Kind { diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 186341e0d3..8261382440 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -67,7 +67,7 @@ func newHeader(rule rule) (Header, error) { Attachments: attachments, Attributes: attributes, Flags: rule.GetValuesAsSlice(tokFLAGS), - }, nil + }, rule.ValidateMapKeys([]string{tokATTRIBUTES, tokFLAGS}) } func (p *Profile) Kind() Kind { diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go index 7e0990fe8c..1875d0b530 100644 --- a/pkg/aa/ptrace.go +++ b/pkg/aa/ptrace.go @@ -4,16 +4,14 @@ package aa -import ( - "fmt" -) +import "fmt" const PTRACE Kind = "ptrace" func init() { requirements[PTRACE] = requirement{ "access": []string{ - "r", "w", "rw", "read", "readby", "trace", "tracedby", + "r", "w", "rw", "read", "write", "readby", "trace", "tracedby", }, } } @@ -30,12 +28,20 @@ func newPtrace(q Qualifier, rule rule) (Rule, error) { if err != nil { return nil, err } + peers := rule.GetValuesAsSlice("peer") + if len(peers) > 1 { + return nil, fmt.Errorf("multiple 'peer' not allowed in rule: %s", rule) + } + peer := "" + if len(peers) == 1 { + peer = peers[0] + } return &Ptrace{ Base: newBase(rule), Qualifier: q, Access: accesses, - Peer: rule.GetValuesAsString("peer"), - }, nil + Peer: peer, + }, rule.ValidateMapKeys([]string{"peer"}) } func newPtraceFromLog(log map[string]string) Rule { diff --git a/pkg/aa/rlimit.go b/pkg/aa/rlimit.go index 29c617ff13..8db47f55e4 100644 --- a/pkg/aa/rlimit.go +++ b/pkg/aa/rlimit.go @@ -39,7 +39,7 @@ func newRlimit(q Qualifier, rule rule) (Rule, error) { Key: rule.Get(1), Op: rule.Get(2), Value: rule.Get(3), - }, nil + }, rule.ValidateMapKeys([]string{}) } func newRlimitFromLog(log map[string]string) Rule { From 4e3fb57a4afcf187dd432fddfc4fdb905c871b20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Dec 2025 23:32:37 +0100 Subject: [PATCH 1111/1736] fix(aa): parser: non recognized flag when attachment is the profile name. --- pkg/aa/parse.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 2026bcea56..f7ccfc5e8d 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -276,7 +276,9 @@ func parseBlock(b *block) (Rules, error) { return res, nil case PROFILE: + inHeader = true header, err := newHeader(parseRule(b.raw)) + inHeader = false if err != nil { return nil, err } @@ -291,7 +293,9 @@ func parseBlock(b *block) (Rules, error) { res = append(res, profile) case HAT: + inHeader = true hat, err := newHat(parseRule(b.raw)) + inHeader = false if err != nil { return nil, err } @@ -540,7 +544,7 @@ func parseRule(str string) rule { res := make(rule, 0, len(str)/2) tokens := tokenizeRule(str) - inAare := len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) + inAare := len(tokens) > 0 && (tokens[0] == tokOWNER || (isAARE(tokens[0]) && !inHeader)) for idx, token := range tokens { switch { case token == tokEQUAL, token == tokPLUS+tokEQUAL, token == tokLESS+tokEQUAL: // Variable & Rlimit @@ -1001,7 +1005,9 @@ func (f *AppArmorProfileFile) Scan(input string) error { } case PROFILE: + inHeader = true header, err := newHeader(parseRule(block.raw)) + inHeader = false if err != nil { return err } From c690c88314bf5cf4294a024632be668b2653767f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 01:21:01 +0100 Subject: [PATCH 1112/1736] feat(aa): add initial support for conditions and boolean. --- pkg/aa/apparmor.go | 9 +-- pkg/aa/blocks.go | 48 ++++++++++++- pkg/aa/parse.go | 24 ++++++- pkg/aa/parse_test.go | 111 ++++++++++++++++++++++++++++++- pkg/aa/preamble.go | 73 ++++++++++++++++++++ pkg/aa/templates/apparmor.j2 | 5 ++ pkg/aa/templates/condition.j2 | 26 ++++++++ pkg/aa/templates/rule/boolean.j2 | 9 +++ pkg/aa/templates/rules.j2 | 8 +++ 9 files changed, 306 insertions(+), 7 deletions(-) create mode 100644 pkg/aa/templates/condition.j2 create mode 100644 pkg/aa/templates/rule/boolean.j2 diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 441bb74550..1cdbafd7a3 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -47,10 +47,11 @@ type AppArmorProfileFiles map[string]*AppArmorProfileFile // - Some rules are not supported yet (subprofile, hat...) // - The structure is simplified as it only aims at writing profile, not parsing it. type AppArmorProfileFile struct { - Preamble Rules - Profiles []*Profile - Hats []*Hat - Kind FileKind + Preamble Rules + Profiles []*Profile + Hats []*Hat + Conditions []*Condition + Kind FileKind } func NewAppArmorProfile() *AppArmorProfileFile { diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index 7f89fa26eb..79803cfc8b 100644 --- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -4,7 +4,9 @@ package aa -import "strings" +import ( + "strings" +) const ( HAT Kind = "hat" @@ -61,3 +63,47 @@ func (p *Hat) Lengths() []int { } func (p *Hat) setPaddings(max []int) {} // No paddings for hat + +// Condition represents a single AppArmor condition. +type Condition struct { + Base + Expression string + IfRules Rules + ElseRules Rules +} + +func newCondition(rule rule) (*Condition, error) { + expression := strings.TrimPrefix(rule.GetString(), IF.Tok()+" ") + return &Condition{Expression: expression}, nil +} + +func (p *Condition) Kind() Kind { + return IF +} + +func (p *Condition) Constraint() Constraint { + return BlockRule +} + +func (p *Condition) String() string { + return renderTemplate(p.Kind(), p) +} + +func (p *Condition) Validate() error { + return nil +} + +func (p *Condition) Compare(other Rule) int { + o, _ := other.(*Condition) + return compare(p.Expression, o.Expression) +} + +func (p *Condition) Merge(other Rule) bool { + return false // Never merge hat blocks +} + +func (p *Condition) Lengths() []int { + return []int{} // No len for hat +} + +func (p *Condition) setPaddings(max []int) {} // No paddings for hat diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index f7ccfc5e8d..5a2a8b6beb 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -57,6 +57,7 @@ var ( tok = map[Kind]string{ COMMENT: "#", VARIABLE: "@{", + BOOLEAN: "$", HAT: "^", } openBlocks = []rune{tokOPENPAREN, tokOPENBRACE, tokOPENBRACKET} @@ -307,7 +308,20 @@ func parseBlock(b *block) (Rules, error) { res = append(res, hat) case IF, ELSE: - // Not implemented yet + condition, err := newCondition(parseRule(b.raw)) + if err != nil { + return nil, err + } + rules, err := parseBlock(b.next) + if err != nil { + return nil, err + } + if b.kind == IF { + condition.IfRules = rules + } else { + condition.ElseRules = rules + } + res = append(res, condition) } return res, nil @@ -348,6 +362,14 @@ func parseLineRules(isPreamble bool, input string) (string, Rules, error) { } res = append(res, r) processed = true + + case strings.HasPrefix(tmp, BOOLEAN.Tok()) && isPreamble: + r, err = newBoolean(parseRule(line)) + if err != nil { + return "", nil, err + } + res = append(res, r) + processed = true } if processed { diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index c37baef972..ea561fa3c2 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -132,7 +132,7 @@ func Test_parseBlock(t *testing.T) { var err error var got Rules want := tt.rules[idx] - if b.kind == CONTENT && strings.HasPrefix(b.raw, "# Simple test") { + if idx == 0 && b.kind == CONTENT && (strings.HasPrefix(b.raw, "# Simple test") || strings.Contains(b.raw, "$")) { f := &AppArmorProfileFile{} err = f.parsePreamble(b.raw) got = f.Preamble @@ -1049,6 +1049,115 @@ var ( wRules: ParaRules{}, wParseRulesErr: false, }, + { + name: "condition-1", + raw: ` + $FOO=true + $BAR = False + + /bin/true { + /bin/false rix, + if ${FOO} { + /bin/true rix, + } + /bin/true rix, + if ${BAR} { + /etc/shadow rw, + } + /bin/sh rix, + }`, + blocks: []*block{ + { + kind: CONTENT, + raw: "\n\t\t\t$FOO=true\n\t\t\t$BAR = False\n", + }, + { + kind: PROFILE, + raw: "/bin/true", + next: &block{ + kind: RAW, + raw: "/bin/false rix,\n\t\t\t if ${FOO} {\n\t\t\t /bin/true rix,\n\t\t\t }\n\t\t\t /bin/true rix,\n\t\t\t if ${BAR} {\n\t\t\t /etc/shadow rw,\n\t\t\t }\n\t\t\t /bin/sh rix,", + }, + }, + }, + wTokenizeErr: false, + rules: []Rules{ + { + &Boolean{Name: "FOO", Value: true}, + &Boolean{Name: "BAR", Value: false}, + }, + { + &Profile{ + Header: Header{ + Name: "/bin/true", + Attachments: []string{}, + Attributes: map[string]string{}, + Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/bin/false", Access: []string{"r", "ix"}}, + &Condition{ + Expression: "${FOO}", + IfRules: Rules{ + &File{Path: "/bin/true", Access: []string{"r", "ix"}}, + }, + }, + &File{Path: "/bin/true", Access: []string{"r", "ix"}}, + &Condition{ + Expression: "${BAR}", + IfRules: Rules{ + &File{Path: "/etc/shadow", Access: []string{"r", "w"}}, + }, + }, + &File{Path: "/bin/sh", Access: []string{"r", "ix"}}, + }, + }, + }, + }, + wParseBlockErr: false, + apparmor: &AppArmorProfileFile{ + Preamble: Rules{ + &Boolean{Name: "FOO", Value: true}, + &Boolean{Name: "BAR", Value: false}, + }, + }, + apparmorAll: &AppArmorProfileFile{ + Preamble: Rules{ + &Boolean{Name: "FOO", Value: true}, + &Boolean{Name: "BAR", Value: false}, + }, + Profiles: []*Profile{ + { + Header: Header{ + Name: "/bin/true", + Attachments: []string{}, + Attributes: map[string]string{}, + Flags: []string{}, + }, + Rules: Rules{ + &File{Path: "/bin/false", Access: []string{"r", "ix"}}, + &Condition{ + Expression: "${FOO}", + IfRules: Rules{ + &File{Path: "/bin/true", Access: []string{"r", "ix"}}, + }, + }, + &File{Path: "/bin/true", Access: []string{"r", "ix"}}, + &Condition{ + Expression: "${BAR}", + IfRules: Rules{ + &File{Path: "/etc/shadow", Access: []string{"r", "w"}}, + }, + }, + &File{Path: "/bin/sh", Access: []string{"r", "ix"}}, + }, + }, + }, + }, + wParseErr: false, + wRules: ParaRules{nil}, + wParseRulesErr: false, + }, { name: "string.aa", raw: testData.Join("string.aa").MustReadFileAsString(), diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 9663f5200a..1df33266bb 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go @@ -14,6 +14,7 @@ const ( ALIAS Kind = "alias" INCLUDE Kind = "include" VARIABLE Kind = "variable" + BOOLEAN Kind = "boolean" COMMENT Kind = "comment" tokIFEXISTS = "if exists" @@ -335,3 +336,75 @@ func (r *Variable) Lengths() []int { } func (r *Variable) setPaddings(max []int) {} // No paddings for variable + +type Boolean struct { + Base + Name string + Value bool +} + +func newBoolean(rule rule) (Rule, error) { + name, value := "", false + + switch len(rule) { + case 1: + name = strings.Trim(rule.Get(0), BOOLEAN.Tok()+"{}") + value = rule.GetValuesAsString(rule.Get(0)) == "true" + + case 3: + name = strings.Trim(rule.Get(0), BOOLEAN.Tok()+"{}") + if rule.Get(1) != tokEQUAL { + return nil, fmt.Errorf("invalid boolean format, missing %s in: %s", tokEQUAL, rule) + } + value = rule.Get(2) == "true" + + default: + return nil, fmt.Errorf("invalid boolean format: %v", rule) + } + + return &Boolean{ + Base: newBase(rule), + Name: name, + Value: value, + }, nil +} + +func (r *Boolean) Kind() Kind { + return BOOLEAN +} + +func (r *Boolean) Constraint() Constraint { + return PreambleRule +} + +func (r *Boolean) String() string { + return renderTemplate(r.Kind(), r) +} + +func (r *Boolean) Validate() error { + return nil +} + +func (r *Boolean) Compare(other Rule) int { + o, _ := other.(*Boolean) + if res := compare(r.Name, o.Name); res != 0 { + return res + } + return compare(r.Value, o.Value) +} + +func (r *Boolean) Merge(other Rule) bool { + o, _ := other.(*Boolean) + + if r.Name == o.Name && r.Value == o.Value { + b := &r.Base + return b.merge(o.Base) + } + return false +} + +func (r *Boolean) Lengths() []int { + return []int{} // No len for boolean +} + +func (r *Boolean) setPaddings(max []int) {} // No paddings for boolean diff --git a/pkg/aa/templates/apparmor.j2 b/pkg/aa/templates/apparmor.j2 index 0dc49633a1..3a414e8aaf 100644 --- a/pkg/aa/templates/apparmor.j2 +++ b/pkg/aa/templates/apparmor.j2 @@ -16,4 +16,9 @@ {{- "\n" -}} {{- end -}} + {{- range .Conditions -}} + {{- template "if" . -}} + {{- "\n" -}} + {{- end -}} + {{- end -}} diff --git a/pkg/aa/templates/condition.j2 b/pkg/aa/templates/condition.j2 new file mode 100644 index 0000000000..81d462cc04 --- /dev/null +++ b/pkg/aa/templates/condition.j2 @@ -0,0 +1,26 @@ +{{- /* apparmor.d - Full set of apparmor profiles */ -}} +{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}} +{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} + +{{- define "if" -}} + + {{- "if" -}} + {{- with .Expression -}} + {{ " " }}{{ . }} + {{- end -}} + + {{- " {\n" -}} + {{- setindent "++" -}} + {{- template "rules" .IfRules -}} + {{- setindent "--" -}} + {{- indent "}" -}} + + {{- with .ElseRules -}} + {{- " {\n" -}} + {{- setindent "++" -}} + {{- template "rules" . -}} + {{- setindent "--" -}} + {{- indent "}" -}} + {{- end -}} + +{{- end -}} diff --git a/pkg/aa/templates/rule/boolean.j2 b/pkg/aa/templates/rule/boolean.j2 new file mode 100644 index 0000000000..2e756e5932 --- /dev/null +++ b/pkg/aa/templates/rule/boolean.j2 @@ -0,0 +1,9 @@ +{{- /* apparmor.d - Full set of apparmor profiles */ -}} +{{- /* Copyright (C) 2021-2024 Alexandre Pujol */ -}} +{{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} + +{{- define "boolean" -}} + {{- "$" -}}{{- .Name -}}{{- " = " -}} + {{- .Value -}} + {{- template "comment" . -}} +{{- end -}} diff --git a/pkg/aa/templates/rules.j2 b/pkg/aa/templates/rules.j2 index 9c08abfeb9..c7ae93c569 100644 --- a/pkg/aa/templates/rules.j2 +++ b/pkg/aa/templates/rules.j2 @@ -39,6 +39,10 @@ {{- template "variable" . -}} {{- end -}} + {{- if eq $kind "boolean" -}} + {{- template "boolean" . -}} + {{- end -}} + {{- if eq $kind "all" -}} {{- template "all" . -}} {{- end -}} @@ -119,6 +123,10 @@ {{- template "hat" . -}} {{- end -}} + {{- if eq $kind "if" -}} + {{- template "if" . -}} + {{- end -}} + {{- "\n" -}} {{- $oldkind = $kind -}} {{- end -}} From 99c554cb9bc54bf41d9f22b2d48c3b021b7d530b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 01:22:21 +0100 Subject: [PATCH 1113/1736] tests(aa): test the parser on our own profiles. --- pkg/aa/parse_test.go | 81 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index ea561fa3c2..f1993567aa 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -5,9 +5,12 @@ package aa import ( + "os" "reflect" + "regexp" "strings" "testing" + "github.com/roddhjav/apparmor.d/pkg/paths" ) func Test_tokenizeRule(t *testing.T) { @@ -224,6 +227,84 @@ func Test_AppArmorProfileFile_Scan(t *testing.T) { } } +type testReport struct { + Success bool `csv:"success"` + Name string `csv:"name"` + Desc string `csv:"desc"` + Error string `csv:"error"` +} + +// Test the parser on our own profiles +func Test_Parser_ApparmorD(t *testing.T) { + datadir := paths.New("../../apparmor.d/") + files, err := datadir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md")) + if err != nil { + panic(err) + } + + reports := []*testReport{} + templateFailure := "\033[0;31m[FAILED]\033[0m(\033[0;37m%s\033[0m): %v" + templateSuccess := "\033[0;32m[SUCCESS]\033[0m(\033[0;37m%s\033[0m)" + for _, parse := range []bool{true, false} { + base := "Parse/" + if !parse { + base = "Scan/" + } + + for _, file := range files { + if !file.Exist() { + panic(file.String() + " %s not found") + } + name, err := file.RelFrom(datadir) + if err != nil { + panic(err) + } + + t.Run(base+name.String(), func(t *testing.T) { + var err error + r := &testReport{Name: name.String()} + raw := file.MustReadFileAsString() + + p := &AppArmorProfileFile{} + p.Kind = KindFromPath(file) + if parse { + _, err = p.Parse(raw) + } else { + err = p.Scan(raw) + } + if err != nil { + r.Error = err.Error() + reports = append(reports, r) + t.Errorf(templateFailure, name, err) + return + } + + if err = p.Validate(); err != nil { + r.Error = err.Error() + reports = append(reports, r) + t.Errorf(templateFailure, name, err) + return + } + + r.Success = true + reports = append(reports, r) + t.Logf(templateSuccess, name) + }) + } + + success := 0 + for _, r := range reports { + if r.Success { + success++ + } + } + // [13/12/25]: 4750 tests, success: 4750, fail 0, success rate: 100% + t.Logf("[TOTAL]: %d tests, success: %d, fail %d, success rate: %v%%\n", + len(reports), success, len(reports)-success, (success*100.0)/len(reports)) + } +} + + var ( // Test cases for tokenizeRule, parseRule,rule getters, and newRules testParseRules = []struct { From 9e5311d2153fbd1ad897ad3aad5b2dba78b217a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 01:23:29 +0100 Subject: [PATCH 1114/1736] tests(aa): add and fix tests cases to last changes. --- pkg/aa/parse_test.go | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index f1993567aa..c8360cd9b0 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -457,6 +457,7 @@ var ( wGetSlice: []string{"include", ""}, wString: `include `, wRule: &Include{IfExists: false, IsMagic: true, Path: "tunables/global"}, + wError: true, // newRules only convert comma rules }, { name: "include-if-exists", @@ -471,6 +472,7 @@ var ( wGetSlice: []string{"include", "if", "exists", `"/etc/apparmor.d/dummy"`}, wString: `include if exists "/etc/apparmor.d/dummy"`, wRule: &Include{IfExists: true, IsMagic: false, Path: "/etc/apparmor.d/dummy"}, + wError: true, // newRules only convert comma rules }, { name: "rlimit", @@ -649,6 +651,33 @@ var ( Peer: "at-spi-bus-launcher", }, }, + { + name: "ptrace", + raw: "ptrace peer=/bin/true peer=/sbin/init peer=MY_PROFILE", + tokens: []string{"ptrace", "peer=/bin/true", "peer=/sbin/init", "peer=MY_PROFILE"}, + rule: rule{ + {key: "ptrace"}, + {key: "peer", values: rule{{key: "/bin/true"}}}, + {key: "peer", values: rule{{key: "/sbin/init"}}}, + {key: "peer", values: rule{{key: "MY_PROFILE"}}}, + }, + getIdx: 3, + getKey: "peer", + wGet: "peer", + wGetString: "ptrace", + wGetSlice: []string{"ptrace"}, + wGetAsMap: map[string][]string{ + "peer": {"/bin/true", "/sbin/init", "MY_PROFILE"}, + }, + wGetValues: rule{{key: "/bin/true"}, {key: "/sbin/init"}, {key: "MY_PROFILE"}}, + wGetValuesAsSlice: []string{"/bin/true", "/sbin/init", "MY_PROFILE"}, + wGetValuesAsString: "/bin/true /sbin/init MY_PROFILE", + wString: "ptrace peer=/bin/true peer=/sbin/init peer=MY_PROFILE", + wRule: &Ptrace{ + Peer: "/bin/true", + }, + wError: true, + }, { name: "unix-1", raw: `unix (send receive) type=stream addr="@/tmp/.ICE[0-9]*-unix/19 5" peer=(label="@{p_systemd}", addr=none)`, @@ -694,7 +723,7 @@ var ( raw: ` unix (connect, receive, send) type=stream peer=(addr="@/tmp/ibus/dbus-????????")`, - tokens: []string{"unix", "(connect, receive, send)\n", "type=stream\n", `peer=(addr="@/tmp/ibus/dbus-????????")`}, + tokens: []string{"unix", "(connect, receive, send)", "type=stream", `peer=(addr="@/tmp/ibus/dbus-????????")`}, rule: rule{ {key: "unix"}, {key: "connect"}, {key: "receive"}, {key: "send"}, {key: "type", values: rule{{key: "stream"}}}, @@ -2067,7 +2096,6 @@ var ( } // Indirect test resources - // pHeaderStr = ` apparmor.d - Full set of apparmor profiles` pStringAAContentStr = `include include @@ -2212,6 +2240,7 @@ var ( &File{Path: "@{sh_path}", Access: []string{"r", "ix"}}, }, }, + &Include{IfExists: true, IsMagic: true, Path: "local/foo"}, } profileB = &Profile{ Header: Header{ From c8d5e218c222b285cb1d089239817fc88137d069 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 01:39:58 +0100 Subject: [PATCH 1115/1736] fix(aa): parser: unbalanced and missing part of block. --- pkg/aa/parse.go | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 5a2a8b6beb..c5d5d05f2c 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -216,9 +216,9 @@ func tokenizeBlock(input string) ([]*block, error) { } } - if blockCounter != 0 { - return nil, fmt.Errorf("unbalanced block, missing '{' or '}': %s", - input[blockContentEnd:len(input)-1]) + if len(blockStack) != 0 { + return nil, fmt.Errorf("unbalanced block, missing '}': %s", + input[blockContentEnd:]) } if len(blocks) == 0 { // No block found, it can be a tunable/abstraction file. @@ -226,6 +226,16 @@ func tokenizeBlock(input string) ([]*block, error) { kind: CONTENT, raw: input, }) + } else if blockContentStart < len(input) { + // Capture any remaining content after the last block + remaining := input[blockContentStart:] + remaining = strings.Trim(remaining, "\n\t ") + if remaining != "" { + blocks = append(blocks, &block{ + kind: CONTENT, + raw: remaining, + }) + } } return blocks, nil } From 7b3724c2c3ca9975fd1438d51c861f11a92d8d28 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 01:40:23 +0100 Subject: [PATCH 1116/1736] fix(aa): paerser: detect conditions --- pkg/aa/parse.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index c5d5d05f2c..0471679220 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -196,9 +196,9 @@ func tokenizeBlock(input string) ([]*block, error) { case strings.HasPrefix(blockHeader, HAT.Tok()), strings.HasPrefix(blockHeader, HAT.String()): kind = HAT - case blockHeader == IF.Tok(): + case strings.HasPrefix(blockHeader, IF.Tok()): kind = IF - case blockHeader == ELSE.Tok(): + case strings.HasPrefix(blockHeader, ELSE.Tok()): kind = ELSE default: return nil, fmt.Errorf("unrecognized block type: %s", blockHeader) From 9130a5c43c73d7514463566b3ca885956a7d08d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 19:08:11 +0100 Subject: [PATCH 1117/1736] tests(aa): parser: test against upstream tests suite. --- pkg/aa/parse.go | 8 ++-- pkg/aa/parse_test.go | 109 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 112 insertions(+), 5 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 0471679220..8e57f28e20 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -90,7 +90,6 @@ func tokenizeBlock(input string) ([]*block, error) { } blocks := []*block{} - blockCounter := 0 blockStack := []rune{} blockRecored := false blockStart := 0 @@ -504,6 +503,7 @@ func tokenizeRule(str string) []string { if inHeader && len(str) > 2 && str[0:2] == VARIABLE.Tok() && strings.Contains(str, "=") { isVariable = true } + for _, r := range str { switch { case (r == ' ' || r == '\t' || r == '\n') && len(blockStack) == 0 && !quoted: @@ -546,6 +546,7 @@ func tokenizeRule(str string) []string { currentToken.WriteRune(r) } } + if currentToken.Len() != 0 { tokens = append(tokens, currentToken.String()) } @@ -1025,9 +1026,6 @@ func (f *AppArmorProfileFile) Scan(input string) error { if err != nil { return err } - if len(blocks) == 0 { - fmt.Print("No block found in the file") - } for _, block := range blocks { switch block.kind { @@ -1068,7 +1066,7 @@ func (f *AppArmorProfileFile) Scan(input string) error { f.Hats = append(f.Hats, hat) default: - return fmt.Errorf("Illegal %s block in profile file", block.kind) + return fmt.Errorf("illegal %s block in profile file", block.kind) } } return nil diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index c8360cd9b0..e8c4b6852f 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -304,6 +304,115 @@ func Test_Parser_ApparmorD(t *testing.T) { } } +func Test_Parser_Upstream(t *testing.T) { + // os.Setenv("WITH_UPSTREAM", "true") + if os.Getenv("WITH_UPSTREAM") == "" { + t.Skip("Skipping test in CI environment") + } + apparmorDir := os.Getenv("APPARMOR_DIR") + if apparmorDir == "" { + apparmorDir = "../../../apparmor" + } + + regTestDescription := regexp.MustCompile(`(?m)^#=(DESCRIPTION|Description) (.+)$`) + regTestResult := regexp.MustCompile(`(?m)^#=EXRESULT (.+)$`) + regTestDisabled := regexp.MustCompile(`(?m)^#=DISABLED$`) + getSettings := func(profile string) (string, bool, bool) { + desc := regTestDescription.FindStringSubmatch(profile) + result := regTestResult.FindStringSubmatch(profile) + disabled := regTestDisabled.FindStringSubmatch(profile) + if len(disabled) == 1 && disabled[0] == "#=DISABLED" { + return "", false, true + } + if len(desc) == 3 && len(result) == 2 { + return desc[2], result[1] == "FAIL", false + } + return "", false, false + } + + datadir := paths.New(apparmorDir).Join("parser/tst/simple_tests") + files, err := datadir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), + paths.FilterOutNames("readme")) + if err != nil { + panic(err) + } + + reports := []*testReport{} + templateFailure := "\033[0;31m[FAILED]\033[0m(\033[0;37m%s\033[0m): %v" + templateSuccess := "\033[0;32m[SUCCESS]\033[0m(\033[0;37m%s\033[0m)" + for _, file := range files { + if !file.Exist() { + panic(file.String() + " %s not found") + } + name, err := file.RelFrom(datadir) + if err != nil { + panic(err) + } + + raw := file.MustReadFileAsString() + desc, wantErr, isDisabled := getSettings(raw) + if isDisabled { + t.Logf("Skipping disabled test: %s", name) + continue + } + t.Run(name.String(), func(t *testing.T) { + r := &testReport{Name: name.String()} + r.Desc = desc + + p := &AppArmorProfileFile{} + err := p.Scan(raw) + if err != nil { + if wantErr { + r.Success = true + reports = append(reports, r) + t.Logf(templateSuccess, name) + } else { + r.Error = err.Error() + reports = append(reports, r) + t.Errorf(templateFailure, name, err) + } + return + } + + err = p.Validate() + if err != nil { + if wantErr { + r.Success = true + reports = append(reports, r) + t.Logf(templateSuccess, name) + } else { + r.Error = err.Error() + reports = append(reports, r) + t.Errorf(templateFailure, name, err) + } + return + } + + // No errors occurred + if wantErr { + r.Error = "expected error but got none" + reports = append(reports, r) + t.Errorf(templateFailure, name, "expected error but got none") + } else { + r.Success = true + reports = append(reports, r) + t.Logf(templateSuccess, name) + } + }) + } + + success := 0 + for _, r := range reports { + if r.Success { + success++ + } + } + + // [01/06/24]: 1986 tests, success: 1242, fail 744, success rate: 62% + // [13/12/25]: 2148 tests, success: 1722, fail 426, success rate: 80% + t.Logf("[TOTAL]: %d tests, success: %d, fail %d, success rate: %v%%\n", + len(reports), success, len(reports)-success, (success*100.0)/len(reports)) +} var ( // Test cases for tokenizeRule, parseRule,rule getters, and newRules From 034c2e1cbc20b8ac879595ffd40c8c109415664e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:00:06 +0100 Subject: [PATCH 1118/1736] feat(aa): add string method for FileKind. --- pkg/aa/apparmor.go | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 1cdbafd7a3..7f191e8797 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -23,6 +23,14 @@ const ( TunableKind ) +var ( + fileKinds = map[FileKind]string{ + ProfileKind: PROFILE.String(), + AbstractionKind: "abstraction", + TunableKind: "tunable", + } +) + func KindFromPath(file *paths.Path) FileKind { dirname := file.Parent().String() switch { @@ -39,6 +47,13 @@ func KindFromPath(file *paths.Path) FileKind { } } +func (k FileKind) String() string { + if res, ok := fileKinds[k]; ok { + return res + } + return "" +} + // AppArmorProfileFiles represents a full set of apparmor profiles type AppArmorProfileFiles map[string]*AppArmorProfileFile From b9f30d39bae2c4cbec9d15e58c0adbc1eb012b70 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:01:50 +0100 Subject: [PATCH 1119/1736] feat(aa): check priority value. --- pkg/aa/base.go | 9 ++++++++- pkg/aa/parse.go | 8 +++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index 41549822ac..b5f1785290 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -104,7 +104,7 @@ func (r Base) addLine(other Rule) bool { } type Qualifier struct { - Priority string + Priority int Audit bool AccessType string } @@ -114,6 +114,13 @@ func newQualifierFromLog(log map[string]string) Qualifier { return Qualifier{Audit: audit} } +func (r *Qualifier) Validate() error { + if r.Priority < -100 || r.Priority > 100 { + return fmt.Errorf("invalid priority: %d", r.Priority) + } + return nil +} + func (r Qualifier) Compare(o Qualifier) int { if r := compare(r.Priority, o.Priority); r != 0 { return r diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 8e57f28e20..10bce504e6 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -8,6 +8,7 @@ import ( "fmt" "regexp" "slices" + "strconv" "strings" ) @@ -830,9 +831,14 @@ func newRules(rules []rule) (Rules, error) { owner = true rule = rule[1:] goto qualifier + // Qualifier case tokPRIORITY: - q.Priority = rule.GetValues(tokPRIORITY).GetString() + priority, err := strconv.Atoi(rule.GetValues(tokPRIORITY).GetString()) + if err != nil { + return nil, fmt.Errorf("invalid priority value in rule: %s", rule) + } + q.Priority = priority rule = rule[1:] goto qualifier case tokALLOW, tokDENY, tokPROMPT: From 79e17d1f8954f591e38170199e290bf4f9cf21d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:07:54 +0100 Subject: [PATCH 1120/1736] fix(aa): better handling of validation and exctraction of token values. --- pkg/aa/util.go | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 523eb99fef..c5fef46a68 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -139,6 +139,8 @@ func validateValues(kind Kind, key string, values []string) error { if v == "" { continue } + + v = strings.Trim(v, "`\"") // Strip surrounding quotes for validation if !slices.Contains(requirements[kind][key], v) { return fmt.Errorf("invalid mode '%s'", v) } @@ -175,16 +177,17 @@ func toValues(kind Kind, key string, input string) ([]string, error) { return nil, fmt.Errorf("unrecognized requirement '%s' for rule %s", key, kind) } - res := tokenToSlice(input) - for idx := range res { - res[idx] = strings.Trim(res[idx], `" `) - if res[idx] == "" { - res = slices.Delete(res, idx, idx+1) + tokens := tokenToSlice(input) + res := make([]string, 0, len(tokens)) + for _, token := range tokens { + token = strings.Trim(token, `" `) + if token == "" { continue } - if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) + if !slices.Contains(req, token) { + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, token) } + res = append(res, token) } slices.SortFunc(res, func(i, j string) int { return requirementsWeights[kind][key][i] - requirementsWeights[kind][key][j] From 8f7c406c96647e6ce8cbe72cf188047de9c68bb8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:08:51 +0100 Subject: [PATCH 1121/1736] feat(aa): fully validate port, including port range. --- pkg/aa/network.go | 49 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 15 deletions(-) diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 33da1d09d9..a3ff71e83a 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -9,6 +9,7 @@ import ( "net" "slices" "strconv" + "strings" ) const NETWORK Kind = "network" @@ -54,19 +55,43 @@ func newLocalAddressFromLog(log map[string]string) LocalAddress { } } -func (r LocalAddress) Validate() error { - if r.IP != "" && r.IP != "none" && net.ParseIP(r.IP) == nil { - return fmt.Errorf("invalid IP address: %s", r.IP) +// validatePortRange validates a port or port range string. +func validatePortRange(port string) error { + if port == "" { + return nil } - if r.Port != "" { - port, err := strconv.Atoi(r.Port) - if err != nil || port < 0 || port > 65535 { - return fmt.Errorf("invalid port: %s", r.Port) + if strings.Contains(port, "-") { + parts := strings.SplitN(port, "-", 2) + if len(parts) != 2 { + return fmt.Errorf("invalid port range: %s", port) + } + start, err1 := strconv.Atoi(parts[0]) + end, err2 := strconv.Atoi(parts[1]) + if err1 != nil || err2 != nil { + return fmt.Errorf("invalid port range: %s", port) + } + if start < 0 || start > 65535 || end < 0 || end > 65535 { + return fmt.Errorf("invalid port range: %s", port) } + if start > end { + return fmt.Errorf("invalid port range: %s", port) + } + return nil + } + p, err := strconv.Atoi(port) + if err != nil || p < 0 || p > 65535 { + return fmt.Errorf("invalid port: %s", port) } return nil } +func (r LocalAddress) Validate() error { + if r.IP != "" && r.IP != "none" && net.ParseIP(r.IP) == nil { + return fmt.Errorf("invalid IP address: %s", r.IP) + } + return validatePortRange(r.Port) +} + func (r LocalAddress) Compare(other LocalAddress) int { if res := compare(r.IP, other.IP); res != 0 { return res @@ -99,13 +124,7 @@ func (r PeerAddress) Validate() error { if r.IP != "" && r.IP != "none" && net.ParseIP(r.IP) == nil { return fmt.Errorf("invalid IP address: %s", r.IP) } - if r.Port != "" { - port, err := strconv.Atoi(r.Port) - if err != nil || port < 0 || port > 65535 { - return fmt.Errorf("invalid port: %s", r.Port) - } - } - return nil + return validatePortRange(r.Port) } func (r PeerAddress) Compare(other PeerAddress) int { @@ -164,7 +183,7 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { Domain: domain, Type: nType, Protocol: protocol, - }, nil + }, rule.ValidateMapKeys([]string{"ip", "port", "peer", "type"}) } func newNetworkFromLog(log map[string]string) Rule { From ece71a10b4630a19c1f6463edba289894716fca6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:11:01 +0100 Subject: [PATCH 1122/1736] feat(aa): validate more keys. --- pkg/aa/dbus.go | 2 +- pkg/aa/file.go | 3 ++- pkg/aa/mount.go | 4 ++-- pkg/aa/unix.go | 5 +++++ 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index 30196b0461..6208af0ad1 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -16,7 +16,7 @@ func init() { "send", "receive", "bind", "eavesdrop", "r", "read", "w", "write", "rw", }, - "bus": []string{"system", "session", "accessibility"}, + "bus": []string{"system", "session", "accessibility", "fcitx"}, } } diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 671c1414b2..90a0723e65 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -21,10 +21,11 @@ const ( func init() { requirements[FILE] = requirement{ - "access": {"m", "r", "w", "l", "k"}, + "access": {"m", "r", "w", "a", "l", "k"}, "transition": { "ix", "ux", "Ux", "px", "Px", "cx", "Cx", "pix", "Pix", "cix", "Cix", "pux", "PUx", "cux", "CUx", "x", + "Pux", "pUx", }, } } diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 94cf43977b..980b110cfb 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -21,10 +21,10 @@ func init() { "B", "bind", "R", "rbind", // flags change - "remount", "unbindable", "shared", "private", "slave", "runbindable", + "shared", "slave", "nostrictatime", "lazytime", "nolazytime", "rshared", "rprivate", "rslave", "make-unbindable", "make-shared", "make-private", "make-slave", "make-runbindable", "make-rshared", - "make-rprivate", "make-rslave", + "make-rprivate", "make-rslave", "symfollow", // flags mount "ro", "rw", "w", "acl", "async", "atime", "bind", "dev", "diratime", diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index f57966ea6e..8b9c440b59 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go @@ -12,6 +12,8 @@ const UNIX Kind = "unix" func init() { requirements[UNIX] = requirement{ + "type": []string{"stream", "dgram", "seqpacket", "rdm", "raw", "packet"}, + "protocol": []string{"tcp", "udp", "icmp"}, "access": []string{ "create", "bind", "listen", "accept", "connect", "shutdown", "getattr", "setattr", "getopt", "setopt", "send", "receive", @@ -92,6 +94,9 @@ func (r *Unix) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) } + if err := validateValues(r.Kind(), "type", []string{r.Type}); err != nil { + return fmt.Errorf("%s: %w", r, err) + } return nil } From ab6d6b9349e58456c304f6c123f9efa6bdf1dd66 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:12:34 +0100 Subject: [PATCH 1123/1736] feat(aa): add the ability to check for conflict across keys. --- pkg/aa/profile.go | 18 ++++++++++++++++-- pkg/aa/util.go | 20 ++++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 8261382440..8d21ad2c5d 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -22,8 +22,19 @@ func init() { tokFLAGS: { "attach_disconneced.path=", "attach_disconnected", "audit", "chroot_relative", "complain", "debug", "default_allow", "enforce", - "interruptible", "kill.signal=", "kill", "kill", "mediate_deleted", - "prompt", "unconfined", + "interruptible", "kill", "mediate_deleted", + "prompt", "unconfined", "namespace_relative", "delegate_deleted", "chroot_attach", + "chroot_no_attach", "no_attach_disconnected", + }, + } + conflicts[PROFILE] = map[string][][]string{ + tokFLAGS: { + {"enforce", "complain"}, + {"enforce", "unconfined"}, + {"enforce", "prompt"}, + {"complain", "unconfined"}, + {"default_allow", "kill"}, + {"default_allow", "enforce"}, }, } } @@ -86,6 +97,9 @@ func (p *Profile) Validate() error { if err := validateValues(p.Kind(), tokFLAGS, p.Flags); err != nil { return fmt.Errorf("profile %s: %w", p.Name, err) } + if err := validateConflicts(p.Kind(), tokFLAGS, p.Flags); err != nil { + return fmt.Errorf("profile %s: %w", p.Name, err) + } return p.Rules.Validate() } diff --git a/pkg/aa/util.go b/pkg/aa/util.go index c5fef46a68..7a89645e48 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -148,6 +148,26 @@ func validateValues(kind Kind, key string, values []string) error { return nil } +// validateConflicts checks if any values in the slice conflict with each other. +// Conflicts are defined in the conflicts map as pairs of mutually exclusive values. +func validateConflicts(kind Kind, key string, values []string) error { + conflictPairs, ok := conflicts[kind][key] + if !ok { + return nil + } + for _, pair := range conflictPairs { + if len(pair) != 2 { + continue + } + hasFirst := slices.Contains(values, pair[0]) + hasSecond := slices.Contains(values, pair[1]) + if hasFirst && hasSecond { + return fmt.Errorf("conflicting %s '%s' and '%s'", key, pair[0], pair[1]) + } + } + return nil +} + func tokenToSlice(token string) []string { res := []string{} token = strings.Trim(token, "()\n ") From 2bfd63cc3a386d29542606525ad18ec5b31dafd9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:14:03 +0100 Subject: [PATCH 1124/1736] feat(aa): files: add support for old files rule notation. --- pkg/aa/file.go | 8 +++++++- pkg/aa/parse.go | 38 +++++++++++++++++++------------------- 2 files changed, 26 insertions(+), 20 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 90a0723e65..141e575f51 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -66,7 +66,13 @@ func newFile(q Qualifier, rule rule) (Rule, error) { return nil, fmt.Errorf("missing file or access in rule: %s", rule) } - path, access = r[0], r[1] + // Determine format: "path access" vs "access path" + // Try parsing first token as access - if valid, use "access path" format + if testAccess, _ := toAccess(FILE, r[0]); len(testAccess) > 0 { + access, path = r[0], r[1] + } else { + path, access = r[0], r[1] + } if size > 2 { if r[2] != tokARROW { return nil, fmt.Errorf("missing '%s' in rule: %s", tokARROW, rule) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 10bce504e6..020e3a8ef6 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -858,33 +858,33 @@ func newRules(rules []rule) (Rules, error) { return nil, err } if owner { - if r.Kind() == LINK { - r.(*Link).Owner = owner - } else { + switch r := r.(type) { + case *File: + r.Owner = owner + case *Link: + r.Owner = owner + default: return nil, fmt.Errorf("owner not allowed in %s rule : %s", r.Kind(), rule) } } res = append(res, r) + } else { raw := rule.Get(0) - if raw != "" { - // File - if isAARE(raw) || owner { - r, err = newFile(q, rule) - if err != nil { - return nil, err - } - r.(*File).Owner = owner - res = append(res, r) - } else { - if owner { - return nil, fmt.Errorf("owner not allowed in %s rule : %s", r.Kind(), rule) - } - return nil, fmt.Errorf("unknown rule: %s", rule) - } - } else { + if raw == "" { return nil, fmt.Errorf("unrecognized rule: %s", rule) } + testAccess, _ := toAccess(FILE, raw) + if !isAARE(raw) && !owner && len(testAccess) == 0 { + return nil, fmt.Errorf("unknown rule: %s", rule) + } + r, err = newFile(q, rule) + if err != nil { + return nil, err + } + r.(*File).Owner = owner + res = append(res, r) + } } } From ea4955e2f01d2fbf57fb709da57bfd05bd408779 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:15:27 +0100 Subject: [PATCH 1125/1736] feat(aa): boolean: check for the boolean value. --- pkg/aa/preamble.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 1df33266bb..c097b410d6 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go @@ -344,28 +344,31 @@ type Boolean struct { } func newBoolean(rule rule) (Rule, error) { - name, value := "", false + name, value := "", "" switch len(rule) { case 1: name = strings.Trim(rule.Get(0), BOOLEAN.Tok()+"{}") - value = rule.GetValuesAsString(rule.Get(0)) == "true" + value = rule.GetValuesAsString(rule.Get(0)) case 3: name = strings.Trim(rule.Get(0), BOOLEAN.Tok()+"{}") if rule.Get(1) != tokEQUAL { return nil, fmt.Errorf("invalid boolean format, missing %s in: %s", tokEQUAL, rule) } - value = rule.Get(2) == "true" + value = rule.Get(2) default: return nil, fmt.Errorf("invalid boolean format: %v", rule) } + if !slices.Contains([]string{"true", "false"}, value) { + return nil, fmt.Errorf("invalid boolean value %s in rule: %s", value, rule) + } return &Boolean{ Base: newBase(rule), Name: name, - Value: value, + Value: value == "true", }, nil } From 54f32d602d4c611ce5187b8c4ed624d42538b164 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:16:04 +0100 Subject: [PATCH 1126/1736] fix(aa): abi, include: check for invalid paths. --- pkg/aa/preamble.go | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index c097b410d6..51c2e2fef2 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go @@ -76,14 +76,21 @@ func newAbi(q Qualifier, rule rule) (Rule, error) { switch path[0] { case '"': magic = false + if !strings.HasSuffix(path, "\"") || len(path) < 3 { + return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) + } case '<': magic = true + if !strings.HasSuffix(path, ">") || len(path) < 3 { + return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) + } default: return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) } + path = strings.Trim(path, "\"<>") return &Abi{ Base: newBase(rule), - Path: strings.Trim(path, "\"<>"), + Path: path, IsMagic: magic, }, rule.ValidateMapKeys([]string{}) } @@ -202,15 +209,22 @@ func newInclude(rule rule) (Rule, error) { switch path[0] { case '"': magic = false + if !strings.HasSuffix(path, "\"") || len(path) < 3 { + return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) + } case '<': magic = true + if !strings.HasSuffix(path, ">") || len(path) < 3 { + return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) + } default: return nil, fmt.Errorf("invalid path format: %v", path) } + path = strings.Trim(path, "\"<>") return &Include{ Base: newBase(rule), IfExists: ifexists, - Path: strings.Trim(path, "\"<>"), + Path: path, IsMagic: magic, }, rule.ValidateMapKeys([]string{}) } From 2ae5ae7c8ad530d87014c423e423ae2d11b476b8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:17:49 +0100 Subject: [PATCH 1127/1736] fix(aa): parser, block: check for brace expansion. --- pkg/aa/parse.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 020e3a8ef6..b218e30a05 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -136,6 +136,13 @@ func tokenizeBlock(input string) ([]*block, error) { ignore = true } else if input[idx-1] != ' ' { ignore = true + } else { + // Check if this is a brace expansion (e.g., {a,b,c}) vs block delimiter. + // A brace expansion has a matching } on the same line. + rest := input[idx+1 : j] + if strings.Contains(rest, "}") { + ignore = true + } } } From 32e98d1777cbaae3ee4a57c5cf8233f97fe3bea6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:33:19 +0100 Subject: [PATCH 1128/1736] fix(aa): parser: improve the way to handle white space. --- pkg/aa/parse.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index b218e30a05..4b2560a687 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -10,6 +10,7 @@ import ( "slices" "strconv" "strings" + "unicode" ) const ( @@ -134,7 +135,7 @@ func tokenizeBlock(input string) ([]*block, error) { match := regVariableDefinition.FindStringSubmatch(line) if len(match) > 0 { ignore = true - } else if input[idx-1] != ' ' { + } else if !unicode.IsSpace(rune(input[idx-1])) { ignore = true } else { // Check if this is a brace expansion (e.g., {a,b,c}) vs block delimiter. @@ -446,7 +447,7 @@ func parseCommaRules(input string) ([]rule, error) { case tokCOLON: if blockCounter == 0 && !comment { - if idx+1 < size && !strings.ContainsRune(" \n", rune(input[idx+1])) { + if idx+1 < size && !strings.ContainsRune(" \t\n", rune(input[idx+1])) { // Colon in AARE, it is valid, not a separator aare = true } @@ -514,7 +515,7 @@ func tokenizeRule(str string) []string { for _, r := range str { switch { - case (r == ' ' || r == '\t' || r == '\n') && len(blockStack) == 0 && !quoted: + case unicode.IsSpace(r) && len(blockStack) == 0 && !quoted: // Split on space/tab/newline if not in a block or quoted if currentToken.Len() != 0 { tokens = append(tokens, currentToken.String()) From af5a0d95bfaae9a4f66d071af362c177398ed256 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:35:53 +0100 Subject: [PATCH 1129/1736] tests(aa): also tests against the upstream profiles. --- pkg/aa/parse_test.go | 104 ++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 31 deletions(-) diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index e8c4b6852f..1ed950e332 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -8,6 +8,7 @@ import ( "os" "reflect" "regexp" + "slices" "strings" "testing" "github.com/roddhjav/apparmor.d/pkg/paths" @@ -234,18 +235,26 @@ type testReport struct { Error string `csv:"error"` } -// Test the parser on our own profiles -func Test_Parser_ApparmorD(t *testing.T) { - datadir := paths.New("../../apparmor.d/") - files, err := datadir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md")) - if err != nil { - panic(err) +type testReports []*testReport + +func (r testReports) SumUp(t *testing.T) { + success := 0 + for _, r := range r { + if r.Success { + success++ + } } + t.Logf("[TOTAL]: %d tests, success: %d, fail %d, success rate: %v%%\n", + len(r), success, len(r)-success, (success*100.0)/len(r)) +} - reports := []*testReport{} +func testAppArmorProfileFiles(t *testing.T, rootdir *paths.Path, files []*paths.Path, parses []bool) { templateFailure := "\033[0;31m[FAILED]\033[0m(\033[0;37m%s\033[0m): %v" templateSuccess := "\033[0;32m[SUCCESS]\033[0m(\033[0;37m%s\033[0m)" - for _, parse := range []bool{true, false} { + ignorePath := []string{"abstractions/transmission-common"} + + reports := testReports{} + for _, parse := range parses { base := "Parse/" if !parse { base = "Scan/" @@ -255,10 +264,18 @@ func Test_Parser_ApparmorD(t *testing.T) { if !file.Exist() { panic(file.String() + " %s not found") } - name, err := file.RelFrom(datadir) + name, err := file.RelFrom(rootdir) if err != nil { panic(err) } + if strings.HasPrefix(name.String(), "abi/") { + t.Logf("Skipping abi file: %s", name) + continue + } + if slices.Contains(ignorePath, name.String()) { + t.Logf("Skipping ignored file: %s", name) + continue + } t.Run(base+name.String(), func(t *testing.T) { var err error @@ -292,19 +309,52 @@ func Test_Parser_ApparmorD(t *testing.T) { }) } - success := 0 - for _, r := range reports { - if r.Success { - success++ - } + reports.SumUp(t) + } +} + +// Test the parser on our own profiles +func Test_Parser_ApparmorD(t *testing.T) { + datadir := paths.New("../../apparmor.d/") + files, err := datadir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md")) + if err != nil { + panic(err) + } + + // [14/12/25]: 4750 tests, success: 4750, fail 0, success rate: 100% + testAppArmorProfileFiles(t, datadir, files, []bool{true, false}) +} + +// Test the parser on apparmor default and extra profiles +func Test_Parser_UpstreamProfiles(t *testing.T) { + // os.Setenv("WITH_UPSTREAM", "true") + if os.Getenv("WITH_UPSTREAM") == "" { + t.Skip("Skipping test in CI environment") + } + apparmorDir := os.Getenv("APPARMOR_DIR") + if apparmorDir == "" { + apparmorDir = "../../../apparmor" + } + + dirnames := []string{ + // [14/12/25]: 357 tests, success: 357, fail 0, success rate: 100% + "profiles/apparmor.d", // apparmor-profiles + + // [14/12/25]: 110 tests, success: 110, fail 0, success rate: 100% + "profiles/apparmor/profiles/extras", // apparmor-profiles-extras + } + for _, dir := range dirnames { + datadir := paths.New(apparmorDir).Join(dir) + files, err := datadir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README")) + if err != nil { + panic(err) } - // [13/12/25]: 4750 tests, success: 4750, fail 0, success rate: 100% - t.Logf("[TOTAL]: %d tests, success: %d, fail %d, success rate: %v%%\n", - len(reports), success, len(reports)-success, (success*100.0)/len(reports)) + testAppArmorProfileFiles(t, datadir, files, []bool{false}) } } -func Test_Parser_Upstream(t *testing.T) { +// Test the parser on apparmor own's test suite +func Test_Parser_UpstreamTestSuite(t *testing.T) { // os.Setenv("WITH_UPSTREAM", "true") if os.Getenv("WITH_UPSTREAM") == "" { t.Skip("Skipping test in CI environment") @@ -337,7 +387,7 @@ func Test_Parser_Upstream(t *testing.T) { panic(err) } - reports := []*testReport{} + reports := testReports{} templateFailure := "\033[0;31m[FAILED]\033[0m(\033[0;37m%s\033[0m): %v" templateSuccess := "\033[0;32m[SUCCESS]\033[0m(\033[0;37m%s\033[0m)" for _, file := range files { @@ -401,17 +451,9 @@ func Test_Parser_Upstream(t *testing.T) { }) } - success := 0 - for _, r := range reports { - if r.Success { - success++ - } - } - // [01/06/24]: 1986 tests, success: 1242, fail 744, success rate: 62% - // [13/12/25]: 2148 tests, success: 1722, fail 426, success rate: 80% - t.Logf("[TOTAL]: %d tests, success: %d, fail %d, success rate: %v%%\n", - len(reports), success, len(reports)-success, (success*100.0)/len(reports)) + // [14/12/25]: 2148 tests, success: 1722, fail 422, success rate: 80% + reports.SumUp(t) } var ( @@ -1272,7 +1314,7 @@ var ( name: "condition-1", raw: ` $FOO=true - $BAR = False + $BAR = false /bin/true { /bin/false rix, @@ -1288,7 +1330,7 @@ var ( blocks: []*block{ { kind: CONTENT, - raw: "\n\t\t\t$FOO=true\n\t\t\t$BAR = False\n", + raw: "\n\t\t\t$FOO=true\n\t\t\t$BAR = false\n", }, { kind: PROFILE, From b4cbb5b2675a9f9e6705b3fc5ccf79487bddba52 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 22:48:30 +0100 Subject: [PATCH 1130/1736] chore: linter fix. --- pkg/aa/parse.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 4b2560a687..a4cce093ce 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -902,10 +902,7 @@ func newRules(rules []rule) (Rules, error) { func (f *AppArmorProfileFile) parsePreamble(preamble string) error { var err error inHeader = true - isPreamble := false - if f.Kind == ProfileKind { - isPreamble = true - } + isPreamble := f.Kind == ProfileKind // Line rules preamble, lineRules, err := parseLineRules(isPreamble, preamble) From d3a983d25bdb37a296e62672afa57964d8e55ab0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 23:17:17 +0100 Subject: [PATCH 1131/1736] fix(aa): add undefined code. --- pkg/aa/base.go | 1 + pkg/aa/preamble.go | 1 + pkg/aa/template.go | 3 +++ 3 files changed, 5 insertions(+) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index b5f1785290..c80527fda0 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -5,6 +5,7 @@ package aa import ( + "fmt" "strings" ) diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 51c2e2fef2..8460f444fd 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go @@ -6,6 +6,7 @@ package aa import ( "fmt" + "slices" "strings" ) diff --git a/pkg/aa/template.go b/pkg/aa/template.go index cb00d2f36e..ddb58bbaad 100644 --- a/pkg/aa/template.go +++ b/pkg/aa/template.go @@ -138,6 +138,9 @@ var ( // The order the rule values (access, type, domains, etc) should be sorted requirements = map[Kind]requirement{} requirementsWeights map[Kind]map[string]map[string]int + + // Pairs of mutually exclusive values that cannot coexist + conflicts = map[Kind]map[string][][]string{} ) func init() { From d303ab66f171a2e6365ff177662e5deaffeede91 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 23:26:01 +0100 Subject: [PATCH 1132/1736] fix(aa): file target are not always aare. --- pkg/aa/file.go | 6 ------ 1 file changed, 6 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 141e575f51..a51f4b05dd 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -146,9 +146,6 @@ func (r *File) Validate() error { return fmt.Errorf("invalid mode '%s'", v) } } - if r.Target != "" && !isAARE(r.Target) { - return fmt.Errorf("'%s' is not a valid AARE", r.Target) - } return nil } @@ -291,9 +288,6 @@ func (r *Link) Validate() error { if !isAARE(r.Path) { return fmt.Errorf("'%s' is not a valid AARE", r.Path) } - if !isAARE(r.Target) { - return fmt.Errorf("'%s' is not a valid AARE", r.Target) - } return nil } From 9814aec9624fd5e953d40054c7868f5bab84485d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 23:45:26 +0100 Subject: [PATCH 1133/1736] tests(aa): update dbus directives tests. --- pkg/prebuild/directive/dbus_test.go | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index d6e90bb993..c165aafcbb 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -24,11 +24,11 @@ const dbusOwnSystemd1 = ` include dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}"), + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} @@ -95,11 +95,11 @@ func TestDbus_Apply(t *testing.T) { dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}"), + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus send bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} @@ -120,7 +120,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), + want: ` unix type=stream peer=(label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} @@ -157,7 +157,11 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", }, profile: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", - want: ` # DBus.Properties: read all properties from the interface + want: ` # Unix: allow connection to the profile + unix type=stream peer=(label=power-profiles-daemon), + + # DBus.Properties: read all properties from the interface + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} @@ -169,7 +173,7 @@ func TestDbus_Apply(t *testing.T) { member=PropertiesChanged peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), - # DBus.Introspectable: allow clients to introspect the service + # DBus.Introspectable: allow service introspection dbus send bus=system path=/net/hadess/PowerProfiles{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect From 53b1995227b4b12e69b436b4df8c6494d2fb32ea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Dec 2025 23:55:41 +0100 Subject: [PATCH 1134/1736] fix(tests): logs tests. --- pkg/logs/logs_test.go | 15 +++++++++++++++ tests/testdata/logs/audit.log | 8 ++++++++ 2 files changed, 23 insertions(+) diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index fade5c9ee0..a621898e64 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -288,6 +288,21 @@ func TestNew(t *testing.T) { "FSUID": "user", "OUID": "user", }, + { + "apparmor": "ALLOWED", + "operation": "link", + "class": "file", + "profile": "startplasma", + "name": "@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.rSxlFV", + "target": "@{user_cache_dirs}/#@{int}", + "comm": "startplasma-way", + "denied_mask": "k", + "requested_mask": "k", + "fsuid": "1000", + "ouid": "1000", + "FSUID": "seeker", + "OUID": "seeker", + }, }, }, } diff --git a/tests/testdata/logs/audit.log b/tests/testdata/logs/audit.log index 11b8770d22..abf9d8956f 100644 --- a/tests/testdata/logs/audit.log +++ b/tests/testdata/logs/audit.log @@ -55,4 +55,12 @@ type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="getattr" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" info="optional: no audit" error=-1 profile="pacman" comm="killall" capability=19 capname="sys_ptrace" apparmor="ALLOWED" operation="open" class="file" profile="signal-desktop" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" comm="signal-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="user" OUID="root" apparmor="ALLOWED" operation="link" class="file" profile="startplasma" name="@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz" comm="startplasma-way" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="@{user_cache_dirs}/#@{int}" FSUID="user" OUID="user" +apparmor="ALLOWED" operation="open" class="file" profile="localsearch//gstreamer" name="/sys/devices/pci0000:00/0000:00:08.1/0000:04:00.0/drm/renderD128/uevent" comm="gst-plugin-scan" requested_mask="r" denied_mask="r" fsuid=60578 ouid=0 +type=AVC msg=audit(1690029190.344:2232): apparmor="DENIED" operation="symlink" class="file" profile="nvidia_modprobe" name="/dev/char/195:0" pid=54651 comm="nvidia-modprobe" requested_mask="c" denied_mask="c" fsuid=0 ouid=0FSUID="root" OUID="root" +apparmor="DENIED" operation="mknod" class="file" profile="snap.snapd-desktop-integration.snapd-desktop-integration" name="/home/alex/.local/share/fonts/.uuid.TMP-mX2Vd6" comm="[pango] FcInit" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 +apparmor="DENIED" operation="mknod" class="file" profile="snap.snapd-desktop-integration.snapd-desktop-integration" name="/home/alex/.local/share/fonts/.uuid.TMP-3TDhre" comm="[pango] FcInit" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 +apparmor="DENIED" operation="mknod" class="file" profile="snap.snapd-desktop-integration.snapd-desktop-integration" name="/home/alex/.local/share/fonts/.uuid.TMP-2fAFcM" comm="[pango] FcInit" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 +apparmor="DENIED" operation="mknod" class="file" profile="snap.snapd-desktop-integration.snapd-desktop-integration" name="/home/alex/.local/share/fonts/.uuid.TMP-kTfuWJ" comm="[pango] FcInit" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 +apparmor="DENIED" operation="mknod" class="file" profile="snap.snapd-desktop-integration.snapd-desktop-integration" name="/home/alex/.local/share/fonts/.uuid.TMP-ynKAS2" comm="[pango] FcInit" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 +apparmor="ALLOWED" operation="link" class="file" profile="startplasma" name="@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.rSxlFV" comm="startplasma-way" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="@{user_cache_dirs}/#@{int}" FSUID="seeker" OUID="seeker" From dd809e4ce6bfdb8425979b618bc90f9c01ea14ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 15 Dec 2025 00:04:31 +0100 Subject: [PATCH 1135/1736] fix(profile): missing space in profile header. --- apparmor.d/groups/virt/cni-flannel | 2 +- apparmor.d/groups/virt/cni-host-local | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel index 6bdccec8c4..c32bf5e2f8 100644 --- a/apparmor.d/groups/virt/cni-flannel +++ b/apparmor.d/groups/virt/cni-flannel @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cni/flannel /opt/cni/bin/flannel -profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){ +profile cni-flannel @{exec_path} flags=(complain,attach_disconnected) { include @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local index 5f645ce3f5..2a27cd8bc7 100644 --- a/apparmor.d/groups/virt/cni-host-local +++ b/apparmor.d/groups/virt/cni-host-local @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cni/host-local /opt/cni/bin/host-local -profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){ +profile cni-host-local @{exec_path} flags=(complain,attach_disconnected) { include @{exec_path} mr, From 74af0301bcfd6057c9f8ff9ba77dd4cbe6cdd548 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 15 Dec 2025 00:09:13 +0100 Subject: [PATCH 1136/1736] fix(tests): updated file all output. --- pkg/aa/rule_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index 716c1b5581..9211927d9c 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -397,7 +397,7 @@ var ( other: &File{}, wCompare: 0, wMerge: true, - wString: " ,", // FIXME: + wString: "file,", }, { name: "file-equal", From e27f9b0884611f67e6482d7506f544e4c33dcdaf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 16 Dec 2025 23:12:24 +0100 Subject: [PATCH 1137/1736] fix(build): keep compatibility for ubuntu 24.04 Note: this is one of the last compatibility fix made for 24.04 --- apparmor.d/tunables/multiarch.d/base | 4 ++++ apparmor.d/tunables/multiarch.d/system | 1 - pkg/prebuild/prepare/configure.go | 8 ++++++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/base b/apparmor.d/tunables/multiarch.d/base index 9661b1e513..6691e78266 100644 --- a/apparmor.d/tunables/multiarch.d/base +++ b/apparmor.d/tunables/multiarch.d/base @@ -91,3 +91,7 @@ @{word16}=@{word8}@{word8} @{word32}=@{word16}@{word16} @{word64}=@{word32}@{word32} + +# Shortcut for PCI device +@{pci_bus}=pci@{hex4}:@{hex2} + diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 2815eadb50..b7d39d05eb 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -61,7 +61,6 @@ # Shortcut for PCI device @{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h} -@{pci_bus}=pci@{hex4}:@{hex2} @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 07bc27669c..7c1d913e2c 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -44,6 +44,14 @@ func (p Configure) Apply() ([]string, error) { return res, err } + if prebuild.Release["VERSION_CODENAME"] == "noble" { + remove := []string{ + "tunables/multiarch.d/base", + } + if err := removeFiles(remove); err != nil { + return res, err + } + } if prebuild.Version < 3.0 { if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { return res, err From 922a9332d4fe525342bcd386744213cae338512f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 16 Dec 2025 23:36:59 +0100 Subject: [PATCH 1138/1736] fix(tests): aa-log. --- pkg/logs/loggers_test.go | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index fceeeada94..635103e1ef 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -5,6 +5,7 @@ package logs import ( + "os" "path/filepath" "reflect" "testing" @@ -59,6 +60,18 @@ func TestGetJournalctlLogs(t *testing.T) { } func TestSelectLogFile(t *testing.T) { + canReadPath := func(path string) bool { + if _, err := os.Stat(path); err == nil { + if file, err := os.Open(path); err == nil { + if err := file.Close(); err != nil { + return false + } + return true + } + } + return false + } + tests := []struct { name string path string @@ -72,14 +85,16 @@ func TestSelectLogFile(t *testing.T) { wantErr: false, }, { - name: "Get /var/log/audit/audit.log.1", - path: "1", - want: "/var/log/audit/audit.log.1", + name: "Get /var/log/audit/audit.log.1", + path: "1", + want: "/var/log/audit/audit.log.1", + wantErr: !canReadPath("/var/log/audit/audit.log.1"), }, { - name: "Get default log file", - path: "", - want: "/var/log/audit/audit.log", + name: "Get default log file", + path: "", + want: "/var/log/audit/audit.log", + wantErr: !canReadPath("/var/log/audit/audit.log.1"), }, { name: "File not found", From 9d66215ee5034e724fe3568d454677bbd26a1be7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 00:16:27 +0100 Subject: [PATCH 1139/1736] fix: temporary disable some tests. --- pkg/logs/loggers_test.go | 47 ++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 635103e1ef..5921734174 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -5,7 +5,6 @@ package logs import ( - "os" "path/filepath" "reflect" "testing" @@ -60,17 +59,17 @@ func TestGetJournalctlLogs(t *testing.T) { } func TestSelectLogFile(t *testing.T) { - canReadPath := func(path string) bool { - if _, err := os.Stat(path); err == nil { - if file, err := os.Open(path); err == nil { - if err := file.Close(); err != nil { - return false - } - return true - } - } - return false - } + // canReadPath := func(path string) bool { + // if _, err := os.Stat(path); err == nil { + // if file, err := os.Open(path); err == nil { + // if err := file.Close(); err != nil { + // return false + // } + // return true + // } + // } + // return false + // } tests := []struct { name string @@ -84,18 +83,18 @@ func TestSelectLogFile(t *testing.T) { want: filepath.Join(testdata, "audit.log"), wantErr: false, }, - { - name: "Get /var/log/audit/audit.log.1", - path: "1", - want: "/var/log/audit/audit.log.1", - wantErr: !canReadPath("/var/log/audit/audit.log.1"), - }, - { - name: "Get default log file", - path: "", - want: "/var/log/audit/audit.log", - wantErr: !canReadPath("/var/log/audit/audit.log.1"), - }, + // { + // name: "Get /var/log/audit/audit.log.1", + // path: "1", + // want: "/var/log/audit/audit.log.1", + // wantErr: !canReadPath("/var/log/audit/audit.log.1"), + // }, + // { + // name: "Get default log file", + // path: "", + // want: "/var/log/audit/audit.log", + // wantErr: !canReadPath("/var/log/audit/audit.log.1"), + // }, { name: "File not found", path: "/nonexistent/file", From 6941ca65f9141dcd834f946a6e72f31f540ee7fb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 00:28:12 +0100 Subject: [PATCH 1140/1736] fix(test): file formatting issue. --- pkg/aa/templates/apparmor.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/aa/templates/apparmor.j2 b/pkg/aa/templates/apparmor.j2 index 3a414e8aaf..b9e0bcc887 100644 --- a/pkg/aa/templates/apparmor.j2 +++ b/pkg/aa/templates/apparmor.j2 @@ -8,7 +8,6 @@ {{- range .Profiles -}} {{- template "profile" . -}} - {{- "\n" -}} {{- end -}} {{- range .Hats -}} From 0646a5831a4b6b2f7450966b9d0d085e34b2901d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 00:52:50 +0100 Subject: [PATCH 1141/1736] tests(aa): update testdata paths definition. --- pkg/aa/apparmor_test.go | 10 +++++----- pkg/aa/parse_test.go | 5 ++--- pkg/prebuild/directive/core_test.go | 4 ++++ pkg/prebuild/directive/exec_test.go | 4 ++-- pkg/prebuild/directive/stack_test.go | 2 +- 5 files changed, 14 insertions(+), 11 deletions(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 51eaab5262..8b92b97991 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -13,8 +13,8 @@ import ( ) var ( - testData = paths.New("../../tests/testdata/") - intData = paths.New("../../apparmor.d") + testData = paths.New("../../tests/testdata/") + apparmorDDir = paths.New("../../apparmor.d") ) // mustReadProfileFile read a file and return its content as a slice of string. @@ -36,7 +36,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { want: ``, }, { - name: "foo", + name: "string.aa", f: &AppArmorProfileFile{ Preamble: Rules{ &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, @@ -106,7 +106,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { }, }}, }, - want: testData.Join("string.aa").MustReadFileAsString(), + want: mustReadProfileFile(testData.Join("string.aa")), }, } for _, tt := range tests { @@ -236,7 +236,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { }, }}, }, - want: mustReadProfileFile(intData.Join("groups/apparmor/aa-status")), + want: mustReadProfileFile(apparmorDDir.Join("groups/apparmor/aa-status")), }, } for _, tt := range tests { diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 1ed950e332..3f882c3eb8 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -315,14 +315,13 @@ func testAppArmorProfileFiles(t *testing.T, rootdir *paths.Path, files []*paths. // Test the parser on our own profiles func Test_Parser_ApparmorD(t *testing.T) { - datadir := paths.New("../../apparmor.d/") - files, err := datadir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md")) + files, err := apparmorDDir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md")) if err != nil { panic(err) } // [14/12/25]: 4750 tests, success: 4750, fail 0, success rate: 100% - testAppArmorProfileFiles(t, datadir, files, []bool{true, false}) + testAppArmorProfileFiles(t, apparmorDDir, files, []bool{true, false}) } // Test the parser on apparmor default and extra profiles diff --git a/pkg/prebuild/directive/core_test.go b/pkg/prebuild/directive/core_test.go index 229dda6304..428717be60 100644 --- a/pkg/prebuild/directive/core_test.go +++ b/pkg/prebuild/directive/core_test.go @@ -11,6 +11,10 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) +var ( + apparmorDDir = paths.New("../../../apparmor.d") +) + func TestNewOption(t *testing.T) { tests := []struct { name string diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index 255d9a237d..367dd13ac8 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/prebuild/directive/exec_test.go @@ -22,7 +22,7 @@ func TestExec_Apply(t *testing.T) { }{ { name: "exec", - rootApparmord: paths.New("../../../apparmor.d/groups/kde/"), + rootApparmord: apparmorDDir.Join("groups/kde/"), opt: &Option{ Name: "exec", ArgMap: map[string]string{"DiscoverNotifier": ""}, @@ -36,7 +36,7 @@ func TestExec_Apply(t *testing.T) { }, { name: "exec-unconfined", - rootApparmord: paths.New("../../../apparmor.d/groups/polkit/"), + rootApparmord: apparmorDDir.Join("groups/polkit/"), opt: &Option{ Name: "exec", ArgMap: map[string]string{"U": "", "polkit-agent-helper": ""}, diff --git a/pkg/prebuild/directive/stack_test.go b/pkg/prebuild/directive/stack_test.go index 8f99d6f7a4..9937aee696 100644 --- a/pkg/prebuild/directive/stack_test.go +++ b/pkg/prebuild/directive/stack_test.go @@ -22,7 +22,7 @@ func TestStack_Apply(t *testing.T) { }{ { name: "stack", - rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"), + rootApparmord: apparmorDDir.Join("groups/freedesktop/"), opt: &Option{ Name: "stack", ArgMap: map[string]string{"plymouth": ""}, From f463276191c22a6c72d0404b1e25b434af6db985 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 12:59:46 +0100 Subject: [PATCH 1142/1736] fix(tests): aa: quick fix arround unit tests A future PR will revisit this. --- pkg/aa/apparmor_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 8b92b97991..0ad1c3d635 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -21,7 +21,7 @@ var ( // It panics if an error occurs. It removes the last comment line. func mustReadProfileFile(path *paths.Path) string { res := strings.Split(path.MustReadFileAsString(), "\n") - return strings.Join(res[:len(res)-2], "\n") + return strings.Join(res[:len(res)-2], "\n") + "\n" } func TestAppArmorProfileFile_String(t *testing.T) { From fde6c0510478af4ca40811e35534132dbc1009f4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 13:13:42 +0100 Subject: [PATCH 1143/1736] fix(tests): aa units tests --- pkg/aa/apparmor_test.go | 2 +- pkg/aa/templates/apparmor.j2 | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 0ad1c3d635..5346627159 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -106,7 +106,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { }, }}, }, - want: mustReadProfileFile(testData.Join("string.aa")), + want: testData.Join("string.aa").MustReadFileAsString(), }, } for _, tt := range tests { diff --git a/pkg/aa/templates/apparmor.j2 b/pkg/aa/templates/apparmor.j2 index b9e0bcc887..3a414e8aaf 100644 --- a/pkg/aa/templates/apparmor.j2 +++ b/pkg/aa/templates/apparmor.j2 @@ -8,6 +8,7 @@ {{- range .Profiles -}} {{- template "profile" . -}} + {{- "\n" -}} {{- end -}} {{- range .Hats -}} From 9a2258f0af0799b2817a5637158fc4b9671f15c8 Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 7 Oct 2025 18:33:16 +0200 Subject: [PATCH 1144/1736] add search tools --- apparmor.d/profiles-a-f/fd | 21 +++++++++++++++++++++ apparmor.d/profiles-m-r/rg | 21 +++++++++++++++++++++ apparmor.d/profiles-m-r/rga | 36 ++++++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+) create mode 100644 apparmor.d/profiles-a-f/fd create mode 100644 apparmor.d/profiles-m-r/rg create mode 100644 apparmor.d/profiles-m-r/rga diff --git a/apparmor.d/profiles-a-f/fd b/apparmor.d/profiles-a-f/fd new file mode 100644 index 0000000000..1913ba7d55 --- /dev/null +++ b/apparmor.d/profiles-a-f/fd @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/fd +profile fd @{exec_path} { + include + + @{exec_path} mr, + + ## Allow reading the entire filesystem to search for filenames + /{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rg b/apparmor.d/profiles-m-r/rg new file mode 100644 index 0000000000..856f1f532a --- /dev/null +++ b/apparmor.d/profiles-m-r/rg @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/rg +profile rg @{exec_path} { + include + + @{exec_path} mr, + + ## Allow reading the entire filesystem to search for strings + /{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rga b/apparmor.d/profiles-m-r/rga new file mode 100644 index 0000000000..124febbc68 --- /dev/null +++ b/apparmor.d/profiles-m-r/rga @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/rga +profile rga /{,usr/}bin/rga { + include + + @{exec_path} mr, + + @{bin}/rg ix, + @{bin}/ffmpeg ix, + @{bin}/ffprobe ix, + @{bin}/pandoc ix, + @{bin}/pdftotext ix, + @{bin}/rga-preproc ix, + + /usr/share/poppler/** r, + + owner @{user_cache_dirs}/ripgrep-all/cache.sqlite3 rwk, + owner @{user_cache_dirs}/ripgrep-all/cache.sqlite3-shm rwk, + owner @{user_cache_dirs}/ripgrep-all/cache.sqlite3-wal rwk, + + ## Allow reading the entire filesystem to search for strings + /{,**} r, + + owner @{PROC}/@{pid}/task/@{tid}/comm w, + + include if exists +} + +# vim:syntax=apparmor From 14e1e6058d1347680645730e51e3a0145d4a8b66 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 8 Oct 2025 11:06:51 +0200 Subject: [PATCH 1145/1736] fix linter --- apparmor.d/profiles-m-r/rga | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/rga b/apparmor.d/profiles-m-r/rga index 124febbc68..53cf10b8c5 100644 --- a/apparmor.d/profiles-m-r/rga +++ b/apparmor.d/profiles-m-r/rga @@ -27,7 +27,7 @@ profile rga /{,usr/}bin/rga { ## Allow reading the entire filesystem to search for strings /{,**} r, - + owner @{PROC}/@{pid}/task/@{tid}/comm w, include if exists From 1dde330067ef15695beb71c850e388e754462535 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 8 Oct 2025 11:25:14 +0200 Subject: [PATCH 1146/1736] fix path --- apparmor.d/profiles-m-r/rga | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/rga b/apparmor.d/profiles-m-r/rga index 53cf10b8c5..a5b412bf73 100644 --- a/apparmor.d/profiles-m-r/rga +++ b/apparmor.d/profiles-m-r/rga @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/rga -profile rga /{,usr/}bin/rga { +profile rga @{exec_path} { include @{exec_path} mr, From 54c5501a28f78992937502c0ccff6899550213aa Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 25 Oct 2025 13:09:39 +0200 Subject: [PATCH 1147/1736] add capabilities --- apparmor.d/profiles-a-f/fd | 3 +++ apparmor.d/profiles-m-r/rg | 3 +++ apparmor.d/profiles-m-r/rga | 3 +++ 3 files changed, 9 insertions(+) diff --git a/apparmor.d/profiles-a-f/fd b/apparmor.d/profiles-a-f/fd index 1913ba7d55..ba3690e013 100644 --- a/apparmor.d/profiles-a-f/fd +++ b/apparmor.d/profiles-a-f/fd @@ -10,6 +10,9 @@ include profile fd @{exec_path} { include + capability dac_override, + capability dac_read_search, + @{exec_path} mr, ## Allow reading the entire filesystem to search for filenames diff --git a/apparmor.d/profiles-m-r/rg b/apparmor.d/profiles-m-r/rg index 856f1f532a..073ffad22e 100644 --- a/apparmor.d/profiles-m-r/rg +++ b/apparmor.d/profiles-m-r/rg @@ -10,6 +10,9 @@ include profile rg @{exec_path} { include + capability dac_override, + capability dac_read_search, + @{exec_path} mr, ## Allow reading the entire filesystem to search for strings diff --git a/apparmor.d/profiles-m-r/rga b/apparmor.d/profiles-m-r/rga index a5b412bf73..4ed9892a26 100644 --- a/apparmor.d/profiles-m-r/rga +++ b/apparmor.d/profiles-m-r/rga @@ -10,6 +10,9 @@ include profile rga @{exec_path} { include + capability dac_override, + capability dac_read_search, + @{exec_path} mr, @{bin}/rg ix, From 1220786dd61e76bb4e53699bef9792bfeca00e58 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:11:41 +0100 Subject: [PATCH 1148/1736] fix: linter issues. --- apparmor.d/profiles-a-f/deno | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno index 33d7d53ddb..bb608454ac 100644 --- a/apparmor.d/profiles-a-f/deno +++ b/apparmor.d/profiles-a-f/deno @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + abi , include From 4fb1dc82c0cbad15f7d882419c0d5bb01e610e06 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:17:37 +0100 Subject: [PATCH 1149/1736] feat(abs): add fontconfig config directories. fix #934 --- apparmor.d/abstractions/fontconfig-cache | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache index 5e5595d555..35818dd2a2 100644 --- a/apparmor.d/abstractions/fontconfig-cache +++ b/apparmor.d/abstractions/fontconfig-cache @@ -35,6 +35,9 @@ owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW r, owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + owner @{user_config_dirs}/fontconfig/fonts.conf r, + owner @{user_config_dirs}/fontconfig/conf.d/{,**} r, + owner @{user_cache_dirs}/fontconfig/ r, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG r, # {,.NEW,.LCK,.TMP-*} r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, # {,.NEW,.LCK,.TMP-*} r, From 4df08d80ce4209bd308516b565e39dd116beadb6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:34:47 +0100 Subject: [PATCH 1150/1736] fix(profile): paccache fix #952 --- apparmor.d/groups/pacman/paccache | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index d68c0b8324..9a68619b99 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/paccache profile paccache @{exec_path} flags=(attach_disconnected) { include + include include capability dac_read_search, @@ -19,6 +20,7 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, + @{bin}/date rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, @{bin}/gpgconf rix, From 5e4587cb3228768c4a9308670370c804c625ee6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:40:20 +0100 Subject: [PATCH 1151/1736] feat(abs): chromium: add cups, better tmp dir access. --- apparmor.d/abstractions/app/chromium | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 6d143b0d5a..df14c2e780 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -33,6 +33,7 @@ include include include + include include include include @@ -86,8 +87,6 @@ # Installing/removing extensions, applications, and stacked xdg menus @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, @{coreutils_path} ix, # For storing passwords externally @@ -139,7 +138,7 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.@{rand6}/** rw, + owner @{tmp}/.@{domain}.*/** rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/cache/Default/ rw, owner @{tmp}/cache/Default/** rwk, From 91ceece206c819b3f63cdf9c506a6aa44dba961f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:41:39 +0100 Subject: [PATCH 1152/1736] feta(abs): ensure integration with libvirt generated profile. --- apparmor.d/abstractions/libvirt-qemu.d/complete | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 apparmor.d/abstractions/libvirt-qemu.d/complete diff --git a/apparmor.d/abstractions/libvirt-qemu.d/complete b/apparmor.d/abstractions/libvirt-qemu.d/complete new file mode 100644 index 0000000000..7397cb32dd --- /dev/null +++ b/apparmor.d/abstractions/libvirt-qemu.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + unix type=stream peer=(label=virtiofsd), + unix type=stream peer=(label=virt-manager), + +# vim:syntax=apparmor From 5c673ef39dfa740bef745c69aca363e7f61866d1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:51:08 +0100 Subject: [PATCH 1153/1736] feat(profile): ensure pacman can communicate with its hooks If denied, the pacman hooks will fail. --- apparmor.d/groups/apparmor/apparmor_parser | 3 ++- apparmor.d/groups/freedesktop/fc-cache | 2 ++ .../groups/freedesktop/update-desktop-database | 3 ++- apparmor.d/groups/freedesktop/update-mime-database | 2 ++ apparmor.d/groups/pacman/archlinux-java | 3 ++- .../groups/pacman/archlinux-keyring-wkd-sync | 2 ++ apparmor.d/groups/pacman/mkinitcpio | 3 ++- apparmor.d/groups/pacman/pacdiff | 5 ++--- apparmor.d/groups/pacman/pacman | 14 ++++++++------ apparmor.d/groups/pacman/pacman-conf | 3 ++- apparmor.d/groups/pacman/pacman-hook-code | 6 ++++++ apparmor.d/groups/pacman/pacman-hook-dconf | 5 +++-- apparmor.d/groups/pacman/pacman-hook-depmod | 3 ++- apparmor.d/groups/pacman/pacman-hook-dkms | 10 +++++++++- apparmor.d/groups/pacman/pacman-hook-fontconfig | 3 ++- apparmor.d/groups/pacman/pacman-hook-gio | 3 ++- apparmor.d/groups/pacman/pacman-hook-gtk | 3 ++- .../groups/pacman/pacman-hook-gtk4-querymodules | 3 ++- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 3 ++- .../groups/pacman/pacman-hook-mkinitcpio-remove | 3 ++- apparmor.d/groups/pacman/pacman-hook-perl | 3 ++- apparmor.d/groups/pacman/pacman-hook-systemd | 7 ++++--- apparmor.d/groups/systemd/systemd-detect-virt | 3 ++- apparmor.d/groups/systemd/systemd-notify | 5 ++--- apparmor.d/groups/utils/blkid | 2 ++ apparmor.d/groups/utils/findmnt | 5 ++--- apparmor.d/groups/utils/lsblk | 2 ++ apparmor.d/groups/utils/uname | 2 ++ apparmor.d/profiles-a-f/appstreamcli | 2 ++ apparmor.d/profiles-g-l/ghc-pkg | 2 ++ apparmor.d/profiles-g-l/glib-compile-schemas | 2 ++ apparmor.d/profiles-g-l/gtk-query-immodules | 2 ++ apparmor.d/profiles-g-l/install-info | 3 ++- apparmor.d/profiles-m-r/mullvad-setup | 2 ++ apparmor.d/profiles-s-z/update-ca-trust | 2 ++ apparmor.d/profiles-s-z/vlc-cache-gen | 2 ++ 36 files changed, 92 insertions(+), 36 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index dcc93017aa..72dddae80f 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -15,6 +15,8 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { capability mac_admin, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{lib_dirs}/@{multiarch}/** mr, @@ -50,7 +52,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network netlink raw, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 3720b369a2..bd0575d804 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -17,6 +17,8 @@ profile fc-cache @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, /var/cache/fontconfig/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 75a5aaa1b9..978ffa71e3 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -17,6 +17,8 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{system_share_dirs}/*ubuntu/applications/.mimeinfo.cache.* rw, @@ -40,7 +42,6 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { deny network inet6 stream, deny network inet stream, deny network netlink raw, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 1c7cf6010c..67f3f8f326 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -15,6 +15,8 @@ profile update-mime-database @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{system_share_dirs}/mime/{,**} rw, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 6a247f4f46..e84d8eba76 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -12,6 +12,8 @@ profile archlinux-java @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -32,7 +34,6 @@ profile archlinux-java @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index cc452e1ed3..c895b23845 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -18,6 +18,8 @@ profile archlinux-keyring-wkd-sync @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 0f7334a88c..951be4cff1 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -20,6 +20,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { network unix stream, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} rmix, @{sh_path} rix, @@ -118,7 +120,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { deny @{HOME}/** r, deny network inet stream, deny network inet6 stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index b51f924712..faae3bc603 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -16,6 +16,8 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -45,9 +47,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{u16} rw, - # Inherit Silencer - deny unix type=stream peer=(label=pacman), - profile editor { include include diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 14a00b4ea0..d39200464d 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -181,6 +181,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal receive set=(term winch) peer=makepkg//sudo, + unix (send receive) type=stream peer=(label=pacman), + @{pager_path} rPx -> child-pager, @{bin}/systemd-tty-ask-password-agent rPx, @@ -204,10 +206,9 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include - @{bin}/gdbus rix, + unix (send receive) type=stream peer=(label=pacman), - # Inherit Silencer - deny unix type=stream peer=(label=pacman), + @{bin}/gdbus rix, include if exists } @@ -221,6 +222,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal send, + unix (send receive) type=stream peer=(label=pacman), + @{bin}/killall mr, @{bin}/pkill mr, @@ -238,6 +241,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include + unix (send receive) type=stream peer=(label=pacman), + @{sh_path} rix, @{sbin}/ldconfig mrix, @@ -254,9 +259,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/cache/ldconfig/ rw, owner /var/cache/ldconfig/aux-cache* rw, - # Inherit Silencer - deny unix type=stream peer=(label=pacman), - include if exists } diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index 7042fca4c3..b05651b61b 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -11,6 +11,8 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { include include + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, /etc/pacman.conf r, @@ -22,7 +24,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 3e916efe3f..b890d1b59c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -13,6 +13,8 @@ profile pacman-hook-code @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{bin}/env r, @@ -24,6 +26,10 @@ profile pacman-hook-code @{exec_path} { /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, + # File Inherit + deny network inet stream, + deny network inet6 stream, + include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index bbf155494c..a287daecfc 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -7,11 +7,13 @@ abi , include @{exec_path} = /usr/share/libalpm/scripts/dconf-update -profile pacman-hook-dconf @{exec_path} { +profile pacman-hook-dconf @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -25,7 +27,6 @@ profile pacman-hook-dconf @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index add7e5ee39..6c2cb66d52 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -12,6 +12,8 @@ profile pacman-hook-depmod @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -29,7 +31,6 @@ profile pacman-hook-depmod @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index cc1d2b8fc4..52809b7b06 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -16,6 +16,8 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { network unix stream, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -28,12 +30,18 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { /etc/dkms/{,*} r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + + @{PROC}/@{pid}/cgroup r, + /dev/tty rw, # Inherit Silencer deny network inet stream, deny network inet6 stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 471596294c..acb4731b75 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -12,6 +12,8 @@ profile pacman-hook-fontconfig @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -27,7 +29,6 @@ profile pacman-hook-fontconfig @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 74bbf6506a..c506ac29d4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -12,6 +12,8 @@ profile pacman-hook-gio @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -28,7 +30,6 @@ profile pacman-hook-gio @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index d39efb3eab..dc251a70c0 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -12,6 +12,8 @@ profile pacman-hook-gtk @{exec_path} flags=(attach_disconnected) { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -30,7 +32,6 @@ profile pacman-hook-gtk @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index 94bb80933e..6cdb8164fe 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -13,6 +13,8 @@ profile pacman-hook-gtk4-querymodules @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} r, @@ -24,7 +26,6 @@ profile pacman-hook-gtk4-querymodules @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 3238902431..7abfc62e6d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -14,6 +14,8 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability mknod, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -48,7 +50,6 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { # # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), profile pacman { include diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 61e3f30b96..3e62e80eb9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -13,6 +13,8 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { capability dac_read_search, capability mknod, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -33,7 +35,6 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { # Inherit Silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 903c524c97..9a3f319b63 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -14,6 +14,8 @@ profile pacman-hook-perl @{exec_path} { capability dac_read_search, capability mknod, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -29,7 +31,6 @@ profile pacman-hook-perl @{exec_path} { # Inherit silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 3017ae29fc..788d7e841d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -13,6 +13,8 @@ profile pacman-hook-systemd @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -38,7 +40,6 @@ profile pacman-hook-systemd @{exec_path} { # Inherit silencer deny network inet6 stream, deny network inet stream, - deny unix type=stream peer=(label=pacman), profile systemctl flags=(attach_disconnected) { include @@ -51,9 +52,9 @@ profile pacman-hook-systemd @{exec_path} { signal send set=(cont, term) peer=systemd-tty-ask-password-agent, - @{bin}/systemd-tty-ask-password-agent Px, + unix (send receive) type=stream peer=(label=pacman), - deny unix type=stream peer=(label=pacman), + @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index c18511a8cf..32d410a369 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -16,6 +16,8 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { ptrace read peer=@{p_systemd}, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{run}/cloud-init/ds-identify.log w, @@ -45,7 +47,6 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { deny capability net_admin, deny capability perfmon, deny network (send receive) netlink raw, - deny unix (send receive) type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index 9b2182cc30..f319798c71 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -14,10 +14,9 @@ profile systemd-notify @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability net_admin, - @{exec_path} mr, + unix (send receive) type=stream peer=(label=pacman), - # Inherit Silencer - deny unix type=stream peer=(label=pacman), + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 457b2d199b..2c50ac065f 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -15,6 +15,8 @@ profile blkid @{exec_path} flags=(attach_disconnected) { capability sys_rawio, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, /etc/blkid.conf r, diff --git a/apparmor.d/groups/utils/findmnt b/apparmor.d/groups/utils/findmnt index 0c027dc2c2..124c069641 100644 --- a/apparmor.d/groups/utils/findmnt +++ b/apparmor.d/groups/utils/findmnt @@ -16,6 +16,8 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { capability dac_read_search, capability sys_rawio, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, /etc/fstab r, @@ -23,9 +25,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { @{PROC}/@{pids}/mountinfo r, - # File Inherit - deny unix (receive) type=stream, - include if exists } diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 6fc1d5bb25..bf031bac68 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -17,6 +17,8 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { capability dac_read_search, audit capability dac_override, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{PROC}/swaps r, diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname index 2b393e4c0a..46fb048b1a 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/groups/utils/uname @@ -12,6 +12,8 @@ profile uname @{exec_path} flags=(attach_disconnected) { include include + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{att}/dev/tty@{u8} rw, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index f2231479dd..ff515666d7 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -16,6 +16,8 @@ profile appstreamcli @{exec_path} flags=(complain) { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{bin}/curl rCx -> curl, diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index 3ccfdec4aa..fb13eb0adc 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -13,6 +13,8 @@ profile ghc-pkg @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index f1dfb68ce5..b632060a96 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -14,6 +14,8 @@ profile glib-compile-schemas @{exec_path} { network inet stream, network inet6 stream, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{system_share_dirs}/ r, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index a7cbf52ae3..d41a29af4b 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -14,6 +14,8 @@ profile gtk-query-immodules @{exec_path} { capability dac_override, capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{lib}/gtk-{2,3,4}.0/**/immodules.cache w, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index 98dd33470c..540797c000 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -13,6 +13,8 @@ profile install-info @{exec_path} flags=(attach_disconnected) { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, @@ -27,7 +29,6 @@ profile install-info @{exec_path} flags=(attach_disconnected) { # Inherit silencer deny network inet6 stream, deny network inet stream, - deny unix (send receive) type=stream peer=(label=pacman), include if exists } diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index bc20a0f9ad..06b8edd861 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -11,6 +11,8 @@ profile mullvad-setup @{exec_path} { include include + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sys}/fs/cgroup/user.slice/cpu.max r, diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index c0f220919b..4fabd13887 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -13,6 +13,8 @@ profile update-ca-trust @{exec_path} { capability dac_read_search, + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen index 1c089b0f86..0df0b88bcf 100644 --- a/apparmor.d/profiles-s-z/vlc-cache-gen +++ b/apparmor.d/profiles-s-z/vlc-cache-gen @@ -11,6 +11,8 @@ profile vlc-cache-gen @{exec_path} { include include + unix (send receive) type=stream peer=(label=pacman), + @{exec_path} mr, @{lib}/vlc/plugins/{,*} rw, From f29300c76e053d9447df19fe4194a541ceb50ee4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:52:46 +0100 Subject: [PATCH 1154/1736] feat(profile): update pacman profiles. --- apparmor.d/groups/pacman/mkinitcpio | 1 + apparmor.d/groups/pacman/pacman | 4 ++++ apparmor.d/groups/pacman/pacman-hook-depmod | 2 +- apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 7 +++++++ apparmor.d/groups/pacman/pacman-hook-perl | 2 +- 6 files changed, 15 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 951be4cff1..c65339896a 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -108,6 +108,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/fw_platform_size r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index d39200464d..f984803214 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -85,6 +85,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /etc/** PUx, /usr/share/** PUx, + priority=-1 @{lib}/** PUx, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, @{lib}/systemd/systemd-* Px, @{lib}/vlc/vlc-cache-gen Px, @@ -241,6 +242,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include + capability sys_chroot, + unix (send receive) type=stream peer=(label=pacman), @{sh_path} rix, @@ -252,6 +255,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /opt/cuda/**/@{lib}/ r, /opt/cuda/**/@{lib}/@{multiarch}/ r, + /opt/cuda/**/@{lib}/**.so* r, /etc/ld.so.cache rw, /etc/ld.so.cache~ rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 6c2cb66d52..6d8039728b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/libalpm/scripts/depmod -profile pacman-hook-depmod @{exec_path} { +profile pacman-hook-depmod @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index 6cdb8164fe..8b56a8d66e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules -profile pacman-hook-gtk4-querymodules @{exec_path} { +profile pacman-hook-gtk4-querymodules @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 7abfc62e6d..b8681301ce 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -44,6 +44,13 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{efi}/initramfs-*.img rw, @{efi}/vmlinuz-* rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + + @{PROC}/@{pid}/cgroup r, + /dev/tty rw, owner /dev/pts/@{u16} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 9a3f319b63..f2e55e477e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh -profile pacman-hook-perl @{exec_path} { +profile pacman-hook-perl @{exec_path} flags=(attach_disconnected) { include include From 97a15f35abed11dbcb933eca59824c0dff07630d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:53:57 +0100 Subject: [PATCH 1155/1736] feat(abs): improve the camera abs. --- apparmor.d/abstractions/camera | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera index 21cc11418c..a358283048 100644 --- a/apparmor.d/abstractions/camera +++ b/apparmor.d/abstractions/camera @@ -6,18 +6,9 @@ abi , - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c81:@{int} r, # For video4linux + include - # Allow detection of cameras. Leaks plugged in USB device info - @{sys}/bus/usb/devices/ r, - @{sys}/devices/@{pci}/usb@{int}/**/busnum r, - @{sys}/devices/@{pci}/usb@{int}/**/devnum r, - @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, - @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, - @{sys}/devices/@{pci}/usb@{int}/**/interface r, - @{sys}/devices/@{pci}/usb@{int}/**/modalias r, - @{sys}/devices/@{pci}/usb@{int}/**/speed r, + @{run}/udev/data/c81:@{int} r, # For video4linux @{sys}/class/video4linux/ r, @{sys}/devices/**/video4linux/video@{int}/ r, From 8007fbdd2b3092f84a9149966cee54ffbe9e90f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:54:43 +0100 Subject: [PATCH 1156/1736] feat(abs): nvidia: allows to bind on dbus name. --- apparmor.d/abstractions/nvidia-strict | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 2923e51d6e..a3ba47a601 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -4,6 +4,8 @@ abi , + dbus bind bus=system name=nvidia.nvfbc.pid_@{pid}, + @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, /opt/cuda/targets/@{arch}-linux/lib/*.so mr, From d1e1a884a2bfeb00e7e5b4224ad0b02501f0f118 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:56:43 +0100 Subject: [PATCH 1157/1736] feat(profile): update apt related profiles. --- apparmor.d/groups/apt/apt | 17 ++++++++--------- apparmor.d/groups/apt/apt-methods-http | 2 -- apparmor.d/groups/apt/dpkg-scripts | 3 +++ apparmor.d/groups/ubuntu/ubuntu-report | 3 +++ 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 1b026a436c..5f80eedaf8 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -35,6 +35,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/apt-get/system, unix bind type=stream addr=@@{udbus}/bus/apt/system, + unix bind type=stream addr=@@{udbus}/bus/aptd/system, unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), @@ -66,6 +67,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{python_path} mr, @{bin}/ r, + @{sbin}/ r, @{sh_path} rix, @{bin}/{,e}grep rix, @@ -151,20 +153,17 @@ profile apt @{exec_path} flags=(attach_disconnected) { # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - /tmp/ r, - /tmp/apt-changelog-*/ w, - /tmp/apt-changelog-*/*.changelog w, - /tmp/apt-tmp-index.@{rand6} rw, - owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, - owner @{tmp}/apt-dpkg-install-*/ rw, - owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, - owner @{tmp}/apt.conf.* rw, - owner @{tmp}/apt.data.* rw, + /tmp/ r, + /tmp/@{rand8} rw, + @{tmp}/apt* rw, + @{tmp}/apt*/{,**} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index a9ce0eb6ba..364e582b58 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -80,8 +80,6 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { @{run}/ubuntu-advantage/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, - @{run}/systemd/resolve/io.systemd.Resolve rw, - @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index a94fc69505..f47ba00d47 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -20,6 +20,7 @@ profile dpkg-scripts @{exec_path} { capability fsetid, capability setgid, capability setuid, + capability sys_admin, # optional: no audit @{exec_path} mrix, @@ -89,6 +90,8 @@ profile dpkg-scripts @{exec_path} { /tmp/tmp.@{rand10}/ rw, /tmp/updateppds.@{rand6} rw, + @{sys}/kernel/security/apparmor/features/policy/unconfined_restrictions/userns r, + @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 65fa3eaa0a..80ffda2883 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -23,6 +23,9 @@ profile ubuntu-report @{exec_path} { owner @{user_cache_dirs}/ubuntu-report/{,*} rw, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } From 53b43a31ddcc8bfceb961ee36d014b07869454ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:58:11 +0100 Subject: [PATCH 1158/1736] feat(profile): improve snap profiles. --- apparmor.d/groups/snap/snap | 1 + apparmor.d/groups/snap/snap-seccomp | 3 +++ apparmor.d/groups/snap/snap-update-ns | 1 + apparmor.d/groups/snap/snapd | 1 + apparmor.d/groups/snap/snapd-apparmor | 4 ++++ 5 files changed, 10 insertions(+) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 8d96dd114d..5e7cf6ab21 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -103,6 +103,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{run}/snapd.socket rw, @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/system.slice/snapd.seeded.service/cpu.max r, @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 90c1724beb..0e88ded122 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -25,6 +25,9 @@ profile snap-seccomp @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/seccomp/bpf/{,**} rw, + @{sys}/fs/cgroup/system.slice/snapd.service/cpu.max r, + + @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, /apparmor/.null rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 7f73502774..30f52ae175 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -53,6 +53,7 @@ profile snap-update-ns @{exec_path} { /usr/local/share/fonts/ rw, /usr/share/ r, /usr/share/drirc.d w, + /usr/share/swcatalog/ rw, /usr/share/X11/ r, /usr/share/X11/XErrorDB w, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index cc80146803..ef8c124bf0 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -21,6 +21,7 @@ profile snapd @{exec_path} { include include include + include capability audit_write, capability chown, diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 42bcb2b5ac..c107cfb11a 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -25,6 +25,10 @@ profile snapd-apparmor @{exec_path} { /var/lib/snapd/apparmor/profiles/ r, + @{sys}/fs/cgroup/system.slice/snapd.apparmor.service/cpu.max r, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/cmdline r, include if exists From 0b1a1825be1e04e1c89db0fa2f0df59a056a59be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 19:59:37 +0100 Subject: [PATCH 1159/1736] feat(abs): add initial version of contacts-service. --- apparmor.d/abstractions/contacts-service | 123 +++++++++++++++++++++++ apparmor.d/groups/bluetooth/obexd | 1 + 2 files changed, 124 insertions(+) create mode 100644 apparmor.d/abstractions/contacts-service diff --git a/apparmor.d/abstractions/contacts-service b/apparmor.d/abstractions/contacts-service new file mode 100644 index 0000000000..671df1688a --- /dev/null +++ b/apparmor.d/abstractions/contacts-service @@ -0,0 +1,123 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to Evolution Data Service for contacts + + abi , + + # DBus.Properties: read properties from the interface + + dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label=evolution-source-registry), + + dbus send bus=session path=/org/gnome/evolution/dataserver/AddressBook{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label=evolution-addressbook-factory), + + dbus send bus=session path=/org/gnome/evolution/dataserver/AddressBookFactory + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label=evolution-addressbook-factory), + + dbus send bus=session path=/org/gnome/evolution/dataserver/AddressBookCursor{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label=evolution-addressbook-factory), + + dbus send bus=session path=/org/gnome/evolution/dataserver/AddressBookView{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label=evolution-addressbook-factory), + + dbus send bus=session path=/org/gnome/evolution/dataserver/Subprocess{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label=evolution-addressbook-factory), + + # DBus.Properties: receive property changed events + + # DBus.ObjectManager: allow clients to enumerate sources + + dbus send bus=session path=/org/gnome/evolution/dataserver{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(label=evolution-source-registry), + dbus receive bus=session path=/org/gnome/evolution/dataserver{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(label=evolution-source-registry), + + dbus send bus=session path=/org/gnome/evolution/dataserver{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(label=evolution-addressbook-factory), + dbus receive bus=session path=/org/gnome/evolution/dataserver{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(label=evolution-addressbook-factory), + + # DBus.Introspectable: allow clients to introspect the service + + dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label=evolution-source-registry), + + dbus send bus=session path=/org/gnome/evolution/dataserver/AddressBook{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label=evolution-addressbook-factory), + + dbus send bus=session path=/org/gnome/evolution/dataserver/AddressBookFactory + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label=evolution-addressbook-factory), + + dbus send bus=session path=/org/gnome/evolution/dataserver/AddressBookCursor{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label=evolution-addressbook-factory), + + dbus send bus=session path=/org/gnome/evolution/dataserver/AddressBookView{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label=evolution-addressbook-factory), + + # Allow access to methods + + dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/SourceManager + interface=org.gnome.evolution.dataserver.SourceManager + peer=(label=evolution-source-registry), + + dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface=org.gnome.evolution.dataserver.Source + peer=(label=evolution-source-registry), + + dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface=org.gnome.evolution.dataserver.Source.Removable + peer=(label=evolution-source-registry), + + dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{Subprocess,AddressBook}{,/**} + interface=org.gnome.evolution.dataserver.AddressBook + peer=(label=evolution-addressbook-factory), + + dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/AddressBookFactory + interface=org.gnome.evolution.dataserver.AddressBookFactory + peer=(label=evolution-addressbook-factory), + + dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/AddressBookCursor{,/**} + interface=org.gnome.evolution.dataserver.AddressBookCursor + peer=(label=evolution-addressbook-factory), + + dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/AddressBookView{,/**} + interface=org.gnome.evolution.dataserver.AddressBookView + peer=(label=evolution-addressbook-factory), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 032394af62..83a9fe0dc5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -13,6 +13,7 @@ profile obexd @{exec_path} flags=(attach_disconnected) { include include include + include include include include From 2b2a00de20822f6a5c1449203cbe555018ac9597 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:01:43 +0100 Subject: [PATCH 1160/1736] feat(profile): update gvfsd-*. --- apparmor.d/groups/gvfs/gvfsd-dav | 3 +++ apparmor.d/groups/gvfs/gvfsd-dnssd | 4 +--- apparmor.d/groups/gvfs/gvfsd-trash | 2 ++ 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 3417afae7b..bf1144a0bc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -16,6 +16,7 @@ profile gvfsd-dav @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -28,6 +29,8 @@ profile gvfsd-dav @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + unix (send receive) type=stream peer=(label=nautilus), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 39795a4a94..0cbf108fd9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -10,12 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dnssd profile gvfsd-dnssd @{exec_path} { include + include include include include - include - include - include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 5ff83af32c..ac47b5cd8e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -20,6 +20,8 @@ profile gvfsd-trash @{exec_path} { network inet stream, network inet6 stream, + unix (send receive) type=stream, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @{exec_path} mr, From 86925e61177788dcde54846d5928d78d778d07bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:03:49 +0100 Subject: [PATCH 1161/1736] feat(profile): update some freedesktop profiles. --- apparmor.d/groups/freedesktop/dconf | 5 +++++ apparmor.d/groups/freedesktop/geoclue | 1 - apparmor.d/groups/freedesktop/plymouthd | 1 + apparmor.d/groups/freedesktop/upowerd | 6 +++--- apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 + .../groups/freedesktop/xdg-desktop-portal-validate-icon | 1 + 6 files changed, 11 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index dfe8fd51dd..db2c58782b 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -16,6 +16,11 @@ profile dconf @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability dac_override, + dbus send bus=system path=/ca/desrt/dconf/Writer/ibus + interface=ca.desrt.dconf.Writer + member=WritabilityNotify + peer=(label=ibus-dconf), + @{exec_path} mr, /etc/dconf/db/** rw, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index bdaf2dfeb8..b0319d2095 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -35,7 +35,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { /etc/sysconfig/proxy r, /var/lib/nscd/services r, - /var/lib/dbus/machine-id r, @{run}/systemd/resolve/io.systemd.Resolve rw, @{att}@{run}/systemd/resolve/io.systemd.Resolve rw, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 5dba7d689b..0cb07ef504 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -12,6 +12,7 @@ profile plymouthd @{exec_path} { include include include + include include capability checkpoint_restore, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index a749fc6873..fbac9dd9c2 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -25,8 +25,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/UPower/ r, - /etc/UPower/UPower.conf r, + /etc/UPower/{,**} r, /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, @@ -41,10 +40,11 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+serio:* r, # for serial mice @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+serio:* r, # for serial mice @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 2fba1dca33..0d7e99fc5c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -98,6 +98,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/xdg-desktop-portal/* r, owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, + owner @{tmp}/gtkprint@{rand6} r, owner @{tmp}/icon@{rand6} rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon index e73cb054c5..5f4d702c52 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon @@ -17,6 +17,7 @@ profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected @{exec_path} mrix, @{bin}/bwrap ix, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> xdg-desktop-portal-validate-icon//bwrap//&glycin//loaders, owner @{tmp}/icon@{rand6} r, From 575e374c2969377492b90217c477c40168bec475 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:05:02 +0100 Subject: [PATCH 1162/1736] feat(abs): dbus: update dbus own core abs. --- apparmor.d/abstractions/bus/accessibility/own | 2 +- apparmor.d/abstractions/bus/session/own | 2 +- apparmor.d/abstractions/bus/system/own | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own index 7cb1a4dbb1..2197a3ea17 100644 --- a/apparmor.d/abstractions/bus/accessibility/own +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -12,7 +12,7 @@ dbus send bus=accessibility path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus - member={RequestName,ReleaseName} + member={ListNames,RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), dbus send bus=accessibility path=/{,org/freedesktop/DBus} diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own index 18bc607a84..2bdc1c63bb 100644 --- a/apparmor.d/abstractions/bus/session/own +++ b/apparmor.d/abstractions/bus/session/own @@ -12,7 +12,7 @@ dbus send bus=session path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus - member={RequestName,ReleaseName} + member={ListNames,RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/{,org/freedesktop/DBus} diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own index 17d216859f..071300e63c 100644 --- a/apparmor.d/abstractions/bus/system/own +++ b/apparmor.d/abstractions/bus/system/own @@ -10,12 +10,12 @@ abi , - dbus send bus=system path=/{,org/freedesktop/DBus} + dbus send bus=system path=/{,org/freedesktop/DBus,/org/freedesktop/DBus/Bus} interface=org.freedesktop.DBus - member={RequestName,ReleaseName} + member={ListNames,RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/{,org/freedesktop/DBus} + dbus send bus=system path=/{,org/freedesktop/DBus,/org/freedesktop/DBus/Bus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), From b032c7929cf8c3832ccf46ea498ba4cc6929496c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:06:54 +0100 Subject: [PATCH 1163/1736] feat(abs): update some bus abs. --- .../abstractions/bus/session/org.ayatana.NotificationItem | 5 +++++ apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 | 5 +++++ apparmor.d/abstractions/bus/system/org.bluez.Device1 | 2 +- .../abstractions/bus/system/org.freedesktop.NetworkManager | 5 +++++ 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem b/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem index 9260abb2fd..940992b32a 100644 --- a/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem +++ b/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem @@ -9,6 +9,11 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=@{busname}, label="@{pp_app_indicator}"), + dbus send bus=session path=/org/ayatana/NotificationItem/*/Menu + interface=com.canonical.dbusmenu + member=LayoutUpdated + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + dbus receive bus=session path=/org/ayatana/NotificationItem/*/Menu interface=com.canonical.dbusmenu member={AboutToShow,Event,GetGroupProperties,GetLayout} diff --git a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 10ab0da37d..6b925e8d1f 100644 --- a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -53,6 +53,11 @@ member=Cancel peer=(name=@{busname}, label=wpa-supplicant), + dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=fi.w1.wpa_supplicant1.Interface + member=PropertiesChanged + peer=(name=@{busname}, label=wpa-supplicant), + dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone} diff --git a/apparmor.d/abstractions/bus/system/org.bluez.Device1 b/apparmor.d/abstractions/bus/system/org.bluez.Device1 index 685ad2b3dd..bb32856bbc 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez.Device1 +++ b/apparmor.d/abstractions/bus/system/org.bluez.Device1 @@ -4,7 +4,7 @@ abi , - dbus receive bus=system path=/org/bluez/hci@{int}/ddev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2} + dbus receive bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2} interface=org.bluez.Device1 member=Disconnected peer=(name=@{busname}, label=bluetoothd), diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager index 16961e28bc..600f509958 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager @@ -55,6 +55,11 @@ member=Introspect peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager/*/@{int} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=NetworkManager), + # NetworkManager dbus send bus=system path=/org/freedesktop/NetworkManager From f9516a54f0f9e4682e4ff77363c471087537aa37 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:10:05 +0100 Subject: [PATCH 1164/1736] feat(abs): add devtools and development. --- apparmor.d/abstractions/development | 73 ++++++++++++++++++++++++ apparmor.d/abstractions/devtools | 39 +++++++++++++ apparmor.d/tunables/multiarch.d/programs | 2 +- 3 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/abstractions/development create mode 100644 apparmor.d/abstractions/devtools diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development new file mode 100644 index 0000000000..9610f3131c --- /dev/null +++ b/apparmor.d/abstractions/development @@ -0,0 +1,73 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: devtools + +# Allows access to various development tools such as compilers and, build tools etc. + + abi , + + include + include + include + include + include + include + + @{bin}/** ix, + @{sbin}/** ix, + @{HOME}/** ix, + @{lib}/** ix, + /opt/*/** ix, + /usr/local/bin/** ix, + /usr/local/lib/** ix, + /usr/share/** ix, + @{user_bin_dirs}/** ix, + + @{pager_path} Px -> child-pager, + @{bin}/lsb_release Px, + + / r, + /usr/{,**} r, + /opt/{,**} r, + @{user_bin_dirs}/{,**} r, + + /etc/ r, + /etc/*@{devtools}* r, + /etc/*@{devtools}*/{,**} r, + /etc/debuginfod/{,**} r, + + owner @{HOME}/.local/ r, + owner @{user_lib_dirs}/ r, + + owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{tmp}/cc@{rand6}* rw, + owner @{tmp}/GMfifo@{int} rw, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/*tests*/ rw, + owner @{tmp}/*tests*/** rwlk, + owner @{tmp}/*tests*/** mix, + + # Allow reading CPU cgroup limits + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + # Provide statistical information about our own processes/threads + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + # Allow listing file descriptors for resource monitoring + owner @{PROC}/@{pid}/fd/ r, + + owner @{PROC}/@{pid}/fd/@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devtools b/apparmor.d/abstractions/devtools new file mode 100644 index 0000000000..2a7b177b63 --- /dev/null +++ b/apparmor.d/abstractions/devtools @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: devtools + +# Allows common file for various development tools. This abstraction is meant +# to be included in profiles of development tools only. + + abi , + + owner @{HOME}/.*@{devtools}* rw, + owner @{HOME}/.*@{devtools}*/ rw, + owner @{HOME}/.*@{devtools}*/** rwlk, + + owner @{HOME}/*@{devtools}*/ rw, + owner @{HOME}/*@{devtools}*/** rwlk, + + owner @{user_cache_dirs}/ r, + owner @{user_cache_dirs}/*@{devtools}*/ rw, + owner @{user_cache_dirs}/*@{devtools}*/** rwlk, + + owner @{user_config_dirs}/*@{devtools}*/ rw, + owner @{user_config_dirs}/*@{devtools}*/** rwlk, + + owner @{user_share_dirs}/ r, + owner @{user_share_dirs}/*@{devtools}*/ rw, + owner @{user_share_dirs}/*@{devtools}*/** rwlk, + + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/*@{devtools}*/ rw, + owner @{user_state_dirs}/*@{devtools}*/** rwlk, + + owner @{tmp}/*@{devtools}* rw, + owner @{tmp}/*@{devtools}*/ rw, + owner @{tmp}/*@{devtools}*/** rwlk, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 58239b310f..ef139e03d6 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -28,7 +28,7 @@ @{coreutils} += which{,.debianutils} # Various development tools -@{devtools} = go{,-*} gem cargo npm just pip +@{devtools} = go{,-*} rust gem cargo npm just pip typescript node ansible python pyright # Python interpreters @{python_version} = 3 3.[0-9] 3.1[0-9] From e8da709750a171a0839b6681b750953c00970bbc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:11:15 +0100 Subject: [PATCH 1165/1736] feat(abs): base: like sudo, add integration with sudo-rs. --- apparmor.d/abstractions/base-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index a504d92b1d..4a3b95b91a 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -48,7 +48,8 @@ # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd signal receive peer=su, - signal receive peer=sudo, + signal receive set=(winch hup term) peer=sudo, + signal receive set=(winch hup term) peer=sudo-rs, signal receive set=(cont,term,kill,stop) peer=gnome-shell, signal receive set=(cont,term,kill,stop) peer=login, signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, From 0ce48f7841b4f4682fe8b7e4338d9f772225be55 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:12:17 +0100 Subject: [PATCH 1166/1736] feat(abs): add golang-strict. --- apparmor.d/abstractions/golang-strict | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/abstractions/golang-strict diff --git a/apparmor.d/abstractions/golang-strict b/apparmor.d/abstractions/golang-strict new file mode 100644 index 0000000000..14dabb32ba --- /dev/null +++ b/apparmor.d/abstractions/golang-strict @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Container-aware GOMAXPROCS + + abi , + + audit @{sys}/fs/cgroup/**/cpu.cfs_period_us r, + audit @{sys}/fs/cgroup/**/cpu.cfs_quota_us r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, + + include if exists + +# vim:syntax=apparmor From c098d414dcfba0414c07a67f549737c0fdbda5e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:13:00 +0100 Subject: [PATCH 1167/1736] feat(abs): notification: add ayatana notification. --- apparmor.d/abstractions/notifications | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications index 81d5cc94c2..29d227e2b7 100644 --- a/apparmor.d/abstractions/notifications +++ b/apparmor.d/abstractions/notifications @@ -4,6 +4,7 @@ abi , + include include include From f10e6553d7febc8bc6162e3a9d2a7505f18c3086 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:17:02 +0100 Subject: [PATCH 1168/1736] feat(profile): cleanup dbus profiles. --- apparmor.d/groups/bus/dbus-session | 21 ++++++++++----------- apparmor.d/groups/bus/dbus-system | 4 +++- apparmor.d/groups/bus/ibus-dconf | 8 ++++++-- 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index c681fa40a7..049eb9fb3f 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -21,22 +21,19 @@ profile dbus-session flags=(attach_disconnected) { include include - network unix stream, + signal receive set=(term hup) peer=gdm{,-*}, - unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), - unix type=stream peer=(label=fapp), - unix type=stream peer=(label=fbwrap), + # Internal stack dbus-session//&unconfined + signal (send receive) set=kill peer=dbus-system//&unconfined, unix type=stream peer=(label=unconfined), + # Dbus socket unix bind type=stream addr=@@{udbus}/bus/dbus-broker-lau/user, - unix (send receive) type=seqpacket, - - signal (send receive) set=kill peer=dbus-session//&unconfined, - signal receive set=(term hup) peer=gdm{,-*}, - signal send set=(term hup kill) peer=dbus-accessibility, - signal send set=(term hup kill) peer=dconf-service, - signal send set=(term hup kill) peer=xdg-*, + unix type=stream peer=(label=snap.*), + unix (send receive) type=seqpacket peer=(label=fapp), + unix (send receive) type=seqpacket peer=(label=fbwrap), + unix (send receive) type=stream peer=(label=gnome-shell), #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} @@ -78,6 +75,8 @@ profile dbus-session flags=(attach_disconnected) { owner @{user_share_dirs}/dbus-1/services/{,**} r, + owner @{tmp}/gtkprint@{rand6} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 7dd2de43a2..7cf69cb852 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -38,9 +38,11 @@ profile dbus-system flags=(attach_disconnected) { signal (send receive) set=kill peer=dbus-system//&unconfined, unix type=stream peer=(label=unconfined), - unix (send receive ) type=seqpacket peer=(label=flatpak-system-helper), + # Dbus socket unix bind type=stream addr=@@{udbus}/bus/dbus-broker-lau/system, + unix (send receive ) type=seqpacket peer=(label=flatpak-system-helper), + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} # Larger than what is allowed in the directive above, needed due to complex diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 6d1e89593a..cbd3a94fca 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -12,6 +12,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -23,6 +24,11 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=system path=/ca/desrt/dconf/Writer/ibus + interface=ca.desrt.dconf.Writer + member=WritabilityNotify + peer=(name=@{busname}, label=dconf), + @{exec_path} mr, /etc/dconf/db/ibus r, @@ -41,8 +47,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{u8} rw, - include if exists } From 00772667b6fb50a5e0d6e1f6bd785b98556c801c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:19:04 +0100 Subject: [PATCH 1169/1736] feat(profile): update cups profiles. --- apparmor.d/groups/cups/cups-backend-bluetooth | 6 +++++ apparmor.d/groups/cups/cups-backend-dnssd | 3 ++- apparmor.d/groups/cups/cups-backend-hp | 11 +++++++++ .../groups/cups/cups-backend-implicitclass | 18 +++++++++++++++ apparmor.d/groups/cups/cups-backend-ipp | 2 ++ apparmor.d/groups/cups/cups-backend-usb | 1 + .../groups/cups/cups-pk-helper-mechanism | 5 ++++ apparmor.d/groups/cups/cupsd | 6 ++++- apparmor.d/groups/cups/print-backends-cups | 23 +++++++++++++++++++ 9 files changed, 73 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth index 78ffbac776..fff48e91a3 100644 --- a/apparmor.d/groups/cups/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -9,6 +9,12 @@ include @{exec_path} = @{lib}/cups/backend/bluetooth profile cups-backend-bluetooth @{exec_path} { include + include + + dbus send bus=system path=/ + interface=org.bluez.Manager + member=DefaultAdapter + peer=(name=org.bluez, label=bluetoothd), @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index 8772006608..b508388fe4 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -9,7 +9,8 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp index cd9af3d7f4..86083b31d7 100644 --- a/apparmor.d/groups/cups/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -9,11 +9,22 @@ include @{exec_path} = @{lib}/cups/backend/hp{,fax} profile cups-backend-hp @{exec_path} { include + include + include + include + + network netlink raw, @{exec_path} mr, + /usr/share/hplip/{,**} r, + /etc/papersize r, /etc/paperspecs r, + /etc/hp/** r, + + owner /var/spool/cups/tmp/.hplip/ w, + owner /var/spool/cups/tmp/.hplip/hplip.conf rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index c71295f83e..d4cc5e440f 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -9,9 +9,27 @@ include @{exec_path} = @{lib}/cups/backend/implicitclass profile cups-backend-implicitclass @{exec_path} { include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + # TODO: + # network (receive,send,setopt) inet dgram peer=(port=53), + # network (receive,send,setopt) inet stream peer=(port=631), + + signal receive set=term peer=cupsd, + + unix type=stream peer=(label=cupsd), @{exec_path} mr, + @{bin}/ippfind Px, + @{lib}/cups/backend/ipp Px, + /etc/papersize r, /etc/paperspecs r, diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index 8d61f40727..2902611d6b 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/cups/backend/ipp profile cups-backend-ipp @{exec_path} { include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb index 7d9dbd2370..e15475393c 100644 --- a/apparmor.d/groups/cups/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -12,6 +12,7 @@ profile cups-backend-usb @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, diff --git a/apparmor.d/groups/cups/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism index 7c6aee8a14..d8ad4a67e0 100644 --- a/apparmor.d/groups/cups/cups-pk-helper-mechanism +++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism @@ -22,6 +22,11 @@ profile cups-pk-helper-mechanism @{exec_path} { #aa:dbus own bus=system name=org.opensuse.CupsPkHelper.Mechanism path=/ + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label=dbus-system//&unconfined), + @{exec_path} mr, /etc/cups/ppd/*.ppd r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 38ee41c522..407fbd0877 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -46,12 +46,16 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { network rose dgram, network x25 seqpacket, - signal (send) set=(term) peer=cups-notifier-dbus, + signal send set=term peer=cups-backend-*, + signal send set=term peer=cups-notifier-dbus, + + unix type=stream peer=(label=cups-backend-*), @{exec_path} mr, @{sh_path} rix, @{bin}/cat rix, + @{bin}/echo ix, @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups index 6ab6007cb1..11bb41a685 100644 --- a/apparmor.d/groups/cups/print-backends-cups +++ b/apparmor.d/groups/cups/print-backends-cups @@ -9,10 +9,33 @@ include @{exec_path} = @{lib}/@{multiarch}/print-backends/cups profile print-backends-cups @{exec_path} { include + include + include + include + include + include + include include + network inet stream, + network inet6 stream, + + #aa dbus own bus=session name=org.openprinting.Backend.CUPS + #aa dbus own bus=session name=org.openprinting.PrintBackend + @{exec_path} mr, + @{sh_path} rix, + @{bin}/mkdir ix, + + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/cpdb/ rw, + owner @{HOME}/cpdb/sockets/ rw, + owner @{HOME}/cpdb/sockets/cups-@{int}.sock rw, + + owner /tmp/@{rand} rw, + include if exists } From 8a23e4a9b2889dc55e26f07cbf68d9c06a1d8575 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:21:05 +0100 Subject: [PATCH 1170/1736] fear(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 3 +++ apparmor.d/groups/flatpak/flatpak-session-helper-app | 1 + 2 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index cbb74600bc..b691180455 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -15,6 +15,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include + include include include include @@ -45,6 +46,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, + ptrace read peer=bwrap.*, # bwrap for experimental per app generated profile ptrace read peer=fbwrap, # Generic bwrap for flatpak app ptrace read peer=flatpak-app, # Deprecated generic profile ptrace read peer=flatpak.*, @@ -149,6 +151,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{sys}/module/nvidia/version r, + @{PROC}/modules r, @{PROC}/sys/fs/pipe-max-size r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper-app b/apparmor.d/groups/flatpak/flatpak-session-helper-app index f71dfe9d15..dab511e99b 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper-app +++ b/apparmor.d/groups/flatpak/flatpak-session-helper-app @@ -56,6 +56,7 @@ profile flatpak-session-helper-app flags=(attach_disconnected) { @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/modules r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_queued_events r, From 59df6451e74bb67b37d2195d142687b364aa4446 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:27:42 +0100 Subject: [PATCH 1171/1736] feat(profile): update gnome profiles. --- .../bus/system/org.cups.cupsd.Notifier | 24 +++++++++++ apparmor.d/groups/gnome/gjs | 3 ++ apparmor.d/groups/gnome/gnome-control-center | 11 +++-- .../groups/gnome/gnome-desktop-thumbnailers | 41 +++++++++++++++++-- apparmor.d/groups/gnome/gnome-extension | 1 + .../groups/gnome/gnome-extension-manager | 6 ++- apparmor.d/groups/gnome/gnome-software | 6 +-- .../groups/gnome/gsd-print-notifications | 10 +---- apparmor.d/groups/gnome/localsearch | 27 +++++++++++- apparmor.d/groups/gnome/loupe | 1 + apparmor.d/groups/gnome/nautilus | 3 +- apparmor.d/groups/gnome/ptyxis | 2 +- apparmor.d/groups/gnome/tracker-extract | 2 - apparmor.d/groups/gnome/yelp | 10 +++++ 14 files changed, 120 insertions(+), 27 deletions(-) create mode 100644 apparmor.d/abstractions/bus/system/org.cups.cupsd.Notifier diff --git a/apparmor.d/abstractions/bus/system/org.cups.cupsd.Notifier b/apparmor.d/abstractions/bus/system/org.cups.cupsd.Notifier new file mode 100644 index 0000000000..ffc5e6f482 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.cups.cupsd.Notifier @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=ServerStarted + peer=(name=@{busname}, label=cups-notifier-dbus), + + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member={PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded,PrinterModified} + peer=(name=@{busname}, label=cups-notifier-dbus), + + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member={JobCreated,JobCompleted,JobProgress,JobState} + peer=(name=@{busname}, label=cups-notifier-dbus), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index c990f03782..203710c1dc 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -138,6 +138,9 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include network (bind create getattr setopt getopt) netlink raw, + network receive netlink raw, + + unix (bind listen) type=seqpacket addr=@@{hex}, dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c0fe12d8a2..c7d1ae03f2 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -50,6 +50,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" #aa:dbus talk bus=system name=org.bluez label=bluetoothd + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord @@ -62,6 +63,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + #aa:dbus talk bus=system name=org.opensuse.CupsPkHelper.Mechanism label=cups-pk-helper-mechanism dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager @@ -86,10 +88,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, - @{sbin}/openvpn rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, + @{bin}/update-manager rPx, + @{sbin}/openvpn rPx, @{sbin}/usermod rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @@ -208,9 +211,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include + + signal receive set=kill peer=gnome-control-center, - @{bin}/bwrap mr, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> gnome-control-center//bwrap//&glycin//loaders, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index bdddf43fef..bc7b2cbc35 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -8,15 +8,15 @@ include profile gnome-desktop-thumbnailers flags=(attach_disconnected) { include - include - include + include include include capability dac_override, - @{bin}/bwrap mr, - @{bin}/*-thumbnailer rix, + signal receive set=kill peer=nautilus, + + @{bin}/*-thumbnailer Cx -> &gnome-desktop-thumbnailers//thumbnailer, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> gnome-desktop-thumbnailers//&glycin//loaders, /usr/share/poppler/{,**} r, @@ -30,6 +30,39 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, + profile thumbnailer flags=(attach_disconnected) { + include + include + include + include + + network (bind create getattr getopt setopt) netlink raw, + + unix type=stream peer=(label=gnome-desktop-thumbnailers), + + @{bin}/*-thumbnailer mr, + @{lib}/glycin-loaders/@{d}+/glycin-* ix, + + /usr/share/poppler/{,**} r, + + @{att}/usr/share/glycin-loaders/{,**} r, + + @{att}/usr/share/gtksourceview-2.0/{,**} r, + @{att}/usr/share/gtksourceview-3.0/{,**} r, + @{att}/usr/share/gtksourceview-4/{,**} r, + @{att}/usr/share/gtksourceview-5/{,**} r, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, + + owner @{tmp}/gnome-desktop-file-to-thumbnail.* r, + owner @{tmp}/gnome-desktop-thumbnailer.png w, + owner @{tmp}/gsf-thumbnailer-@{rand6} rw, + + owner @{PROC}/@{pid}/mountinfo r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension index 4793b72df2..7a9a0b08b7 100644 --- a/apparmor.d/groups/gnome/gnome-extension +++ b/apparmor.d/groups/gnome/gnome-extension @@ -17,6 +17,7 @@ profile gnome-extension { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index 3b23d4ffc4..a8155124f0 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -7,12 +7,13 @@ abi , include @{exec_path} = @{bin}/extension-manager -profile gnome-extension-manager @{exec_path} { +profile gnome-extension-manager @{exec_path} flags=(attach_disconnected) { include include include include include + include include include @@ -22,6 +23,9 @@ profile gnome-extension-manager @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=com.mattjakeman.ExtensionManager + #aa:dbus talk bus=session name=org.gnome.Shell.Extensions label=gjs + @{exec_path} mr, @{bin}/gjs-console rix, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 9594f71209..1cfac7b342 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -36,6 +36,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software + #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.fwupd path=/ label=fwupd #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/{,**} label="@{p_packagekitd}" @@ -44,11 +45,6 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) member=Changed peer=(name=@{busname}, label=polkitd), - dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper - interface=org.freedesktop.Flatpak.SystemHelper - member=DeployAppstream - peer=(label=flatpak-system-helper), - @{exec_path} mr, @{bin}/baobab rPUx, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index cc9a534d36..639e27f002 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -11,12 +11,14 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include include + include include network inet stream, @@ -27,14 +29,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications - # dbus receive bus=system path=/org/cups/cupsd/Notifier - # interface=org.cups.cupsd.Notifier, - - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} - peer=(name=@{busname}, label=cups-notifier-dbus), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 60d64fdced..bd40a2e638 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -18,7 +18,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -39,6 +39,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{gstreamer_path} Cx -> gstreamer, + @{lib}/localsearch-extractor-3 ix, # nnp /usr/share/localsearch3/{,**} r, @@ -73,6 +75,29 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + profile gstreamer { + include + include + include + include + include + include + include + include + + network (bind create getattr setopt getopt) netlink raw, + network receive netlink raw, + + /usr/share/ladspa/rdf/{,**} r, + /usr/share/poppler/{,**} r, + + # No access to camera and microphone devices + deny /dev/video@{int} rw, + deny /dev/media@{int} rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index ef18da6428..783ed74b28 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -37,6 +37,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 0b85d7aab8..8322c00343 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -83,9 +83,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/net rPUx, @{bin}/* r, - @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, - @{open_path} rPx -> child-open-any, + @{open_path} mrPx -> child-open-any, /usr/share/nautilus/{,**} r, /usr/share/sounds/freedesktop/stereo/*.oga r, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 5858c5d491..fbc6b8269e 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -29,7 +29,7 @@ profile ptyxis @{exec_path} { owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, - owner @{user_config_dirs}/ubuntu-xdg-terminals.list r, + owner @{user_config_dirs}/*-xdg-terminals.list r, owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 1d73fe7f92..eb515720d7 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -43,8 +43,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{gdm_cache_dirs}/ rw, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, - owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/tracker3/{,**} rw, # Allow to search user files diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index c698db80a1..9f7333aaeb 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -11,7 +11,9 @@ profile yelp @{exec_path} flags=(attach_disconnected) { include include include + include # FIXME: In namespace> include + include network netlink raw, @@ -21,6 +23,7 @@ profile yelp @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{open_path} rPx -> child-open-help, + @{bin}/bwrap rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -30,6 +33,13 @@ profile yelp @{exec_path} flags=(attach_disconnected) { /etc/xml/{,**} r, +# owner @{run}/user/@{uid}/.flatpak/ rw, +# owner @{run}/user/@{uid}/.flatpak/webkit-@{int}-@{int}/ w, +# owner @{run}/user/@{uid}/.flatpak/webkit-@{int}-@{int}/bwrapinfo.json rw, +# owner @{run}/user/@{uid}/webkitgtk/ w, +# owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, +# owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + @{sys}/firmware/acpi/pm_profile r, @{sys}/devices/virtual/dmi/id/chassis_type r, From c5a4a793fefd8cc00ea8e99d6b6014d8de5df6bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:28:22 +0100 Subject: [PATCH 1172/1736] feat(profile): add showtime. --- apparmor.d/groups/gnome/showtime | 43 ++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 apparmor.d/groups/gnome/showtime diff --git a/apparmor.d/groups/gnome/showtime b/apparmor.d/groups/gnome/showtime new file mode 100644 index 0000000000..11aacbd3dd --- /dev/null +++ b/apparmor.d/groups/gnome/showtime @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/showtime +profile showtime @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{open_path} Px -> child-open-help, + @{gstreamer_path} Cx -> gstreamer, + + /usr/share/xml/iso-codes/{,**} r, + + owner @{user_music_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{PROC}/@{pid}/mounts r, + + profile gstreamer { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor From fad73e3b286fa742f10da4aa388e9af586d84896 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:37:20 +0100 Subject: [PATCH 1173/1736] feat(profile): minor profiles update. --- apparmor.d/groups/network/mullvad-gui | 1 + apparmor.d/groups/network/nm-dispatcher | 1 + apparmor.d/groups/shadow/newgidmap | 4 ++++ apparmor.d/groups/shadow/newuidmap | 4 ++++ apparmor.d/groups/utils/dmesg | 2 ++ apparmor.d/groups/utils/fstrim | 1 + apparmor.d/groups/utils/sync | 2 +- apparmor.d/groups/utils/uname | 1 + apparmor.d/groups/virt/containerd | 3 +++ apparmor.d/groups/virt/dockerd | 8 +++++-- .../groups/whonix/whonix-firewall-restarter | 18 ++++++++++----- apparmor.d/profiles-a-f/baobab | 2 +- apparmor.d/profiles-a-f/btop | 9 +++++++- apparmor.d/profiles-a-f/cider | 2 +- apparmor.d/profiles-a-f/console-setup-cached | 1 + apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/fwupd | 22 +++++++++++++++++-- apparmor.d/profiles-m-r/mandb | 3 ++- apparmor.d/profiles-m-r/mpris-proxy | 2 +- apparmor.d/profiles-m-r/mullvad-setup | 2 ++ apparmor.d/profiles-m-r/multipathd | 1 + apparmor.d/profiles-m-r/nvidia-smi | 5 +---- apparmor.d/profiles-m-r/pass | 3 +++ apparmor.d/profiles-m-r/passimd | 2 ++ apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/profiles-s-z/YACReader | 4 ++++ apparmor.d/profiles-s-z/YACReaderLibrary | 2 +- apparmor.d/profiles-s-z/scrcpy | 3 +++ apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 5 +++-- apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/thunderbird-glxtest | 1 + apparmor.d/profiles-s-z/transmission | 2 ++ apparmor.d/profiles-s-z/whoopsie-preferences | 2 +- 35 files changed, 99 insertions(+), 29 deletions(-) diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 5b5f2e91d0..f5c165bdad 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -17,6 +17,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 2efec02e68..1f9187882f 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -16,6 +16,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, # optional: no audit capability sys_nice, capability sys_ptrace, diff --git a/apparmor.d/groups/shadow/newgidmap b/apparmor.d/groups/shadow/newgidmap index 6fa555504e..6a5b6ed03c 100644 --- a/apparmor.d/groups/shadow/newgidmap +++ b/apparmor.d/groups/shadow/newgidmap @@ -10,12 +10,16 @@ include @{exec_path} = @{bin}/newgidmap profile newgidmap @{exec_path} { include + include include capability dac_override, capability setgid, capability sys_admin, + unix (send receive) type=dgram peer=(label=newuidmap), + unix (send receive) type=dgram peer=(label=podman), + @{exec_path} mr, @{etc_ro}/login.defs r, diff --git a/apparmor.d/groups/shadow/newuidmap b/apparmor.d/groups/shadow/newuidmap index 6a53bf5c18..4a5d51970a 100644 --- a/apparmor.d/groups/shadow/newuidmap +++ b/apparmor.d/groups/shadow/newuidmap @@ -10,12 +10,16 @@ include @{exec_path} = @{bin}/newuidmap profile newuidmap @{exec_path} { include + include include capability dac_override, capability setuid, capability sys_admin, + unix (send receive) type=dgram peer=(label=newgidmap), + unix (send receive) type=dgram peer=(label=podman), + @{exec_path} mr, @{etc_ro}/login.defs r, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 2976d13162..42aab91c9f 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -27,7 +27,9 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { /dev/kmsg r, + deny @{sbin}/{,*/} r, deny @{bin}/{,*/} r, + deny /snap/bin/ r, deny /{usr/,}local/{,s}bin/ r, deny /var/lib/flatpak/exports/bin/ r, deny @{HOME}/.go/bin/ r, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index 87bd7fad58..edbe1aeb7c 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -12,6 +12,7 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { include capability dac_override, + capability dac_read_search, capability sys_admin, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/sync b/apparmor.d/groups/utils/sync index 9b47b4df2e..f364859812 100644 --- a/apparmor.d/groups/utils/sync +++ b/apparmor.d/groups/utils/sync @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/sync -profile sync @{exec_path} { +profile sync @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname index 46fb048b1a..553c5eb25a 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/groups/utils/uname @@ -18,6 +18,7 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{att}/dev/tty@{u8} rw, + # File Inherit deny network, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 43a7a8127f..1726b53036 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -51,6 +51,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rPx, @{bin}/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, + @{bin}/mkfs.erofs rPUx, / r, @@ -90,6 +91,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /tmp/ctd-volume@{int}/{,**} rw, @{sys}/fs/cgroup/kubepods/** r, + @{sys}/fs/cgroup/system.slice/containerd.service/cpu.max r, + @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index a4f42d4812..b71dd82a2e 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -76,6 +76,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{sbin}/runc rUx, @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, + @{sbin}/nft rCx -> nft, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, @@ -148,15 +149,18 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, + @{sbin}/nft rix, @{sbin}/xtables-nft-multi rix, @{sbin}/xtables-legacy-multi rix, @{bin}/kmod rPx -> dockerd//kmod, - @{PROC}/@{pid}/net/ip{,6}_tables_names r, - @{PROC}/sys/kernel/modprobe r, + /usr/share/iproute2/* r, @{run}/xtables.lock rwk, + @{PROC}/@{pid}/net/ip{,6}_tables_names r, + @{PROC}/sys/kernel/modprobe r, + include if exists } diff --git a/apparmor.d/groups/whonix/whonix-firewall-restarter b/apparmor.d/groups/whonix/whonix-firewall-restarter index a818e46a61..d9cdf77c14 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-restarter +++ b/apparmor.d/groups/whonix/whonix-firewall-restarter @@ -10,7 +10,6 @@ include profile whonix-firewall-restarter @{exec_path} { include include - include include capability chown, @@ -27,19 +26,26 @@ profile whonix-firewall-restarter @{exec_path} { @{bin}/mkfifo rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/systemctl rix, + @{bin}/systemctl rCx -> systemctl, /etc/machine-id r, - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*.journal* r, - owner /tmp/tmp.@{rand10} rw, @{run}/sdwdate/{,*} rw, owner @{run}/updatesproxycheck/{,*} rw, + profile systemctl { + include + include + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/*.journal* r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 185b0771be..0846fb8b27 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/baobab -profile baobab @{exec_path} { +profile baobab @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 8754b3879e..6868a09c1d 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -10,8 +10,10 @@ include profile btop @{exec_path} { include include + include include + capability dac_read_search, capability kill, capability perfmon, capability sys_ptrace, @@ -48,24 +50,29 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, + @{sys}/devices/virtual/powercap/{,**} r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, @{PROC}/@{pids}/status r, - @{PROC}/@{pids}/task/@{tid}/comm rw, @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/driver/nvidia/params r, @{PROC}/loadavg r, @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/sys/vm/mmap_min_addr r, @{PROC}/uptime r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index be59811a15..bde5c65073 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -13,7 +13,7 @@ include @{config_dirs} = @{user_config_dirs}/@{name} @{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider -profile cider @{exec_path} { +profile cider @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached index 07ce086139..f66305443d 100644 --- a/apparmor.d/profiles-a-f/console-setup-cached +++ b/apparmor.d/profiles-a-f/console-setup-cached @@ -11,6 +11,7 @@ profile console-setup-cached @{exec_path} { include include + capability sys_admin, # optional: no audit capability sys_tty_config, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index e06a67ed43..6698c7869a 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -27,7 +27,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - deny unix (receive) type=stream, + unix (receive) type=stream, @{exec_path} rm, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 5892ee40e5..a3c28fbd1b 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -58,6 +58,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, /usr/share/misc/*.ids r, @@ -76,8 +77,13 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { @{efi}/EFI/*/fwupdx@{int}.efi rw, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, - @{MOUNTDIRS}/*/{,@{efi}/} r, - @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, + @{MOUNTS}/ r, + @{MOUNTS}/@{efi}/{,**} r, + @{MOUNTS}/@{efi}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + @{MOUNTS}/**/EFI/**/ r, + @{MOUNTS}/**/EFI/*/.goutputstream-@{rand6} rw, + @{MOUNTS}/**/EFI/*/fw/fwupd-*.cap{,.*} rw, + @{MOUNTS}/**/EFI/*/fwupdx@{int}.efi rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, @@ -147,6 +153,18 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} mr, @{bin}/gpgconf mr, @{bin}/gpgsm mr, + @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + + @{MOUNTS}/ r, + @{MOUNTS}/@{efi}/{,**} r, + @{MOUNTS}/@{efi}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + @{MOUNTS}/**/EFI/**/ r, + @{MOUNTS}/**/EFI/*/.goutputstream-@{rand6} rw, + @{MOUNTS}/**/EFI/*/fw/fwupd-*.cap{,.*} rw, + @{MOUNTS}/**/EFI/*/fwupdx@{int}.efi rw, + + owner /var/cache/fwupd/ rw, + owner /var/cache/fwupd/** rwk, @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 9a511d7959..be12d5649c 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -22,9 +22,10 @@ profile mandb @{exec_path} { /etc/man_db.conf r, /etc/manpath.config r, - /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, + /usr/share/*/man/{,**} r, + /usr/share/man/{,**} r, /usr/{,share/}man/{,**} r, /usr/local/{,share/}man/{,**} r, diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index fcfeecb0f6..c41e8958d3 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/mpris-proxy profile mpris-proxy @{exec_path} { include - include + include include include diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index 06b8edd861..6f1620e62c 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -15,6 +15,8 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, + @{run}/mullvad-vpn rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index ed67e424fe..a4e419d976 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -31,6 +31,7 @@ profile multipathd @{exec_path} { /etc/systemd/system/ r, @{run}/multipathd.pid rwk, + @{run}/multipathd.socket rw, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index eb42bd59bb..d0618c379b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -10,13 +10,10 @@ include profile nvidia-smi @{exec_path} { include include - include + include @{exec_path} mr, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index cd6dd03db0..ded9e70121 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -144,8 +144,11 @@ profile pass @{exec_path} { owner @{user_passwordstore_dirs}/ rw, owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw, owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{u16} rw, diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index c0aafeaf90..2204624e23 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -9,8 +9,10 @@ include @{exec_path} = @{lib}/passimd profile passimd @{exec_path} flags=(attach_disconnected) { include + include include include + include capability dac_read_search, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index b1389ff713..270339b961 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin -profile qemu-ga @{exec_path} { +profile qemu-ga @{exec_path} flags=(attach_disconnected) { include network bind netlink raw, diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index 3552b6dc02..4929587224 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -37,11 +37,15 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/YACReader/YACReader/ rw, owner @{user_share_dirs}/YACReader/YACReader/** rwlk, + owner @{tmp}/@{uuid} rw, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + include if exists } diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index e6c231df3c..b3147dc2b9 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -45,7 +45,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{user_share_dirs}/YACReader/YACReaderLibrary/ rw, owner @{user_share_dirs}/YACReader/YACReaderLibrary/** rwlk, - owner @{tmp}/@{uuid} w, + owner @{tmp}/@{uuid} rw, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 83af575ddc..904e291ac7 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -14,6 +14,7 @@ profile scrcpy @{exec_path} { include include include + include network inet stream, network inet6 stream, @@ -23,6 +24,7 @@ profile scrcpy @{exec_path} { @{exec_path} mr, @{bin}/adb rPx, + @{lib}/android-sdk/platform-tools/adb rPx, /usr/share/scrcpy/{,*} r, @@ -34,6 +36,7 @@ profile scrcpy @{exec_path} { owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index e0361b2024..9e55d72045 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/session-messenger-desktop @{lib_dirs}/session-desktop -profile session-desktop @{exec_path} { +profile session-desktop @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 0be0d8c508..dda33df12f 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -24,6 +24,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -53,9 +54,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { /usr/local/lib/spotify-adblock.so mr, - /etc/machine-id r, /etc/spotify-adblock/* r, - /var/lib/dbus/machine-id r, owner @{HOME}/.tmp rw, @@ -68,6 +67,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{sys}/devices/@{pci_bus}/uevent r, + @{PROC}/@{pid}/net/unix r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index e1a2e1cce4..f37d3801a3 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -18,9 +18,9 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include network inet stream, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index d504b0c153..a4bd163c17 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/syncthing -profile syncthing @{exec_path} { +profile syncthing @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index b23f882beb..571fbf9bb4 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -28,6 +28,7 @@ profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, + owner @{tmp}/org.mozilla.thunderbird/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 881cbcf6eb..2ff09da361 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -48,6 +48,8 @@ profile transmission @{exec_path} flags=(attach_disconnected) { owner @{tmp}/tr_session_id_* rwk, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{run}/mount/utab r, @{PROC}/@{pid}/net/route r, diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences index 3b720d0daf..e96dfb29b4 100644 --- a/apparmor.d/profiles-s-z/whoopsie-preferences +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -18,7 +18,7 @@ profile whoopsie-preferences @{exec_path} { @{bin}/systemctl Cx -> systemctl, - /etc/whoopsie w, + /etc/whoopsie rw, /etc/whoopsie.@{rand6} rw, profile systemctl { From ef07692776b6e5117d72d291d92c6f38aaa8fa92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:38:19 +0100 Subject: [PATCH 1174/1736] feat(profile): update ssh profiles. --- apparmor.d/groups/ssh/ssh | 2 +- apparmor.d/groups/ssh/sshd-session | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index c64a79af8d..f5c4921bbf 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/ssh -profile ssh @{exec_path} { +profile ssh @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index beb0ea4e40..29efd272b1 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -72,6 +72,10 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { /var/lib/wtmpdb/ w, + /var/log/ r, + /var/log/wtmp.db rwk, + /var/log/wtmp.db-journal rw, + owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, @@ -82,12 +86,15 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, + @{run}/nologin r, + @{run}/systemd/io.systemd.Login rw, @{PROC}/1/limits r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, /dev/ptmx rw, + /dev/pts/@{u16} rw, #aa:only test owner @{tmp}/ssh-@{rand10}/{,agent.@{int}} rw, From f5013fb7df19227515083983985d01434ace9437 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:39:46 +0100 Subject: [PATCH 1175/1736] feat(profile): update libvirt profiles. --- apparmor.d/groups/virt/libvirtd | 20 ++++++++++++++++++-- apparmor.d/groups/virt/virtiofsd | 8 ++++++++ apparmor.d/groups/virt/virtlogd | 1 + 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index c0e936d785..944805d861 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -21,6 +21,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -62,7 +63,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> /, mount options=(rw, nosuid) -> @{run}/libvirt/qemu/*.dev/, - umount @{run}/libvirt/qemu/*.dev/, # Libvirt provides any mounts under /dev to qemu namespaces mount options=(rw, move) /dev/ -> @{run}/libvirt/qemu/*.dev/, @@ -70,6 +70,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { mount options=(rw, move) @{run}/libvirt/qemu/*.dev/ -> /dev/, mount options=(rw, move) @{run}/libvirt/qemu/*{,/} -> /dev/**, + umount @{run}/libvirt/qemu/*.dev/, + umount /dev/, + + mqueue getattr type=posix /, + ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=gnome-boxes, @@ -94,6 +99,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.machine1 label=systemd-machined dbus receive bus=session @@ -104,7 +110,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # include dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=ListNames + member={ListNames,ListActivatableNames} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @@ -150,6 +156,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /var/lib/libvirt/virtd* rix, /usr/share/edk2*/{,**} rk, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, @@ -163,6 +170,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/sasl2/qemu.conf r, /etc/xml/catalog r, + / r, + /var/cache/libvirt/{,**} rw, /var/lib/libvirt/ rw, /var/lib/libvirt/** rwk, @@ -182,6 +191,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{att}@{run}/systemd/inhibit/@{int}.ref rw, + /dev/shm/ w, + @{run}/libvirt/ rw, @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @@ -272,9 +283,14 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/kvm rw, /dev/mapper/ r, /dev/mapper/control rw, + /dev/mqueue/ w, /dev/net/tun rw, /dev/ptmx rw, + /dev/pts/ w, + /dev/random rw, /dev/shm/libvirt/{,**} rw, + /dev/urandom rw, + /dev/userfaultfd w, /dev/vfio/@{int} rwk, /dev/vhost-net rw, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index ae7ac5fa9a..87e2296853 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -54,9 +54,17 @@ profile virtiofsd @{exec_path} flags=(attach_disconnected) { owner @{run}/libvirt/qemu/*.pid rw, + @{att}/@{pid}/mountinfo r, + @{PROC}/ r, + @{PROC}/@{pid}/gid_map r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/uid_map r, @{PROC}/sys/fs/file-max r, + @{PROC}/sys/fs/nr_open r, + # Allow read/write access to the shared directories + /{,**} rwl, # profile pivoted { # /{,**} rwl, # } diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 9982446b90..f5b855087c 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -28,6 +28,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, + @{att}@{run}/libvirt/virtlogd-sock rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/common/system.token rwk, From 07237a1a81d179767a9561f7cc3963ac7e6dc0f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:42:37 +0100 Subject: [PATCH 1176/1736] feat(profile): update system profiles. --- .../systemd-generator-user-environment | 3 +++ apparmor.d/groups/systemd/systemd-analyze | 2 ++ apparmor.d/groups/systemd/systemd-backlight | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 2 ++ apparmor.d/groups/systemd/systemd-hwdb | 1 + apparmor.d/groups/systemd/systemd-random-seed | 2 ++ apparmor.d/groups/systemd/systemd-remount-fs | 2 ++ apparmor.d/groups/systemd/systemd-rfkill | 2 ++ apparmor.d/groups/systemd/systemd-sysctl | 3 +++ apparmor.d/groups/systemd/systemd-tmpfiles | 2 ++ .../systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/systemd/systemd-udevd | 20 ++++++++++++++++++- apparmor.d/groups/systemd/systemd-update-utmp | 2 ++ .../groups/systemd/systemd-user-runtime-dir | 2 ++ .../groups/systemd/systemd-user-sessions | 2 ++ .../groups/systemd/systemd-vconsole-setup | 2 ++ 16 files changed, 49 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment index d62127fa03..2fbfc0c32a 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment @@ -28,6 +28,9 @@ profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnect /snap/snapd/@{int}/usr/lib/environment.d/{,*.conf} r, + owner @{desktop_config_dirs}/environment.d/ r, + owner @{desktop_config_dirs}/environment.d/{,*.conf} r, + owner @{user_config_dirs}/environment.d/{,*.conf} r, /dev/tty rw, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index f3a36fb6d9..8cda520548 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -44,6 +44,8 @@ profile systemd-analyze @{exec_path} flags=(attach_disconnected) { owner @{tmp}/systemd-temporary-*/ rw, + @{att}@{run}/systemd/private rw, + @{run}/systemd/generator/ r, @{run}/systemd/private rw, @{run}/systemd/system/ r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index b5a966f37d..c1d283c943 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -12,6 +12,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + capability net_admin, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 11c08d444d..722b7d44f9 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -37,6 +37,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /opt/** r, /usr/share/*/** r, @{user_lib_dirs}/** r, + /snap/*/@{int}/bin/** r, /snap/*/@{int}/opt/** r, /snap/*/@{int}/usr/** r, @{att}/ r, @@ -67,6 +68,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/status r, + @{PROC}/sys/kernel/core_pattern w, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index ae64274c6e..d44442cad5 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -12,6 +12,7 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { include capability dac_override, + capability net_admin, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index 86ea02a0d0..263ccca022 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -13,6 +13,8 @@ profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 73213160b3..d3d08c768b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -19,6 +19,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { mount options=(rw, remount) -> /, mount options=(rw, remount) -> @{PROC}/, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{bin}/mount rix, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 4abc5f0c27..0fd488926e 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -18,6 +18,8 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { network netlink raw, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /var/lib/systemd/rfkill/* rw, diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index ea5c5048f9..0938d31ce7 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -18,6 +18,9 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_ptrace, capability sys_rawio, + capability mac_admin, # Required by the apparmor package to control user namespaces + + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 0e1e404ab4..d4c92b8734 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -22,6 +22,8 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { capability sys_resource, capability syslog, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 598e898969..fa6c14dafa 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -10,7 +10,6 @@ include profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) { include include - include capability dac_override, capability dac_read_search, @@ -18,6 +17,7 @@ profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) capability sys_resource, capability sys_tty_config, + ptrace read peer=@{p_systemd}, ptrace read peer=systemd-cryptsetup, signal receive set=(term cont winch) peer=@{p_logrotate}, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index d670f5c95b..b574d97f2d 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -50,7 +50,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{sbin}/partx rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, - @{bin}/systemd-run rix, # TODO: rCx -> run, + @{bin}/systemd-run rCx -> run, @{bin}/unshare rix, @{sbin}/ethtool rix, @{sbin}/kpartx rix, @@ -159,6 +159,24 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include if exists } + profile run flags=(attach_disconnected,complain) { + include + include + + capability net_admin, + + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + + @{bin}/systemd-run mr, + @{sbin}/lvm r, + + @{att}@{run}/systemd/private rw, + + @{PROC}/@{pid}/stat r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 82025859bf..119f18cf2f 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -17,6 +17,8 @@ profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { network netlink raw, + ptrace read peer=@{p_systemd}, + unix bind type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index bfdc427907..7320cd4920 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -25,6 +25,8 @@ profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, + ptrace read peer=@{p_systemd}, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-user-ru/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 8de32dfe24..8b44704728 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -13,6 +13,8 @@ profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, owner @{run}/.#nologin* rw, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 0e03c123de..55b93081c9 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -19,6 +19,8 @@ profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { capability sys_resource, capability sys_tty_config, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, From 0b54154b65218f67bea5f52fa3dca87d996603a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:44:12 +0100 Subject: [PATCH 1177/1736] feat(profile): update some fuse profiles. --- apparmor.d/profiles-a-f/fuse-overlayfs | 4 ++-- apparmor.d/profiles-a-f/fusermount | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index cb0d810dff..cd1c5fe775 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -20,7 +20,6 @@ profile fuse-overlayfs @{exec_path} { unix (send receive) type=stream peer=(label=fusermount), - mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/, mount fstype=fuse.fuse-overlayfs options=(rw noatime nodev nosuid) fuse-overlayfs -> @{HOME}/**/, @@ -30,7 +29,8 @@ profile fuse-overlayfs @{exec_path} { @{bin}/umount rix, @{bin}/fusermount{,3} Px, - owner @{HOME}/**/ r, + owner @{HOME}/{,**} r, + owner @{HOME}/**/ rw, owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, @{PROC}/sys/kernel/overflowgid r, diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 90ab01582e..8ec87e09d2 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -28,6 +28,8 @@ profile fusermount @{exec_path} flags=(attach_disconnected) { umount /var/tmp/flatpak-cache-*/*/, umount /tmp/fsa/*/, # fsarchiver + unix (send receive) type=stream peer=(label=fuse-overlayfs), + @{exec_path} mr, /etc/machine-id r, @@ -35,10 +37,10 @@ profile fusermount @{exec_path} flags=(attach_disconnected) { /var/tmp/flatpak-cache-*/*/ r, # Where to mount ISO files - owner @{HOME}/*/ rw, owner @{HOME}/**/ rw, + owner @{MOUNTS}/**/ rw, - /tmp/.mount_*@{rand6}/ rw, + /tmp/.mount_*@{rand6}/ r, @{run}/user/@{uid}/doc/ r, From 569b20cd074f691687c79b6d74c448187b957ad9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:47:17 +0100 Subject: [PATCH 1178/1736] feat(abs): electron: add crashpad_handler subprofile for all electron apps. --- apparmor.d/abstractions/common/electron | 17 +++++++++++++++++ apparmor.d/profiles-a-f/discord | 1 - apparmor.d/profiles-g-l/linuxqq | 1 - apparmor.d/profiles-s-z/signal-desktop | 1 - apparmor.d/profiles-s-z/wechat | 1 - apparmor.d/profiles-s-z/wechat-universal | 1 - 6 files changed, 17 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8feca89a7c..d6d1986b3d 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -31,6 +31,7 @@ @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, + @{lib}/electron@{int}/chrome_crashpad_handler Cx -> crashpad_handler, @{lib}/electron@{int}/electron rix, @{lib_dirs}/{,**} r, @@ -38,6 +39,7 @@ @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.node mr, @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.so mr, @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.so.@{int} mr, + @{lib_dirs}/chrome_crashpad_handler Cx -> crashpad_handler, /etc/@{name}/{,**} r, @@ -49,6 +51,8 @@ owner @{user_config_dirs}/electron-flags.conf r, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, @@ -92,6 +96,19 @@ # This allows raising the OOM score of other processes owned by the user. deny owner @{PROC}/@{pid}/oom_score_adj w, + profile crashpad_handler flags=(attach_disconnected) { + include + + unix (send receive) type=seqpacket peer=(label=@{profile_name}), + + @{lib}/electron@{int}/chrome_crashpad_handler mr, + @{lib_dirs}/chrome_crashpad_handler mr, + + owner @{config_dirs}/Crashpad/{,**} rw, + + include if exists + } + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 5c2ffb3d74..2663bf64a7 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -33,7 +33,6 @@ profile discord @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{lib_dirs}/chrome-sandbox rix, - @{lib_dirs}/chrome_crashpad_handler rix, @{bin}/lsb_release rPx, @{bin}/xdg-mime rPx, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 3d1b30eeaa..5a204d219b 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -30,7 +30,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{sh_path} r, @{bin}/{,e}grep rix, - @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index cb42a5a07a..a2e572cf76 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -37,7 +37,6 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/chrome_crashpad_handler rix, @{lib_dirs}/chrome-sandbox rPx, #aa:stack X xdg-settings diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index 00fe0a8c51..f6409fd906 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -34,7 +34,6 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk Px, @{bin}/mkdir rix, @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, @{open_path} Px -> child-open-strict, owner @{HOME}/.xwechat/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 3e850a7de5..d9750c7b22 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -36,7 +36,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/sed ix, @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, @{lib}/wechat-appimage.AppImage ix, @{open_path} Px -> child-open-strict, From d39c992927e450ca077f70477a03deaf4c43c485 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:51:07 +0100 Subject: [PATCH 1179/1736] feat(abs): revisit the common game abstraction. --- apparmor.d/abstractions/common/game | 142 +++++++++++++++++----------- 1 file changed, 87 insertions(+), 55 deletions(-) diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 97080fd748..431b96002a 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -1,6 +1,10 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: att +# NEEDS-VARIABLE: user_games_dirs +# NEEDS-VARIABLE: system_games_dirs +# NEEDS-VARIABLE: XDG_GAMESSTUDIO_DIR # Core set of resources for any games on Linux. Runtimes such as sandboxing, # wine, proton, game launchers should use this abstraction. @@ -12,38 +16,40 @@ abi , - include include + include + include + include include + include include include include include include + include include include - - @{bin}/uname rix, - @{bin}/xdg-settings rPx, - @{browsers_path} rPx, - - @{bin}/env r, - - @{lib}/ r, - / r, - /home/ r, - /usr/ r, - /usr/local/ r, - /usr/local/lib/ r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - + include + include + + /var/ r, + /var/lib/ r, + @{system_games_dirs}/ r, + @{system_games_dirs}/*/ r, + @{system_games_dirs}/*/** mrix, + @{system_games_dirs}/*/**cache* w, + + /mnt/ r, + @{run}/media/ r, owner @{HOME}/ r, owner @{user_games_dirs}/ r, owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/** rwlk, + owner @{user_games_dirs}/*/** mrix, + owner @{user_games_dirs}/*/**cache* w, + + owner @{user_config_dirs}/MangoHud/MangoHud.conf r, owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, @@ -51,62 +57,88 @@ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - @{tmp}/ r, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/AsyncGPUReadbackPlugin_*.log w, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/crashes/ rw, - owner @{tmp}/crashes/** rwk, - owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, - owner @{tmp}/tmp@{rand6}.tmp rw, - owner @{tmp}/tmp@{rand6}@{h}.tmp rw, - owner @{tmp}/tmp@{rand8}.tmp rw, + owner @{tmp}/CASESENSITIVETEST@{hex32} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + # The orcexec.* file is JIT compiled code for various GStreamer elements. + owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, + @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, + @{sys}/class/power_supply/ r, @{sys}/devices/ r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/net/*/carrier r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/power_supply/{AC,BAT@{int}}/ r, + @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{type,online} r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/ r, @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/cpu@{int}/ r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/*/carrier r, - @{sys}/kernel/ r, - + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor r, + + @{sys}/devices/virtual/dmi/id/bios_date r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/bios_version r, + @{sys}/devices/virtual/dmi/id/board_asset_tag r, + @{sys}/devices/virtual/dmi/id/board_name r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/board_version r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/virtual/dmi/id/chassis_vendor r, + @{sys}/devices/virtual/dmi/id/chassis_version r, + @{sys}/devices/virtual/dmi/id/product_family r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_sku r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + # Allow reading CPU cgroup limits @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{PROC}/uptime r, - @{PROC}/version r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + + # Allow to check check if BPF JIT is enabled + @{PROC}/sys/net/core/bpf_jit_enable r, + + # Allow to read the maximum number of file handles that can be allocated system-wide. + @{PROC}/sys/fs/file-max r, + + # Allow to read various device information + @{PROC}/devices r, + + # Allow to read system uptime + @{PROC}/uptime r, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + # Provide statistical information about our own processes/threads + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + # Allow reading cgroup membership information for process introspection owner @{PROC}/@{pid}/cgroup r, + + # Allow reading command line arguments for process identification owner @{PROC}/@{pid}/cmdline r, + + # Allow listing file descriptors for resource monitoring owner @{PROC}/@{pid}/fd/ r, + + # Allow reading mount points for filesystem awareness owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + # Allow reading page mapping information for memory profiling owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/ r, - /dev/hidraw@{int} rw, + owner @{PROC}/@{pid}/fdinfo/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + /dev/tty rw, include if exists From f5ea6765f159835a43bc4beb551047dddd2b32ac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 20:57:18 +0100 Subject: [PATCH 1180/1736] feat(profile): add initial profiles for umu-launcher. --- apparmor.d/abstractions/app/umu | 125 +++++++++++++++++++++++++++ apparmor.d/abstractions/common/game | 5 ++ apparmor.d/groups/umu/umu-bwrap | 43 ++++++++++ apparmor.d/groups/umu/umu-game | 29 +++++++ apparmor.d/groups/umu/umu-run | 129 ++++++++++++++++++++++++++++ 5 files changed, 331 insertions(+) create mode 100644 apparmor.d/abstractions/app/umu create mode 100644 apparmor.d/groups/umu/umu-bwrap create mode 100644 apparmor.d/groups/umu/umu-game create mode 100644 apparmor.d/groups/umu/umu-run diff --git a/apparmor.d/abstractions/app/umu b/apparmor.d/abstractions/app/umu new file mode 100644 index 0000000000..e09dc8b42b --- /dev/null +++ b/apparmor.d/abstractions/app/umu @@ -0,0 +1,125 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal (send receive) peer=umu-bwrap, + signal (send receive) peer=umu-bwrap//&umu-game, + signal (send receive) peer=umu-game, + + unix type=seqpacket peer=(label=umu-bwrap), + unix type=stream peer=(label=umu-bwrap), + unix (bind listen) type=seqpacket addr=@@{hex}, + unix bind type=seqpacket addr=@@{hex}, + unix bind type=seqpacket, + network unix seqpacket, + + ptrace (read trace) peer=umu-bwrap, + ptrace (read trace) peer=umu-bwrap//&umu-game, + ptrace (read trace) peer=umu-game, + + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/systemd1/job/@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(label="@{p_systemd}"), + + dbus receive bus=system path=/org/freedesktop/systemd1/unit/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(label="@{p_systemd}"), + + # Common to all @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{int}/pv-adverb + # Meaning umu, and steam + @{sh_path} rix, + @{coreutils_path} ix, + @{bin}/getopt ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/steam-runtime-launcher-interface-@{int} ix, + @{bin}/steam-runtime-system-info ix, + @{bin}/steam-runtime-urlopen ix, + @{python_path} rix, + @{run}/host/@{bin}/localedef ix, + @{run}/host/@{sbin}/ldconfig ix, + @{sbin}/ldconfig ix, + + @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{d}/** ix, + + @{att}@{steam_share_dirs}/compatibilitytools.d/ r, + @{att}@{steam_share_dirs}/compatibilitytools.d/*/ r, + @{att}@{steam_share_dirs}/compatibilitytools.d/*/** mrix, # TODO: -> &wine ?, with namespace + @{steam_share_dirs}/compatibilitytools.d/ r, + @{steam_share_dirs}/compatibilitytools.d/*/ r, + @{steam_share_dirs}/compatibilitytools.d/*/** mrix, # TODO: -> &wine ?, with namespace + + @{runtime_dirs}/pressure-vessel/@{bin}/** ix, + @{runtime_dirs}/pressure-vessel/@{lib}/** mr, + @{runtime_dirs}/umu-shim rix, + + @{run}/host/@{lib}/**.dll m, + @{run}/host/@{lib}/**.so* m, + + owner @{lib}/ r, + owner /usr/local/lib/ r, + owner /usr/local/lib/**/ r, + + # owner /var/pressure-vessel/** rw, + owner /var/pressure-vessel/ldso/* rw, + owner /var/cache/ldconfig/aux-cache* rw, + + # This is the fontconfig cache of the sandboxed runtime, not the host + owner /var/cache/fontconfig/** rwl, + + owner @{HOME}/.steam/steam.pid r, + + owner @{att}@{run}/user/@{uid}/bus rw, + owner @{att}@{run}/user/@{uid}/pulse/native rw, + + owner @{runtime_dirs}/pressure-vessel/lib/@{multiarch}/steam-runtime-tools-0/libcap.so.2 mr, + owner @{runtime_dirs}/var/tmp-@{rand6}/.ref rw, + owner @{att}@{runtime_dirs}/var/tmp-@{rand6}/.ref rw, + + # file_inherit + @{user_share_dirs}/umu/steamrt3/var/tmp-@{rand6}/usr/.ref rw, + @{att}@{user_share_dirs}/umu/steamrt3/var/tmp-@{rand6}/usr/.ref rw, + + owner @{user_cache_dirs}/umu-protonfixes/protonfixes_test.log w, + + owner @{att}@{wineprefix_dirs}/ rw, + owner @{att}@{wineprefix_dirs}/** rwk, + owner @{wineprefix_dirs}/ rw, + owner @{wineprefix_dirs}/** rwk, + + owner @{tmp}/pressure-vessel-libs-@{rand6}/{,**} rwlk, + owner @{tmp}/pressure-vessel-locales-@{rand6}/{,**} rwlk, + + @{run}/host/fonts/{,**} r, + @{run}/host/share/{,**} r, + @{run}/host/usr/{,**} r, + owner @{run}/pressure-vessel/{,**} r, + + @{sys}/devices/**/net/*/carrier r, + + @{PROC}/@{pid}/net/* r, + @{PROC}/sys/net/ipv4/conf/default/forwarding r, + @{PROC}/sys/net/ipv4/ip_default_ttl r, + + owner @{PROC}/@{pid}/uid_map r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 431b96002a..4e244dc910 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -141,6 +141,11 @@ /dev/tty rw, + @{att}/dev/dri/renderD128 rw, + @{att}/dev/dri/renderD129 rw, + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/umu/umu-bwrap b/apparmor.d/groups/umu/umu-bwrap new file mode 100644 index 0000000000..274934d83b --- /dev/null +++ b/apparmor.d/groups/umu/umu-bwrap @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{share_dirs} = @{user_share_dirs}/umu +@{cache_dirs} = @{user_cache_dirs}/umu +@{runtime_dirs} = @{share_dirs}/steamrt3/ +@{wineprefix_dirs} = @{HOME}/Games/umu/@{int} + +@{steam_share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{steam_lib_dirs} = @{steam_share_dirs}/ubuntu@{int2}_{32,64} + +@{exec_path} = @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap +profile umu-bwrap flags=(attach_disconnected,mediate_deleted) { + include + include + include + + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/sed ix, + @{bin}/tail ix, + @{bin}/true ix, + @{bin}/uname ix, + + @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{d}/pv-adverb Px -> umu-bwrap//&umu-game, + + /bindfile@{rand6} rw, + + owner @{tmp}/#@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/umu/umu-game b/apparmor.d/groups/umu/umu-game new file mode 100644 index 0000000000..b7291ecc4a --- /dev/null +++ b/apparmor.d/groups/umu/umu-game @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{share_dirs} = @{user_share_dirs}/umu +@{cache_dirs} = @{user_cache_dirs}/umu +@{runtime_dirs} = @{share_dirs}/steamrt3/ +@{wineprefix_dirs} = @{HOME}/Games/umu/@{int} + +@{steam_share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{steam_lib_dirs} = @{steam_share_dirs}/ubuntu@{int2}_{32,64} + +@{exec_path} = @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{int}/pv-adverb +profile umu-game flags=(attach_disconnected,mediate_deleted) { + include + include + + @{exec_path} mr, + + owner @{att}/dev/pts/@{int} rw, # file_inherit + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run new file mode 100644 index 0000000000..cd473b8a6a --- /dev/null +++ b/apparmor.d/groups/umu/umu-run @@ -0,0 +1,129 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{share_dirs} = @{user_share_dirs}/umu +@{cache_dirs} = @{user_cache_dirs}/umu +@{runtime_dirs} = @{share_dirs}/steamrt3/ +@{wineprefix_dirs} = @{HOME}/Games/umu/*/ + +@{steam_share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{steam_lib_dirs} = @{steam_share_dirs}/ubuntu@{int2}_{32,64} + +@{exec_path} = @{bin}/umu-run +profile umu-run @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/getopt rix, + @{bin}/readlink rix, + + @{bin}/gcc rix, + @{lib}/gcc/**/collect2 rix, + + @{sbin}/ldconfig rCx -> &umu-run//ldconfig, + @{bin}/bwrap Cx -> bwrap, + @{ldd_path} Cx -> &umu-run//ldd, + + @{runtime_dirs}/umu ix, + @{runtime_dirs}/run ix, + @{runtime_dirs}/pressure-vessel/bin/** rix, + @{runtime_dirs}/pressure-vessel/@{lib}/** rmix, + priority=1 @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{d}/srt-bwrap Px -> umu-bwrap, + + /opt/cuda/targets/@{arch}-linux/lib/*.so mr, + /opt/cuda/targets/@{arch}-linux/lib/*.so.* mr, + /opt/cuda/targets/@{arch}-linux/lib/ r, + + / r, + @{lib}/ r, + owner @{HOME}/ r, + + owner @{wineprefix_dirs}/ w, + owner @{wineprefix_dirs}/** w, + + owner @{steam_lib_dirs}/{,*} rw, + owner @{steam_share_dirs}/compatibilitytools.d/{,**} rw, + + owner @{cache_dirs}/ rw, + owner @{cache_dirs}/** rwlk -> @{share_dirs}/**, + + owner @{share_dirs}/ rw, + owner @{share_dirs}/** rwlk -> @{share_dirs}/**, + + owner @{run}/user/@{uid}/ r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + owner /var/tmp/@{word8} rw, + owner @{tmp}/@{word8} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/tmp@{word8} rw, + owner @{tmp}/tmp@{word8}/ w, + owner @{tmp}/tmp@{word8}/* rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner /tmp/cc@{rand6}.* rw, + + @{sys}/module/nvidia/version r, + + /dev/tty rw, + + profile ldconfig flags=(attach_disconnected) { + include + include + + @{sbin}/ldconfig mr, + + @{sh_path} rix, + @{sbin}/ldconfig.real rix, + + include if exists + } + + profile ldd flags=(attach_disconnected) { + include + include + include + + @{ldd_path} mrix, + @{sh_path} r, + + include if exists + } + + profile bwrap flags=(attach_disconnected) { + include + include + + @{bin}/bwrap mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor From efae340461218efbdb5a0e6441434f653a0d0708 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 22:01:01 +0100 Subject: [PATCH 1181/1736] fix(profile): minor linter issues. --- apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem | 1 + apparmor.d/abstractions/common/game | 2 +- apparmor.d/groups/cups/cups-backend-implicitclass | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/profiles-a-f/cider | 2 +- apparmor.d/profiles-a-f/deno | 2 +- apparmor.d/profiles-m-r/rga | 2 +- 7 files changed, 7 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index c1175f4150..ca41a54ebf 100644 --- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -7,6 +7,7 @@ abi , + #aa:lint ignore=abstractions # Required to own 'org.kde.StatusNotifierItem-@{int}' include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 4e244dc910..0bd55b78b6 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -108,7 +108,7 @@ # Allow to read various device information @{PROC}/devices r, - # Allow to read system uptime + # Allow to read system uptime @{PROC}/uptime r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index d4cc5e440f..e37ee84098 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -21,7 +21,7 @@ profile cups-backend-implicitclass @{exec_path} { # network (receive,send,setopt) inet dgram peer=(port=53), # network (receive,send,setopt) inet stream peer=(port=631), - signal receive set=term peer=cupsd, + signal receive set=term peer=cupsd, unix type=stream peer=(label=cupsd), diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 407fbd0877..057054e078 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -46,7 +46,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { network rose dgram, network x25 seqpacket, - signal send set=term peer=cups-backend-*, + signal send set=term peer=cups-backend-*, signal send set=term peer=cups-notifier-dbus, unix type=stream peer=(label=cups-backend-*), diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index bde5c65073..88411ceed7 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -14,7 +14,7 @@ include @{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} flags=(attach_disconnected) { - include + include include include include diff --git a/apparmor.d/profiles-a-f/deno b/apparmor.d/profiles-a-f/deno index bb608454ac..e46ca9c108 100644 --- a/apparmor.d/profiles-a-f/deno +++ b/apparmor.d/profiles-a-f/deno @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/deno profile deno @{exec_path} { - include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/rga b/apparmor.d/profiles-m-r/rga index 4ed9892a26..ecd3bdee45 100644 --- a/apparmor.d/profiles-m-r/rga +++ b/apparmor.d/profiles-m-r/rga @@ -8,7 +8,7 @@ include @{exec_path} = @{bin}/rga profile rga @{exec_path} { - include + include capability dac_override, capability dac_read_search, From 51d4377fb0871c80bd8521fb0d66a0608ee6e417 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 22:03:54 +0100 Subject: [PATCH 1182/1736] refractor(abs): hwmon abstraction into system abs This are the first of a new kind of abstraction for very low level system access. --- apparmor.d/abstractions/hwmon | 170 ++---------------- apparmor.d/abstractions/hwmon-full | 108 ----------- apparmor.d/abstractions/hwmon-write | 25 +++ apparmor.d/abstractions/sys/hwmon | 21 +++ apparmor.d/abstractions/sys/hwmon-alarm | 51 ++++++ apparmor.d/abstractions/sys/hwmon-alarm:w | 19 ++ apparmor.d/abstractions/sys/hwmon-current | 27 +++ apparmor.d/abstractions/sys/hwmon-current:w | 20 +++ apparmor.d/abstractions/sys/hwmon-energy | 17 ++ apparmor.d/abstractions/sys/hwmon-energy:w | 14 ++ apparmor.d/abstractions/sys/hwmon-fan | 23 +++ apparmor.d/abstractions/sys/hwmon-fan:w | 19 ++ apparmor.d/abstractions/sys/hwmon-humidity | 17 ++ apparmor.d/abstractions/sys/hwmon-humidity:w | 14 ++ apparmor.d/abstractions/sys/hwmon-intrusion | 17 ++ apparmor.d/abstractions/sys/hwmon-intrusion:w | 15 ++ apparmor.d/abstractions/sys/hwmon-power | 38 ++++ apparmor.d/abstractions/sys/hwmon-power:w | 22 +++ apparmor.d/abstractions/sys/hwmon-pwm | 26 +++ apparmor.d/abstractions/sys/hwmon-pwm:w | 24 +++ apparmor.d/abstractions/sys/hwmon-temp | 32 ++++ apparmor.d/abstractions/sys/hwmon-temp:w | 28 +++ apparmor.d/abstractions/sys/hwmon-voltages | 26 +++ apparmor.d/abstractions/sys/hwmon-voltages:w | 19 ++ apparmor.d/abstractions/sys/hwmon:w | 14 ++ 25 files changed, 540 insertions(+), 266 deletions(-) delete mode 100644 apparmor.d/abstractions/hwmon-full create mode 100644 apparmor.d/abstractions/hwmon-write create mode 100644 apparmor.d/abstractions/sys/hwmon create mode 100644 apparmor.d/abstractions/sys/hwmon-alarm create mode 100644 apparmor.d/abstractions/sys/hwmon-alarm:w create mode 100644 apparmor.d/abstractions/sys/hwmon-current create mode 100644 apparmor.d/abstractions/sys/hwmon-current:w create mode 100644 apparmor.d/abstractions/sys/hwmon-energy create mode 100644 apparmor.d/abstractions/sys/hwmon-energy:w create mode 100644 apparmor.d/abstractions/sys/hwmon-fan create mode 100644 apparmor.d/abstractions/sys/hwmon-fan:w create mode 100644 apparmor.d/abstractions/sys/hwmon-humidity create mode 100644 apparmor.d/abstractions/sys/hwmon-humidity:w create mode 100644 apparmor.d/abstractions/sys/hwmon-intrusion create mode 100644 apparmor.d/abstractions/sys/hwmon-intrusion:w create mode 100644 apparmor.d/abstractions/sys/hwmon-power create mode 100644 apparmor.d/abstractions/sys/hwmon-power:w create mode 100644 apparmor.d/abstractions/sys/hwmon-pwm create mode 100644 apparmor.d/abstractions/sys/hwmon-pwm:w create mode 100644 apparmor.d/abstractions/sys/hwmon-temp create mode 100644 apparmor.d/abstractions/sys/hwmon-temp:w create mode 100644 apparmor.d/abstractions/sys/hwmon-voltages create mode 100644 apparmor.d/abstractions/sys/hwmon-voltages:w create mode 100644 apparmor.d/abstractions/sys/hwmon:w diff --git a/apparmor.d/abstractions/hwmon b/apparmor.d/abstractions/hwmon index 5f0ccfa21b..6172d3eccf 100644 --- a/apparmor.d/abstractions/hwmon +++ b/apparmor.d/abstractions/hwmon @@ -2,166 +2,20 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - @{sys}/class/hwmon/ r, - @{sys}/class/hwmon/hwmon@{int}/ r, - @{sys}/devices/**/hwmon/ r, - @{sys}/devices/**/hwmon@{int}/ r, - -# hwmon nodes below are written in accordance with https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface -# Global attributes - @{sys}/devices/**/hwmon@{int}/ r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_input r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_label r, - @{sys}/devices/**/hwmon@{int}/update_interval r, - -# Voltages - @{sys}/devices/**/hwmon@{int}/in@{int}_min r, - @{sys}/devices/**/hwmon@{int}/in@{int}_max r, - @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit r, - @{sys}/devices/**/hwmon@{int}/in@{int}_crit r, - @{sys}/devices/**/hwmon@{int}/in@{int}_input r, - @{sys}/devices/**/hwmon@{int}/in@{int}_average r, - @{sys}/devices/**/hwmon@{int}/in@{int}_lowest r, - @{sys}/devices/**/hwmon@{int}/in@{int}_highest r, - @{sys}/devices/**/hwmon@{int}/in@{int}_label r, - @{sys}/devices/**/hwmon@{int}/in@{int}_enable r, - @{sys}/devices/**/hwmon@{int}/cpu@{int}_vid r, - @{sys}/devices/**/hwmon@{int}/vrm r, - -# Fans -# Fan enumeration starts from 1 not 0 - @{sys}/devices/**/hwmon@{int}/fan@{int}_min r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_max r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_input r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_div r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_pulses r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_target r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_label r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_enable r, - -# PWM -# PWM enumeration starts from 1 not 0 - @{sys}/devices/**/hwmon@{int}/pwm@{int} r, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_enable r, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_mode r, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_freq r, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_channels_temp r, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_pwm r, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp r, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_pwm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst r, - -# Temperatures -# Temperatures enumeration starts from 1 not 0 - @{sys}/devices/**/hwmon@{int}/temp@{int}_type r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_min r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_max r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_min_hyst r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_max_hyst r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_input r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_crit r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_hyst r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_hyst r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_hyst r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_offset r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_label r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_lowest r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_highest r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_enable r, - -# Currents -# Currents enumeration starts from 1 not 0 - @{sys}/devices/**/hwmon@{int}/curr@{int}_max r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_min r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_crit r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_input r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_average r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_lowest r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_highest r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_enable r, -# line below is not in kernel doc, but present in real system for CPU hwmon - @{sys}/devices/**/hwmon@{int}/curr@{int}_label r, +# hwmon nodes are written in accordance with https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface -# Power - @{sys}/devices/**/hwmon@{int}/power@{int}_average r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_max r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_min r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_highest r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_lowest r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_max r, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_min r, - @{sys}/devices/**/hwmon@{int}/power@{int}_input r, - @{sys}/devices/**/hwmon@{int}/power@{int}_input_highest r, - @{sys}/devices/**/hwmon@{int}/power@{int}_input_lowest r, - @{sys}/devices/**/hwmon@{int}/power@{int}_accuracy r, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap r, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_hyst r, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_max r, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_min r, - @{sys}/devices/**/hwmon@{int}/power@{int}_max r, - @{sys}/devices/**/hwmon@{int}/power@{int}_crit r, - @{sys}/devices/**/hwmon@{int}/power@{int}_enable r, -# lines below is not in kernel doc, but present in real system - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_default r, - @{sys}/devices/**/hwmon@{int}/power@{int}_label r, - -# Energy - @{sys}/devices/**/hwmon@{int}/energy@{int}_input r, - @{sys}/devices/**/hwmon@{int}/energy@{int}_enable r, - -# Humidity - @{sys}/devices/**/hwmon@{int}/humidity@{int}_input r, - @{sys}/devices/**/hwmon@{int}/humidity@{int}_enable r, - -# Alarms - @{sys}/devices/**/hwmon@{int}/in@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/power@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_alarm r, - - @{sys}/devices/**/hwmon@{int}/in@{int}_min_alarm r, - @{sys}/devices/**/hwmon@{int}/in@{int}_max_alarm r, - @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit_alarm r, - @{sys}/devices/**/hwmon@{int}/in@{int}_crit_alarm r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_min_alarm r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_max_alarm r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit_alarm r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_crit_alarm r, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_alarm r, - @{sys}/devices/**/hwmon@{int}/power@{int}_max_alarm r, - @{sys}/devices/**/hwmon@{int}/power@{int}_crit_alarm r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_min_alarm r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_max_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_min_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_max_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_alarm r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_alarm r, - - @{sys}/devices/**/hwmon@{int}/fan@{int}_fault r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_fault r, - - @{sys}/devices/**/hwmon@{int}/beep_enable r, - @{sys}/devices/**/hwmon@{int}/in@{int}_beep r, - @{sys}/devices/**/hwmon@{int}/curr@{int}_beep r, - @{sys}/devices/**/hwmon@{int}/fan@{int}_beep r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_beep r, - - @{sys}/devices/**/hwmon@{int}/alarms r, - @{sys}/devices/**/hwmon@{int}/beep_mask r, + abi , -# Intrusion detection - @{sys}/devices/**/hwmon@{int}/intrusion@{int}_alarm r, - @{sys}/devices/**/hwmon@{int}/intrusion@{int}_beep r, + include + include + include + include + include + include + include + include + include + include include if exists diff --git a/apparmor.d/abstractions/hwmon-full b/apparmor.d/abstractions/hwmon-full deleted file mode 100644 index 8a0e8d0598..0000000000 --- a/apparmor.d/abstractions/hwmon-full +++ /dev/null @@ -1,108 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - include - -# hwmon-full abstraction includes all rules from hwmon with read permission -# and adds rules for write and write-only permission in hwmon structure - -# hwmon nodes below are written in accordance with https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface -# Global attributes - @{sys}/devices/**/hwmon@{int}/update_interval rw, - -# Voltages - @{sys}/devices/**/hwmon@{int}/in@{int}_min rw, - @{sys}/devices/**/hwmon@{int}/in@{int}_max rw, - @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit rw, - @{sys}/devices/**/hwmon@{int}/in@{int}_crit rw, - @{sys}/devices/**/hwmon@{int}/in@{int}_reset_history w, - @{sys}/devices/**/hwmon@{int}/in_reset_history w, - @{sys}/devices/**/hwmon@{int}/in@{int}_enable rw, - -# Fans -# Fan enumeration starts from 1 not 0 - @{sys}/devices/**/hwmon@{int}/fan@{int}_min rw, - @{sys}/devices/**/hwmon@{int}/fan@{int}_max rw, - @{sys}/devices/**/hwmon@{int}/fan@{int}_div rw, - @{sys}/devices/**/hwmon@{int}/fan@{int}_pulses rw, - @{sys}/devices/**/hwmon@{int}/fan@{int}_target rw, - @{sys}/devices/**/hwmon@{int}/fan@{int}_enable rw, - -# PWM -# PWM enumeration starts from 1 not 0 - @{sys}/devices/**/hwmon@{int}/pwm@{int} rw, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_enable rw, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_mode rw, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_freq rw, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_channels_temp rw, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_pwm rw, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp rw, - @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_pwm rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst rw, - -# Temperatures -# Temperatures enumeration starts from 1 not 0 - @{sys}/devices/**/hwmon@{int}/temp@{int}_type rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_min rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_max rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_min_hyst rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_max_hyst rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_crit rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_hyst rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_hyst rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_hyst rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_offset rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_reset_history w, - @{sys}/devices/**/hwmon@{int}/temp_reset_history w, - @{sys}/devices/**/hwmon@{int}/temp@{int}_enable rw, - -# Currents -# Currents enumeration starts from 1 not 0 - @{sys}/devices/**/hwmon@{int}/curr@{int}_max rw, - @{sys}/devices/**/hwmon@{int}/curr@{int}_min rw, - @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit rw, - @{sys}/devices/**/hwmon@{int}/curr@{int}_crit rw, - @{sys}/devices/**/hwmon@{int}/curr@{int}_reset_history w, - @{sys}/devices/**/hwmon@{int}/curr_reset_history w, - @{sys}/devices/**/hwmon@{int}/curr@{int}_enable rw, - -# Power - @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_max rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_average_min rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_reset_history w, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_cap_hyst rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_max rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_crit rw, - @{sys}/devices/**/hwmon@{int}/power@{int}_enable rw, - -# Energy - @{sys}/devices/**/hwmon@{int}/energy@{int}_enable rw, - -# Humidity - @{sys}/devices/**/hwmon@{int}/humidity@{int}_enable rw, - -# Alarms - @{sys}/devices/**/hwmon@{int}/beep_enable rw, - @{sys}/devices/**/hwmon@{int}/in@{int}_beep rw, - @{sys}/devices/**/hwmon@{int}/curr@{int}_beep rw, - @{sys}/devices/**/hwmon@{int}/fan@{int}_beep rw, - @{sys}/devices/**/hwmon@{int}/temp@{int}_beep rw, - - @{sys}/devices/**/hwmon@{int}/beep_maks rw, - -# Intrusion detection - @{sys}/devices/**/hwmon@{int}/intrusion@{int}_alarm rw, - @{sys}/devices/**/hwmon@{int}/intrusion@{int}_beep rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/hwmon-write b/apparmor.d/abstractions/hwmon-write new file mode 100644 index 0000000000..92d2a53244 --- /dev/null +++ b/apparmor.d/abstractions/hwmon-write @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# hwmon-write abstraction includes all rules from hwmon with read permission +# and adds rules for write and write-only permission in hwmon structure + + abi , + + include + + include + include + include + include + include + include + include + include + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon b/apparmor.d/abstractions/sys/hwmon new file mode 100644 index 0000000000..700e1d40a2 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Global attributes +# See https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface + + abi , + + @{sys}/class/hwmon/ r, + @{sys}/class/hwmon/hwmon@{int}/ r, + + @{sys}/devices/**/hwmon/ r, + @{sys}/devices/**/hwmon@{int}/ r, + + @{sys}/devices/**/hwmon@{int}/name r, + @{sys}/devices/**/hwmon@{int}/update_interval r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-alarm b/apparmor.d/abstractions/sys/hwmon-alarm new file mode 100644 index 0000000000..b978af21ac --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-alarm @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Alarms +# Alarms enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/in@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_alarm r, + + @{sys}/devices/**/hwmon@{int}/in@{int}_min_alarm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit_alarm r, + @{sys}/devices/**/hwmon@{int}/in@{int}_crit_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_min_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit_alarm r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_crit_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/power@{int}_crit_alarm r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_min_alarm r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_alarm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_alarm r, + + @{sys}/devices/**/hwmon@{int}/fan@{int}_fault r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_fault r, + + @{sys}/devices/**/hwmon@{int}/beep_enable r, + @{sys}/devices/**/hwmon@{int}/in@{int}_beep r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_beep r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_beep r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_beep r, + + @{sys}/devices/**/hwmon@{int}/alarms r, + @{sys}/devices/**/hwmon@{int}/beep_mask r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-alarm:w b/apparmor.d/abstractions/sys/hwmon-alarm:w new file mode 100644 index 0000000000..e8bbc79570 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-alarm:w @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Alarms +# Alarms enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/beep_enable rw, + @{sys}/devices/**/hwmon@{int}/beep_maks rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_beep rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_beep rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_beep rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_beep rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-current b/apparmor.d/abstractions/sys/hwmon-current new file mode 100644 index 0000000000..b034c2224d --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-current @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Currents +# Currents enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/curr@{int}_average r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_crit r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_input r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_max r, + @{sys}/devices/**/hwmon@{int}/curr@{int}_min r, + + # The line below is not in kernel doc, but present in real system for CPU hwmon + @{sys}/devices/**/hwmon@{int}/curr@{int}_label r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-current:w b/apparmor.d/abstractions/sys/hwmon-current:w new file mode 100644 index 0000000000..c56c854051 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-current:w @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Currents +# Currents enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/curr_reset_history w, + @{sys}/devices/**/hwmon@{int}/curr@{int}_crit rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_lcrit rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_min rw, + @{sys}/devices/**/hwmon@{int}/curr@{int}_reset_history w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-energy b/apparmor.d/abstractions/sys/hwmon-energy new file mode 100644 index 0000000000..4123df6ca1 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-energy @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Energy +# Energy enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/energy@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/energy@{int}_input r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-energy:w b/apparmor.d/abstractions/sys/hwmon-energy:w new file mode 100644 index 0000000000..dfd38845f2 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-energy:w @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Energy +# Energy enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/energy@{int}_enable rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-fan b/apparmor.d/abstractions/sys/hwmon-fan new file mode 100644 index 0000000000..d908dc7a11 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-fan @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Fans +# Fan enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/fan@{int}_min r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_max r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_input r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_div r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_pulses r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_target r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_label r, + @{sys}/devices/**/hwmon@{int}/fan@{int}_enable r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-fan:w b/apparmor.d/abstractions/sys/hwmon-fan:w new file mode 100644 index 0000000000..0425686393 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-fan:w @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Fans +# Fan enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/fan@{int}_div rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_min rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_pulses rw, + @{sys}/devices/**/hwmon@{int}/fan@{int}_target rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-humidity b/apparmor.d/abstractions/sys/hwmon-humidity new file mode 100644 index 0000000000..58eb196979 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-humidity @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Humidity +# Humidity enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/humidity@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/humidity@{int}_input r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-humidity:w b/apparmor.d/abstractions/sys/hwmon-humidity:w new file mode 100644 index 0000000000..c54c858c70 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-humidity:w @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Humidity +# Humidity enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/humidity@{int}_enable rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-intrusion b/apparmor.d/abstractions/sys/hwmon-intrusion new file mode 100644 index 0000000000..9126c30f53 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-intrusion @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Intrusion detection +# Intrusion detection enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/intrusion@{int}_alarm r, + @{sys}/devices/**/hwmon@{int}/intrusion@{int}_beep r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-intrusion:w b/apparmor.d/abstractions/sys/hwmon-intrusion:w new file mode 100644 index 0000000000..066be28abb --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-intrusion:w @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Intrusion detection +# Intrusion detection enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/intrusion@{int}_alarm rw, + @{sys}/devices/**/hwmon@{int}/intrusion@{int}_beep rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-power b/apparmor.d/abstractions/sys/hwmon-power new file mode 100644 index 0000000000..e4ad634de9 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-power @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Power +# Power enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/power@{int}_accuracy r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_highest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval_min r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_lowest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_min r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_hyst r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_max r, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_min r, + @{sys}/devices/**/hwmon@{int}/power@{int}_crit r, + @{sys}/devices/**/hwmon@{int}/power@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/power@{int}_input r, + @{sys}/devices/**/hwmon@{int}/power@{int}_input_highest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_input_lowest r, + @{sys}/devices/**/hwmon@{int}/power@{int}_max r, + + # The lines below are not in kernel doc, but present in real system for CPU hwmon + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_default r, + @{sys}/devices/**/hwmon@{int}/power@{int}_label r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-power:w b/apparmor.d/abstractions/sys/hwmon-power:w new file mode 100644 index 0000000000..e5ec2ad185 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-power:w @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Power +# Power enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/power@{int}_average_interval rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_max rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_average_min rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_cap_hyst rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_crit rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/power@{int}_reset_history w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-pwm b/apparmor.d/abstractions/sys/hwmon-pwm new file mode 100644 index 0000000000..ae73674b42 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-pwm @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# PWM +# PWM enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/pwm@{int} r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_channels_temp r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_pwm r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_freq r, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_mode r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_pwm r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-pwm:w b/apparmor.d/abstractions/sys/hwmon-pwm:w new file mode 100644 index 0000000000..13f678a227 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-pwm:w @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# PWM +# PWM enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/pwm@{int} rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_channels_temp rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_pwm rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_auto_point@{int}_temp_hyst rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_freq rw, + @{sys}/devices/**/hwmon@{int}/pwm@{int}_mode rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_pwm rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_auto_point@{int}_temp_hyst rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-temp b/apparmor.d/abstractions/sys/hwmon-temp new file mode 100644 index 0000000000..4c06eadb75 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-temp @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Temperatures +# Temperatures enumeration starts from 1 not 0 + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_input r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_label r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min_hyst r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_offset r, + @{sys}/devices/**/hwmon@{int}/temp@{int}_type r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-temp:w b/apparmor.d/abstractions/sys/hwmon-temp:w new file mode 100644 index 0000000000..23b2a5d140 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-temp:w @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Temperatures +# Temperatures enumeration starts from 1 not 0 + + abi , + + @{sys}/devices/**/hwmon@{int}/temp@{int}_type rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_min_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_max_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_crit_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_emergency_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_lcrit_hyst rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_offset rw, + @{sys}/devices/**/hwmon@{int}/temp@{int}_reset_history w, + @{sys}/devices/**/hwmon@{int}/temp_reset_history w, + @{sys}/devices/**/hwmon@{int}/temp@{int}_enable rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-voltages b/apparmor.d/abstractions/sys/hwmon-voltages new file mode 100644 index 0000000000..c8d6ba9e1a --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-voltages @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Voltages + + abi , + + include + + @{sys}/devices/**/hwmon@{int}/cpu@{int}_vid r, + @{sys}/devices/**/hwmon@{int}/in@{int}_average r, + @{sys}/devices/**/hwmon@{int}/in@{int}_crit r, + @{sys}/devices/**/hwmon@{int}/in@{int}_enable r, + @{sys}/devices/**/hwmon@{int}/in@{int}_highest r, + @{sys}/devices/**/hwmon@{int}/in@{int}_input r, + @{sys}/devices/**/hwmon@{int}/in@{int}_label r, + @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit r, + @{sys}/devices/**/hwmon@{int}/in@{int}_lowest r, + @{sys}/devices/**/hwmon@{int}/in@{int}_max r, + @{sys}/devices/**/hwmon@{int}/in@{int}_min r, + @{sys}/devices/**/hwmon@{int}/vrm r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon-voltages:w b/apparmor.d/abstractions/sys/hwmon-voltages:w new file mode 100644 index 0000000000..0b8e1374d9 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon-voltages:w @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Voltages + + abi , + + @{sys}/devices/**/hwmon@{int}/in_reset_history w, + @{sys}/devices/**/hwmon@{int}/in@{int}_crit rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_enable rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_lcrit rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_max rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_min rw, + @{sys}/devices/**/hwmon@{int}/in@{int}_reset_history w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sys/hwmon:w b/apparmor.d/abstractions/sys/hwmon:w new file mode 100644 index 0000000000..96f01c5658 --- /dev/null +++ b/apparmor.d/abstractions/sys/hwmon:w @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Global attributes +# See https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface + + abi , + + @{sys}/devices/**/hwmon@{int}/update_interval w, + + include if exists + +# vim:syntax=apparmor From 241ba7f2f0aa8a9fd2ebace29f4bd91d3c66aa73 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 22:22:29 +0100 Subject: [PATCH 1183/1736] feat(profile): use new hwmon abs. --- apparmor.d/groups/flatpak/flatpak-session-helper-app | 1 - apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +-- apparmor.d/groups/gnome/gnome-shell | 9 +++------ apparmor.d/groups/gnome/nautilus | 7 ++----- apparmor.d/groups/procps/htop | 11 ++--------- apparmor.d/groups/virt/cockpit-bridge | 4 +--- apparmor.d/groups/xfce/xfce-sensors | 10 +--------- apparmor.d/profiles-a-f/btop | 3 +-- apparmor.d/profiles-g-l/hardinfo | 7 ++----- apparmor.d/profiles-m-r/monitorix | 3 +-- apparmor.d/profiles-m-r/nvtop | 9 ++++----- apparmor.d/profiles-s-z/sensors | 3 +-- apparmor.d/profiles-s-z/sysstat-sadc | 3 +-- apparmor.d/profiles-s-z/thermald | 5 +---- apparmor.d/profiles-s-z/thinkfan | 6 ++---- apparmor.d/profiles-s-z/virt-manager | 4 +++- apparmor.d/profiles-s-z/vnstat | 2 +- 17 files changed, 27 insertions(+), 63 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper-app b/apparmor.d/groups/flatpak/flatpak-session-helper-app index dab511e99b..c752452429 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper-app +++ b/apparmor.d/groups/flatpak/flatpak-session-helper-app @@ -30,7 +30,6 @@ profile flatpak-session-helper-app flags=(attach_disconnected) { @{bin}/udevadm Cx -> udevadm, @{sys}/block/ r, - @{sys}/class/hwmon/ r, @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/stat r, @{sys}/devices/**/speed r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index f4d7f77030..17cb86b4f6 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -15,6 +15,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include + include include network unix stream, @@ -45,8 +46,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, - /dev/dri/card@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 588efed7cb..cf6655e74c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -30,6 +30,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include + include include include @@ -384,7 +387,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/backlight/ r, - @{sys}/class/hwmon/ r, @{sys}/class/input/ r, @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @@ -402,10 +404,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r, @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r, - @{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r, - @{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r, - @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, - @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -414,7 +412,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/in@{int}_input r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 8322c00343..41daa09325 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -20,6 +20,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include + include + include include mqueue r type=posix /, @@ -123,11 +125,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - @{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r, - @{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r, - @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, - @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, - @{PROC}/@{pids}/net/wireless r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 7b2d564cee..7da2462d1d 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -12,6 +12,8 @@ profile htop @{exec_path} flags=(attach_disconnected) { include include include + include + include capability dac_read_search, capability kill, @@ -37,18 +39,9 @@ profile htop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/htop/* rw, @{sys}/bus/*/devices/ r, - @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/devices/**/hwmon@{int}/ r, - @{sys}/devices/**/hwmon@{int}/{name,temp*} r, - @{sys}/devices/**/hwmon@{int}/**/ r, - @{sys}/devices/**/hwmon@{int}/**/{name,temp*} r, - @{sys}/devices/**/hwmon/ r, - @{sys}/devices/**/hwmon/{name,temp*} r, - @{sys}/devices/**/hwmon/**/ r, - @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, @{sys}/devices/i2c-*/name r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 3d01253ea8..292558abf7 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -18,6 +18,7 @@ profile cockpit-bridge @{exec_path} { include include include + include capability dac_read_search, capability net_admin, @@ -96,10 +97,7 @@ profile cockpit-bridge @{exec_path} { audit @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, @{run}/utmp r, - @{sys}/class/hwmon/ r, @{sys}/class/net/ r, - @{sys}/devices/**/hwmon@{int}/ r, - @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/fs/cgroup/ r, @{sys}/fs/cgroup/**/ r, @{sys}/fs/cgroup/**/cpu.{stat,weight} r, diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index c1bd981114..0ab6812780 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -10,21 +10,13 @@ include profile xfce-sensors @{exec_path} { include include + include @{exec_path} mr, - @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/devices/**/hwmon@{int}/ r, - @{sys}/devices/**/hwmon@{int}/{name,temp*} r, - @{sys}/devices/**/hwmon@{int}/**/ r, - @{sys}/devices/**/hwmon@{int}/**/{name,temp*} r, - @{sys}/devices/**/hwmon/ r, - @{sys}/devices/**/hwmon/{name,temp*} r, - @{sys}/devices/**/hwmon/**/ r, - @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 6868a09c1d..43ae11a741 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -11,6 +11,7 @@ profile btop @{exec_path} { include include include + include include capability dac_read_search, @@ -33,7 +34,6 @@ profile btop @{exec_path} { owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, - @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/{,**}/ r, @@ -41,7 +41,6 @@ profile btop @{exec_path} { @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, - @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, @{sys}/devices/*/events/{,*} r, @{sys}/devices/platform/*/ r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index f48b02ae70..3fc19b36b6 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -15,6 +15,8 @@ profile hardinfo @{exec_path} { include include include + include + include include # This is needed to display some content of devices -> resources @@ -82,12 +84,7 @@ profile hardinfo @{exec_path} { @{sys}/devices/system/cpu/** r, @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp* r, - @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, - @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, @{sys}/devices/@{pci}/eeprom r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r, @{sys}/devices/**/power_supply/** r, @{PROC}/@{pid}/net/arp r, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index 6cbef400ba..5c349423fe 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -13,6 +13,7 @@ profile monitorix @{exec_path} { include include include + include include include @@ -72,9 +73,7 @@ profile monitorix @{exec_path} { @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, - @{sys}/devices/**/hwmon*/{,**} r, @{PROC}/ r, @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 4766c7f5a0..d132d9d724 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -12,6 +12,10 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { include include include + include + include + include + include capability sys_ptrace, @@ -33,11 +37,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/current_link_{speed,width} r, @{sys}/devices/@{pci}/enable r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/fan@{int}_{enable,max} r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/power@{int}_cap r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int} r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int}_{enable,max} r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp@{int}_crit r, @{sys}/devices/@{pci}/max_link_{speed,width} r, @{sys}/devices/@{pci}/pcie_bw r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index ca2d43a650..8e68860987 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -11,6 +11,7 @@ include profile sensors @{exec_path} { include include + include @{exec_path} mr, @@ -19,11 +20,9 @@ profile sensors @{exec_path} { /etc/sensors3.conf r, @{sys}/bus/i2c/devices/ r, - @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/**/hwmon*/{,**} r, # file_inherit deny @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index 7423a8c38b..63e9096ca5 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -10,6 +10,7 @@ include profile sysstat-sadc @{exec_path} { include include + include capability sys_admin, @@ -23,11 +24,9 @@ profile sysstat-sadc @{exec_path} { @{sys}/bus/i2c/devices/ r, @{sys}/bus/usb/devices/ r, @{sys}/class/fc_host/ r, - @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, @{sys}/devices/**/duplex r, - @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/name r, @{sys}/devices/**/speed r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 01ca79e066..988918f50d 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -14,6 +14,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_boot, @@ -27,7 +28,6 @@ profile thermald @{exec_path} flags=(attach_disconnected) { owner @{run}/thermald/** rw, owner @{run}/thermald/thermald.pid rwk, - @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, @{sys}/devices/platform/ r, @{sys}/devices/platform/** r, @@ -43,9 +43,6 @@ profile thermald @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_tmax_us r, @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_tmin_us r, - @{sys}/devices/**/hwmon@{int}/ r, - @{sys}/devices/**/hwmon@{int}/name r, - @{sys}/devices/**/hwmon@{int}/temp@{int}_{max,crit} r, @{sys}/devices/**/path r, @{sys}/devices/platform/*/uuids/current_uuid rw, diff --git a/apparmor.d/profiles-s-z/thinkfan b/apparmor.d/profiles-s-z/thinkfan index ddf7e1ff29..6165f2fb44 100644 --- a/apparmor.d/profiles-s-z/thinkfan +++ b/apparmor.d/profiles-s-z/thinkfan @@ -10,16 +10,14 @@ include @{exec_path} = @{bin}/thinkfan profile thinkfan @{exec_path} { include + include + include @{exec_path} mr, /etc/thinkfan.conf r, /etc/thinkfan.yaml r, - @{sys}/devices/**/hwmon/**/pwm@{int} rw, - @{sys}/devices/**/hwmon/**/pwm@{int}_enable rw, - @{sys}/devices/**/hwmon/**/temp@{int}_input r, - @{PROC}/acpi/ibm/thermal r, @{PROC}/acpi/ibm/fan rw, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 4f669ea751..4fc88f7eda 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -25,6 +25,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include + include include include @@ -87,7 +89,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, + @{sys}/devices/@{pci_bus}/uevent r, @{sys}/devices/virtual/drm/ttm/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index ce2ea85b11..41fe8cc16a 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -11,6 +11,7 @@ include profile vnstat @{exec_path} { include include + include capability chown, capability dac_override, @@ -43,7 +44,6 @@ profile vnstat @{exec_path} { deny @{PROC}/uptime r, deny @{PROC}/diskstats r, deny @{PROC}/loadavg r, - deny @{sys}/devices/**/hwmon/**/temp*_input r, owner /dev/tty@{u8} rw, deny network inet dgram, deny network inet6 dgram, From 28b8ae8a1ece1ea08bbd0aa9583c1c422e0a0647 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 22:53:33 +0100 Subject: [PATCH 1184/1736] feat(abs): add bus-system to the desktop abs. --- apparmor.d/abstractions/app/chromium | 1 - apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/common/app | 1 - apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/lxqt | 1 + apparmor.d/abstractions/xfce | 1 + apparmor.d/groups/bluetooth/blueman | 1 - apparmor.d/groups/browsers/epiphany | 1 - apparmor.d/groups/bus/ibus-x11 | 1 - apparmor.d/groups/display-manager/lightdm | 1 - apparmor.d/groups/firewall/firewall-applet | 1 - apparmor.d/groups/freedesktop/polkit-kde-authentication-agent | 1 - apparmor.d/groups/freedesktop/pulseaudio | 1 - apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 1 - apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 1 - apparmor.d/groups/freedesktop/xorg | 1 - apparmor.d/groups/gnome/epiphany-search-provider | 1 - apparmor.d/groups/gnome/gjs | 1 - apparmor.d/groups/gnome/gnome-boxes | 1 - apparmor.d/groups/gnome/gnome-calculator | 1 - apparmor.d/groups/gnome/gnome-calendar | 1 - apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-clocks | 1 - apparmor.d/groups/gnome/gnome-contacts | 1 - apparmor.d/groups/gnome/gnome-contacts-search-provider | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-control-center-goa-helper | 1 - apparmor.d/groups/gnome/gnome-disk-image-mounter | 1 - apparmor.d/groups/gnome/gnome-extension-ding | 1 - apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 - apparmor.d/groups/gnome/gnome-firmware | 1 - apparmor.d/groups/gnome/gnome-initial-setup | 1 - apparmor.d/groups/gnome/gnome-music | 1 - apparmor.d/groups/gnome/gnome-remote-desktop-daemon | 1 - apparmor.d/groups/gnome/gnome-session-binary | 1 - apparmor.d/groups/gnome/gnome-session-service | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/gnome-system-monitor | 1 - apparmor.d/groups/gnome/gnome-text-editor | 1 - apparmor.d/groups/gnome/goa-daemon | 1 - apparmor.d/groups/gnome/gsd-color | 1 - apparmor.d/groups/gnome/gsd-keyboard | 1 - apparmor.d/groups/gnome/gsd-media-keys | 1 - apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/groups/gnome/gsd-xsettings | 1 - apparmor.d/groups/gnome/kgx | 1 - apparmor.d/groups/gnome/localsearch | 1 - apparmor.d/groups/gnome/loupe | 1 - apparmor.d/groups/gnome/mutter-x11-frames | 1 - apparmor.d/groups/gnome/nautilus | 1 - apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 1 - apparmor.d/groups/gnome/papers | 1 - apparmor.d/groups/gnome/ptyxis | 1 - apparmor.d/groups/gnome/seahorse | 1 - apparmor.d/groups/gnome/showtime | 1 - apparmor.d/groups/gnome/tracker-miner | 1 - apparmor.d/groups/gnome/yelp | 1 - apparmor.d/groups/kde/DiscoverNotifier | 1 - apparmor.d/groups/kde/dolphin | 1 - apparmor.d/groups/kde/kde-powerdevil | 1 - apparmor.d/groups/kde/kded | 1 - apparmor.d/groups/kde/kscreenlocker_greet | 1 - apparmor.d/groups/kde/ksmserver | 1 - apparmor.d/groups/kde/ksmserver-logout-greeter | 1 - apparmor.d/groups/kde/kwin_wayland | 1 - apparmor.d/groups/kde/kwin_x11 | 1 - apparmor.d/groups/kde/plasma-browser-integration-host | 1 - apparmor.d/groups/kde/plasmashell | 1 - apparmor.d/groups/kde/sddm | 1 - apparmor.d/groups/kde/sddm-greeter | 1 - apparmor.d/groups/kde/startplasma | 1 - apparmor.d/groups/lxqt/lxqt-config-powermanagement | 1 - apparmor.d/groups/ubuntu/software-properties-gtk | 1 - apparmor.d/groups/ubuntu/update-manager | 1 - apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/groups/xfce/xfce-panel | 1 - apparmor.d/groups/xfce/xfce-power-manager | 1 - apparmor.d/groups/xfce/xfce-terminal | 1 - apparmor.d/groups/xfce/xfsettingsd | 1 - apparmor.d/profiles-a-f/baobab | 1 - apparmor.d/profiles-a-f/calibre | 1 - apparmor.d/profiles-a-f/file-roller | 1 - apparmor.d/profiles-a-f/fractal | 1 - apparmor.d/profiles-g-l/keepassxc | 1 - apparmor.d/profiles-g-l/kerneloops-applet | 1 - apparmor.d/profiles-g-l/libreoffice | 1 - apparmor.d/profiles-g-l/localsend | 1 - apparmor.d/profiles-m-r/qbittorrent | 1 - apparmor.d/profiles-m-r/remmina | 1 - apparmor.d/profiles-s-z/simple-scan | 1 - apparmor.d/profiles-s-z/spice-vdagent | 1 - apparmor.d/profiles-s-z/system-config-printer | 1 - apparmor.d/profiles-s-z/totem | 1 - apparmor.d/profiles-s-z/transmission | 1 - apparmor.d/profiles-s-z/virt-manager | 1 - 98 files changed, 5 insertions(+), 93 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index df14c2e780..2ee5f6ba76 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -27,7 +27,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 8290bbc6f2..5c35c307d8 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -20,7 +20,6 @@ abi , include - include include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 417d3d91cf..9040e838d3 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -15,7 +15,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index fca62391f7..a8e52c99ca 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index fb48fa2ea8..2639f0bb8e 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -8,6 +8,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 7c021fa31f..9bc960bdd2 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -8,6 +8,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 79051cccc2..18cbeaae8d 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -7,6 +7,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 114716c84f..86d267686d 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -8,6 +8,7 @@ include include include + include include include include diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index ccec1ec95e..ed6f2fedbf 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -12,7 +12,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index bda5b98c24..b71dccb82c 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -10,7 +10,6 @@ include profile epiphany @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index a26273760d..37fde622c3 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 17ee6a72cd..a29cc91128 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lightdm profile lightdm @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 52302b7382..bd144b7e28 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/firewall-applet profile firewall-applet @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index b044f1974e..186e83e84a 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,7 +11,6 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 97f46e5517..295f59a5b8 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -12,7 +12,6 @@ include profile pulseaudio @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 319ebfd539..16382c86f5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -10,7 +10,6 @@ include profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 12e1ac3867..69588b942a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -10,7 +10,6 @@ include profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index f8bd54a9e2..e1595855be 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -13,7 +13,6 @@ include @{exec_path} += @{lib}/xorg/Xorg{,.wrap} profile xorg @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 9be57db646..04a7ec75a3 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/epiphany-search-provider profile epiphany-search-provider @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 203710c1dc..20fb65fafe 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -34,7 +34,6 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include # Only needed by gnome-extension-ding - include include include include diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 24c91f9030..9c46527989 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -10,7 +10,6 @@ include profile gnome-boxes @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index f74c3480a9..3bbe854744 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-calculator profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index f7bc417863..1be458a901 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-calendar profile gnome-calendar @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 1bda7289f5..ecd24aa996 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-characters /usr/share/org.gnome.Characters/org.gnome.Characters profile gnome-characters @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index a329f5be2c..3a7df96f01 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,7 +10,6 @@ include profile gnome-clocks @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index c654001664..90ed07096b 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-contacts profile gnome-contacts @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index c29f0fabaa..69bb8d915f 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -10,7 +10,6 @@ include profile gnome-contacts-search-provider @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c7d1ae03f2..23c1231859 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -11,7 +11,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index ebee0ca168..e8428c930c 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -10,7 +10,6 @@ include profile gnome-control-center-goa-helper @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index f8a09e1dbc..c43b4fc2f1 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 782173eded..acc85f442a 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -13,7 +13,6 @@ include profile gnome-extension-ding @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 41316ae8c2..1cf84db0e7 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -13,7 +13,6 @@ include profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index 706c16e877..87b76cb80b 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-firmware profile gnome-firmware @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index e070ae7aab..e21e2a752a 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -10,7 +10,6 @@ include profile gnome-initial-setup @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 8e9196708f..ccd52c22ce 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -10,7 +10,6 @@ include profile gnome-music @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 093c6ff5d5..bcb5b55a21 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-remote-desktop-daemon profile gnome-remote-desktop-daemon @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index eae7cce2ac..bdcba775c8 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index d303e9a412..163940f79f 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gnome-session-service profile gnome-session-service @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index cf6655e74c..2b8a046a56 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -13,7 +13,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 1cfac7b342..7adadb0809 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -10,7 +10,6 @@ include profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index b270772327..a31fa30a41 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 6fee553228..2b1aa8657e 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-text-editor profile gnome-text-editor @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index c262f7cb02..bb570bc133 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/goa-daemon profile goa-daemon @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 7b39b6bcbb..73e9822cf4 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 98b339c199..f5cd16fc33 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index dd93470fc7..0a747a72c0 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,7 +10,6 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 68b6496d30..57633c0c96 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,7 +10,6 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index eab603beda..a41eb9272a 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -10,7 +10,6 @@ include profile gsd-xsettings @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index f11dc42e1f..10343d0b8a 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/kgx profile kgx @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index bd40a2e638..6b1a7a5b09 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/localsearch @{lib}/localsearch-3 profile localsearch @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 783ed74b28..203691fed8 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index a0768f437a..ffe1d2661f 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 41daa09325..90f1e0dbaf 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 871be7331d..0ea4da6513 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,7 +10,6 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 69e4d4d55c..c87909a476 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/papers profile papers @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index fbc6b8269e..5fb2f145cb 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include - include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 9946290f7b..14dc39f923 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -11,7 +11,6 @@ profile seahorse @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/showtime b/apparmor.d/groups/gnome/showtime index 11aacbd3dd..dd1e7ca076 100644 --- a/apparmor.d/groups/gnome/showtime +++ b/apparmor.d/groups/gnome/showtime @@ -10,7 +10,6 @@ include profile showtime @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 143a0dd41c..753fe59de0 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/tracker-miner-fs-{,control-,rss-}3 profile tracker-miner @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 9f7333aaeb..2388d7cb9d 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -10,7 +10,6 @@ include profile yelp @{exec_path} flags=(attach_disconnected) { include include - include include # FIXME: In namespace> include include diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index b5e1b4ae8c..c1d1adfa1b 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -11,7 +11,6 @@ include profile DiscoverNotifier @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2de2d5fb92..8fd078bbea 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -11,7 +11,6 @@ profile dolphin @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 2511cf844b..73ce5a7464 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -12,7 +12,6 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 5baed5a792..01f85e9cd3 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -12,7 +12,6 @@ profile kded @{exec_path} { include #aa:only apt include include - include include include include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 3656ad45bf..2eb9478444 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -12,7 +12,6 @@ include profile kscreenlocker_greet @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 462e52ea5a..ed661ff896 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -12,7 +12,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 711da6e9d1..e356b46adb 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -12,7 +12,6 @@ include profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 4233dc518d..53875789da 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -11,7 +11,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 86a32c8f1f..68be87c689 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -11,7 +11,6 @@ profile kwin_x11 @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index 9cd74670d8..9835e65500 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -10,7 +10,6 @@ include profile plasma-browser-integration-host @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 3921c21266..75ef52cd6e 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -12,7 +12,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 11d73de696..ad5fc299e0 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -12,7 +12,6 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 7e82877cbc..1675840a7a 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -11,7 +11,6 @@ include profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 4bdba0b63b..e2e964989c 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,7 +11,6 @@ profile startplasma @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement index 4b96ccb361..a3da6c9a91 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-config-powermanagement profile lxqt-config-powermanagement @{exec_path} { include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index e7fe3697f8..96e83b2819 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -11,7 +11,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index c6b31fed44..b1e9fdd060 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -11,7 +11,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index c6d9cbf73d..31e4c14881 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,7 +11,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 00c5d87000..244230c200 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 6699a7116b..69cc4f519b 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -11,7 +11,6 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 0f88363269..8eb9d41c9d 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -10,7 +10,6 @@ include profile xfce-terminal @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 1b54e9512d..08dc7d850e 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,7 +10,6 @@ include profile xfsettingsd @{exec_path} { include include - include include include diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 0846fb8b27..2060184982 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/baobab profile baobab @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index c06b3b3b03..e6395875cd 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,7 +12,6 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index ad52acd7e5..083f648e49 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 213f7e30bb..edbb8c7541 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -10,7 +10,6 @@ include profile fractal @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 60505724b8..1b78ccc8c1 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/keepassxc profile keepassxc @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index efc3d45824..9e54844184 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 7f654e3244..d8f37e02ee 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -12,7 +12,6 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend index 94142ac8bf..810694a5ce 100644 --- a/apparmor.d/profiles-g-l/localsend +++ b/apparmor.d/profiles-g-l/localsend @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/localsend profile localsend @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index bece92ce89..ae9a284af0 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 729032ba0c..4ed45df5c0 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -11,7 +11,6 @@ profile remmina @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index 6eb46a22b6..e6d09785bc 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -10,7 +10,6 @@ include profile simple-scan @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index bdfbdd901d..f1c4d0da0d 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -10,7 +10,6 @@ include profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index ac77a534e0..9c7ed77c85 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -11,7 +11,6 @@ include @{exec_path} += /usr/share/system-config-printer/system-config-printer.py profile system-config-printer @{exec_path} flags=(complain) { include - include include include include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index e0b44d05e6..5600cac392 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,7 +10,6 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 2ff09da361..2187254621 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 4fc88f7eda..7a093bd1d5 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,7 +12,6 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include include include include From 7f5f1ff28d2debf1e9e4e93162f33a50dc47090d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 22:55:08 +0100 Subject: [PATCH 1185/1736] fix(profile): remove reference to abs to yet stable. --- apparmor.d/groups/gnome/localsearch | 2 +- apparmor.d/groups/umu/umu-run | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 6b1a7a5b09..dddefa3fbc 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -81,7 +81,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include + include include network (bind create getattr setopt getopt) netlink raw, diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run index cd473b8a6a..c7ae2011b8 100644 --- a/apparmor.d/groups/umu/umu-run +++ b/apparmor.d/groups/umu/umu-run @@ -25,7 +25,7 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { include include include - include + include network inet dgram, network inet stream, From 6ad48e631ec800b50d55760e807ab078cd51fea7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 23:07:27 +0100 Subject: [PATCH 1186/1736] fix(profile): keep compatibility with apparmor 4.0 Note: apparmor 4.0 will be deprecated soon. --- apparmor.d/groups/umu/umu-run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run index c7ae2011b8..bf10ad85b1 100644 --- a/apparmor.d/groups/umu/umu-run +++ b/apparmor.d/groups/umu/umu-run @@ -50,7 +50,7 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { @{runtime_dirs}/run ix, @{runtime_dirs}/pressure-vessel/bin/** rix, @{runtime_dirs}/pressure-vessel/@{lib}/** rmix, - priority=1 @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{d}/srt-bwrap Px -> umu-bwrap, + priority=1 @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{d}/srt-bwrap Px -> umu-bwrap, #aa:only apparmor>=4.1 /opt/cuda/targets/@{arch}-linux/lib/*.so mr, /opt/cuda/targets/@{arch}-linux/lib/*.so.* mr, From 58aabe9da3856c6f8dce92232fed1bfd62455761 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 23:39:36 +0100 Subject: [PATCH 1187/1736] feat(abs): mirnor improvements --- apparmor.d/abstractions/app/firefox | 1 + apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/gstreamer | 3 +++ apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/abstractions/lxqt | 2 +- apparmor.d/abstractions/vulkan-strict | 1 + apparmor.d/abstractions/wine | 2 ++ apparmor.d/abstractions/xfce | 2 +- 9 files changed, 12 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 5c35c307d8..7a6747a63b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -36,6 +36,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index a8e52c99ca..0adebd467c 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -14,8 +14,8 @@ include include include - include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 2639f0bb8e..2af4749287 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -10,8 +10,8 @@ include include include - include include + include include include include diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 93eb1dc4b3..4559415a9a 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -18,6 +18,9 @@ /etc/openni2/OpenNI.ini r, + /var/tmp/ r, + /tmp/ r, + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 9bc960bdd2..0f11fc098a 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -10,8 +10,8 @@ include include include - include include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 18cbeaae8d..0ae59842e3 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -9,8 +9,8 @@ include include include - include include + include include include include diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 1ad04157b7..3c8beb362d 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -20,6 +20,7 @@ owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w, + owner @{user_cache_dirs}/radv_builtin_shaders/index rw, owner @{user_share_dirs}/vulkan/ rw, owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw, diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 6289f0c94f..64f70fff54 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,6 +9,8 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, + owner @{user_cache_dirs}/wine/* r, + owner @{tmp}/.wine-@{uid}/ rw, owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/ rw, owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/lock rwk, diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 86d267686d..745abadc5e 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -10,8 +10,8 @@ include include include - include include + include include include include From 79fb7cfbd95c5077ec714ccc3a0732db8218d050 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 23:44:32 +0100 Subject: [PATCH 1188/1736] tests: abstractions also detect for misplaced abs. --- tests/check.sh | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tests/check.sh b/tests/check.sh index df79bcf8d5..de3b976365 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -186,6 +186,16 @@ declare -A ABS_DEPRECATED=( ["gnome"]="gnome-strict" ["kde"]="kde-strict" ) +declare -A ABS_AUTOMATIC=( + ["base-strict"]="base" + ["attached/base"]="base" + ["attached/consoles"]="consoles" + ["attached/nameservice-strict"]="nameservice-strict" + ["bus/accessibility/own"]="" + ["bus/session/own"]="" + ["bus/system/own"]="" +) + _check_abstractions() { _is_enabled abstractions || return 0 @@ -200,6 +210,17 @@ _check_abstractions() { _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done + for absname in "${!ABS_AUTOMATIC[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + msg="the '<$ABS/$absname>' abstraction" + if [[ -z "${ABS_AUTOMATIC[$absname]}" ]]; then + msg+=" is automatically included when needed and does not need to be used" + else + msg+=" should not be used directly, use '<$ABS/${ABS_AUTOMATIC[$absname]}>' instead" + fi + _err abstractions "$file:$line_number" "$msg" + fi + done if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" fi From 97e710d64a44c54181a9dfde8516cd737fab8f9d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 23:46:12 +0100 Subject: [PATCH 1189/1736] tests(packer): add tests images for ubuntu 26.04 --- .../ubuntu26.04-desktop.user-data.yml | 9 +++++++++ .../ubuntu26.04-kubuntu.user-data.yml | 10 ++++++++++ .../ubuntu26.04-server.user-data.yml | 8 ++++++++ .../cloud-init/ubuntu26.04-test.user-data.yml | 20 +++++++++++++++++++ tests/packer/variables.pkr.hcl | 2 +- 5 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 tests/cloud-init/ubuntu26.04-desktop.user-data.yml create mode 100644 tests/cloud-init/ubuntu26.04-kubuntu.user-data.yml create mode 100644 tests/cloud-init/ubuntu26.04-server.user-data.yml create mode 100644 tests/cloud-init/ubuntu26.04-test.user-data.yml diff --git a/tests/cloud-init/ubuntu26.04-desktop.user-data.yml b/tests/cloud-init/ubuntu26.04-desktop.user-data.yml new file mode 100644 index 0000000000..6ce097d2c1 --- /dev/null +++ b/tests/cloud-init/ubuntu26.04-desktop.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *desktop-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu26.04-kubuntu.user-data.yml b/tests/cloud-init/ubuntu26.04-kubuntu.user-data.yml new file mode 100644 index 0000000000..4f78d253e2 --- /dev/null +++ b/tests/cloud-init/ubuntu26.04-kubuntu.user-data.yml @@ -0,0 +1,10 @@ +#cloud-config + +packages: *kubuntu-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu26.04-server.user-data.yml b/tests/cloud-init/ubuntu26.04-server.user-data.yml new file mode 100644 index 0000000000..0a4e22ba50 --- /dev/null +++ b/tests/cloud-init/ubuntu26.04-server.user-data.yml @@ -0,0 +1,8 @@ +#cloud-config + +packages: *core-packages + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting diff --git a/tests/cloud-init/ubuntu26.04-test.user-data.yml b/tests/cloud-init/ubuntu26.04-test.user-data.yml new file mode 100644 index 0000000000..1d20baf79b --- /dev/null +++ b/tests/cloud-init/ubuntu26.04-test.user-data.yml @@ -0,0 +1,20 @@ +#cloud-config + +packages: + - apparmor-profiles + - apparmor-utils + - auditd + - debian-keyring + - htop + - libpam-apparmor + - qemu-guest-agent + - vim + +runcmd: + - /usr/bin/setup-testbed + - apt-get update + +write_files: + - *systemd-netword # Network configuration for server + - *disable-printk-ratelimit # Disable printk rate limiting + - *setup-testbed # Autopkgtest setup-testbed script diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 65b4780b7c..7c96c2c7d8 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -112,7 +112,7 @@ variable "DM" { img_checksum = "https://cloud-images.ubuntu.com/questing/current/SHA256SUMS" }, "ubuntu26.04" : { - img_url = "https://cloud-images.ubuntu.com/resolute/current/questing-server-cloudimg-amd64.img" + img_url = "https://cloud-images.ubuntu.com/resolute/current/resolute-server-cloudimg-amd64.img" img_checksum = "https://cloud-images.ubuntu.com/resolute/current/SHA256SUMS" }, "opensuse" : { From e1ec017ba9f5babbcd7ba5e186cd17a2d557e38f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 23:47:42 +0100 Subject: [PATCH 1190/1736] tests: move bootstrap tests cmd. --- tests/cmd/{ => bootstrap}/main.go | 0 tests/cmd/{ => bootstrap}/tests.go | 0 tests/cmd/{ => bootstrap}/tldr.go | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename tests/cmd/{ => bootstrap}/main.go (100%) rename tests/cmd/{ => bootstrap}/tests.go (100%) rename tests/cmd/{ => bootstrap}/tldr.go (100%) diff --git a/tests/cmd/main.go b/tests/cmd/bootstrap/main.go similarity index 100% rename from tests/cmd/main.go rename to tests/cmd/bootstrap/main.go diff --git a/tests/cmd/tests.go b/tests/cmd/bootstrap/tests.go similarity index 100% rename from tests/cmd/tests.go rename to tests/cmd/bootstrap/tests.go diff --git a/tests/cmd/tldr.go b/tests/cmd/bootstrap/tldr.go similarity index 100% rename from tests/cmd/tldr.go rename to tests/cmd/bootstrap/tldr.go From b5821b08fc87f8be830635f83f82fdce9679e633 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 23:49:11 +0100 Subject: [PATCH 1191/1736] chore: update gitignore and gitlab ci. --- .gitignore | 3 ++- .gitlab-ci.yml | 6 ------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index e7519a2946..d7ec4098f4 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ .build .logs .pkg +.tree .snapd /snap snapd.backup @@ -19,11 +20,11 @@ site *.deb *.buildinfo *.changes -debian/hardened debian/.debhelper debian/*.debhelper # Debian build packages +debian/apparmor.d.*/ debian/apparmor.d.displace debian/apparmor.d.substvars debian/apparmor.d/ diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2ecc60425b..28c81e4c13 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,8 +1,5 @@ --- -include: - - template: Security/SAST.gitlab-ci.yml - variables: PKGDEST: $CI_PROJECT_DIR/.pkg PACKAGER: 'Alexandre Pujol ' @@ -42,9 +39,6 @@ packer: - packer fmt tests/packer/ - packer validate --syntax-only tests/packer/ -sast: - stage: lint - # Code test # --------- From b8e736df73a1c9cb84bfcbb2b8590b01e0271271 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 23:51:35 +0100 Subject: [PATCH 1192/1736] doc: update man page for aa-log. --- share/man/man8/aa-log.8 | 23 +++++++++++++++++++++-- share/man/man8/aa-log.md | 22 +++++++++++++++++++++- 2 files changed, 42 insertions(+), 3 deletions(-) diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 index 62f40966e9..64a9f17a24 100644 --- a/share/man/man8/aa-log.8 +++ b/share/man/man8/aa-log.8 @@ -1,6 +1,6 @@ -.\" Automatically generated by Pandoc 3.1.12.1 +.\" Automatically generated by Pandoc 3.5 .\" -.TH "aa\-log" "8" "September 2024" "" "" +.TH "aa\-log" "8" "December 2025" "" .SH NAME aa\-log \[em] Review AppArmor generated messages in a colorful way. .SH SYNOPSIS @@ -20,6 +20,11 @@ profile. Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: \f[B]aa\-log \-f 1\f[R] parses \f[CR]audit.log.1\f[R] +.PP +Use \f[CR]aa\-log \-f \-\f[R] to read from standard input. +.PP +Logs written with \f[CR]aa\-log\f[R] can be read again with +\f[CR]aa\-log \-l\f[R]. .SH OPTIONS \f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .TP @@ -33,6 +38,9 @@ Set a logfile or a suffix to the default log file. Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. .TP +\f[CR]\-\-namespace\f[R], \f[CR]\-n\f[R] +Filter the log to the specified AppArmor namespace. +.TP \f[CR]\-\-rules\f[R], \f[CR]\-r\f[R] Convert the log into AppArmor rules. .TP @@ -40,6 +48,17 @@ Convert the log into AppArmor rules. Print the raw log without any formatting. Useful for reporting logs. .TP +\f[CR]\-\-since\f[R], \f[CR]\-S\f[R] +Show entries not older than the specified date. +It currently only supports log from journalctl (with +\f[CR]\-\-systemd\f[R]) +.TP +\f[CR]\-\-boot\f[R], \f[CR]\-b\f[R] +Show entries from the specified boot ID. +.TP +\f[CR]\-\-load\f[R], \f[CR]\-l\f[R] +Load logs from the default \f[CR]aa\-log\f[R] output. +.TP \f[CR]\-\-help\f[R], \f[CR]\-h\f[R] Print the program usage. .SH USAGE diff --git a/share/man/man8/aa-log.md b/share/man/man8/aa-log.md index 0b7fe8afa4..81b2039f8d 100644 --- a/share/man/man8/aa-log.md +++ b/share/man/man8/aa-log.md @@ -1,6 +1,6 @@ % aa-log(8) % aa-log was written by Alexandre Pujol (alexandre@pujol.io) -% September 2024 +% December 2025 # NAME @@ -20,6 +20,10 @@ It can be used to generate AppArmor rules from the logs and it therefore an alte Default logs are read from `/var/log/audit/audit.log`. Other files in `/var/log/audit/` can easily be checked: **aa-log -f 1** parses `audit.log.1` +Use `aa-log -f -` to read from standard input. + +Logs written with `aa-log` can be read again with `aa-log -l`. + # OPTIONS **aa-log** [*options…*] [*profile*] @@ -36,6 +40,10 @@ Default logs are read from `/var/log/audit/audit.log`. Other files in `/var/log/ : Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. +`--namespace`, `-n` + +: Filter the log to the specified AppArmor namespace. + `--rules`, `-r` : Convert the log into AppArmor rules. @@ -44,6 +52,18 @@ Default logs are read from `/var/log/audit/audit.log`. Other files in `/var/log/ : Print the raw log without any formatting. Useful for reporting logs. +`--since`, `-S` + +: Show entries not older than the specified date. It currently only supports log from journalctl (with `--systemd`) + +`--boot`, `-b` + +: Show entries from the specified boot ID. + +`--load`, `-l` + +: Load logs from the default `aa-log` output. + `--help`, `-h` : Print the program usage. From 044a33f2585fcb015356e2b1d29062817556bca7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 17 Dec 2025 23:53:53 +0100 Subject: [PATCH 1193/1736] build: update dist files. --- dists/flags/main.flags | 8 +++----- dists/flags/ubuntu.flags | 2 +- dists/ignore/main.ignore | 1 + 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9fb66518ac..0f9d644704 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -159,8 +159,8 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain -gvfsd-dav complain -gvfsd-wsdd complain +gvfsd-dav attach_disconnected,complain +gvfsd-wsdd attach_disconnected,complain hostnamectl complain hyprctl attach_disconnected,complain hyprlock attach_disconnected,complain @@ -170,7 +170,6 @@ hyprpm complain ibus-engine-table complain ibus-memconf attach_disconnected,complain im-launch complain -install-info complain iwctl complain iwd complain kaccess complain @@ -222,7 +221,7 @@ linux-check-removal complain linux-update-symlinks complain locale-gen complain localectl attach_disconnected,complain -localsearch complain +localsearch attach_disconnected,complain localsearch-control complain localsearch-writeback complain login attach_disconnected,complain @@ -359,7 +358,6 @@ systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator attach_disconnected,complain systemd-portabled complain -systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain systemd-udevd attach_disconnected,complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 125575ce19..2374988d59 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -17,7 +17,7 @@ notify-reboot-required complain package-data-downloader complain package-system-locked attach_disconnected,complain release-upgrade-motd complain -software-properties-gtk complain +software-properties-gtk attach_disconnected,complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 0665edf85f..de1049f9ca 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -10,5 +10,6 @@ man # Work in progress profiles apparmor.d/groups/steam +apparmor.d/groups/cosmic dunst plasma-discover From a614cf52b1224756412ce77beac561e31ecc29cf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 18 Dec 2025 00:17:00 +0100 Subject: [PATCH 1194/1736] fix(profile): linter issue. --- apparmor.d/groups/gnome/gnome-shell | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 2b8a046a56..8f9d127dc8 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -172,8 +172,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member={Start,End} peer=(name=@{busname}), - # Needed as a dbus server to administrate the mpris interface - include + include #aa:lint ignore=abstractions dbus send bus=system path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,RequestName,ReleaseName} From 1fd353a27cfba64e92066695b7ab72b51caa623a Mon Sep 17 00:00:00 2001 From: nobody43 Date: Wed, 17 Dec 2025 23:26:33 +0000 Subject: [PATCH 1195/1736] fixes --- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/profiles-g-l/goxray_cli | 2 +- apparmor.d/profiles-m-r/rustdesk | 6 +++--- apparmor.d/profiles-m-r/rustdesk_polkit | 17 ----------------- apparmor.d/profiles-m-r/rustdesk_startwm | 17 ----------------- apparmor.d/profiles-s-z/telegram-desktop | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 -- apparmor.d/profiles-s-z/xray | 1 - dists/flags/main.flags | 2 -- 9 files changed, 6 insertions(+), 45 deletions(-) delete mode 100644 apparmor.d/profiles-m-r/rustdesk_polkit delete mode 100644 apparmor.d/profiles-m-r/rustdesk_startwm diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 4fd5ad1120..a18b124ada 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -89,7 +89,7 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rwk, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.@{rand6} rwl -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwl -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kdeglobals.@{rand6} l -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kdeglobals.lock k, owner @{user_config_dirs}/kiorc l -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-g-l/goxray_cli b/apparmor.d/profiles-g-l/goxray_cli index f2026dc502..fa8e1ad8f1 100644 --- a/apparmor.d/profiles-g-l/goxray_cli +++ b/apparmor.d/profiles-g-l/goxray_cli @@ -5,7 +5,7 @@ abi , include -@{exec_path} = @{bin}/goxray_cli @{bin}/goxray_cli_linux_amd64 @{bin}/goxray_cli_linux_arm64 +@{exec_path} = @{bin}/goxray_cli @{bin}/goxray_cli_linux_@{arch} profile goxray_cli @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 79327ec55d..84f5bd0cdd 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -8,7 +8,7 @@ include @{exec_path} = @{bin}/rustdesk /usr/share/rustdesk/rustdesk profile rustdesk @{exec_path} { - include + include include include include @@ -75,7 +75,7 @@ profile rustdesk @{exec_path} { signal (receive) set=(kill, term) peer=rustdesk_shell, profile sudo { - include + include include capability kill, @@ -90,7 +90,7 @@ profile rustdesk @{exec_path} { } profile rustdesk_shell { - include + include include capability dac_override, diff --git a/apparmor.d/profiles-m-r/rustdesk_polkit b/apparmor.d/profiles-m-r/rustdesk_polkit deleted file mode 100644 index a176c7a5ee..0000000000 --- a/apparmor.d/profiles-m-r/rustdesk_polkit +++ /dev/null @@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/rustdesk/files/polkit -profile rustdesk_polkit @{exec_path} { - include - - @{exec_path} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk_startwm b/apparmor.d/profiles-m-r/rustdesk_startwm deleted file mode 100644 index 18435f3bd5..0000000000 --- a/apparmor.d/profiles-m-r/rustdesk_startwm +++ /dev/null @@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/rustdesk/startwm.sh -profile rustdesk_startwm @{exec_path} { - include - - @{exec_path} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index 7a68e73e72..53eb1c6c28 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram /opt/Telegram/Telegram profile telegram-desktop @{exec_path} { - include + include include include include diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index ec88c2ded0..2a6a941198 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -27,8 +27,6 @@ profile unix-chkpwd @{exec_path} { @{run}/host/userdb/*.user r, @{run}/host/userdb/*.user-privileged r, - owner @{PROC}/@{pid}/status r, - owner /dev/tty@{u8} rw, include if exists diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray index 1803bb4c1d..c935eb9f04 100644 --- a/apparmor.d/profiles-s-z/xray +++ b/apparmor.d/profiles-s-z/xray @@ -11,7 +11,6 @@ profile xray @{exec_path} flags=(attach_disconnected) { include include include - include include network inet dgram, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d6f4cb05ca..b3ff980611 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -279,8 +279,6 @@ remmina attach_disconnected,complain run-parts complain runuser complain rustdesk complain -rustdesk_polkit complain -rustdesk_startwm complain sdcv complain sddm attach_disconnected,mediate_deleted,complain sddm-greeter attach_disconnected,mediate_deleted,complain From 304702df0a0d7e2124db5c84bb1c0d493b19f26b Mon Sep 17 00:00:00 2001 From: nobody43 Date: Wed, 17 Dec 2025 23:38:32 +0000 Subject: [PATCH 1196/1736] tails --- apparmor.d/groups/kde/dolphin | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index a18b124ada..8409b6c2fe 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -79,17 +79,16 @@ profile dolphin @{exec_path} { deny /tmp/.*/{,**} rw, owner @{user_state_dirs}/#@{int} rwk, - owner @{user_state_dirs}/dolphinstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/dolphinstaterc{,.@{rand6}} rwl -> @{user_state_dirs}/#@{int}, owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rwk, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwl -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/kdeglobals.@{rand6} l -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kdeglobals.lock k, owner @{user_config_dirs}/kiorc l -> @{user_config_dirs}/#@{int}, @@ -111,7 +110,7 @@ profile dolphin @{exec_path} { owner @{tmp}/#@{int} rwk, owner @{tmp}/dolphin.@{rand6} rwl -> @{tmp}/#@{int}, owner @{tmp}/dolphin.@{rand6}.@{rand6} l -> @{tmp}/#@{int}, - owner @{tmp}/dolphin.@{rand6}.lock k, + owner @{tmp}/dolphin.@{rand6}.lock rwk, @{run}/issue r, @{run}/mount/utab r, From d233ae005eb9ffc875e290148c13317b8add5206 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Thu, 18 Dec 2025 02:15:12 +0000 Subject: [PATCH 1197/1736] assumptions --- apparmor.d/groups/kde/systemsettings | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index f4e8370850..91a0f9d136 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -82,8 +82,7 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, owner @{user_cache_dirs}/kinfocenter/{,**} rwlk, - owner @{user_cache_dirs}/ksvg-elements rw, - owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksvg-elements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements r, @@ -96,8 +95,7 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/{P,p}lasma* r, owner @{user_config_dirs}/plasma-workspace/env/ r, owner @{user_config_dirs}/plasma-workspace/shutdown/ r, - owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/powerdevilrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/powerdevilrc.lock rwk, owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, owner @{user_config_dirs}/emaildefaults r, @@ -108,14 +106,11 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/kdeglobals w, - owner @{user_config_dirs}/kdeglobals.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/ksmserverrc w, - owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/kwinrc w, - owner @{user_config_dirs}/kwinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/kdedefaults/ksplashrc.lock rwk, @@ -124,8 +119,8 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, - owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_share_dirs}/baloo/index r, owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, @@ -141,8 +136,7 @@ profile systemsettings @{exec_path} { owner @{user_share_dirs}/wallpapers/{,**} r, owner @{user_state_dirs}/#@{int} rwk, - owner @{user_state_dirs}/systemsettingsstaterc rw, - owner @{user_state_dirs}/systemsettingsstaterc.@{rand6} rwlk, + owner @{user_state_dirs}/systemsettingsstaterc{,.@{rand6}} rwlk, owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk, @{run}/mount/utab r, From 54e107fd846720783775220ef8ec7aea99020f55 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Fri, 19 Dec 2025 06:02:39 +0100 Subject: [PATCH 1198/1736] umu-run: allow mapping from proton runner ALLOWED umu-run file_mmap owner @{user_share_dirs}/Steam/compatibilitytools.d/proton-EM-10.0-32/files/lib/wine/@{arch}-windows/ia2comproxy.dll comm=ModManager.exe requested_mask=m denied_mask=m ALLOWED umu-run file_mmap owner @{user_share_dirs}/Steam/compatibilitytools.d/proton-EM-10.0-32/files/lib/wine/@{arch}-windows/msimg32.dll comm=ModManager.exe requested_mask=m denied_mask=m --- apparmor.d/groups/umu/umu-run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run index bf10ad85b1..ab05d143b7 100644 --- a/apparmor.d/groups/umu/umu-run +++ b/apparmor.d/groups/umu/umu-run @@ -64,7 +64,7 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { owner @{wineprefix_dirs}/** w, owner @{steam_lib_dirs}/{,*} rw, - owner @{steam_share_dirs}/compatibilitytools.d/{,**} rw, + owner @{steam_share_dirs}/compatibilitytools.d/{,**} rwm, owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{share_dirs}/**, From 8c054de079d1d764b0138347fc5d6d5e8f2d22bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 20:39:26 +0100 Subject: [PATCH 1199/1736] feat(abs): add sys/gpumon --- apparmor.d/abstractions/sys/gpu-info | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 apparmor.d/abstractions/sys/gpu-info diff --git a/apparmor.d/abstractions/sys/gpu-info b/apparmor.d/abstractions/sys/gpu-info new file mode 100644 index 0000000000..67d576f462 --- /dev/null +++ b/apparmor.d/abstractions/sys/gpu-info @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# GPU Power/Thermal Controls and Monitoring +# +# See: +# - https://www.kernel.org/doc/html/latest/gpu/amdgpu/thermal.html +# - https://www.kernel.org/doc/html/latest/gpu/amdgpu/driver-misc.html#gpu-memory-usage-information + + abi , + + @{sys}/devices/@{pci}/gpu_busy_percent r, + @{sys}/devices/@{pci}/mem_info_gtt_total r, + @{sys}/devices/@{pci}/mem_info_gtt_used r, + @{sys}/devices/@{pci}/mem_info_vis_vram_total r, + @{sys}/devices/@{pci}/mem_info_vis_vram_used r, + @{sys}/devices/@{pci}/mem_info_vram_total r, + @{sys}/devices/@{pci}/mem_info_vram_used r, + + # hwmon interfaces for GPU clocks: + @{sys}/devices/**/hwmon@{int}/freq@{int}_input r, + + include if exists + +# vim:syntax=apparmor From c6e21c779d18dd0868389c6ced85e8677efc2ae3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 20:48:35 +0100 Subject: [PATCH 1200/1736] fix(profile): umu: various fixes. fix #964 --- apparmor.d/abstractions/common/game | 5 +++-- apparmor.d/abstractions/wine | 8 ++++---- apparmor.d/groups/umu/umu-run | 2 ++ 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 0bd55b78b6..395fe78280 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -25,13 +25,14 @@ include include include + include include include include include + include include include - include /var/ r, /var/lib/ r, @@ -57,7 +58,7 @@ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, + owner @{tmp}/CASESENSITIVETEST@{hex32} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner /dev/shm/mono.@{int} rw, diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 64f70fff54..6d93f70d33 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -12,10 +12,10 @@ owner @{user_cache_dirs}/wine/* r, owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/ rw, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/lock rwk, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/socket rw, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex6}/tmpmap-@{hex8} mrw, + owner @{tmp}/.wine-@{uid}/server-*/ rw, + owner @{tmp}/.wine-@{uid}/server-*/lock rwk, + owner @{tmp}/.wine-@{uid}/server-*/socket rw, + owner @{tmp}/.wine-@{uid}/server-*/tmpmap-@{hex8} mrw, owner @{tmp}/protonfixes_test.log w, owner /dev/shm/wine-@{hex6}-fsync rw, diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run index ab05d143b7..435d62333f 100644 --- a/apparmor.d/groups/umu/umu-run +++ b/apparmor.d/groups/umu/umu-run @@ -26,6 +26,7 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet stream, @@ -48,6 +49,7 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { @{runtime_dirs}/umu ix, @{runtime_dirs}/run ix, + @{runtime_dirs}/*entry-point ix, @{runtime_dirs}/pressure-vessel/bin/** rix, @{runtime_dirs}/pressure-vessel/@{lib}/** rmix, priority=1 @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{d}/srt-bwrap Px -> umu-bwrap, #aa:only apparmor>=4.1 From 90dd5d6459ec430c13441d4a64d8e56e4f211ee3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 20:50:10 +0100 Subject: [PATCH 1201/1736] fix(tunable): add back pci_bus removed too early for apparmor 4.1 fix #962 --- apparmor.d/tunables/multiarch.d/system | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index b7d39d05eb..2815eadb50 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -61,6 +61,7 @@ # Shortcut for PCI device @{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h} +@{pci_bus}=pci@{hex4}:@{hex2} @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges From df13869854a591bb98d4f004330993fb5c89bb56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 20:56:18 +0100 Subject: [PATCH 1202/1736] fix: move newlly create gpumon abs. --- apparmor.d/abstractions/graphics-full | 6 +----- apparmor.d/abstractions/sys/{gpu-info => gpumon} | 0 2 files changed, 1 insertion(+), 5 deletions(-) rename apparmor.d/abstractions/sys/{gpu-info => gpumon} (100%) diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index ce00659752..6e635c922d 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -8,11 +8,7 @@ include include - @{sys}/devices/@{pci}/gpu_busy_percent r, - @{sys}/devices/@{pci}/mem_info_gtt_total r, - @{sys}/devices/@{pci}/mem_info_gtt_used r, - @{sys}/devices/@{pci}/mem_info_vram_total r, - @{sys}/devices/@{pci}/mem_info_vram_used r, + include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/abstractions/sys/gpu-info b/apparmor.d/abstractions/sys/gpumon similarity index 100% rename from apparmor.d/abstractions/sys/gpu-info rename to apparmor.d/abstractions/sys/gpumon From 08242f6a9b1115037fd44213bec0138d52d04b79 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 21:07:32 +0100 Subject: [PATCH 1203/1736] ci: disabling build on ubuntu 24.04 as ubuntu package with upstreamed vars keeps breaking apparmor.d Warning: at this rate, ubuntu support is going to be dropped. --- .github/workflows/main.yml | 196 ++++++++++++++++++------------------- .gitlab-ci.yml | 2 +- 2 files changed, 99 insertions(+), 99 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 90b709a31a..f89972de78 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -49,101 +49,101 @@ jobs: fi bash dists/build.sh dpkg - - name: Install apparmor.d - run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true - - - name: Reload AppArmor - run: | - if ! sudo systemctl restart apparmor.service; then - sudo journalctl -xeu apparmor.service - exit 1 - fi - - - name: Show AppArmor log and rules - run: | - sudo aa-log - sudo aa-log -s - sudo aa-log -r - - - name: Show Number of loaded profile - run: sudo aa-status --profiled - - - name: Cache the build package - if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04' - uses: actions/cache/save@v4 - with: - path: .pkg/apparmor.d_*_amd64.deb - key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} - - tests: - runs-on: ubuntu-24.04 - needs: build - if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Restore the cached build package - uses: actions/cache/restore@v4 - with: - fail-on-cache-miss: true - path: .pkg/apparmor.d_*_amd64.deb - key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} - restore-keys: | - ubuntu-24.04-default- - - - name: Install Tests dependencies - run: | - sudo apt-get update -q - sudo apt-get install -y \ - apparmor-profiles apparmor-utils \ - bats bats-support - pipx install rust-just - echo "$HOME/.local/bin" >> $GITHUB_PATH - - - name: Install apparmor.d - run: | - sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true - sudo systemctl restart apparmor.service - sudo systemctl daemon-reload - systemctl --user daemon-reload - - - name: Restart some services to ensure they are confined - run: | - services=( - containerd cron - dbus docker - ModemManager multipathd - networkd-dispatcher - packagekit polkit - snapd - systemd-journald systemd-hostnamed systemd-logind systemd-networkd - systemd-resolved systemd-udevd - udisks2 - ) - sudo systemctl daemon-reload - for service in "${services[@]}"; do - sudo systemctl restart "$service" || systemctl status "$service.service" || true - done - systemctl restart --user dbus || systemctl status --user "dbus.service" || true - sudo ps auxZ | grep -v '\[.*\]' - sudo aa-log -s --raw - - - name: Install integration dependencies - run: | - just init - find /usr/sbin/ -type f - - - name: Run the integration tests - run: | - just integration - - - name: Show final AppArmor logs - if: always() - run: | - sudo aa-log -s --raw - - - name: Show final processes security context - if: always() - run: | - sudo ps auxZ | grep -v '\[.*\]' + # - name: Install apparmor.d + # run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true + + # - name: Reload AppArmor + # run: | + # if ! sudo systemctl restart apparmor.service; then + # sudo journalctl -xeu apparmor.service + # exit 1 + # fi + + # - name: Show AppArmor log and rules + # run: | + # sudo aa-log + # sudo aa-log -s + # sudo aa-log -r + + # - name: Show Number of loaded profile + # run: sudo aa-status --profiled + + # - name: Cache the build package + # if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04' + # uses: actions/cache/save@v4 + # with: + # path: .pkg/apparmor.d_*_amd64.deb + # key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} + + # tests: + # runs-on: ubuntu-24.04 + # needs: build + # if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' + # steps: + # - name: Check out repository code + # uses: actions/checkout@v4 + + # - name: Restore the cached build package + # uses: actions/cache/restore@v4 + # with: + # fail-on-cache-miss: true + # path: .pkg/apparmor.d_*_amd64.deb + # key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} + # restore-keys: | + # ubuntu-24.04-default- + + # - name: Install Tests dependencies + # run: | + # sudo apt-get update -q + # sudo apt-get install -y \ + # apparmor-profiles apparmor-utils \ + # bats bats-support + # pipx install rust-just + # echo "$HOME/.local/bin" >> $GITHUB_PATH + + # - name: Install apparmor.d + # run: | + # sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true + # sudo systemctl restart apparmor.service + # sudo systemctl daemon-reload + # systemctl --user daemon-reload + + # - name: Restart some services to ensure they are confined + # run: | + # services=( + # containerd cron + # dbus docker + # ModemManager multipathd + # networkd-dispatcher + # packagekit polkit + # snapd + # systemd-journald systemd-hostnamed systemd-logind systemd-networkd + # systemd-resolved systemd-udevd + # udisks2 + # ) + # sudo systemctl daemon-reload + # for service in "${services[@]}"; do + # sudo systemctl restart "$service" || systemctl status "$service.service" || true + # done + # systemctl restart --user dbus || systemctl status --user "dbus.service" || true + # sudo ps auxZ | grep -v '\[.*\]' + # sudo aa-log -s --raw + + # - name: Install integration dependencies + # run: | + # just init + # find /usr/sbin/ -type f + + # - name: Run the integration tests + # run: | + # just integration + + # - name: Show final AppArmor logs + # if: always() + # run: | + # sudo aa-log -s --raw + + # - name: Show final processes security context + # if: always() + # run: | + # sudo ps auxZ | grep -v '\[.*\]' diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 28c81e4c13..aa95a9d307 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -90,7 +90,7 @@ debian: paths: - $PKGDEST/*.deb -ubuntu: +.ubuntu: stage: build image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 variables: From 422c54f0c3600c9e937373f8f36fb4b6c2e34099 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 21:10:22 +0100 Subject: [PATCH 1204/1736] fix(profile): polkit-agent-helper set nnp flag. --- apparmor.d/groups/polkit/polkit-agent-helper | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 37b4ad1a08..46f068d95b 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -45,6 +45,9 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + #aa:only apparmor>=4.1 + priority=1 @{sbin}/unix_chkpwd Px -> &unix-chkpwd, + owner @{HOME}/.xsession-errors w, @{run}/faillock/@{user} rwk, From 4d76b675dac124cd8ff3519d0a463e24e07cf929 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 21:21:06 +0100 Subject: [PATCH 1205/1736] build: try to enable build on ubuntu 24 back again. --- .github/workflows/main.yml | 201 ++++++++++++------------- apparmor.d/tunables/multiarch.d/system | 2 +- 2 files changed, 99 insertions(+), 104 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f89972de78..028b03695c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -26,8 +26,6 @@ jobs: include: - os: ubuntu-24.04 mode: default - - os: ubuntu-24.04 - mode: full-system-policy steps: - name: Check out repository code uses: actions/checkout@v4 @@ -44,106 +42,103 @@ jobs: - name: Build the apparmor.d package run: | - if [[ ${{ matrix.mode }} == full-system-policy ]]; then - sed -e "s/just complain/just fsp-complain/" -i debian/rules - fi bash dists/build.sh dpkg - # - name: Install apparmor.d - # run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true - - # - name: Reload AppArmor - # run: | - # if ! sudo systemctl restart apparmor.service; then - # sudo journalctl -xeu apparmor.service - # exit 1 - # fi - - # - name: Show AppArmor log and rules - # run: | - # sudo aa-log - # sudo aa-log -s - # sudo aa-log -r - - # - name: Show Number of loaded profile - # run: sudo aa-status --profiled - - # - name: Cache the build package - # if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04' - # uses: actions/cache/save@v4 - # with: - # path: .pkg/apparmor.d_*_amd64.deb - # key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} - - # tests: - # runs-on: ubuntu-24.04 - # needs: build - # if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' - # steps: - # - name: Check out repository code - # uses: actions/checkout@v4 - - # - name: Restore the cached build package - # uses: actions/cache/restore@v4 - # with: - # fail-on-cache-miss: true - # path: .pkg/apparmor.d_*_amd64.deb - # key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} - # restore-keys: | - # ubuntu-24.04-default- - - # - name: Install Tests dependencies - # run: | - # sudo apt-get update -q - # sudo apt-get install -y \ - # apparmor-profiles apparmor-utils \ - # bats bats-support - # pipx install rust-just - # echo "$HOME/.local/bin" >> $GITHUB_PATH - - # - name: Install apparmor.d - # run: | - # sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true - # sudo systemctl restart apparmor.service - # sudo systemctl daemon-reload - # systemctl --user daemon-reload - - # - name: Restart some services to ensure they are confined - # run: | - # services=( - # containerd cron - # dbus docker - # ModemManager multipathd - # networkd-dispatcher - # packagekit polkit - # snapd - # systemd-journald systemd-hostnamed systemd-logind systemd-networkd - # systemd-resolved systemd-udevd - # udisks2 - # ) - # sudo systemctl daemon-reload - # for service in "${services[@]}"; do - # sudo systemctl restart "$service" || systemctl status "$service.service" || true - # done - # systemctl restart --user dbus || systemctl status --user "dbus.service" || true - # sudo ps auxZ | grep -v '\[.*\]' - # sudo aa-log -s --raw - - # - name: Install integration dependencies - # run: | - # just init - # find /usr/sbin/ -type f - - # - name: Run the integration tests - # run: | - # just integration - - # - name: Show final AppArmor logs - # if: always() - # run: | - # sudo aa-log -s --raw - - # - name: Show final processes security context - # if: always() - # run: | - # sudo ps auxZ | grep -v '\[.*\]' + - name: Install apparmor.d + run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true + + - name: Reload AppArmor + run: | + if ! sudo systemctl restart apparmor.service; then + sudo journalctl -xeu apparmor.service + exit 1 + fi + + - name: Show AppArmor log and rules + run: | + sudo aa-log + sudo aa-log -s + sudo aa-log -r + + - name: Show Number of loaded profile + run: sudo aa-status --profiled + + - name: Cache the build package + if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04' + uses: actions/cache/save@v4 + with: + path: .pkg/apparmor.d_*_amd64.deb + key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} + + tests: + runs-on: ubuntu-24.04 + needs: build + if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' + steps: + - name: Check out repository code + uses: actions/checkout@v4 + + - name: Restore the cached build package + uses: actions/cache/restore@v4 + with: + fail-on-cache-miss: true + path: .pkg/apparmor.d_*_amd64.deb + key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} + restore-keys: | + ubuntu-24.04-default- + + - name: Install Tests dependencies + run: | + sudo apt-get update -q + sudo apt-get install -y \ + apparmor-profiles apparmor-utils \ + bats bats-support + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Install apparmor.d + run: | + sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true + sudo systemctl restart apparmor.service + sudo systemctl daemon-reload + systemctl --user daemon-reload + + - name: Restart some services to ensure they are confined + run: | + services=( + containerd cron + dbus docker + ModemManager multipathd + networkd-dispatcher + packagekit polkit + snapd + systemd-journald systemd-hostnamed systemd-logind systemd-networkd + systemd-resolved systemd-udevd + udisks2 + ) + sudo systemctl daemon-reload + for service in "${services[@]}"; do + sudo systemctl restart "$service" || systemctl status "$service.service" || true + done + systemctl restart --user dbus || systemctl status --user "dbus.service" || true + sudo ps auxZ | grep -v '\[.*\]' + sudo aa-log -s --raw + + - name: Install integration dependencies + run: | + just init + find /usr/sbin/ -type f + + - name: Run the integration tests + run: | + just integration + + - name: Show final AppArmor logs + if: always() + run: | + sudo aa-log -s --raw + + - name: Show final processes security context + if: always() + run: | + sudo ps auxZ | grep -v '\[.*\]' diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 2815eadb50..47651e12b1 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -61,7 +61,7 @@ # Shortcut for PCI device @{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h} -@{pci_bus}=pci@{hex4}:@{hex2} +@{pci_bus}=pci@{hex4}:@{hex2} #aa:exclude ubuntu @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges From 24cbb9e0437484627e8d05251022a294181cedab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 21:34:39 +0100 Subject: [PATCH 1206/1736] fix(ci): enable again ubuntu jobs. --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index aa95a9d307..28c81e4c13 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -90,7 +90,7 @@ debian: paths: - $PKGDEST/*.deb -.ubuntu: +ubuntu: stage: build image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 variables: From 03387e6580e0fa9c77694650a39fb291f5cefcd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 21:49:51 +0100 Subject: [PATCH 1207/1736] fix(profile): umu: ensure hosts fonts are available from the container. --- apparmor.d/abstractions/app/umu | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/abstractions/app/umu b/apparmor.d/abstractions/app/umu index e09dc8b42b..6f813eb8eb 100644 --- a/apparmor.d/abstractions/app/umu +++ b/apparmor.d/abstractions/app/umu @@ -107,9 +107,16 @@ owner @{tmp}/pressure-vessel-libs-@{rand6}/{,**} rwlk, owner @{tmp}/pressure-vessel-locales-@{rand6}/{,**} rwlk, + @{run}/host/fonts-cache/{,**} r, @{run}/host/fonts/{,**} r, + @{run}/host/local-fonts/{,**} r, @{run}/host/share/{,**} r, + @{run}/host/share/icons/{,**} r, + @{run}/host/user-share/icons/{,**} r, @{run}/host/usr/{,**} r, + owner @{run}/host/font-dirs.xml r, + owner @{run}/host/user-fonts-cache/@{hex32}-le{32,64}.cache-@{int} r, + owner @{run}/host/user-fonts/{,**} r, owner @{run}/pressure-vessel/{,**} r, @{sys}/devices/**/net/*/carrier r, From 3ee79657f588d090b47152e14c0706822cb49df5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 21:51:06 +0100 Subject: [PATCH 1208/1736] feat(abs): update dbus rules. --- .../abstractions/bus/session/org.freedesktop.portal.Desktop | 5 +++++ apparmor.d/abstractions/bus/session/org.gnome.SessionManager | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop index 557aacd183..7b1cae94a2 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop @@ -73,6 +73,11 @@ member=Close peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop/request/** + interface=org.freedesktop.portal.Request + member=Close + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager index f212c9b14e..41f73591f1 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -22,7 +22,7 @@ dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager - member=SessionRunning + member={SessionRunning,SessionOver} peer=(name=@{busname}, label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager From 6fefc325de26bb6d2ea524c9219c2c5a5e814924 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 21:52:05 +0100 Subject: [PATCH 1209/1736] fix(abs): electron: new tmp paths. --- apparmor.d/abstractions/common/electron | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index d6d1986b3d..060c5866fc 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -51,6 +51,8 @@ owner @{user_config_dirs}/electron-flags.conf r, + owner @{tmp}/.@{domain}.chrome_*.@{rand6}/{,**} rw, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/fs/cgroup/user.slice/cpu.max r, From 73459683b7456a476a9851297f0071105bc5b43e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 22:02:06 +0100 Subject: [PATCH 1210/1736] feat(profile): ensure pacman can communicate with its hooks. It must be allowed globally as any programs can be handled by pacman as part of the update process. If denied, the pacman hooks/install/update script will fail and possibly fully break the system. Generalise 5c673ef --- apparmor.d/abstractions/base-strict | 4 ++++ apparmor.d/groups/apparmor/apparmor_parser | 2 -- apparmor.d/groups/freedesktop/fc-cache | 2 -- apparmor.d/groups/freedesktop/update-desktop-database | 2 -- apparmor.d/groups/freedesktop/update-mime-database | 2 -- apparmor.d/groups/pacman/archlinux-java | 2 -- apparmor.d/groups/pacman/mkinitcpio | 2 -- apparmor.d/groups/pacman/pacdiff | 2 -- apparmor.d/groups/pacman/pacman | 8 -------- apparmor.d/groups/pacman/pacman-conf | 2 -- apparmor.d/groups/pacman/pacman-hook-code | 2 -- apparmor.d/groups/pacman/pacman-hook-dconf | 2 -- apparmor.d/groups/pacman/pacman-hook-depmod | 2 -- apparmor.d/groups/pacman/pacman-hook-dkms | 2 -- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 -- apparmor.d/groups/pacman/pacman-hook-gio | 2 -- apparmor.d/groups/pacman/pacman-hook-gtk | 2 -- apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules | 2 -- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 2 -- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 2 -- apparmor.d/groups/pacman/pacman-hook-perl | 2 -- apparmor.d/groups/pacman/pacman-hook-systemd | 2 -- apparmor.d/groups/systemd/systemd-detect-virt | 2 -- apparmor.d/groups/systemd/systemd-notify | 2 -- apparmor.d/groups/utils/blkid | 2 -- apparmor.d/groups/utils/findmnt | 2 -- apparmor.d/groups/utils/lsblk | 2 -- apparmor.d/groups/utils/uname | 2 -- apparmor.d/profiles-a-f/appstreamcli | 2 -- apparmor.d/profiles-g-l/ghc-pkg | 2 -- apparmor.d/profiles-g-l/glib-compile-schemas | 2 -- apparmor.d/profiles-g-l/gtk-query-immodules | 2 -- apparmor.d/profiles-g-l/install-info | 2 -- apparmor.d/profiles-m-r/mullvad-setup | 2 -- apparmor.d/profiles-s-z/update-ca-trust | 2 -- apparmor.d/profiles-s-z/vlc-cache-gen | 2 -- 36 files changed, 4 insertions(+), 76 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 4a3b95b91a..92e8d9c31d 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -72,6 +72,10 @@ # Allow us to create and use abstract and anonymous sockets unix peer=(label=@{profile_name}), + #aa:only pacman + # Allow pacman to communicate with us via unix sockets. It ensures pacman can communicate with its hooks. + unix (send receive) type=stream peer=(label=pacman), + #aa:exclude RBAC # Allow unconfined processes to communicate with us via unix sockets unix receive peer=(label=unconfined), diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 72dddae80f..ff6af6b136 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -15,8 +15,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { capability mac_admin, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{lib_dirs}/@{multiarch}/** mr, diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index bd0575d804..3720b369a2 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -17,8 +17,6 @@ profile fc-cache @{exec_path} { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, /var/cache/fontconfig/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 978ffa71e3..90be74ecf4 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -17,8 +17,6 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{system_share_dirs}/*ubuntu/applications/.mimeinfo.cache.* rw, diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 67f3f8f326..1c7cf6010c 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -15,8 +15,6 @@ profile update-mime-database @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{system_share_dirs}/mime/{,**} rw, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index e84d8eba76..38cd95d0a6 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -12,8 +12,6 @@ profile archlinux-java @{exec_path} { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index c65339896a..179dff8580 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -20,8 +20,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { network unix stream, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} rmix, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index faae3bc603..72ab91872f 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -16,8 +16,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index f984803214..cd7623f689 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -182,8 +182,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal receive set=(term winch) peer=makepkg//sudo, - unix (send receive) type=stream peer=(label=pacman), - @{pager_path} rPx -> child-pager, @{bin}/systemd-tty-ask-password-agent rPx, @@ -207,8 +205,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include - unix (send receive) type=stream peer=(label=pacman), - @{bin}/gdbus rix, include if exists @@ -223,8 +219,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal send, - unix (send receive) type=stream peer=(label=pacman), - @{bin}/killall mr, @{bin}/pkill mr, @@ -244,8 +238,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability sys_chroot, - unix (send receive) type=stream peer=(label=pacman), - @{sh_path} rix, @{sbin}/ldconfig mrix, diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index b05651b61b..378b69fae8 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -11,8 +11,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { include include - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, /etc/pacman.conf r, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index b890d1b59c..c943daeea0 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -13,8 +13,6 @@ profile pacman-hook-code @{exec_path} { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{bin}/env r, diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index a287daecfc..73c89293b9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -12,8 +12,6 @@ profile pacman-hook-dconf @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 6d8039728b..8a471e55d7 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -12,8 +12,6 @@ profile pacman-hook-depmod @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index 52809b7b06..e958f3e1eb 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -16,8 +16,6 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { network unix stream, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index acb4731b75..5c6e98347e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -12,8 +12,6 @@ profile pacman-hook-fontconfig @{exec_path} { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index c506ac29d4..17218158e1 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -12,8 +12,6 @@ profile pacman-hook-gio @{exec_path} { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index dc251a70c0..960db0cbf6 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -12,8 +12,6 @@ profile pacman-hook-gtk @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index 8b56a8d66e..6f281efa30 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -13,8 +13,6 @@ profile pacman-hook-gtk4-querymodules @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} r, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index b8681301ce..d31700de14 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -14,8 +14,6 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability mknod, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 3e62e80eb9..6378ca9918 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -13,8 +13,6 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { capability dac_read_search, capability mknod, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index f2e55e477e..d8dbfc714a 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -14,8 +14,6 @@ profile pacman-hook-perl @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability mknod, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 788d7e841d..74fc56d6fc 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -13,8 +13,6 @@ profile pacman-hook-systemd @{exec_path} { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 32d410a369..8a7993ab25 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -16,8 +16,6 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { ptrace read peer=@{p_systemd}, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{run}/cloud-init/ds-identify.log w, diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index f319798c71..973f8bdc8e 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -14,8 +14,6 @@ profile systemd-notify @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability net_admin, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 2c50ac065f..457b2d199b 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -15,8 +15,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) { capability sys_rawio, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, /etc/blkid.conf r, diff --git a/apparmor.d/groups/utils/findmnt b/apparmor.d/groups/utils/findmnt index 124c069641..96ae6b6899 100644 --- a/apparmor.d/groups/utils/findmnt +++ b/apparmor.d/groups/utils/findmnt @@ -16,8 +16,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { capability dac_read_search, capability sys_rawio, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, /etc/fstab r, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index bf031bac68..6fc1d5bb25 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -17,8 +17,6 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { capability dac_read_search, audit capability dac_override, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{PROC}/swaps r, diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname index 553c5eb25a..8391287632 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/groups/utils/uname @@ -12,8 +12,6 @@ profile uname @{exec_path} flags=(attach_disconnected) { include include - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{att}/dev/tty@{u8} rw, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index ff515666d7..f2231479dd 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -16,8 +16,6 @@ profile appstreamcli @{exec_path} flags=(complain) { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{bin}/curl rCx -> curl, diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index fb13eb0adc..3ccfdec4aa 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -13,8 +13,6 @@ profile ghc-pkg @{exec_path} { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index b632060a96..f1dfb68ce5 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -14,8 +14,6 @@ profile glib-compile-schemas @{exec_path} { network inet stream, network inet6 stream, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{system_share_dirs}/ r, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index d41a29af4b..a7cbf52ae3 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -14,8 +14,6 @@ profile gtk-query-immodules @{exec_path} { capability dac_override, capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{lib}/gtk-{2,3,4}.0/**/immodules.cache w, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index 540797c000..65bc75bb78 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -13,8 +13,6 @@ profile install-info @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index 6f1620e62c..4c34dee55f 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -11,8 +11,6 @@ profile mullvad-setup @{exec_path} { include include - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{run}/mullvad-vpn rw, diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index 4fabd13887..c0f220919b 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -13,8 +13,6 @@ profile update-ca-trust @{exec_path} { capability dac_read_search, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen index 0df0b88bcf..1c089b0f86 100644 --- a/apparmor.d/profiles-s-z/vlc-cache-gen +++ b/apparmor.d/profiles-s-z/vlc-cache-gen @@ -11,8 +11,6 @@ profile vlc-cache-gen @{exec_path} { include include - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{lib}/vlc/plugins/{,*} rw, From 4fb4f7c5da908d8f878971d8a9a83686596ac68b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 22:20:47 +0100 Subject: [PATCH 1211/1736] feat(ns): add the glycin namespace. By confining the glycin loaders inside it own namespace we follow the bwrap ns closelly and thus avoid nnp restriction when starting glycin loader from sandboxed app. This is not yet enabled in the gtk abstraction See #918 --- apparmor.d/namespaces/glycin/bwrap | 60 ++++++++++++++++++++++++++++ apparmor.d/namespaces/glycin/loaders | 29 ++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 apparmor.d/namespaces/glycin/bwrap create mode 100644 apparmor.d/namespaces/glycin/loaders diff --git a/apparmor.d/namespaces/glycin/bwrap b/apparmor.d/namespaces/glycin/bwrap new file mode 100644 index 0000000000..58f374d196 --- /dev/null +++ b/apparmor.d/namespaces/glycin/bwrap @@ -0,0 +1,60 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Confine glycin-loaders sandboxed with bwrap. It also confines bwrap itself. +# for this use case. + +abi , + +include + +profile :glycin:bwrap flags=(attach_disconnected) { + include + include + include + + # Need to be allowed for all peer because from the glycin namespace we do not + # see the root namespace. This is showned by 'peer=(label=---)' in the logs. + # + # As of today, we cannot specify the ns scope and view of the peer. + # See: https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorPolicyView + unix (send receive) type=seqpacket, + unix (send receive) type=stream, + + @{bin}/bwrap mr, + + # To test sandbox functionalities + # See; https://gitlab.gnome.org/GNOME/glycin/-/blob/main/glycin/src/sandbox.rs#L676 + @{bin}/true ix, + + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> bwrap//&loaders, + + /usr/share/glycin-loaders/{,**} r, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + + #aa:lint ignore=too-wide + # Safe deny of inherited files from parent process. + deny network inet dgram, + deny network inet6 dgram, + deny network inet stream, + deny network inet6 stream, + priority=-1 deny /usr/share/** r, + deny owner @{HOME}/.*/** rw, + deny owner /tmp/*/** w, + deny /opt/*/** rw, + deny @{sys}/devices/system/** r, + deny owner @{PROC}/@{pid}/mountinfo r, + deny /dev/shm/** rw, + deny /dev/dri/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/namespaces/glycin/loaders b/apparmor.d/namespaces/glycin/loaders new file mode 100644 index 0000000000..f697e34eb1 --- /dev/null +++ b/apparmor.d/namespaces/glycin/loaders @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile :glycin:loaders flags=(attach_disconnected) { + include + include + + signal (send receive) peer=bwrap//&loaders, + + unix (send receive) type=stream, + + @{lib}/glycin-loaders/@{d}+/glycin-* mr, + + @{att}/usr/share/glycin-loaders/{,**} r, + + @{att}/usr/share/gtksourceview-2.0/{,**} r, + @{att}/usr/share/gtksourceview-3.0/{,**} r, + @{att}/usr/share/gtksourceview-4/{,**} r, + @{att}/usr/share/gtksourceview-5/{,**} r, + + include if exists +} + +# vim:syntax=apparmor From b9a8a1dc03d0c56dd628eb1c59a22f6dcd17e94b Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Sun, 21 Dec 2025 15:30:35 +0100 Subject: [PATCH 1212/1736] app-open: allow mpv launch DENIED child-open exec @{bin}/mpv comm=gio-launch-desk requested_mask=x denied_mask=x mpv should be allowed as it also can be the default media player, log caused by opening a downloaded video from firefox. --- apparmor.d/abstractions/app-open | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index c8e1942364..b806f28bc0 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -48,6 +48,7 @@ @{bin}/gnome-software Px, @{bin}/gwenview PUx, @{bin}/keepassxc Px, + @{bin}/mpv Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, From de46a85ecb3bc8d08a4a7c6b63c26bf51549067a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 22:38:55 +0100 Subject: [PATCH 1213/1736] fix(build): do not set BUILDDIR in arch build That generate an rsync infinite loop. --- dists/docker.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/dists/docker.sh b/dists/docker.sh index fc6a672617..6390b97c8f 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -68,7 +68,6 @@ build_in_docker_makepkg() { docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ - --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi From 6feaffaeeb435a97a47785b860610170fe3874c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 22:57:06 +0100 Subject: [PATCH 1214/1736] build: docker: improve support for dev and tests flavor. --- dists/docker.sh | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/dists/docker.sh b/dists/docker.sh index 6390b97c8f..7cd2cd1682 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -19,11 +19,10 @@ readonly OUTDIR=".pkg" readonly DISTRIBUTION="$1" RELEASE="${2:-}" FLAVOR="${3:-}" -VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" [[ "$RELEASE" == "-" ]] && RELEASE="" readonly OUTPUT="$PWD/$OUTDIR/$DISTRIBUTION/$RELEASE" -readonly RELEASE FLAVOR VERSION PACKAGER +readonly RELEASE FLAVOR PACKAGER _start() { local img="$1" @@ -51,9 +50,6 @@ _exist() { sync() { mkdir -p "$VOLUME" rsync -ra --delete . "$VOLUME/$PKGNAME" - if [[ "$FLAVOR" == "test" ]]; then - sed -i -e "s/just complain/just complain-test/" "$VOLUME/$PKGNAME/debian/rules" - fi } build_in_docker_makepkg() { @@ -79,8 +75,24 @@ build_in_docker_makepkg() { build_in_docker_dpkg() { local img dist="$1" target="$1" release="$2" - [[ "$dist" == whonix ]] && dist=debian + if [[ "$dist" == whonix ]]; then + dist=debian + fi img="$PREFIX$dist$release" + + # Adjustments for test flavor + if [[ "$FLAVOR" == "test" ]]; then + sed -i -e "s/just complain/just complain-test/" "$VOLUME/$PKGNAME/debian/rules" + fi + + # Adjustments for development releases + case "$release" in + 26.04) + img="$PREFIX${dist}25.10" + ;; + *) ;; + esac + if _exist "$img"; then if ! _is_running "$img"; then _start "$img" @@ -91,14 +103,14 @@ build_in_docker_dpkg() { --env DISTRIBUTION="$target" "$BASEIMAGE/$dist:$release" docker exec "$img" sudo apt-get update -q docker exec "$img" sudo apt-get install -y config-package-dev lsb-release libdistro-info-perl - if [[ "$dist" == debian && "$release" == "12" ]]; then + if [[ "$dist" == debian && "$release" == "12" ]]; then aptopt=(-t bookworm-backports) fi docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh dpkg - mv "$VOLUME/$PKGNAME/$OUTDIR/${PKGNAME}_${VERSION}-1"_*.* "$OUTPUT" + mv "$VOLUME/$PKGNAME/$OUTDIR/${PKGNAME}"*.deb "$OUTPUT" } build_in_docker_rpm() { @@ -117,12 +129,13 @@ build_in_docker_rpm() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm - mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME-$VERSION-"*.rpm "$OUTPUT" + mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME-"*.rpm "$OUTPUT" } main() { case "$DISTRIBUTION" in archlinux) + sync build_in_docker_makepkg "$DISTRIBUTION" ;; From 24b280c32f95f055bc7cffa065293203197e1084 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Dec 2025 22:57:57 +0100 Subject: [PATCH 1215/1736] build: remove old backported abs. --- dists/ubuntu/abstractions/trash | 75 ------------------------------- pkg/prebuild/prepare/configure.go | 12 ----- 2 files changed, 87 deletions(-) delete mode 100644 dists/ubuntu/abstractions/trash diff --git a/dists/ubuntu/abstractions/trash b/dists/ubuntu/abstractions/trash deleted file mode 100644 index d9ad012217..0000000000 --- a/dists/ubuntu/abstractions/trash +++ /dev/null @@ -1,75 +0,0 @@ -abi , - -# requires - - owner @{user_config_dirs}/trashrc rw, - owner @{user_config_dirs}/trashrc.lock rwk, - owner @{user_config_dirs}/#@{int} rwk, - owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#@{int}, - - owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#@{int}, - - # Home trash location - owner @{user_share_dirs}/Trash/ rw, - owner @{user_share_dirs}/Trash/#@{int} rw, - owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl -> @{user_share_dirs}/Trash/#@{int}, - owner @{user_share_dirs}/Trash/files/{,**} rw, - owner @{user_share_dirs}/Trash/info/ rw, - owner @{user_share_dirs}/Trash/info/*.trashinfo{,.*} rw, - owner @{user_share_dirs}/Trash/expunged/ rw, - owner @{user_share_dirs}/Trash/expunged/[0-9]* rw, - owner @{user_share_dirs}/Trash/expunged/[0-9]*/ rw, - owner @{user_share_dirs}/Trash/expunged/[0-9]*/** rw, - - # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir - owner /media/*/.Trash/ rw, - owner /media/*/.Trash/@{uid}/ rw, - owner /media/*/.Trash/@{uid}/#@{int} rw, - owner /media/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash/@{uid}/#@{int}, - owner /media/*/.Trash/@{uid}/files/{,**} rw, - owner /media/*/.Trash/@{uid}/info/ rw, - owner /media/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, - owner /media/*/.Trash/@{uid}/expunged/ rw, - owner /media/*/.Trash/@{uid}/expunged/[0-9]* rw, - owner /media/*/.Trash/@{uid}/expunged/[0-9]*/ rw, - owner /media/*/.Trash/@{uid}/expunged/[0-9]*/** rw, - - # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir - owner /media/*/.Trash-@{uid}/ rw, - owner /media/*/.Trash-@{uid}/#@{int} rw, - owner /media/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash-@{uid}/#@{int}, - owner /media/*/.Trash-@{uid}/files/{,**} rw, - owner /media/*/.Trash-@{uid}/info/ rw, - owner /media/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, - owner /media/*/.Trash-@{uid}/expunged/ rw, - owner /media/*/.Trash-@{uid}/expunged/[0-9]* rw, - owner /media/*/.Trash-@{uid}/expunged/[0-9]*/ rw, - owner /media/*/.Trash-@{uid}/expunged/[0-9]*/** rw, - - # Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir - owner /media/*/*/.Trash/ rw, - owner /media/*/*/.Trash/@{uid}/ rw, - owner /media/*/*/.Trash/@{uid}/#@{int} rw, - owner /media/*/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash/@{uid}/#@{int}, - owner /media/*/*/.Trash/@{uid}/files/{,**} rw, - owner /media/*/*/.Trash/@{uid}/info/ rw, - owner /media/*/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, - owner /media/*/*/.Trash/@{uid}/expunged/ rw, - owner /media/*/*/.Trash/@{uid}/expunged/[0-9]* rw, - owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/ rw, - owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/** rw, - - # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir - owner /media/*/*/.Trash-@{uid}/ rw, - owner /media/*/*/.Trash-@{uid}/#@{int} rw, - owner /media/*/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash-@{uid}/#@{int}, - owner /media/*/*/.Trash-@{uid}/files/{,**} rw, - owner /media/*/*/.Trash-@{uid}/info/ rw, - owner /media/*/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, - owner /media/*/*/.Trash-@{uid}/expunged/ rw, - owner /media/*/*/.Trash-@{uid}/expunged/[0-9]* rw, - owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/ rw, - owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/** rw, - - include if exists diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 7c1d913e2c..7cbdca92f5 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -52,24 +52,12 @@ func (p Configure) Apply() ([]string, error) { return res, err } } - if prebuild.Version < 3.0 { - if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { - return res, err - } - } case "debian", "whonix": if err := prebuild.DebianHide.Init(); err != nil { return res, err } - if prebuild.Version < 4.1 { - // Copy Debian specific abstractions - if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { - return res, err - } - } - default: return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) From 05b5b1bc03c2daef3c791036f5727e8f21b20233 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Dec 2025 21:40:19 +0100 Subject: [PATCH 1216/1736] build: replace build.sh by build-* recipies. --- .gitlab-ci.yml | 2 +- Justfile | 51 ++++++++++++++++++++++++++++++++++++++++--------- dists/build.sh | 51 ------------------------------------------------- dists/docker.sh | 8 ++++---- 4 files changed, 47 insertions(+), 65 deletions(-) delete mode 100644 dists/build.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 28c81e4c13..81ffb049d6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -20,7 +20,7 @@ bash: image: koalaman/shellcheck-alpine script: - shellcheck --shell=bash - PKGBUILD dists/build.sh dists/docker.sh tests/check.sh + PKGBUILD dists/*.sh tests/check.sh tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh tests/autopkgtest/autopkgtest.sh diff --git a/Justfile b/Justfile index 39a6413bac..78baf40cc6 100644 --- a/Justfile +++ b/Justfile @@ -213,22 +213,55 @@ dev +names: done sudo systemctl restart apparmor.service || sudo journalctl -xeu apparmor.service +# Build the package on Arch Linux +[group('packages')] +build-pkg: (_ensure_pkgdest) + @PKGDEST={{pkgdest}} BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + +# Build the package on Debian +[group('packages')] +build-dpkg: (_ensure_pkgdest) + dpkg-buildpackage -b -d {{ if sign == "true" { "--sign-key=" + gpgkey } else { "--no-sign" } }} + lintian --color always --display-info --pedantic --tag-display-limit 0 || true + mv ../{{pkgname}}*.deb {{pkgdest}}/ + +# Build the package on OpenSUSE +[group('packages')] +build-rpm: (_ensure_pkgdest) + #!/usr/bin/env bash + set -eu -o pipefail + RPMBUILD_ROOT=$(mktemp -d /tmp/$PKGNAME.XXXXXX) + ARCH=$(uname -m) + VERSION="$(just version)" + readonly RPMBUILD_ROOT ARCH VERSION + + mkdir -p "$RPMBUILD_ROOT"/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS/tmp} + cp -p "dists/$PKGNAME.spec" "$RPMBUILD_ROOT/SPECS" + tar -czf "$RPMBUILD_ROOT/SOURCES/$PKGNAME-$VERSION.tar.gz" --transform "s,^,$PKGNAME-$VERSION/," ./* + + cd "$RPMBUILD_ROOT" + rpmbuild -bb --define "_topdir $RPMBUILD_ROOT" "SPECS/$PKGNAME.spec" + + mv "$RPMBUILD_ROOT/RPMS/$ARCH/"*.rpm "{{pkgdest}}/" + rm -rf "$RPMBUILD_ROOT" + # Build & install apparmor.d on Arch based systems [group('packages')] -pkg: - @bash dists/build.sh pkg +pkg name="": (build-pkg) + @sudo pacman -U --noconfirm \ + {{pkgdest}}/{{pkgname}}{{ if name != "" { "-" + name } else { "" } }}-`just version`*.pkg.tar.zst # Build & install apparmor.d on Debian based systems [group('packages')] -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +dpkg name="": (build-dpkg) + @sudo dpkg -i \ + {{pkgdest}}/{{pkgname}}{{ if name != "" { "-" + name } else { "" } }}_`just version`*.deb # Build & install apparmor.d on OpenSUSE based systems [group('packages')] -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +rpm name="": (build-rpm) + @sudo rpm -ivh --force \ + {{pkgdest}}/{{pkgname}}{{ if name != "" { "-" + name } else { "" } }}-`just version`*.rpm # Run the linters [group('linter')] @@ -237,7 +270,7 @@ lint: packer fmt tests/packer/ packer validate --syntax-only tests/packer/ shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ + PKGBUILD dists/*.sh tests/check.sh \ tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ tests/autopkgtest/autopkgtest.sh debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm diff --git a/dists/build.sh b/dists/build.sh deleted file mode 100644 index e33c48695f..0000000000 --- a/dists/build.sh +++ /dev/null @@ -1,51 +0,0 @@ -#!/usr/bin/env bash -# Build the package for Archlinux/openSUSE/Debian/Ubuntu -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: just [ dpkg | pkg | rpm ] - -set -eu -o pipefail - -readonly COMMAND="$1" -readonly OUTPUT="$PWD/.pkg" -readonly PKGNAME=apparmor.d -VERSION="0.$(git rev-list --count HEAD)" -readonly VERSION - -main() { - case "$COMMAND" in - pkg) - PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar - ;; - - dpkg) - dch --newversion="$VERSION-1" --urgency=medium --distribution="$(lsb_release -sc)" --controlmaint "Release $VERSION-1" - dpkg-buildpackage -b -d --no-sign - lintian || true - mv ../"${PKGNAME}_${VERSION}-1"_*.deb "$OUTPUT" - ;; - - rpm) - RPMBUILD_ROOT=$(mktemp -d /tmp/$PKGNAME.XXXXXX) - ARCH=$(uname -m) - readonly RPMBUILD_ROOT ARCH - - mkdir -p "$RPMBUILD_ROOT"/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS/tmp} - cp -p "dists/$PKGNAME.spec" "$RPMBUILD_ROOT/SPECS" - tar -czf "$RPMBUILD_ROOT/SOURCES/$PKGNAME-$VERSION.tar.gz" --transform "s,^,$PKGNAME-$VERSION/," ./* - - cd "$RPMBUILD_ROOT" - sed -i "s/^Version:.*/Version: $VERSION/" "SPECS/$PKGNAME.spec" - rpmbuild -bb --define "_topdir $RPMBUILD_ROOT" "SPECS/$PKGNAME.spec" - - mv "$RPMBUILD_ROOT/RPMS/$ARCH/"*.rpm "$OUTPUT" - rm -rf "$RPMBUILD_ROOT" - ;; - - *) ;; - esac -} - -mkdir -p "$OUTPUT" -main "$@" diff --git a/dists/docker.sh b/dists/docker.sh index 7cd2cd1682..8d044c2e9a 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -68,8 +68,8 @@ build_in_docker_makepkg() { docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi - docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg - mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME"-*.pkg.* "$OUTPUT" + docker exec --workdir="$BUILDIR/$PKGNAME" "$img" just build-pkg + mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME"*.pkg.* "$OUTPUT" } build_in_docker_dpkg() { @@ -109,7 +109,7 @@ build_in_docker_dpkg() { docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go fi - docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh dpkg + docker exec --workdir="$BUILDIR/$PKGNAME" "$img" just build-dpkg mv "$VOLUME/$PKGNAME/$OUTDIR/${PKGNAME}"*.deb "$OUTPUT" } @@ -128,7 +128,7 @@ build_in_docker_rpm() { docker exec "$img" sudo zypper install -y distribution-release golang-packaging apparmor-profiles fi - docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm + docker exec --workdir="$BUILDIR/$PKGNAME" "$img" just build-rpm mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME-"*.rpm "$OUTPUT" } From 9eec8347c1317cf763562c2ede7a7aef738c0314 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Dec 2025 21:41:06 +0100 Subject: [PATCH 1217/1736] build: update release format. --- Justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 78baf40cc6..b837444cc2 100644 --- a/Justfile +++ b/Justfile @@ -555,7 +555,7 @@ version: # Create a new version number from the current release [group('version')] version-new: - @bash -c 'source PKGBUILD && echo $(echo "$pkgver" | awk "{print \$1 + 0.0001}")' + @bash -c 'source PKGBUILD && awk -v ver="$pkgver" "BEGIN {printf \"%.4f\n\", ver + 0.0001}"' # Create a new release [group('release')] From de10db70e415bd236bf050356f65eaac3fd1100f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Dec 2025 21:43:14 +0100 Subject: [PATCH 1218/1736] build: update release process. --- Justfile | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/Justfile b/Justfile index b837444cc2..c45b279edc 100644 --- a/Justfile +++ b/Justfile @@ -16,6 +16,7 @@ build := ".build" pkgdest := `pwd` / ".pkg" pkgname := "apparmor.d" gpgkey := "06A26D531D56C42D66805049C5469996F0DF68EC" +sign := "false" # Prebuild options, only used for the `dev` install target opt := "complain" @@ -298,9 +299,10 @@ serve: clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ + debian/*.substvars debian/*.debhelper debian/files \ {{pkgdest}}/{{pkgname}}* {{pkgdest}}/ubuntu {{pkgdest}}/debian \ {{pkgdest}}/archlinux {{pkgdest}}/opensuse {{pkgdest}}/version \ - {{build}} coverage.out .logs/autopkgtest/ + {{build}} coverage.out .logs/autopkgtest/ site .cache # Build the package in a clean OCI container [group('packages')] @@ -313,10 +315,10 @@ packages: (clean) #!/usr/bin/env bash set -eu -o pipefail declare -A matrix=( - ["archlinux"]="-" - ["debian"]="12 13" - ["ubuntu"]="22.04 24.04 25.04 25.10" - ["opensuse"]="-" + # ["archlinux"]="-" + ["debian"]="13" + ["ubuntu"]="24.04 25.10 26.04" + # ["opensuse"]="-" ) for dist in "${!matrix[@]}"; do IFS=' ' read -r -a releases <<< "${matrix[$dist]}" @@ -570,9 +572,9 @@ commit: cat > debian/changelog.tmp <<-EOF {{pkgname}} (${version}-1) stable; urgency=medium - * Release {{pkgname}} v${version} + * Release {{pkgname}} v${version} - -- $(git config user.name) <$(git config user.email)> $(date -R) + -- $(git config user.name) <$(git config user.email)> $(date -R) EOF cat debian/changelog >> debian/changelog.tmp @@ -581,6 +583,7 @@ commit: sed -i "s/^Version:.*/Version: $version/" "dists/{{pkgname}}.spec" git add PKGBUILD "dists/{{pkgname}}.spec" debian/changelog git commit -S -m "Release version $version" + git tag -a "v$version" -m "{{pkgname}} v$version" --local-user={{gpgkey}} # Create a release archive [group('release')] @@ -588,14 +591,14 @@ archive: #!/usr/bin/env bash set -eu -o pipefail version=`just version` - git tag -a "v$version" -m "{{pkgname}} v$version" --local-user={{gpgkey}} + mkdir -p {{pkgdest}}/release/ git archive \ --format=tar.gz \ --prefix={{pkgname}}-$version/ \ - --output={{pkgdest}}/{{pkgname}}-$version.tar.gz \ + --output={{pkgdest}}/release/{{pkgname}}-$version.tar.gz \ v$version - gpg --armor --default-key {{gpgkey}} --detach-sig {{pkgdest}}/{{pkgname}}-$version.tar.gz - gpg --verify {{pkgdest}}/{{pkgname}}-$version.tar.gz.asc + gpg --armor --default-key {{gpgkey}} --detach-sig {{pkgdest}}/release/{{pkgname}}-$version.tar.gz + gpg --verify {{pkgdest}}/release/{{pkgname}}-$version.tar.gz.asc # Publish the new release on Github [group('release')] @@ -610,6 +613,10 @@ publish: {{pkgdest}}/{{pkgname}}-$version.tar.gz \ {{pkgdest}}/{{pkgname}}-$version.tar.gz.asc + +_ensure_pkgdest: + @mkdir -p {{pkgdest}} + _get_ip osinfo flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{osinfo}}-{{flavor}} | \ head -1 | \ From 4b5f7c2f65dde5aaf853aee760e009fe5dd98585 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Dec 2025 21:44:13 +0100 Subject: [PATCH 1219/1736] build(debian): build both complain and enforce version. --- debian/rules | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/debian/rules b/debian/rules index d78e652ca0..63da4a0f1d 100755 --- a/debian/rules +++ b/debian/rules @@ -10,8 +10,9 @@ override_dh_dwz: override_dh_auto_build: - just complain + just build=.build/enforce enforce + just build=.build/complain complain override_dh_auto_install: - just destdir="${CURDIR}/debian/apparmor.d" install - + just build=.build/complain destdir="${CURDIR}/debian/apparmor.d" install + just build=.build/enforce destdir="${CURDIR}/debian/apparmor.d.enforced" install From 243791ede55fd6476aaa4b714aa3039f32a09919 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Dec 2025 21:56:03 +0100 Subject: [PATCH 1220/1736] fix(tunable): avoid a bug in the exclude directive. --- apparmor.d/tunables/multiarch.d/system | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 47651e12b1..9f496c416d 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -59,9 +59,11 @@ # System Internal # --------------- +#aa:exclude ubuntu +@{pci_bus}=pci@{hex4}:@{hex2} + # Shortcut for PCI device @{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h} -@{pci_bus}=pci@{hex4}:@{hex2} #aa:exclude ubuntu @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges From ac47900a9a06ccea25c7617ec1f8edaa18594ae0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Dec 2025 22:26:58 +0100 Subject: [PATCH 1221/1736] build(debian): add apparmor.d.enforced. --- debian/control | 22 ++++++++++++++-------- debian/copyright | 8 ++++++++ 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/debian/control b/debian/control index 85c4d3786a..70a11e1625 100644 --- a/debian/control +++ b/debian/control @@ -1,9 +1,8 @@ Source: apparmor.d Section: admin -Priority: optional +Priority: standard Maintainer: Alexandre Pujol -Build-Depends: debhelper (>= 13.4), - debhelper-compat (= 13), +Build-Depends: debhelper-compat (= 13), golang-any, config-package-dev, just, @@ -15,9 +14,16 @@ Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: apparmor-profiles -Conflicts: apparmor-profiles-extra -Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 2000 profiles) - apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine +Depends: apparmor-profiles, ${misc:Depends} +Conflicts: apparmor-profiles-extra, apparmor.d.enforced, +Description: Full set of AppArmor profiles (complain mode) + apparmor.d is a set of over 2000 AppArmor policies whose aim is to confine + most Linux based applications and processes. + +Package: apparmor.d.enforced +Architecture: any +Depends: apparmor-profiles, ${misc:Depends} +Conflicts: apparmor-profiles-extra, apparmor.d, +Description: Full set of AppArmor profiles (enforced mode) + apparmor.d is a set of over 2000 AppArmor policies whose aim is to confine most Linux based applications and processes. diff --git a/debian/copyright b/debian/copyright index 9dbcf97efb..04900924fa 100644 --- a/debian/copyright +++ b/debian/copyright @@ -6,3 +6,11 @@ Source: https://gitlab.com/roddhjav/apparmor.d Files: * Copyright: 2021-2025 Alexandre Pujol License: GPL-2 + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2. + . + On Debian systems, the complete text of version 2 of the GNU General + Public License can be found in `/usr/share/common-licenses/GPL-2' From b61830ad6e337bdda1a5a638cd50e32c9e819035 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Dec 2025 00:56:32 +0100 Subject: [PATCH 1222/1736] build: fix name of the pkg to install. --- Justfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Justfile b/Justfile index c45b279edc..e6d55a705c 100644 --- a/Justfile +++ b/Justfile @@ -250,19 +250,19 @@ build-rpm: (_ensure_pkgdest) [group('packages')] pkg name="": (build-pkg) @sudo pacman -U --noconfirm \ - {{pkgdest}}/{{pkgname}}{{ if name != "" { "-" + name } else { "" } }}-`just version`*.pkg.tar.zst + {{pkgdest}}/{{pkgname}}{{ if name != "" { "." + name } else { "" } }}-`just version`*.pkg.tar.zst # Build & install apparmor.d on Debian based systems [group('packages')] dpkg name="": (build-dpkg) @sudo dpkg -i \ - {{pkgdest}}/{{pkgname}}{{ if name != "" { "-" + name } else { "" } }}_`just version`*.deb + {{pkgdest}}/{{pkgname}}{{ if name != "" { "." + name } else { "" } }}_`just version`*.deb # Build & install apparmor.d on OpenSUSE based systems [group('packages')] rpm name="": (build-rpm) @sudo rpm -ivh --force \ - {{pkgdest}}/{{pkgname}}{{ if name != "" { "-" + name } else { "" } }}-`just version`*.rpm + {{pkgdest}}/{{pkgname}}{{ if name != "" { "." + name } else { "" } }}-`just version`*.rpm # Run the linters [group('linter')] From cc799b566c3ecc6e9a0935e7d351be18230bdc96 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Dec 2025 15:37:18 +0100 Subject: [PATCH 1223/1736] build(debian): common post script accross pkg editions. --- .gitlab-ci.yml | 4 ++-- Justfile | 4 ++-- debian/{apparmor.d.hide => common.hide} | 0 debian/{apparmor.d.postinst => common.postinst} | 0 debian/{apparmor.d.postrm => common.postrm} | 0 debian/rules | 7 +++++++ pkg/prebuild/directories.go | 4 ++-- 7 files changed, 13 insertions(+), 6 deletions(-) rename debian/{apparmor.d.hide => common.hide} (100%) rename debian/{apparmor.d.postinst => common.postinst} (100%) rename debian/{apparmor.d.postrm => common.postrm} (100%) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 81ffb049d6..6f7ef41e0e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -21,8 +21,8 @@ bash: script: - shellcheck --shell=bash PKGBUILD dists/*.sh tests/check.sh - tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh - tests/autopkgtest/autopkgtest.sh + tests/packer/*.sh tests/packer/src/aa-update + tests/autopkgtest/autopkgtest.sh debian/common.postinst debian/common.postrm golangci-lint: stage: lint diff --git a/Justfile b/Justfile index e6d55a705c..0e6baa0286 100644 --- a/Justfile +++ b/Justfile @@ -272,8 +272,8 @@ lint: packer validate --syntax-only tests/packer/ shellcheck --shell=bash \ PKGBUILD dists/*.sh tests/check.sh \ - tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ - tests/autopkgtest/autopkgtest.sh debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm + tests/packer/*.sh tests/packer/src/aa-update \ + tests/autopkgtest/autopkgtest.sh debian/common.postinst debian/common.postrm # Run style checks on the profiles [group('linter')] diff --git a/debian/apparmor.d.hide b/debian/common.hide similarity index 100% rename from debian/apparmor.d.hide rename to debian/common.hide diff --git a/debian/apparmor.d.postinst b/debian/common.postinst similarity index 100% rename from debian/apparmor.d.postinst rename to debian/common.postinst diff --git a/debian/apparmor.d.postrm b/debian/common.postrm similarity index 100% rename from debian/apparmor.d.postrm rename to debian/common.postrm diff --git a/debian/rules b/debian/rules index 63da4a0f1d..b372ddd27d 100755 --- a/debian/rules +++ b/debian/rules @@ -9,6 +9,13 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: +override_dh_installdeb: + for pkgname in apparmor.d apparmor.d.enforced; do \ + install -D debian/common.postinst debian/$${pkgname}/DEBIAN/postinst; \ + install -D debian/common.postrm debian/$${pkgname}/DEBIAN/postrm; \ + done + dh_installdeb + override_dh_auto_build: just build=.build/enforce enforce just build=.build/complain complain diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 07414a1eca..5c737cdea0 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -49,8 +49,8 @@ var ( // DebianDir is the directory where the debian specific files are stored DebianDir *paths.Path = paths.New("debian") - // DebianHide is the path to the debian/apparmor.d.hide file - DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")} + // DebianHide is the path to the debian/common.hide file + DebianHide = DebianHider{path: DebianDir.Join("common.hide")} Ignore = Ignorer{} Flags = Flagger{} From 95c01f3e3a931f288cc2f653d4c5673d9e0b327c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Dec 2025 16:34:15 +0100 Subject: [PATCH 1224/1736] build(debian): set go flags before build. --- Justfile | 4 ++-- debian/control | 6 +++--- debian/rules | 34 +++++++++++++++++++++++++++++----- 3 files changed, 34 insertions(+), 10 deletions(-) diff --git a/Justfile b/Justfile index 0e6baa0286..2832758d7c 100644 --- a/Justfile +++ b/Justfile @@ -298,10 +298,10 @@ serve: # Remove all build artifacts clean: @rm -rf \ - debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ + debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}}* \ debian/*.substvars debian/*.debhelper debian/files \ {{pkgdest}}/{{pkgname}}* {{pkgdest}}/ubuntu {{pkgdest}}/debian \ - {{pkgdest}}/archlinux {{pkgdest}}/opensuse {{pkgdest}}/version \ + {{pkgdest}}/archlinux {{pkgdest}}/opensuse \ {{build}} coverage.out .logs/autopkgtest/ site .cache # Build the package in a clean OCI container diff --git a/debian/control b/debian/control index 70a11e1625..2b61e694cf 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: admin Priority: standard Maintainer: Alexandre Pujol Build-Depends: debhelper-compat (= 13), - golang-any, + golang-go, config-package-dev, just, Homepage: https://github.com/roddhjav/apparmor.d @@ -14,7 +14,7 @@ Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: apparmor-profiles, ${misc:Depends} +Depends: apparmor-profiles, ${misc:Depends}, ${shlibs:Depends} Conflicts: apparmor-profiles-extra, apparmor.d.enforced, Description: Full set of AppArmor profiles (complain mode) apparmor.d is a set of over 2000 AppArmor policies whose aim is to confine @@ -22,7 +22,7 @@ Description: Full set of AppArmor profiles (complain mode) Package: apparmor.d.enforced Architecture: any -Depends: apparmor-profiles, ${misc:Depends} +Depends: apparmor-profiles, ${misc:Depends}, ${shlibs:Depends} Conflicts: apparmor-profiles-extra, apparmor.d, Description: Full set of AppArmor profiles (enforced mode) apparmor.d is a set of over 2000 AppArmor policies whose aim is to confine diff --git a/debian/rules b/debian/rules index b372ddd27d..7c54d4aae5 100755 --- a/debian/rules +++ b/debian/rules @@ -3,18 +3,42 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,relro,-z,now + +# Include hardening flags +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + +# Pass hardening flags to Go +export CGO_CFLAGS := $(CFLAGS) +export CGO_LDFLAGS := $(LDFLAGS) +export GOFLAGS := -buildmode=pie -trimpath -mod=readonly -tags=dev + %: dh $@ --with=config-package # golang/1.19 compresses debug symbols itself. override_dh_dwz: -override_dh_installdeb: - for pkgname in apparmor.d apparmor.d.enforced; do \ - install -D debian/common.postinst debian/$${pkgname}/DEBIAN/postinst; \ - install -D debian/common.postrm debian/$${pkgname}/DEBIAN/postrm; \ +# Disable golang buildsystem auto-detection. +# Debhelper auto-detects Go projects from go.mod and tries to use the golang +# buildsystem, which creates symlink structures incompatible with //go:embed. +# We use 'just' for building with manual hardening flags instead. +override_dh_auto_configure: +override_dh_auto_test: + +override_dh_install: + dh_install + for pkgname in $(shell dh_listpackages); do \ + cp debian/common.hide debian/$${pkgname}.hide; \ + cp debian/common.postinst debian/$${pkgname}.postinst; \ + cp debian/common.postrm debian/$${pkgname}.postrm; \ done - dh_installdeb + +override_dh_fixperms: + dh_fixperms + find debian/*/usr/share -type d -empty -delete override_dh_auto_build: just build=.build/enforce enforce From 43a6eddd8b68482d6bedb95f1f4e5e78bbcc355c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Dec 2025 19:18:25 +0100 Subject: [PATCH 1225/1736] build(debian): remove debian 12 docker, add ubuntu 26.04 --- dists/docker.sh | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/dists/docker.sh b/dists/docker.sh index 8d044c2e9a..6557402311 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -85,14 +85,6 @@ build_in_docker_dpkg() { sed -i -e "s/just complain/just complain-test/" "$VOLUME/$PKGNAME/debian/rules" fi - # Adjustments for development releases - case "$release" in - 26.04) - img="$PREFIX${dist}25.10" - ;; - *) ;; - esac - if _exist "$img"; then if ! _is_running "$img"; then _start "$img" @@ -102,11 +94,7 @@ build_in_docker_dpkg() { docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ --env DISTRIBUTION="$target" "$BASEIMAGE/$dist:$release" docker exec "$img" sudo apt-get update -q - docker exec "$img" sudo apt-get install -y config-package-dev lsb-release libdistro-info-perl - if [[ "$dist" == debian && "$release" == "12" ]]; then - aptopt=(-t bookworm-backports) - fi - docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go + docker exec "$img" sudo apt-get install -y config-package-dev lsb-release libdistro-info-perl golang-go fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" just build-dpkg From d2c75b8fd7c7eb74051f96d52890aa75d23c3e04 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Dec 2025 20:35:26 +0100 Subject: [PATCH 1226/1736] build(debian): disable dbgsym. --- debian/rules | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/debian/rules b/debian/rules index 7c54d4aae5..f862a2d703 100755 --- a/debian/rules +++ b/debian/rules @@ -11,6 +11,7 @@ DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk # Pass hardening flags to Go +export CGO_CPPFLAGS := $(CPPFLAGS) export CGO_CFLAGS := $(CFLAGS) export CGO_LDFLAGS := $(LDFLAGS) export GOFLAGS := -buildmode=pie -trimpath -mod=readonly -tags=dev @@ -28,6 +29,9 @@ override_dh_dwz: override_dh_auto_configure: override_dh_auto_test: +override_dh_strip: + dh_strip --no-automatic-dbgsym + override_dh_install: dh_install for pkgname in $(shell dh_listpackages); do \ From 985afe8d9d4ceb89ecfa5984ad5572fc3cdae764 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Dec 2025 20:36:17 +0100 Subject: [PATCH 1227/1736] build(debian): set distribution prefix. --- Justfile | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Justfile b/Justfile index 2832758d7c..29bf86767b 100644 --- a/Justfile +++ b/Justfile @@ -222,6 +222,16 @@ build-pkg: (_ensure_pkgdest) # Build the package on Debian [group('packages')] build-dpkg: (_ensure_pkgdest) + #!/usr/bin/env bash + set -eu -o pipefail + version=`just version` + suffix="" + if dpkg-vendor --is Ubuntu; then + suffix="ubuntu1~$(lsb_release -sr)" + elif dpkg-vendor --is Debian; then + suffix="~deb$(lsb_release -sr)" + fi + dch --urgency=medium --newversion="$version-$suffix" --distribution=`lsb_release -sc` --controlmaint "Release $version-$suffix" dpkg-buildpackage -b -d {{ if sign == "true" { "--sign-key=" + gpgkey } else { "--no-sign" } }} lintian --color always --display-info --pedantic --tag-display-limit 0 || true mv ../{{pkgname}}*.deb {{pkgdest}}/ From 1e3166638d018c93c8661256c1e573515ff4c44e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Dec 2025 20:51:55 +0100 Subject: [PATCH 1228/1736] build: minor build improvments. --- Justfile | 10 ++++++---- dists/docker.sh | 9 ++++----- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/Justfile b/Justfile index 29bf86767b..31bee761f1 100644 --- a/Justfile +++ b/Justfile @@ -241,17 +241,19 @@ build-dpkg: (_ensure_pkgdest) build-rpm: (_ensure_pkgdest) #!/usr/bin/env bash set -eu -o pipefail - RPMBUILD_ROOT=$(mktemp -d /tmp/$PKGNAME.XXXXXX) + RPMBUILD_ROOT=$(mktemp -d /tmp/{{pkgname}}.XXXXXX) ARCH=$(uname -m) VERSION="$(just version)" + echo "Building {{pkgname}} version $VERSION for $ARCH architecture" readonly RPMBUILD_ROOT ARCH VERSION mkdir -p "$RPMBUILD_ROOT"/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS/tmp} - cp -p "dists/$PKGNAME.spec" "$RPMBUILD_ROOT/SPECS" - tar -czf "$RPMBUILD_ROOT/SOURCES/$PKGNAME-$VERSION.tar.gz" --transform "s,^,$PKGNAME-$VERSION/," ./* + cp -p "dists/{{pkgname}}.spec" "$RPMBUILD_ROOT/SPECS" + tar -czf "$RPMBUILD_ROOT/SOURCES/{{pkgname}}-$VERSION.tar.gz" --transform "s,^,{{pkgname}}-$VERSION/," ./* cd "$RPMBUILD_ROOT" - rpmbuild -bb --define "_topdir $RPMBUILD_ROOT" "SPECS/$PKGNAME.spec" + sed -i "s/^Version:.*/Version: $VERSION/" "SPECS/{{pkgname}}.spec" + rpmbuild -bb --define "_topdir $RPMBUILD_ROOT" "SPECS/{{pkgname}}.spec" mv "$RPMBUILD_ROOT/RPMS/$ARCH/"*.rpm "{{pkgdest}}/" rm -rf "$RPMBUILD_ROOT" diff --git a/dists/docker.sh b/dists/docker.sh index 6557402311..580fcf4549 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -15,13 +15,12 @@ readonly PREFIX="builder-" readonly PKGNAME=apparmor.d readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp -readonly OUTDIR=".pkg" +readonly OUTPUT=".pkg" readonly DISTRIBUTION="$1" RELEASE="${2:-}" FLAVOR="${3:-}" PACKAGER="$(git config user.name) <$(git config user.email)>" [[ "$RELEASE" == "-" ]] && RELEASE="" -readonly OUTPUT="$PWD/$OUTDIR/$DISTRIBUTION/$RELEASE" readonly RELEASE FLAVOR PACKAGER _start() { @@ -69,7 +68,7 @@ build_in_docker_makepkg() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" just build-pkg - mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME"*.pkg.* "$OUTPUT" + mv "$VOLUME/$PKGNAME/$OUTPUT/$PKGNAME"*.pkg.* "$OUTPUT" } build_in_docker_dpkg() { @@ -98,7 +97,7 @@ build_in_docker_dpkg() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" just build-dpkg - mv "$VOLUME/$PKGNAME/$OUTDIR/${PKGNAME}"*.deb "$OUTPUT" + mv "$VOLUME/$PKGNAME/$OUTPUT/$PKGNAME"*.deb "$OUTPUT" } build_in_docker_rpm() { @@ -117,7 +116,7 @@ build_in_docker_rpm() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" just build-rpm - mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME-"*.rpm "$OUTPUT" + mv "$VOLUME/$PKGNAME/$OUTPUT/$PKGNAME"*.rpm "$OUTPUT" } main() { From 08b84c433ae6c37a684526fa0b4a6d3f2b337fba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Dec 2025 21:20:32 +0100 Subject: [PATCH 1229/1736] build(debian): set revision number for debian. --- Justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 31bee761f1..4a832cd9ad 100644 --- a/Justfile +++ b/Justfile @@ -229,7 +229,7 @@ build-dpkg: (_ensure_pkgdest) if dpkg-vendor --is Ubuntu; then suffix="ubuntu1~$(lsb_release -sr)" elif dpkg-vendor --is Debian; then - suffix="~deb$(lsb_release -sr)" + suffix="1+deb$(lsb_release -sr)" fi dch --urgency=medium --newversion="$version-$suffix" --distribution=`lsb_release -sc` --controlmaint "Release $version-$suffix" dpkg-buildpackage -b -d {{ if sign == "true" { "--sign-key=" + gpgkey } else { "--no-sign" } }} From bee148f2f7c7715187c16431817c06988312d719 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 00:10:36 +0100 Subject: [PATCH 1230/1736] build(debian): fix goflags and diverted paths. --- debian/rules | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/debian/rules b/debian/rules index f862a2d703..e091888d09 100755 --- a/debian/rules +++ b/debian/rules @@ -14,7 +14,7 @@ include /usr/share/dpkg/buildflags.mk export CGO_CPPFLAGS := $(CPPFLAGS) export CGO_CFLAGS := $(CFLAGS) export CGO_LDFLAGS := $(LDFLAGS) -export GOFLAGS := -buildmode=pie -trimpath -mod=readonly -tags=dev +export GOFLAGS := -buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw %: dh $@ --with=config-package @@ -40,10 +40,6 @@ override_dh_install: cp debian/common.postrm debian/$${pkgname}.postrm; \ done -override_dh_fixperms: - dh_fixperms - find debian/*/usr/share -type d -empty -delete - override_dh_auto_build: just build=.build/enforce enforce just build=.build/complain complain From e470412d9475b5ac456fccbdea9ba6c740f12521 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 00:11:22 +0100 Subject: [PATCH 1231/1736] build(ubuntu): add build details for ubuntu 26.04 --- cmd/prebuild/main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 455621e5ba..345e9fa562 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -52,6 +52,9 @@ func init() { case "questing": prebuild.ABI = 4 prebuild.Version = 5.0 + case "resolute": + prebuild.ABI = 4 + prebuild.Version = 5.0 } case "debian": From 0c26e27dcd25c0097e45eebbe0394e775332b657 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 00:24:23 +0100 Subject: [PATCH 1232/1736] ci: update ci build jobs. --- .github/workflows/main.yml | 2 +- .gitlab-ci.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 028b03695c..3a0f2261db 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -42,7 +42,7 @@ jobs: - name: Build the apparmor.d package run: | - bash dists/build.sh dpkg + just build-dpkg - name: Install apparmor.d run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6f7ef41e0e..e5ac2f9ceb 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -84,7 +84,7 @@ debian: - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - - bash dists/build.sh dpkg + - just build-dpkg artifacts: expire_in: 1 day paths: @@ -99,7 +99,7 @@ ubuntu: - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - - bash dists/build.sh dpkg + - just build-dpkg artifacts: expire_in: 1 day paths: @@ -118,7 +118,7 @@ opensuse: script: - mkdir -p "$PKGDEST" - sudo zypper install -y distribution-release golang-packaging apparmor-profiles - - bash dists/build.sh rpm + - just build-rpm artifacts: expire_in: 1 day paths: From 045f4710436df4595b3cdc15a9d0f4797a1860ed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 21:28:31 +0100 Subject: [PATCH 1233/1736] doc: update install methods. --- docs/enforce.md | 75 +++++++++++++++++++-------------- docs/install.md | 110 ++++++++++++++++++------------------------------ 2 files changed, 86 insertions(+), 99 deletions(-) diff --git a/docs/enforce.md b/docs/enforce.md index 51eec0980f..cd72646457 100644 --- a/docs/enforce.md +++ b/docs/enforce.md @@ -11,58 +11,71 @@ The default package configuration installs all profiles in *complain* mode. This - When reporting an issue, you **must** ensure the affected profiles are in complain mode. +**Prerequisite** + +As the `enforced` version of the package conficts with the default `apparmor.d` package, you need to uninstall it first: + === ":material-arch: Archlinux" - In the `PKGBUILD`, replace `just complain` by `just enforce`: + ```sh + sudo pacman -R apparmor.d + ``` + +=== ":material-ubuntu: Ubuntu" - ```diff - - just complain - + just enforce + ```sh + sudo apt purge apparmor.d ``` - Then, build the package with: `just pkg` +=== ":material-debian: Debian" -=== ":material-ubuntu: Ubuntu" + ```sh + sudo apt purge apparmor.d + ``` - In `debian/rules`, replace `just complain` by `just enforce`: +=== ":simple-suse: openSUSE" - ```diff - override_dh_auto_build: - - just complain - override_dh_auto_build: - + just enforce + ```sh + sudo zypper remove apparmor.d ``` - Then, build the package with: `just dpkg` -=== ":material-debian: Debian" - - In `debian/rules`, replace `just complain` by `just enforce`: - - ```diff - override_dh_auto_build: - - just complain - override_dh_auto_build: - + just enforce +**Installation** + +=== ":material-arch: Archlinux" + + `apparmor.d.enforced` is available in the [Arch User Repository][aur]: + + ```sh + yay -S apparmor.d.enforced # or your preferred AUR install method ``` - Then, build the package with: `just dpkg` +=== ":material-ubuntu: Ubuntu" -=== ":simple-suse: openSUSE" + Using the [pkg.pujol.io][repo] debian repository, install the package: + ```sh + sudo apt install apparmor.d.enforced + ``` - In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`: - ```diff - %build - - just complain - %build - + just enforce +=== ":material-debian: Debian" + + Using the [pkg.pujol.io][repo] debian repository, install the package: + ```sh + sudo apt install apparmor.d.enforced ``` - Then, build the package with: `just rpm` +=== ":simple-suse: openSUSE" + + openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS: + + ```sh + zypper install apparmor.d.enforced + ``` === ":material-home: Partial Install" Use the `just enforce` command to build instead of `just complain` [aur]: https://aur.archlinux.org/packages/apparmor.d-git +[repo]: https://pkg.pujol.io diff --git a/docs/install.md b/docs/install.md index acb8a6c455..7529f6a834 100644 --- a/docs/install.md +++ b/docs/install.md @@ -63,97 +63,69 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf === ":material-arch: Archlinux" - `apparmor.d-git` is available in the [Arch User Repository][aur]: + `apparmor.d` is available in the [Arch User Repository][aur]: ```sh - yay -S apparmor.d-git # or your preferred AUR install method - ``` - - Or without an AUR helper: - - ```sh - git clone https://aur.archlinux.org/apparmor.d-git.git - cd apparmor.d-git - makepkg -si + yay -S apparmor.d # or your preferred AUR install method ``` === ":material-ubuntu: Ubuntu" - Build the package from sources: + `apparmor.d` is available under the [pkg.pujol.io][repo] debian repository. + The repository is signed with my [GPG key][keys]. Configure it as follows: ```sh - sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git just - git clone https://github.com/roddhjav/apparmor.d.git - cd apparmor.d - dpkg-buildpackage -b -d --no-sign - sudo dpkg -i ../apparmor.d_*.deb + sudo apt-get install wget gnupg + wget -qO - https://pkg.pujol.io/debian/gpgkey \ + | gpg --dearmor \ + | sudo tee /usr/share/keyrings/roddhjav.gpg >/dev/null + cat <<-EOF | sudo tee /etc/apt/sources.list.d/roddhjav.sources + Types: deb + URIs: https://pkg.pujol.io/debian/repo + Suites: $(lsb_release -cs) + Components: main + Signed-By: /usr/share/keyrings/roddhjav.gpg + EOF + sudo apt-get update ``` - !!! tip - - If you have `devscripts` installed, you can use the one liner: - - ```sh - just dpkg - ``` - - !!! note - - **Ubuntu 24.04 user will need to:** - - Install [just](https://github.com/casey/just). E.g: - ```sh - pipx install rust-just - ``` + Install the package: + ```sh + sudo apt install apparmor.d + ``` !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. - - If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. + Only Ubuntu `24.04`, `25.10`, and `26.04` are currently supported. === ":material-debian: Debian" - Build the package from sources: + `apparmor.d` is available under the [pkg.pujol.io][repo] debian repository. + The repository is signed with my [GPG key][keys]. Configure it as follows: ```sh - sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git just - git clone https://github.com/roddhjav/apparmor.d.git - cd apparmor.d - dpkg-buildpackage -b -d --no-sign - sudo dpkg -i ../apparmor.d_*.deb + sudo apt-get install wget gnupg + wget -qO - https://pkg.pujol.io/debian/gpgkey \ + | gpg --dearmor \ + | sudo tee /usr/share/keyrings/roddhjav.gpg >/dev/null + cat <<-EOF | sudo tee /etc/apt/sources.list.d/roddhjav.sources + Types: deb + URIs: https://pkg.pujol.io/debian/repo + Suites: $(lsb_release -cs) + Components: main + Signed-By: /usr/share/keyrings/roddhjav.gpg + EOF + sudo apt-get update ``` - !!! tip - - If you have `devscripts` installed, you can use the one liner: - - ```sh - just dpkg - ``` - - !!! note - - **Debian 12 user will need to:** - - 1. Install Golang from the backports repository: - ```sh - echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list - sudo apt update - sudo apt install -t bookworm-backports golang-go - ``` - - 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: - ```sh - pipx install rust-just - sed '/just/d' -i debian/control - ``` + Install the package: + ```sh + sudo apt install apparmor.d + ``` !!! warning - **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. - - If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. + Only `trixie` is currently supported. === ":simple-suse: openSUSE" @@ -220,3 +192,5 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf ``` [aur]: https://aur.archlinux.org/packages/apparmor.d-git +[keys]: https://pujol.io/keys +[repo]: https://pkg.pujol.io From 30a243c845d675de2623a8c821b2c48759e28a44 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 21:29:37 +0100 Subject: [PATCH 1234/1736] doc: stop hidding question. --- docs/report.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/report.md b/docs/report.md index e82d4e9e75..34a5ea69d0 100644 --- a/docs/report.md +++ b/docs/report.md @@ -11,7 +11,7 @@ When creating [an issue on Github][newissue], please post a link to the [paste] aa-log -R ``` -??? question "No logs with `aa-log`?" +!!! question "No logs with `aa-log`?" If the log file is empty, check that Auditd is running: @@ -30,7 +30,7 @@ If this command produces nothing, use `-s` to provide all logs since boot time ( aa-log -s -R ``` -??? question "No logs with `aa-log -s`?" +!!! question "No logs with `aa-log -s`?" On certain distributions/configurations, AppArmor logs in journal could be taken over by *auditd* when it is installed. To overcome this, `systemd-journald-audit.socket` could be enabled: From 16b8b83c3bf955e28b145ecea6cbf77e03e94dbb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 21:30:37 +0100 Subject: [PATCH 1235/1736] chore: cleanup .golangci --- .golangci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.golangci.yaml b/.golangci.yaml index 6861d253d5..dc0ca11044 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,6 +1,7 @@ --- version: "2" + linters: settings: staticcheck: @@ -9,7 +10,7 @@ linters: - -SA1019 - -ST1000 exclusions: - paths: + paths: - pkg/paths - tests/cmd/ From f79d01934fc62bcd429017ead1fc70a00880747f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 21:38:45 +0100 Subject: [PATCH 1236/1736] build: remove systemd drop in file for early apparmor load. It has never worked fine as some service cannot be started early enough, or won't wait for apparmor to finish. - replaced by apparmor early load policy - require external configuration. !!! this is a breaking change !!! --- docs/development/build.md | 7 ------- pkg/prebuild/cli/cli.go | 2 -- pkg/prebuild/cli/cli_test.go | 2 -- pkg/prebuild/prepare/core_test.go | 6 ------ pkg/prebuild/prepare/systemd.go | 14 -------------- systemd/early/system/haveged.service | 2 -- systemd/early/system/multipathd.service | 2 -- systemd/early/system/pcscd.service | 2 -- systemd/early/system/systemd-journald.service | 2 -- systemd/early/system/systemd-networkd.service | 2 -- systemd/early/system/systemd-timesyncd.service | 2 -- 11 files changed, 43 deletions(-) delete mode 100644 systemd/early/system/haveged.service delete mode 100644 systemd/early/system/multipathd.service delete mode 100644 systemd/early/system/pcscd.service delete mode 100644 systemd/early/system/systemd-journald.service delete mode 100644 systemd/early/system/systemd-networkd.service delete mode 100644 systemd/early/system/systemd-timesyncd.service diff --git a/docs/development/build.md b/docs/development/build.md index e801553737..c7ce93d130 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -37,7 +37,6 @@ Prepare tasks: ignore - Ignore profiles and files from: server - Configure AppArmor for server systemd-default - Configure systemd unit drop in files to a profile for some units - systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor attach - Configure tunable for re-attached path Build tasks: @@ -112,12 +111,6 @@ Install systemd unit drop in files from `systemd/default`. They configure the va *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* -### **`systemd-early`** - -Install systemd unit drop in files from `systemd/early` to ensure some services start after AppArmor. THis task will be removed in the future, as it will not be needed any more. - -*Enabled by default. Can be disabled in `pkg/prebuild/cli/cli.go`* - ### **`fsp`** Configure AppArmor for full system policy. diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 1c90de02cb..ade26c6472 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -112,8 +112,6 @@ func Configure() { prepare.Register("fsp") builder.Register("fsp") prebuild.RBAC = true - } else if prebuild.SystemdDir.Exist() { - prepare.Register("systemd-early") } if complain { diff --git a/pkg/prebuild/cli/cli_test.go b/pkg/prebuild/cli/cli_test.go index dab3100204..76d13e5816 100644 --- a/pkg/prebuild/cli/cli_test.go +++ b/pkg/prebuild/cli/cli_test.go @@ -89,8 +89,6 @@ func Test_Prebuild(t *testing.T) { if full { prepare.Register("fsp") builder.Register("fsp") - } else { - prepare.Register("systemd-early") } if complain { diff --git a/pkg/prebuild/prepare/core_test.go b/pkg/prebuild/prepare/core_test.go index ea18d2cd85..a2efc5d955 100644 --- a/pkg/prebuild/prepare/core_test.go +++ b/pkg/prebuild/prepare/core_test.go @@ -76,12 +76,6 @@ func TestTask_Apply(t *testing.T) { wantErr: false, wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/dbus.service")}, }, - { - name: "systemd-early", - task: Tasks["systemd-early"], - wantErr: false, - wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/pcscd.service")}, - }, { name: "fsp", task: Tasks["fsp"], diff --git a/pkg/prebuild/prepare/systemd.go b/pkg/prebuild/prepare/systemd.go index b7646e4bf2..ece1929d55 100644 --- a/pkg/prebuild/prepare/systemd.go +++ b/pkg/prebuild/prepare/systemd.go @@ -13,10 +13,6 @@ type SystemdDefault struct { prebuild.Base } -type SystemdEarly struct { - prebuild.Base -} - func init() { RegisterTask(&SystemdDefault{ Base: prebuild.Base{ @@ -24,18 +20,8 @@ func init() { Msg: "Configure systemd unit drop in files to a profile for some units", }, }) - RegisterTask(&SystemdEarly{ - Base: prebuild.Base{ - Keyword: "systemd-early", - Msg: "Configure systemd unit drop in files to ensure some service start after apparmor", - }, - }) } func (p SystemdDefault) Apply() ([]string, error) { return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("default"), prebuild.Root.Join("systemd")) } - -func (p SystemdEarly) Apply() ([]string, error) { - return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("early"), prebuild.Root.Join("systemd")) -} diff --git a/systemd/early/system/haveged.service b/systemd/early/system/haveged.service deleted file mode 100644 index 544fb7da8d..0000000000 --- a/systemd/early/system/haveged.service +++ /dev/null @@ -1,2 +0,0 @@ -[Unit] -After=apparmor.service diff --git a/systemd/early/system/multipathd.service b/systemd/early/system/multipathd.service deleted file mode 100644 index 544fb7da8d..0000000000 --- a/systemd/early/system/multipathd.service +++ /dev/null @@ -1,2 +0,0 @@ -[Unit] -After=apparmor.service diff --git a/systemd/early/system/pcscd.service b/systemd/early/system/pcscd.service deleted file mode 100644 index 544fb7da8d..0000000000 --- a/systemd/early/system/pcscd.service +++ /dev/null @@ -1,2 +0,0 @@ -[Unit] -After=apparmor.service diff --git a/systemd/early/system/systemd-journald.service b/systemd/early/system/systemd-journald.service deleted file mode 100644 index cd28405714..0000000000 --- a/systemd/early/system/systemd-journald.service +++ /dev/null @@ -1,2 +0,0 @@ -[Unit] -After=apparmor.service \ No newline at end of file diff --git a/systemd/early/system/systemd-networkd.service b/systemd/early/system/systemd-networkd.service deleted file mode 100644 index cd28405714..0000000000 --- a/systemd/early/system/systemd-networkd.service +++ /dev/null @@ -1,2 +0,0 @@ -[Unit] -After=apparmor.service \ No newline at end of file diff --git a/systemd/early/system/systemd-timesyncd.service b/systemd/early/system/systemd-timesyncd.service deleted file mode 100644 index cd28405714..0000000000 --- a/systemd/early/system/systemd-timesyncd.service +++ /dev/null @@ -1,2 +0,0 @@ -[Unit] -After=apparmor.service \ No newline at end of file From bc6b60d5b97bfb2b52c1547adbfe1ea31e162c96 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 21:47:19 +0100 Subject: [PATCH 1237/1736] ci: only install one version of the packages. --- .gitlab-ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e5ac2f9ceb..db7c5ce575 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,6 +1,7 @@ --- variables: + PKGNAME: apparmor.d PKGDEST: $CI_PROJECT_DIR/.pkg PACKAGER: 'Alexandre Pujol ' @@ -135,7 +136,7 @@ preprocess-archlinux: - archlinux script: - pacman -Syu --noconfirm --noprogressbar apparmor - - pacman -U --noconfirm --noprogressbar $PKGDEST/* + - pacman -U --noconfirm --noprogressbar $PKGDEST/${PKGNAME}-* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null preprocess-debian: @@ -146,7 +147,7 @@ preprocess-debian: script: - apt-get update -q - apt-get install -y apparmor apparmor-profiles - - dpkg --install $PKGDEST/* + - dpkg --install $PKGDEST/${PKGNAME}_* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null preprocess-ubuntu: @@ -157,7 +158,7 @@ preprocess-ubuntu: script: - apt-get update -q - apt-get install -y apparmor apparmor-profiles - - dpkg --install $PKGDEST/* + - dpkg --install $PKGDEST/${PKGNAME}_* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null .preprocess-whonix: From ed63d59e65b8f83027a84179d95f8f066da0c354 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 23:52:56 +0100 Subject: [PATCH 1238/1736] build: add repo recipie to start an update of the repo pkg. --- Justfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Justfile b/Justfile index 4a832cd9ad..c595f7afe2 100644 --- a/Justfile +++ b/Justfile @@ -625,6 +625,11 @@ publish: {{pkgdest}}/{{pkgname}}-$version.tar.gz \ {{pkgdest}}/{{pkgname}}-$version.tar.gz.asc +# Create & upload new release packages to the repositories +[group('release')] +repo path="../../Packages": + just --justfile {{path}}/pkgbuilds/Justfile publish {{pkgname}} `just version` + just --justfile {{path}}/repo.pujol.io/Justfile publish {{pkgname}} `just version` _ensure_pkgdest: @mkdir -p {{pkgdest}} From 168ae72b895d38bee9acec073498c139e2fa5633 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Dec 2025 23:58:54 +0100 Subject: [PATCH 1239/1736] fix: linte issue. --- apparmor.d/profiles-g-l/goxray_cli | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/goxray_cli b/apparmor.d/profiles-g-l/goxray_cli index fa8e1ad8f1..680e7da08b 100644 --- a/apparmor.d/profiles-g-l/goxray_cli +++ b/apparmor.d/profiles-g-l/goxray_cli @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , From 24945d7adb4a5073dc0c7e8e381b2bd58daafbf5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:05:51 +0100 Subject: [PATCH 1240/1736] fix(profile): xdg-open can be used by sandboxed program. Fix #975 --- apparmor.d/abstractions/app/open | 3 +++ apparmor.d/groups/freedesktop/xdg-open | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 541e738ad1..3713a94cfa 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -35,7 +35,10 @@ include include + /etc/xdg/menus/*.menu r, + owner @{user_config_dirs}/kioclientrc r, + owner @{user_config_dirs}/menus/*.menu r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index e0265bfde0..d737fd2672 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -10,7 +10,7 @@ abi , include @{exec_path} = @{bin}/xdg-open -profile xdg-open @{exec_path} flags=(attach_disconnected) { +profile xdg-open @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include From 38e90221e0834019c48699900f7edf9efe7df4e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:08:57 +0100 Subject: [PATCH 1241/1736] fix(profile): evince Save as restriction fix #935 --- apparmor.d/groups/polkit/pkexec | 1 + apparmor.d/profiles-a-f/evince | 1 + 2 files changed, 2 insertions(+) diff --git a/apparmor.d/groups/polkit/pkexec b/apparmor.d/groups/polkit/pkexec index 8c6d868da8..54d6f7b13d 100644 --- a/apparmor.d/groups/polkit/pkexec +++ b/apparmor.d/groups/polkit/pkexec @@ -28,6 +28,7 @@ profile pkexec @{exec_path} { /etc/default/locale r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 26087734a4..c659cedf6b 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -47,6 +47,7 @@ profile evince @{exec_path} { owner @{tmp}/evince-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, owner @{tmp}/gtkprint@{rand6} rw, + owner @{tmp}/org.gnome.Evince-@{int}/{,**} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, From db3124301944e5e01668ff52832ff9aa751b8aa9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:10:54 +0100 Subject: [PATCH 1242/1736] feat(profile): improve firefox bases profiles. --- apparmor.d/abstractions/app/firefox | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7a6747a63b..508f6abb05 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -20,6 +20,7 @@ abi , include + include include include include @@ -121,6 +122,8 @@ owner @{tmp}/tmpaddon rw, owner @{tmp}/tmpaddon-@{int} r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner /dev/shm/org.chromium.@{rand6} rw, owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, @@ -177,6 +180,7 @@ deny owner @{HOME}/.* r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, + deny @{PROC}/pressure/* r, profile gstreamer { include From 0bfc403db9c03d91770c0d1714739cdbbc80919b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:13:18 +0100 Subject: [PATCH 1243/1736] feat(profile): add initial profile for sudo-rs. --- apparmor.d/abstractions/app/sudo-rs | 53 +++++++++++++++++++++++++ apparmor.d/abstractions/base.d/complete | 1 + apparmor.d/profiles-s-z/sudo-rs | 33 +++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 apparmor.d/abstractions/app/sudo-rs create mode 100644 apparmor.d/profiles-s-z/sudo-rs diff --git a/apparmor.d/abstractions/app/sudo-rs b/apparmor.d/abstractions/app/sudo-rs new file mode 100644 index 0000000000..987dc3732c --- /dev/null +++ b/apparmor.d/abstractions/app/sudo-rs @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for sudo-rs. + + abi , + + include + include + include + include + + capability audit_write, + capability dac_override, + capability dac_read_search, + capability net_admin, + capability setgid, + capability setuid, + + network (create receive send) netlink raw, + + unix type=stream addr=@@{udbus}/bus/sudo/system, + + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + + @{bin}/sudo mr, + @{bin}/sudo-rs mr, + + @{etc_ro}/sudo.conf r, + @{etc_ro}/sudoers r, + @{etc_ro}/sudoers.d/{,*} r, + + /etc/machine-id r, + + owner @{run}/sudo-rs/ w, + owner @{run}/sudo-rs/ts/ w, + owner @{run}/sudo-rs/ts/@{uid} rwk, + + @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/random/boot_id r, + + /dev/ptmx rwk, + /dev/tty rwk, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 311d51d0e7..4c6f3be7c3 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -25,6 +25,7 @@ # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd signal receive peer=su, signal receive peer=sudo, + signal receive peer=sudo-rs, signal receive set=(cont,term,kill,stop) peer=gnome-shell, signal receive set=(cont,term,kill,stop) peer=login, signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, diff --git a/apparmor.d/profiles-s-z/sudo-rs b/apparmor.d/profiles-s-z/sudo-rs new file mode 100644 index 0000000000..bd4c2d985b --- /dev/null +++ b/apparmor.d/profiles-s-z/sudo-rs @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/sudo-rs @{lib}/cargo/bin/sudo +profile sudo-rs @{exec_path} { + include + include + include + + capability sys_ptrace, # optional: no audit + + ptrace read, + + signal send set=(winch, hup, term), + + @{exec_path} mr, + @{bin}/env ix, + @{bin}/tee m, + + @{bin}/@{shells} rUx, + @{lib}/** PUx, + /opt/*/** PUx, + /snap/snapd/@{int}@{bin}/snap rPUx, + + include if exists +} + +# vim:syntax=apparmor From b92955662a826e16523c0ee02c6cce1f56deaf82 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:14:23 +0100 Subject: [PATCH 1244/1736] fix(profile): ensure electron based profile can communicate with their own crashpad_handler. --- apparmor.d/abstractions/common/electron | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index beb7bcf07d..52fbf5344e 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -101,7 +101,7 @@ profile crashpad_handler flags=(attach_disconnected) { include - unix (send receive) type=seqpacket peer=(label=@{profile_name}), + unix (send receive) type=seqpacket peer=(label=@{name}), @{lib}/electron@{int}/chrome_crashpad_handler mr, @{lib_dirs}/chrome_crashpad_handler mr, From 30356f691d9823fb3c6f02bc24ff738f25c6ae5f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:15:35 +0100 Subject: [PATCH 1245/1736] feat(abs): minor update on some abs. --- apparmor.d/abstractions/development | 2 ++ apparmor.d/abstractions/devtools | 3 +++ apparmor.d/abstractions/screen-inhibit | 4 ++-- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index 9610f3131c..2641ad48c2 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -48,6 +48,8 @@ owner @{tmp}/*tests*/** rwlk, owner @{tmp}/*tests*/** mix, + @{PROC}/sys/kernel/osrelease r, + # Allow reading CPU cgroup limits @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, diff --git a/apparmor.d/abstractions/devtools b/apparmor.d/abstractions/devtools index 2a7b177b63..06995033d7 100644 --- a/apparmor.d/abstractions/devtools +++ b/apparmor.d/abstractions/devtools @@ -11,9 +11,11 @@ owner @{HOME}/.*@{devtools}* rw, owner @{HOME}/.*@{devtools}*/ rw, owner @{HOME}/.*@{devtools}*/** rwlk, + owner @{HOME}/.*@{devtools}*/** mix, owner @{HOME}/*@{devtools}*/ rw, owner @{HOME}/*@{devtools}*/** rwlk, + owner @{HOME}/.*@{devtools}*/** mix, owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/*@{devtools}*/ rw, @@ -33,6 +35,7 @@ owner @{tmp}/*@{devtools}* rw, owner @{tmp}/*@{devtools}*/ rw, owner @{tmp}/*@{devtools}*/** rwlk, + owner @{tmp}/*@{devtools}*/** mix, include if exists diff --git a/apparmor.d/abstractions/screen-inhibit b/apparmor.d/abstractions/screen-inhibit index 1b7368ff4a..8a4d288dd1 100644 --- a/apparmor.d/abstractions/screen-inhibit +++ b/apparmor.d/abstractions/screen-inhibit @@ -18,12 +18,12 @@ dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="@{busname},org.gnome.SessionManager", label="@{p_gnome_session}"), dbus send bus=session path=/ScreenSaver interface=org.gnome.ScreenSaver member=SimulateUserActivity - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="@{busname},org.gnome.SessionManager", label="@{p_gnome_session}"), # Generic freedesktop, not using bus/session/org.freedesktop.ScreenSaver as # it allows too much From 5759ff58bcc4de6988bca90787595774c89f54ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:17:06 +0100 Subject: [PATCH 1246/1736] feat(profile): update cups profiles. --- apparmor.d/groups/cups/cups-backend-implicitclass | 1 + apparmor.d/groups/cups/cups-backend-ipp | 12 ++++++++++++ apparmor.d/groups/cups/cupsd | 1 + 3 files changed, 14 insertions(+) diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index e37ee84098..b6f0379701 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -23,6 +23,7 @@ profile cups-backend-implicitclass @{exec_path} { signal receive set=term peer=cupsd, + unix type=stream peer=(label=cups-backend-ipp), unix type=stream peer=(label=cupsd), @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index 2902611d6b..cb50c6ad84 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -9,9 +9,21 @@ include @{exec_path} = @{lib}/cups/backend/ipp profile cups-backend-ipp @{exec_path} { include + include include include + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + # TODO: + # network (receive,send,setopt) inet dgram peer=(port=53), + # network (receive,send,setopt) inet stream peer=(port=631), + + unix type=stream peer=(label=cups-backend-implicitclass), + @{exec_path} mr, /etc/papersize r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 057054e078..557ade6d00 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -50,6 +50,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal send set=term peer=cups-notifier-dbus, unix type=stream peer=(label=cups-backend-*), + unix type=stream peer=(label=ippfind), @{exec_path} mr, From 90f09ab647d7cc70ec7d73e93b74fef4192f8a50 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:19:56 +0100 Subject: [PATCH 1247/1736] feat(profile): update some desktop related profiles. --- apparmor.d/groups/firewall/firewall-applet | 3 +++ .../freedesktop/xdg-desktop-portal-gnome | 25 +++++++++++++++++++ apparmor.d/groups/freedesktop/xdg-email | 4 +-- apparmor.d/groups/gnome/gjs | 1 + apparmor.d/groups/gnome/papers | 1 + 5 files changed, 32 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index bd144b7e28..7685a67d2a 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -12,8 +12,11 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { include include include + include include + #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld + @{exec_path} mr, @{bin}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 16382c86f5..2ba3b62ae8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -53,11 +53,18 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { / r, @{bin}/ r, @{bin}/* r, + @{bin}/flatpak rCx -> flatpak, /opt/** r, + @{open_path} rPx -> child-open-any, + /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, + /var/lib/flatpak/app/*/@{arch}/ r, + /var/lib/flatpak/repo/config r, + /var/lib/flatpak/runtime/*/@{arch}/ r, + owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_share_dirs}/applications/{,**} r, @@ -66,10 +73,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{HOME}/*/{,**} rw, owner @{MOUNTS}/ r, + owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, owner @{tmp}/gtkprint_ppd_@{rand6} rw, owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/settings@{rand6}.ini rw, + owner @{tmp}/settings@{rand6}.ini.@{rand6} rw, owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @@ -86,6 +96,21 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + profile flatpak { + include + + @{bin}/flatpak mr, + + /var/lib/flatpak/app/{,*/} r, + /var/lib/flatpak/repo/{,*/} r, + /var/lib/flatpak/runtime/{,*/} r, + + owner @{user_cache_dirs}/flatpak/system-cache/ r, + owner @{user_share_dirs}/flatpak/repo/** r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index cf580ceacb..30db08f329 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xdg-email -profile xdg-email @{exec_path} flags=(complain) { +profile xdg-email @{exec_path} flags=(attach_disconnected) { include include include @@ -41,7 +41,7 @@ profile xdg-email @{exec_path} flags=(complain) { @{open_path} Px -> child-open-email, @{thunderbird_path} Px, - profile bus flags=(complain) { + profile bus flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 20fb65fafe..331e6ab764 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -133,6 +133,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index c87909a476..7d46399fb6 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -33,6 +33,7 @@ profile papers @{exec_path} flags=(attach_disconnected) { /etc/passwd r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{user_config_dirs}/cpdb/print-settings r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, From cab0c8bbe16c1f22e8f9ba00f29495aca2f2bf6d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:26:38 +0100 Subject: [PATCH 1248/1736] feat(profile): various update on some core profiles. --- apparmor.d/groups/gpg/gpg | 2 +- apparmor.d/groups/gpg/gpg-agent | 1 + apparmor.d/groups/network/netplan-generate | 2 +- .../groups/pacman/archlinux-keyring-wkd-sync | 2 -- apparmor.d/groups/pacman/pacman-hook-systemd | 2 -- apparmor.d/groups/polkit/pkttyagent | 1 + apparmor.d/groups/polkit/polkitd | 1 + apparmor.d/groups/snap/snap | 3 ++- apparmor.d/groups/snap/snapd-apparmor | 1 + apparmor.d/groups/systemd/journalctl | 2 ++ apparmor.d/groups/systemd/systemd-machined | 1 + apparmor.d/groups/systemd/systemd-udevd | 3 +++ apparmor.d/profiles-g-l/glxgears | 7 ++----- apparmor.d/profiles-m-r/initramfs-hooks | 11 ++++++----- apparmor.d/profiles-m-r/needrestart-restart | 16 ++++++++++++++-- apparmor.d/profiles-m-r/nvtop | 2 +- apparmor.d/profiles-s-z/virt-manager | 2 ++ apparmor.d/profiles-s-z/whoopsie-preferences | 9 +++++++++ apparmor.d/tunables/multiarch.d/programs | 4 ++-- 19 files changed, 50 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 40746cf83e..eecacef514 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/gpg{,2} -profile gpg @{exec_path} { +profile gpg @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index bb1eb75cbc..8d754e8843 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -53,6 +53,7 @@ profile gpg-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/sshcontrol r, owner @{tmp}/**/{.,}gnupg/ rw, diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 5ed37bf6f1..64bc431823 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -55,7 +55,7 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/net/*/address r, - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index c895b23845..cc452e1ed3 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -18,8 +18,6 @@ profile archlinux-keyring-wkd-sync @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (send receive) type=stream peer=(label=pacman), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 74fc56d6fc..be5261c2c0 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -50,8 +50,6 @@ profile pacman-hook-systemd @{exec_path} { signal send set=(cont, term) peer=systemd-tty-ask-password-agent, - unix (send receive) type=stream peer=(label=pacman), - @{bin}/systemd-tty-ask-password-agent Px, include if exists diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index 67dae193e1..93c157f4cd 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -36,6 +36,7 @@ profile pkttyagent @{exec_path} { @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, @{lib}/polkit-agent-helper-[0-9] rPx, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 8cd7964bca..7517ad5e48 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -35,6 +35,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{bin}/pkla-admin-identities rPx, /usr/share/gvfs/remote-volume-monitors/{,**} r, + /usr/share/polkit-1/polkitd.conf r, /etc/machine-id r, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 5e7cf6ab21..b1379160ad 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -90,7 +90,8 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{user_pkg_dirs}/** r, - owner @{tmp}/read-file@{int}/unpack/{,**} w, + @{tmp}/ r, + owner @{tmp}/read-file@{int}/{,**} w, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index c107cfb11a..652a0c265a 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -26,6 +26,7 @@ profile snapd-apparmor @{exec_path} { /var/lib/snapd/apparmor/profiles/ r, @{sys}/fs/cgroup/system.slice/snapd.apparmor.service/cpu.max r, + @{sys}/fs/cgroup/system.slice/snapd.service/cpu.max r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 55ca7bd212..d8305a5dca 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -26,6 +26,8 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=cockpit-bridge, signal send peer=child-pager, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index b5058e5bdf..ff08812f93 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -61,6 +61,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/systemd/machine/{,**} rwl, @{run}/systemd/machines/{,**} rwl, + @{run}/systemd/resolve.hook/{,**} rwl, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index b574d97f2d..106d2f0451 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -164,6 +164,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/systemd-run/, diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index cfd9f0dac1..2fe222f532 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -10,10 +10,10 @@ include @{exec_path} = @{bin}/glxgears profile glxgears @{exec_path} { include - include - include + include include include + include capability sys_admin, @@ -24,9 +24,6 @@ profile glxgears @{exec_path} { @{exec_path} mr, - owner @{HOME}/.Xauthority r, - owner @{run}/user/@{uid}/xauth_@{rand6} r, - include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 6c79612205..ad9e13907a 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -13,8 +13,11 @@ profile initramfs-hooks @{exec_path} { include include + capability dac_read_search, capability sys_admin, # optional: no audit + mqueue getattr type=posix, + @{exec_path} mr, @{sh_path} rix, @@ -71,11 +74,9 @@ profile initramfs-hooks @{exec_path} { owner /var/tmp/mkinitramfs-EFW_@{rand10} rw, owner /var/tmp/mkinitramfs-EFW_@{rand10}/{,**} rwl, - /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + /tmp/tmp.@{rand10}/mkinitramfs* rw, + /tmp/tmp.@{rand10}/mkinitramfs*/ rw, + /tmp/tmp.@{rand10}/mkinitramfs*/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs*/**, /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/bus/platform/drivers/simple-framebuffer/ r, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index 964ff1a746..3ba9f7b028 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -11,12 +11,24 @@ profile needrestart-restart @{exec_path} { include @{exec_path} mr, - - @{bin}/systemctl Cx -> systemctl, @{sh_path} r, + @{bin}/env mix, + @{bin}/kill Cx -> kill, + @{bin}/systemctl Cx -> systemctl, + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + profile kill { + include + + capability kill, + + @{bin}/kill mr, + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index d132d9d724..88e91c81b7 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 7a093bd1d5..f1d7b45fe8 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -33,6 +33,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + unix type=stream peer=(label=libvirtd), + #aa:dbus own bus=session name=org.virt-manager.virt-manager @{exec_path} rix, diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences index e96dfb29b4..a852cfe573 100644 --- a/apparmor.d/profiles-s-z/whoopsie-preferences +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -12,8 +12,15 @@ profile whoopsie-preferences @{exec_path} { include include + capability net_admin, + #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=polkitd), + @{exec_path} mr, @{bin}/systemctl Cx -> systemctl, @@ -21,6 +28,8 @@ profile whoopsie-preferences @{exec_path} { /etc/whoopsie rw, /etc/whoopsie.@{rand6} rw, + /var/lib/whoopsie/whoopsie-id r, + profile systemctl { include include diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index ef139e03d6..64278a7651 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -17,7 +17,7 @@ # Coreutils programs that should not have dedicated profile. Also includes findutils and diffutils. # The remaining coreutils programs should have profile present in the utils group. -@{coreutils} = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown +@{coreutils} = \[ {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown @{coreutils} += cksum cmp comm cp csplit cut date dd df dir dircolors dirname diff diff3 du echo env expand @{coreutils} += expr factor false find fmt fold {,e,f}grep head hostid id install join link @{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt @@ -28,7 +28,7 @@ @{coreutils} += which{,.debianutils} # Various development tools -@{devtools} = go{,-*} rust gem cargo npm just pip typescript node ansible python pyright +@{devtools} = go{,-*} rust gem cargo npm just pip typescript node ansible python pyright ruby # Python interpreters @{python_version} = 3 3.[0-9] 3.1[0-9] From 4c4d76470693469833fbf747277eaa4d97e3b704 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 00:48:05 +0100 Subject: [PATCH 1249/1736] fix(profile): broken telegram profile. --- apparmor.d/profiles-s-z/telegram-desktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index 53eb1c6c28..9f846ea0a0 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -12,7 +12,7 @@ profile telegram-desktop @{exec_path} { include include include - include + include include include include From c49d1ba67a918543813711044c320a469e0cb152 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Dec 2025 01:03:09 +0100 Subject: [PATCH 1250/1736] Release version 0.4900 --- PKGBUILD | 8 ++++---- debian/changelog | 6 ++++++ dists/apparmor.d.spec | 2 +- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index f336a3cad4..c698aa410c 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -5,13 +5,13 @@ pkgbase=apparmor.d pkgname=( - apparmor.d - # apparmor.d.enforced + apparmor.d + apparmor.d.enforced # apparmor.d.fsp apparmor.d.fsp.enforced # apparmor.d.server apparmor.d.server.enforced # apparmor.d.server.fsp apparmor.d.server.fsp.enforced ) -pkgver=0.0001 +pkgver=0.4900 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') @@ -41,7 +41,7 @@ build() { local -A modes=( # Mapping of modes to just build target. [default]=complain - # [enforced]=enforce + [enforced]=enforce # [fsp]=fsp-complain # [fsp.enforced]=fsp # [server]=server-complain diff --git a/debian/changelog b/debian/changelog index 4ba7f268c2..6c94868045 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apparmor.d (0.4900-1) stable; urgency=medium + + * Release apparmor.d v0.4900 + + -- Alexandre Pujol Tue, 23 Dec 2025 01:03:09 +0100 + apparmor.d (0.001-1) stable; urgency=medium * Release 0.001-1 diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index d608415810..ec1da24452 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -7,7 +7,7 @@ # Warning: for development only, use https://build.opensuse.org/package/show/home:cboltz/apparmor.d for production use. Name: apparmor.d -Version: 0.0001 +Version: 0.4900 Release: 1%{?dist} Summary: Set of over 1500 AppArmor profiles License: GPL-2.0-only From 16d371bcc83c8a15c0ba2f2206aa54264acb5314 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 12:18:00 +0100 Subject: [PATCH 1251/1736] fix(abs): bus rule formation. --- apparmor.d/abstractions/screen-inhibit | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/screen-inhibit b/apparmor.d/abstractions/screen-inhibit index 8a4d288dd1..50320a4fba 100644 --- a/apparmor.d/abstractions/screen-inhibit +++ b/apparmor.d/abstractions/screen-inhibit @@ -18,12 +18,12 @@ dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name="@{busname},org.gnome.SessionManager", label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), dbus send bus=session path=/ScreenSaver interface=org.gnome.ScreenSaver member=SimulateUserActivity - peer=(name="@{busname},org.gnome.SessionManager", label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), # Generic freedesktop, not using bus/session/org.freedesktop.ScreenSaver as # it allows too much From 3c87092ec47eb7c02251f46ed790c42184fbcc31 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 12:19:34 +0100 Subject: [PATCH 1252/1736] feat(abs): dbus: own path can also call /org/freedesktop/DBus/Bus --- apparmor.d/abstractions/bus/accessibility/own | 4 ++-- apparmor.d/abstractions/bus/session/own | 4 ++-- apparmor.d/abstractions/bus/system/own | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own index 2197a3ea17..bf6533cd8d 100644 --- a/apparmor.d/abstractions/bus/accessibility/own +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -10,12 +10,12 @@ abi , - dbus send bus=accessibility path=/{,org/freedesktop/DBus} + dbus send bus=accessibility path=/{,org/freedesktop/DBus,org/freedesktop/DBus/Bus} interface=org.freedesktop.DBus member={ListNames,RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - dbus send bus=accessibility path=/{,org/freedesktop/DBus} + dbus send bus=accessibility path=/{,org/freedesktop/DBus,org/freedesktop/DBus/Bus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own index 2bdc1c63bb..a48e33f123 100644 --- a/apparmor.d/abstractions/bus/session/own +++ b/apparmor.d/abstractions/bus/session/own @@ -10,12 +10,12 @@ abi , - dbus send bus=session path=/{,org/freedesktop/DBus} + dbus send bus=session path=/{,org/freedesktop/DBus,org/freedesktop/DBus/Bus} interface=org.freedesktop.DBus member={ListNames,RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/{,org/freedesktop/DBus} + dbus send bus=session path=/{,org/freedesktop/DBus,org/freedesktop/DBus/Bus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own index 071300e63c..275e904229 100644 --- a/apparmor.d/abstractions/bus/system/own +++ b/apparmor.d/abstractions/bus/system/own @@ -10,12 +10,12 @@ abi , - dbus send bus=system path=/{,org/freedesktop/DBus,/org/freedesktop/DBus/Bus} + dbus send bus=system path=/{,org/freedesktop/DBus,org/freedesktop/DBus/Bus} interface=org.freedesktop.DBus member={ListNames,RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/{,org/freedesktop/DBus,/org/freedesktop/DBus/Bus} + dbus send bus=system path=/{,org/freedesktop/DBus,org/freedesktop/DBus/Bus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), From 5bf41174960bd180aa3c877e93a17427c82043f3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 12:30:42 +0100 Subject: [PATCH 1253/1736] chore(abs): improve documentation of some common rules. --- apparmor.d/abstractions/app/chromium | 25 ++++++++++++++++++++----- apparmor.d/abstractions/common/app | 5 ++++- apparmor.d/abstractions/common/game | 1 + 3 files changed, 25 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 2ee5f6ba76..a66f3acbcf 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -159,13 +159,32 @@ @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, + # This is an information leak but disallowing it leads to developer confusion + # when using the chromium content api file chooser due to a (harmless) glib + # warning and the noisy AppArmor denial. + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + # Reads of oom_adj and oom_score_adj are safe + owner @{PROC}/@{pid}/oom_adj r, + owner @{PROC}/@{pid}/oom_score_adj r, + + # This allows raising the OOM score of other processes owned by the user. + owner @{PROC}/@{pid}/oom_score_adj w, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/pressure/{memory,cpu,io} r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/vmstat r, @@ -174,12 +193,8 @@ owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 9040e838d3..dee388a733 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -84,7 +84,10 @@ # Show the list of active tty @{sys}/devices/virtual/tty/tty@{int}/active r, - # This is an information leak + # This is an information leak but disallowing it leads to developer confusion + # when using the chromium content api file chooser due to a (harmless) glib + # warning and the noisy AppArmor denial. + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, # Reads of oom_adj and oom_score_adj are safe diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 395fe78280..cbc53b4d4b 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -137,6 +137,7 @@ # Allow reading page mapping information for memory profiling owner @{PROC}/@{pid}/pagemap r, + # Allow reading file descriptor info owner @{PROC}/@{pid}/fdinfo/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, From 9db565372b18caa660d7e72cf72a3bb96095572b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 12:52:35 +0100 Subject: [PATCH 1254/1736] feat(profile): various kde profile fixes. see #982 --- apparmor.d/abstractions/wutmp.d/complete | 9 +++++++++ apparmor.d/groups/apt/apt-methods-sqv | 7 +++++-- apparmor.d/groups/bus/dbus-accessibility | 2 ++ apparmor.d/groups/bus/dbus-session | 2 ++ apparmor.d/groups/filesystem/mkswap | 1 + apparmor.d/groups/freedesktop/xorg | 2 ++ apparmor.d/groups/kde/DiscoverNotifier | 5 +++-- apparmor.d/groups/kde/kauth-backlighthelper | 2 +- apparmor.d/groups/kde/kauth-chargethresholdhelper | 2 +- apparmor.d/groups/kde/kauth-discretegpuhelper | 2 +- apparmor.d/groups/kde/kauth-kded-smart-helper | 2 +- apparmor.d/groups/kde/kded | 4 ++-- apparmor.d/groups/kde/plasma_waitforname | 2 +- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/wayland-session | 1 + apparmor.d/profiles-a-f/appstreamcli | 1 + apparmor.d/profiles-m-r/run-parts | 1 + 17 files changed, 35 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/abstractions/wutmp.d/complete diff --git a/apparmor.d/abstractions/wutmp.d/complete b/apparmor.d/abstractions/wutmp.d/complete new file mode 100644 index 0000000000..b1e832262a --- /dev/null +++ b/apparmor.d/abstractions/wutmp.d/complete @@ -0,0 +1,9 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /var/log/ r, + /var/log/wtmp.db rwk, + /var/log/wtmp.db-journal rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv index 0dcd7da0d7..c53ff5925d 100644 --- a/apparmor.d/groups/apt/apt-methods-sqv +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -25,8 +25,11 @@ profile apt-methods-sqv @{exec_path} { @{bin}/sqv ix, /usr/share/apt/default-sequoia.config r, - /usr/share/keyrings/debian-archive-keyring.gpg r, - /usr/share/keyrings/debian-archive-keyring.pgp r, + /usr/share/keyrings/ r, + /usr/share/keyrings/*.{gpg,pgp,asc} r, + + /etc/apt/trusted.gpg.d/ r, + /etc/apt/trusted.gpg.d/*.{gpg,asc} r, owner /var/lib/apt/lists/{,**} r, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 5af2138bce..6dc0872823 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -24,6 +24,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + ptrace read, + signal receive set=(term hup kill) peer=dbus-session, signal receive set=(term hup kill) peer=gdm{,-session-worker}, signal receive set=(term hup kill) peer=gnome-session-binary, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 049eb9fb3f..29e97fd0b3 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -23,6 +23,8 @@ profile dbus-session flags=(attach_disconnected) { signal receive set=(term hup) peer=gdm{,-*}, + ptrace read, + # Internal stack dbus-session//&unconfined signal (send receive) set=kill peer=dbus-system//&unconfined, unix type=stream peer=(label=unconfined), diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/groups/filesystem/mkswap index fa30030f3f..42caeafd2a 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/groups/filesystem/mkswap @@ -18,6 +18,7 @@ profile mkswap @{exec_path} { owner /swapfile rw, owner /swap/swapfile rw, + owner /var/swapfile rw, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index bc6606e976..c75db9e0e3 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -40,6 +40,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) { signal (receive) set=hup peer=gdm-session-worker, signal (receive) set=term peer=gdm{,-session}, + ptrace read peer=xsetroot, + unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*, unix (send, receive, accept) type=stream addr=@/tmp/.X11-unix/*, # all peers diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index a9def8d167..6fa7e736d2 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -43,10 +43,11 @@ profile DiscoverNotifier @{exec_path} { /etc/machine-id r, /etc/flatpak/remotes.d/{,**} r, + /var/lib/apt/lists/* r, /var/lib/flatpak/{,**} r, - /var/cache/swcatalog/cache/ w, - /var/cache/swcatalog/xml/{,**} r, + /var/cache/swcatalog/cache/{,**} rw, + /var/cache/swcatalog/{,**} r, owner @{user_cache_dirs}/appstream/ rw, owner @{user_cache_dirs}/appstream/** rw, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 22d032f476..84684fa522 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}backlighthelper -profile kauth-backlighthelper @{exec_path} { +profile kauth-backlighthelper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 9c39650fb8..8de25da6fe 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper -profile kauth-chargethresholdhelper @{exec_path} { +profile kauth-chargethresholdhelper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index 9acd2124b5..a7be22d818 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper -profile kauth-discretegpuhelper @{exec_path} { +profile kauth-discretegpuhelper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index bf8ddab9be..fe471df541 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}kded-smart-helper -profile kauth-kded-smart-helper @{exec_path} { +profile kauth-kded-smart-helper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 01f85e9cd3..2944e7ddac 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -132,9 +132,9 @@ profile kded @{exec_path} { owner @{HOME}/.var/ w, owner @{HOME}/.var/app/ w, + owner @{HOME}/.var/app/**/org.kde.plasma.browser_integration.json w, + owner @{HOME}/.var/app/**/plasma-browser-integration-host w, owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, - owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, - owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index d32122a8ac..e809e65fd4 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/plasma_waitforname -profile plasma_waitforname @{exec_path} { +profile plasma_waitforname @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index d1bf204e45..bb643a1de3 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -114,7 +114,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**.{png,jpg,svg} r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/* r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_games_dirs}/**.@{icon_ext} r, owner @{user_music_dirs}/**.@{icon_ext} r, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index c07b068156..2c73fa80cc 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -10,6 +10,7 @@ include profile wayland-session @{exec_path} { include include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index f2231479dd..00bc8c27c0 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -15,6 +15,7 @@ profile appstreamcli @{exec_path} flags=(complain) { include capability dac_read_search, + capability mknod, # optional: no audit @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index aca4246774..27fe70ad02 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -102,6 +102,7 @@ profile run-parts @{exec_path} { /etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/postfix rPUx, + /etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/ubuntu-fan rPx, /etc/network/if-up.d/wpasupplicant rPUx, From d7cf51434928cc2a312e77073144f0883f9ef657 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:08:15 +0100 Subject: [PATCH 1255/1736] fix(profile): various profile fixes. see #980 --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/abstractions/app/pkexec | 1 + apparmor.d/abstractions/fish | 4 +++- apparmor.d/groups/freedesktop/plymouthd | 2 +- apparmor.d/groups/freedesktop/wireplumber | 5 +++-- .../groups/gnome/gnome-control-center-print-renderer | 1 + apparmor.d/groups/gnome/gnome-terminal-server | 2 ++ apparmor.d/groups/gnome/gnome-tweaks | 2 ++ apparmor.d/groups/gpg/dirmngr | 10 ++++++---- apparmor.d/groups/network/nmcli | 2 +- apparmor.d/profiles-m-r/rtkit-daemon | 2 ++ apparmor.d/profiles-s-z/wpa-supplicant | 1 + 12 files changed, 24 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 83df22f890..cf4d3271a9 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -9,6 +9,7 @@ include + capability dac_override, capability sys_ptrace, ptrace read, diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec index 4cba81e967..b04a9b53d9 100644 --- a/apparmor.d/abstractions/app/pkexec +++ b/apparmor.d/abstractions/app/pkexec @@ -30,6 +30,7 @@ /etc/shells r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 65f97f9f22..390a4c894e 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -8,10 +8,12 @@ abi , /usr/share/fish/{,**} r, + /usr/share/*-fish-config//{,**} r, /etc/fish/{,**} r, - owner @{user_config_dirs}/fish/{,**} r, + owner @{user_config_dirs}/fish/ rk, + owner @{user_config_dirs}/fish/** r, include if exists diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 0cb07ef504..139b8e557d 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -57,7 +57,7 @@ profile plymouthd @{exec_path} { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/graphics/ r, - @{sys}/devices/virtual/graphics/fbcon/uevent r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/console/active r, @{sys}/firmware/acpi/bgrt/{,*} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index bdf08e263b..1946f1a0e1 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -21,6 +21,8 @@ profile wireplumber @{exec_path} flags=(attach_disconnected) { include include + capability sys_ptrace, + network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, @@ -85,11 +87,10 @@ profile wireplumber @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/status r, - @{PROC}/1/cgroup r, - @{PROC}/1/status r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index f341d8d1bb..37bf83267b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -21,6 +21,7 @@ profile gnome-control-center-print-renderer @{exec_path} { / r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 394a66952b..2139f5fa42 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -13,6 +13,8 @@ profile gnome-terminal-server @{exec_path} { include include include + include + include signal send set=(hup) peer=htop, signal send set=(term hup kill) peer=unconfined, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 7f93b78641..4fbb4d5fa1 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -27,6 +27,8 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { @{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, + @{system_share_dirs}/glib-2.0/schemas/org.gnome.*.gschema.xml r, + /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 2fbdfb086d..ad355e10e5 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -25,16 +25,18 @@ profile dirmngr @{exec_path} { /usr/share/gnupg/sks-keyservers.netCA.pem r, owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/dirmngr.conf r, - owner @{HOME}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/crls.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, + owner @{HOME}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/dirmngr.conf r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/common.conf r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/ rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index b4da14960c..849f38dc5e 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nmcli -profile nmcli @{exec_path} { +profile nmcli @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 85b97533b7..fe3c27b7d0 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -25,6 +25,8 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, + # When applying policies to processes @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index b20c6f1b48..2a987c789c 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -20,6 +20,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { capability mknod, capability net_admin, capability net_raw, + capability sys_admin, # optional: no audit capability sys_module, network inet dgram, From 3eedd689f26fd52d77b17caa47f9beac5efb928c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:08:48 +0100 Subject: [PATCH 1256/1736] fix(profile): stacking of unix_chkpwd --- apparmor.d/groups/polkit/polkit-agent-helper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 46f068d95b..e35ff2599c 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -46,7 +46,7 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, #aa:only apparmor>=4.1 - priority=1 @{sbin}/unix_chkpwd Px -> &unix-chkpwd, + priority=1 @{sbin}/unix_chkpwd Px -> polkit-agent-helper//&unix-chkpwd, owner @{HOME}/.xsession-errors w, From 65bfb9b5fafe7f445394d5750879879b100a258f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:10:32 +0100 Subject: [PATCH 1257/1736] feat(profile): simplify how gnome-session-service open program. see #981 --- apparmor.d/groups/gnome/gnome-session-service | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 163940f79f..c9c193b90b 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -61,7 +61,8 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, - @{sh_path} rPx -> gnome-session-service//shell, + @{sh_path} rix, + @{bin}/env rix, @{lib}/** PUx, @{bin}/** PUx, /opt/*/** PUx, @@ -72,19 +73,6 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { include if exists } - profile shell { - include - - @{sh_path} mr, - - @{bin}/im-launch Px, - @{bin}/input-remapper-control PUx, - - /dev/tty rw, - - include if exists - } - include if exists } From 12ed8b9eb2376b2072eb6fe139d0589769075761 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:13:35 +0100 Subject: [PATCH 1258/1736] feat(abs): improve golang-strict --- apparmor.d/abstractions/golang-strict | 1 + apparmor.d/groups/apparmor/aa-log | 6 +----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/golang-strict b/apparmor.d/abstractions/golang-strict index 14dabb32ba..6c3dcc1304 100644 --- a/apparmor.d/abstractions/golang-strict +++ b/apparmor.d/abstractions/golang-strict @@ -12,6 +12,7 @@ @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 610aa00141..d4af439899 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -10,6 +10,7 @@ include profile aa-log @{exec_path} flags=(attach_disconnected) { include include + include include capability dac_read_search, @@ -21,11 +22,6 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { /var/log/audit/* r, /var/log/syslog* r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, - - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - /dev/tty@{u8} rw, profile journalctl { From 56d5a4bcfe50e0c980106fb2790a97dc21ea9c43 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:18:55 +0100 Subject: [PATCH 1259/1736] fix(profile): fwupd: allow more access on EFI folders. --- apparmor.d/profiles-a-f/fwupd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index a3c28fbd1b..4b18a05cde 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -80,6 +80,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, @{MOUNTS}/@{efi}/{,**} r, @{MOUNTS}/@{efi}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + @{MOUNTS}/**/EFI/ r, @{MOUNTS}/**/EFI/**/ r, @{MOUNTS}/**/EFI/*/.goutputstream-@{rand6} rw, @{MOUNTS}/**/EFI/*/fw/fwupd-*.cap{,.*} rw, From 6244e466a3943294bfb6c2c2ecdae7a10aabbaf4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:19:46 +0100 Subject: [PATCH 1260/1736] feat(abs): add gvfs-metadata --- apparmor.d/abstractions/gvfs-metadata | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/gvfs-metadata diff --git a/apparmor.d/abstractions/gvfs-metadata b/apparmor.d/abstractions/gvfs-metadata new file mode 100644 index 0000000000..a27cf2dd45 --- /dev/null +++ b/apparmor.d/abstractions/gvfs-metadata @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + + owner @{user_share_dirs}/gvfs-metadata/root r, + owner @{user_share_dirs}/gvfs-metadata/root-@{hex8}.log r, + + include if exists + +# vim:syntax=apparmor From 1fdd6c64a6d857dbaa0eddaedd48861c7e8d85fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:47:05 +0100 Subject: [PATCH 1261/1736] fix(profile): small various fixes. see #977 --- apparmor.d/groups/filesystem/udiskie | 5 +++-- apparmor.d/groups/flatpak/flatpak-session-helper | 2 ++ apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland | 1 + apparmor.d/groups/gnome/gcr-prompter | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/pacman/yay | 4 +--- apparmor.d/groups/procps/free | 2 +- apparmor.d/groups/procps/uptime | 2 +- apparmor.d/profiles-a-f/ddcutil | 5 +++-- apparmor.d/profiles-s-z/sensors | 2 +- apparmor.d/profiles-s-z/whoami | 2 +- 11 files changed, 17 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/groups/filesystem/udiskie index 53b726c23b..61e997efb6 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/udiskie -profile udiskie @{exec_path} { +profile udiskie @{exec_path} flags=(attach_disconnected) { include include include @@ -29,9 +29,10 @@ profile udiskie @{exec_path} { owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, # Silencer deny @{lib}/** w, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 1d8514dbb2..a78ef30a18 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -42,6 +42,8 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected,mediate_d /var/lib/flatpak/app/@{appid}/**/@{bin}/** rPx -> flatpak-session-helper-app, /var/lib/flatpak/app/@{appid}/**/@{lib}/** rPx -> flatpak-session-helper-app, + owner @{user_cache_dirs}/.flatpak-helper/{,**} rw, + owner @{user_config_dirs}/mimeapps.list w, owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland index 876825ee4a..15e130f923 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland @@ -33,6 +33,7 @@ profile xdg-desktop-portal-hyprland @{exec_path} { @{sys}/devices/virtual/dmi/id/sys_vendor r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, include if exists } diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index 6bcbd1cc00..9e7af4178f 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -9,7 +9,9 @@ include @{exec_path} = @{lib}/gcr-prompter profile gcr-prompter @{exec_path} { include + include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 9b34d13437..1029bc362e 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -93,6 +93,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/nft rix, + @{sbin}/xtables-legacy-multi rix, @{sbin}/dnsmasq rPx, @{bin}/kmod rCx -> kmod, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index 4606a0aa2e..a154b4acc6 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -10,6 +10,7 @@ include profile yay @{exec_path} { include include + include include include @@ -36,9 +37,6 @@ profile yay @{exec_path} { owner @{user_config_dirs}/yay/{,**} rw, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - profile git { include include diff --git a/apparmor.d/groups/procps/free b/apparmor.d/groups/procps/free index 56075ae1c6..a965e9933d 100644 --- a/apparmor.d/groups/procps/free +++ b/apparmor.d/groups/procps/free @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/free -profile free @{exec_path} { +profile free @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/procps/uptime b/apparmor.d/groups/procps/uptime index 3da204a382..189a3c2f05 100644 --- a/apparmor.d/groups/procps/uptime +++ b/apparmor.d/groups/procps/uptime @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/uptime -profile uptime @{exec_path} { +profile uptime @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index d8cb23a5c1..e1023bb0b1 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ddcutil -profile ddcutil @{exec_path} { +profile ddcutil @{exec_path} flags=(attach_disconnected) { include include include @@ -18,10 +18,11 @@ profile ddcutil @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/find rix, @{bin}/sed rix, + @{bin}/uname rix, @{bin}/xargs rix, - @{bin}/{,e}grep rix, / r, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 8e68860987..aac395c6ce 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/sensors -profile sensors @{exec_path} { +profile sensors @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami index 3fc9e26b44..11c763474f 100644 --- a/apparmor.d/profiles-s-z/whoami +++ b/apparmor.d/profiles-s-z/whoami @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/whoami -profile whoami @{exec_path} { +profile whoami @{exec_path} flags=(attach_disconnected) { include include include From 4d521017a83b3c07ea1499096d990c90a3fc86b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:48:59 +0100 Subject: [PATCH 1262/1736] fix(profile): sensors: add back full hmon access Recent hwmon change were to limited for sensors see #977 --- apparmor.d/profiles-s-z/sensors | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index aac395c6ce..8f8d306aca 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -11,7 +11,7 @@ include profile sensors @{exec_path} flags=(attach_disconnected) { include include - include + include @{exec_path} mr, From 2a69363a6e14a55a231311bd720a97310e47a8e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 13:54:32 +0100 Subject: [PATCH 1263/1736] feat(profile): ensure sudo can start program in user_bin_dirs. --- apparmor.d/profiles-s-z/sudo | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index e1da24f364..75a8e566f6 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -29,6 +29,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { @{lib}/** PUx, /opt/*/** PUx, /snap/snapd/@{int}@{bin}/snap rPUx, + @{user_bin_dirs}/** PUx, @{user_share_dirs}/pipx/venvs/*/bin/* rPUx, /etc/default/locale r, From 18db0484f0e063a4cf62d21cbc72559844363369 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 14:16:10 +0100 Subject: [PATCH 1264/1736] feat(profile): small profile improvments. --- apparmor.d/groups/gnome/gdm | 5 +++++ apparmor.d/groups/gnome/showtime | 2 ++ apparmor.d/groups/network/NetworkManager | 7 ++++--- apparmor.d/groups/network/mullvad-daemon | 6 ++++++ apparmor.d/groups/pacman/makepkg | 6 +++--- apparmor.d/groups/systemd/systemd-coredump | 1 + apparmor.d/groups/systemd/systemd-machine-id-setup | 1 + apparmor.d/groups/virt/dockerd | 2 ++ apparmor.d/profiles-a-f/browserpass | 3 +-- apparmor.d/profiles-a-f/fwupd | 5 +++++ apparmor.d/profiles-g-l/git | 4 ++++ apparmor.d/profiles-g-l/gitstatusd | 10 ++++++++-- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/homebank | 8 +++++++- apparmor.d/profiles-g-l/language-validate | 2 ++ apparmor.d/profiles-m-r/protonmail | 2 +- apparmor.d/profiles-m-r/reprepro | 5 ++++- apparmor.d/profiles-s-z/YACReader | 2 -- apparmor.d/profiles-s-z/thunderbird-vaapitest | 1 + apparmor.d/profiles-s-z/virt-manager | 2 +- apparmor.d/tunables/multiarch.d/paths | 4 ++-- apparmor.d/tunables/multiarch.d/programs | 4 ++-- 22 files changed, 63 insertions(+), 21 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index a8d6a8e5b9..aa8d284517 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -39,6 +39,11 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=ListCachedUsers + peer=(name=org.freedesktop.Accounts), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/showtime b/apparmor.d/groups/gnome/showtime index dd1e7ca076..554e8bdb07 100644 --- a/apparmor.d/groups/gnome/showtime +++ b/apparmor.d/groups/gnome/showtime @@ -29,6 +29,8 @@ profile showtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + profile gstreamer { include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 1029bc362e..1de7ee2638 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -122,15 +122,16 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{att}/ r, /etc/ r, + @{etc_rw}/netplan/50-cloud-init.yaml rw, + @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.[0-9A-Z]* rw, /etc/iproute2/* r, /etc/machine-id r, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, - @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.[0-9A-Z]* rw, /var/lib/iwd/*open* rw, /var/lib/NetworkManager/{,**} rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 7506313ba3..0250779864 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -12,6 +12,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, @@ -32,6 +33,11 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{bin}/ip rix, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 84136638c7..feed4edd9d 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -10,10 +10,8 @@ include profile makepkg @{exec_path} { include include + include include - include - include - include include include include @@ -27,6 +25,8 @@ profile makepkg @{exec_path} { signal send set=winch peer=pacman, signal send set=winch peer=pacman//systemctl, + unix (bind listen) type=stream, + file, @{pager_path} Px -> child-pager, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 722b7d44f9..4ac0e9f16c 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -17,6 +17,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted capability dac_override, capability dac_read_search, + capability kill, capability net_admin, capability setgid, capability setpcap, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 64b622dc36..429365cd38 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -12,6 +12,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { include capability dac_override, + capability net_admin, capability setgid, capability setuid, capability sys_admin, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index b71dd82a2e..aa89239d22 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -62,6 +62,8 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=docker-*, signal send set=term peer=containerd, + #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld + @{exec_path} mrix, @{sbin}/apparmor_parser rPx, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 0379d707d0..66ac964d8f 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native profile browserpass @{exec_path} flags=(attach_disconnected) { include + include include network netlink raw, @@ -25,8 +26,6 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google@{d}/goog-phish-proto-@{int}.vlpset rw, owner @{tmp}/mozilla-temp-@{int} r, - owner @{PROC}/@{pid}/mountinfo r, - # Inherit Silencer deny network inet6, deny network inet, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 4b18a05cde..be4cfefb03 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -49,6 +49,11 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { member=InterfacesAdded peer=(name=@{busname}, label=bluetoothd), + dbus receive bus=system path=/org/bluez/hci0/dev_* + interface=org.bluez.Device1 + member=Disconnected + peer=(name=@{busname}, label=bluetoothd), + @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 6571f18631..73de3fc6bb 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -25,6 +25,10 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send peer=aurpublish, + signal receive set=term peer=code, + + unix (send receive) type=stream peer=(label=claude), + unix (send receive) type=stream peer=(label=code), @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index aabde9cef0..3c359376f6 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -8,12 +8,15 @@ include @{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*} @{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} -profile gitstatusd @{exec_path} { +profile gitstatusd @{exec_path} flags=(attach_disconnected) { include include signal receive set=term peer=*//shell, signal receive set=term peer={,vs}code, + signal receive set=term peer=code-shells, + + unix (send receive) type=stream peer=(label=code), @{exec_path} mr, @@ -28,8 +31,11 @@ profile gitstatusd @{exec_path} { # Silencer deny capability dac_read_search, deny capability dac_override, + deny network netlink raw, + deny /usr/share/{,**} r, deny owner @{HOME}/.*-store/{,**} r, - deny owner @{user_share_dirs}/zed/**/data.mdb rw, + deny owner @{user_config_dirs}/*/logs/{,**} rw, + deny owner @{user_share_dirs}/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 3fc19b36b6..dd8b13c0a7 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -11,8 +11,8 @@ include profile hardinfo @{exec_path} { include include - include include + include include include include diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index 7fbe74040e..6e19043a5e 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -9,8 +9,12 @@ include @{exec_path} = @{bin}/homebank profile homebank @{exec_path} flags=(attach_disconnected) { include - include + include include + include + include + + #aa:dbus own bus=session name=fr.free.mdoyen.HomeBank @{exec_path} mr, @@ -18,6 +22,8 @@ profile homebank @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/homebank/{,**} rw, + owner @{PROC}/@{pid}/cgroup r, + include if exists } diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 3d7383aefc..91f058d27d 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -17,8 +17,10 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/locale rix, + @{bin}/perl r, /usr/share/language-tools/{,*} r, + /usr/share/locale-langpack/{,*} r, include if exists } diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 8a6a2982ed..a36c8b5e65 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -13,7 +13,7 @@ include @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* +@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton?Mail profile protonmail @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index e235e06788..af0e9c9fa2 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -17,11 +17,12 @@ profile reprepro @{exec_path} { @{bin}/gpgconf rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, + @{bin}/zstd ix, /var/cache/apt/archives/*.deb r, owner @{user_projects_dirs}/** r, - owner @{user_build_dirs}/** r, + owner @{user_build_dirs}/** rw, owner @{user_pkg_dirs}/ rw, owner @{user_pkg_dirs}/** rwlk, @@ -46,6 +47,8 @@ profile reprepro @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index 4929587224..fd3942a37b 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -28,8 +28,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/yacreader/{,**} r, - /etc/machine-id r, - owner @{user_books_dirs}/{,**} r, owner @{user_share_dirs}/YACReader/ rw, diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index c93d14bd72..3de90eadda 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -20,6 +20,7 @@ profile thunderbird-vaapitest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{tmp}/org.mozilla.thunderbird/.parentlock w, owner @{tmp}/thunderbird/.parentlock rw, deny @{cache_dirs}/*/startupCache/** r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index f1d7b45fe8..a24ae196da 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -20,6 +20,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -104,7 +105,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { # Silence the noise deny /usr/share/virt-manager/{,**} w, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 410ba3e50e..0865f74a50 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -43,7 +43,7 @@ # Emails @{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name} -@{emails_path} = @{thunderbird_path} @{bin}/@{emails_names} +@{emails_path} = @{thunderbird_path} @{bin}/@{emails_names} "/opt/proton-mail/Proton Mail" # Open @{open_path} = @{bin}/@{open_names} @@ -85,6 +85,6 @@ @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor # Archives -@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z +@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z @{lib}/7zip/7z # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 64278a7651..e26865d20f 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -72,7 +72,7 @@ @{thunderbird_name} = thunderbird{,-bin} @{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name} -@{emails_names} = evolution geary +@{emails_names} = evolution geary proton-mail # File explorers @{file_explorers_names} = dolphin nautilus thunar @@ -96,7 +96,7 @@ @{help_names} = yelp # Terminal emulator -@{terminal_names} = xdg-terminal-exec kgx terminator konsole ptyxis ghostty +@{terminal_names} = xdg-terminal-exec kgx terminator konsole ptyxis ghostty # Backup @{backup_names} = deja-dup borg From 1ff2da7994a32a3fdf26f2bc360430081372dc57 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 14:17:29 +0100 Subject: [PATCH 1265/1736] feat(profile): git: ensure git can handle stacked ssh & gpg. --- apparmor.d/profiles-g-l/git | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 73de3fc6bb..3e7c4a06f4 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -76,8 +76,8 @@ profile git @{exec_path} flags=(attach_disconnected) { @{lib}/code/extensions/git/dist/git-editor.sh rPx, /usr/share/aurpublish/*.hook rPx, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/ssh rCx -> &git//ssh, + @{bin}/gpg{,2} rCx -> &gpg, + @{bin}/ssh rCx -> &ssh, @{editor_path} rCx -> editor, /usr/share/git{,-core}/{,**} r, @@ -100,8 +100,13 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, + # GPG owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{run}/user/@{uid}/keyring/ssh rw, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + owner @{tmp}/.git_vtag_tmp@{rand6} r, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio From e8ac01b2f4ab3f40dafbbaaaedc201e873ad489f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 14:19:31 +0100 Subject: [PATCH 1266/1736] feat(profile): unix-chkpwd: add attach_disconnected It is required when the parent profile itself has the same flag. --- apparmor.d/profiles-s-z/unix-chkpwd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 2a6a941198..14f1177b36 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{sbin}/unix_chkpwd -profile unix-chkpwd @{exec_path} { +profile unix-chkpwd @{exec_path} flags=(attach_disconnected) { include include include From 4c9058338e9bbfd541f7016bb986028bb02221df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 6 Jan 2026 22:28:17 +0100 Subject: [PATCH 1267/1736] feat(profile): update pacman profiles. --- apparmor.d/groups/pacman/mkinitcpio | 6 ++++-- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 179dff8580..ada7ce5a5a 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -28,11 +28,9 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{sbin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, @{bin}/objcopy rix, @@ -41,6 +39,9 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/xz rix, @{bin}/zcat rix, @{bin}/zstd rix, + @{bin}/zstdgrep rix, + @{sbin}/fsck rix, + @{sbin}/ldconfig rix, @{bin}/kmod rPx, @{bin}/plymouth rPx, @@ -75,6 +76,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/* mr, @{bin}/*/ r, @{lib}/ r, + @{lib}/modules/*/kernel/drivers/{,*,*/,**.ko.xz,**.ko.zst} r, @{lib}/plymouth/plymouthd-* mr, @{lib}/systemd/{,**} mr, @{lib}/udev/* mr, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index d31700de14..a122bba9f9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -58,6 +58,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { profile pacman { include + include capability dac_read_search, From 202da46d6f39639b3b7606795c11a6ccc361d25f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 13:24:27 +0100 Subject: [PATCH 1268/1736] refractor: move builder/configure/directive to they own pkg - Preparation for the install part - Needed as some tasks could be used at any stage: prebuild or/and install --- pkg/{prebuild => }/builder/abi.go | 16 ++++++++-------- pkg/{prebuild => }/builder/attach.go | 7 ++++--- pkg/{prebuild => }/builder/base-strict.go | 8 ++++---- pkg/{prebuild => }/builder/complain.go | 8 ++++---- pkg/{prebuild => }/builder/core.go | 6 +++--- pkg/{prebuild => }/builder/core_test.go | 2 +- pkg/{prebuild => }/builder/dbus.go | 12 ++++++------ pkg/{prebuild => }/builder/enforce.go | 8 ++++---- pkg/{prebuild => }/builder/fsp.go | 8 ++++---- pkg/{prebuild => }/builder/hotfix.go | 8 ++++---- pkg/{prebuild => }/builder/userspace.go | 7 ++++--- pkg/{prebuild/prepare => configure}/attach.go | 9 +++++---- pkg/{prebuild/prepare => configure}/configure.go | 11 ++++++----- pkg/{prebuild/prepare => configure}/core.go | 8 ++++---- pkg/{prebuild/prepare => configure}/core_test.go | 4 ++-- pkg/{prebuild/prepare => configure}/flags.go | 9 +++++---- pkg/{prebuild/prepare => configure}/fsp.go | 9 +++++---- pkg/{prebuild/prepare => configure}/ignore.go | 9 +++++---- pkg/{prebuild/prepare => configure}/merge.go | 9 +++++---- pkg/{prebuild/prepare => configure}/overwrite.go | 9 +++++---- pkg/{prebuild/prepare => configure}/server.go | 9 +++++---- .../prepare => configure}/synchronise.go | 9 +++++---- pkg/{prebuild/prepare => configure}/systemd.go | 9 +++++---- pkg/{prebuild => }/directive/core.go | 6 +++--- pkg/{prebuild => }/directive/core_test.go | 2 +- pkg/{prebuild => }/directive/dbus.go | 7 ++++--- pkg/{prebuild => }/directive/dbus_test.go | 2 +- pkg/{prebuild => }/directive/exec.go | 7 ++++--- pkg/{prebuild => }/directive/exec_test.go | 2 +- pkg/{prebuild => }/directive/filter.go | 11 ++++++----- pkg/{prebuild => }/directive/filter_test.go | 2 +- pkg/{prebuild => }/directive/stack.go | 7 ++++--- pkg/{prebuild => }/directive/stack_test.go | 2 +- pkg/{prebuild => tasks}/core.go | 4 ++-- pkg/{prebuild => tasks}/core_test.go | 4 ++-- 35 files changed, 133 insertions(+), 117 deletions(-) rename pkg/{prebuild => }/builder/abi.go (85%) rename pkg/{prebuild => }/builder/attach.go (94%) rename pkg/{prebuild => }/builder/base-strict.go (77%) rename pkg/{prebuild => }/builder/complain.go (87%) rename pkg/{prebuild => }/builder/core.go (90%) rename pkg/{prebuild => }/builder/core_test.go (99%) rename pkg/{prebuild => }/builder/dbus.go (94%) rename pkg/{prebuild => }/builder/enforce.go (86%) rename pkg/{prebuild => }/builder/fsp.go (78%) rename pkg/{prebuild => }/builder/hotfix.go (78%) rename pkg/{prebuild => }/builder/userspace.go (92%) rename pkg/{prebuild/prepare => configure}/attach.go (81%) rename pkg/{prebuild/prepare => configure}/configure.go (90%) rename pkg/{prebuild/prepare => configure}/core.go (79%) rename pkg/{prebuild/prepare => configure}/core_test.go (97%) rename pkg/{prebuild/prepare => configure}/flags.go (89%) rename pkg/{prebuild/prepare => configure}/fsp.go (94%) rename pkg/{prebuild/prepare => configure}/ignore.go (86%) rename pkg/{prebuild/prepare => configure}/merge.go (92%) rename pkg/{prebuild/prepare => configure}/overwrite.go (88%) rename pkg/{prebuild/prepare => configure}/server.go (93%) rename pkg/{prebuild/prepare => configure}/synchronise.go (88%) rename pkg/{prebuild/prepare => configure}/systemd.go (77%) rename pkg/{prebuild => }/directive/core.go (95%) rename pkg/{prebuild => }/directive/core_test.go (97%) rename pkg/{prebuild => }/directive/dbus.go (98%) rename pkg/{prebuild => }/directive/dbus_test.go (99%) rename pkg/{prebuild => }/directive/exec.go (92%) rename pkg/{prebuild => }/directive/exec_test.go (96%) rename pkg/{prebuild => }/directive/filter.go (94%) rename pkg/{prebuild => }/directive/filter_test.go (99%) rename pkg/{prebuild => }/directive/stack.go (93%) rename pkg/{prebuild => }/directive/stack_test.go (96%) rename pkg/{prebuild => tasks}/core.go (88%) rename pkg/{prebuild => tasks}/core_test.go (94%) diff --git a/pkg/prebuild/builder/abi.go b/pkg/builder/abi.go similarity index 85% rename from pkg/prebuild/builder/abi.go rename to pkg/builder/abi.go index 2d917fa6e1..de4bce4bf1 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/builder/abi.go @@ -1,11 +1,11 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -26,32 +26,32 @@ var ( ) type ABI5 struct { - prebuild.Base + tasks.Base } type ABI3 struct { - prebuild.Base + tasks.Base } type APPARMOR40 struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&ABI5{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "abi5", Msg: "Build: convert all profiles from abi 4.0 to abi 5.0", }, }) RegisterBuilder(&ABI3{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "abi3", Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) RegisterBuilder(&APPARMOR40{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "apparmor4.0", Msg: "Build: convert all profiles from apparmor 4.1 to 4.0 or less", }, diff --git a/pkg/prebuild/builder/attach.go b/pkg/builder/attach.go similarity index 94% rename from pkg/prebuild/builder/attach.go rename to pkg/builder/attach.go index c44fb793ac..a49a46bd18 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/builder/attach.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder @@ -10,15 +10,16 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type ReAttach struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&ReAttach{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "attach", Msg: "Feat: re-attach disconnected path", }, diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/builder/base-strict.go similarity index 77% rename from pkg/prebuild/builder/base-strict.go rename to pkg/builder/base-strict.go index 29a0656299..339f1faf1b 100644 --- a/pkg/prebuild/builder/base-strict.go +++ b/pkg/builder/base-strict.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder @@ -7,16 +7,16 @@ package builder import ( "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type BaseStrict struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&BaseStrict{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "base-strict", Msg: "Feat: use 'base-strict' as base abstraction", }, diff --git a/pkg/prebuild/builder/complain.go b/pkg/builder/complain.go similarity index 87% rename from pkg/prebuild/builder/complain.go rename to pkg/builder/complain.go index 0d6a48f378..f6fa2cc9cf 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/builder/complain.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder @@ -9,7 +9,7 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( @@ -18,12 +18,12 @@ var ( ) type Complain struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&Complain{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "complain", Msg: "Build: set complain flag on all profiles", }, diff --git a/pkg/prebuild/builder/core.go b/pkg/builder/core.go similarity index 90% rename from pkg/prebuild/builder/core.go rename to pkg/builder/core.go index b687dae726..bf3b2feb37 100644 --- a/pkg/prebuild/builder/core.go +++ b/pkg/builder/core.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder @@ -10,7 +10,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( @@ -23,7 +23,7 @@ var ( // Builder main directive interface type Builder interface { - prebuild.BaseInterface + tasks.BaseInterface Apply(opt *Option, profile string) (string, error) } diff --git a/pkg/prebuild/builder/core_test.go b/pkg/builder/core_test.go similarity index 99% rename from pkg/prebuild/builder/core_test.go rename to pkg/builder/core_test.go index 6bcf74647f..a0cecc50bf 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/builder/core_test.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder diff --git a/pkg/prebuild/builder/dbus.go b/pkg/builder/dbus.go similarity index 94% rename from pkg/prebuild/builder/dbus.go rename to pkg/builder/dbus.go index 83ade83fec..0addbb574b 100644 --- a/pkg/prebuild/builder/dbus.go +++ b/pkg/builder/dbus.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder @@ -10,7 +10,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( @@ -22,23 +22,23 @@ var ( // StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { - prebuild.Base + tasks.Base } // DbusBroker is a fix for https://gitlab.com/apparmor/apparmor/-/issues/565 type DbusBroker struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&StackedDbus{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "stacked-dbus", Msg: "Fix: resolve peer label variable in dbus rules", }, }) RegisterBuilder(&DbusBroker{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "dbus-broker", Msg: "Fix: ignore peer name in dbus rules", }, diff --git a/pkg/prebuild/builder/enforce.go b/pkg/builder/enforce.go similarity index 86% rename from pkg/prebuild/builder/enforce.go rename to pkg/builder/enforce.go index 3d3d218c63..b0d2d16e86 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/builder/enforce.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder @@ -8,16 +8,16 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Enforce struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&Enforce{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "enforce", Msg: "Build: all profiles have been enforced", }, diff --git a/pkg/prebuild/builder/fsp.go b/pkg/builder/fsp.go similarity index 78% rename from pkg/prebuild/builder/fsp.go rename to pkg/builder/fsp.go index 12dab15cd8..36bec502df 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/builder/fsp.go @@ -1,11 +1,11 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -16,12 +16,12 @@ var ( ) type FullSystemPolicy struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&FullSystemPolicy{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "fsp", Msg: "Feat: prevent unconfined transitions in profile rules", }, diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/builder/hotfix.go similarity index 78% rename from pkg/prebuild/builder/hotfix.go rename to pkg/builder/hotfix.go index be8750f260..4757990c94 100644 --- a/pkg/prebuild/builder/hotfix.go +++ b/pkg/builder/hotfix.go @@ -1,11 +1,11 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -19,12 +19,12 @@ var ( ) type Hotfix struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&Hotfix{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "hotfix", Msg: "Fix: temporary solution for #74, #80 & #235", }, diff --git a/pkg/prebuild/builder/userspace.go b/pkg/builder/userspace.go similarity index 92% rename from pkg/prebuild/builder/userspace.go rename to pkg/builder/userspace.go index 70dff8ec96..ebd1fccefb 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/builder/userspace.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package builder @@ -11,6 +11,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) const tokATTACHMENT = "@{exec_path}" @@ -20,12 +21,12 @@ var ( ) type Userspace struct { - prebuild.Base + tasks.Base } func init() { RegisterBuilder(&Userspace{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "userspace", Msg: "Fix: resolve variable in profile attachments", }, diff --git a/pkg/prebuild/prepare/attach.go b/pkg/configure/attach.go similarity index 81% rename from pkg/prebuild/prepare/attach.go rename to pkg/configure/attach.go index 4523382d85..fe981fc83a 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/configure/attach.go @@ -1,22 +1,23 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2025 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type ReAttach struct { - prebuild.Base + tasks.Base } func init() { RegisterTask(&ReAttach{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "attach", Msg: "Configure tunable for re-attached path", }, diff --git a/pkg/prebuild/prepare/configure.go b/pkg/configure/configure.go similarity index 90% rename from pkg/prebuild/prepare/configure.go rename to pkg/configure/configure.go index 7cbdca92f5..17a581541c 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/configure/configure.go @@ -1,23 +1,24 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "fmt" "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Configure struct { - prebuild.Base + tasks.Base } func init() { RegisterTask(&Configure{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "configure", Msg: "Set distribution specificities", }, @@ -90,7 +91,7 @@ func (p Configure) Apply() ([]string, error) { } if prebuild.Version >= 5.0 { remove := []string{ - // Direct upstrem contributed profiles, similar to ours + // Direct upstream contributed profiles, similar to ours "dig", "free", "nslookup", diff --git a/pkg/prebuild/prepare/core.go b/pkg/configure/core.go similarity index 79% rename from pkg/prebuild/prepare/core.go rename to pkg/configure/core.go index 74d7778ed5..648a0477d5 100644 --- a/pkg/prebuild/prepare/core.go +++ b/pkg/configure/core.go @@ -1,13 +1,13 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "fmt" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( @@ -20,7 +20,7 @@ var ( // Task main directive interface type Task interface { - prebuild.BaseInterface + tasks.BaseInterface Apply() ([]string, error) } diff --git a/pkg/prebuild/prepare/core_test.go b/pkg/configure/core_test.go similarity index 97% rename from pkg/prebuild/prepare/core_test.go rename to pkg/configure/core_test.go index a2efc5d955..e28d0f1cd3 100644 --- a/pkg/prebuild/prepare/core_test.go +++ b/pkg/configure/core_test.go @@ -1,8 +1,8 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "os" diff --git a/pkg/prebuild/prepare/flags.go b/pkg/configure/flags.go similarity index 89% rename from pkg/prebuild/prepare/flags.go rename to pkg/configure/flags.go index 5a851cbe9d..87e1cb58bf 100644 --- a/pkg/prebuild/prepare/flags.go +++ b/pkg/configure/flags.go @@ -1,8 +1,8 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "fmt" @@ -10,6 +10,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( @@ -18,12 +19,12 @@ var ( ) type SetFlags struct { - prebuild.Base + tasks.Base } func init() { RegisterTask(&SetFlags{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "setflags", Msg: "Set flags on some profiles", }, diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/configure/fsp.go similarity index 94% rename from pkg/prebuild/prepare/fsp.go rename to pkg/configure/fsp.go index f8d3cb17fb..9bc16229fa 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/configure/fsp.go @@ -1,14 +1,15 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( @@ -62,12 +63,12 @@ var ( ) type FullSystemPolicy struct { - prebuild.Base + tasks.Base } func init() { RegisterTask(&FullSystemPolicy{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "fsp", Msg: "Configure AppArmor for full system policy", }, diff --git a/pkg/prebuild/prepare/ignore.go b/pkg/configure/ignore.go similarity index 86% rename from pkg/prebuild/prepare/ignore.go rename to pkg/configure/ignore.go index 2aece5174a..1f45e94319 100644 --- a/pkg/prebuild/prepare/ignore.go +++ b/pkg/configure/ignore.go @@ -1,21 +1,22 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Ignore struct { - prebuild.Base + tasks.Base } func init() { RegisterTask(&Ignore{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "ignore", Msg: "Ignore profiles and files from:", }, diff --git a/pkg/prebuild/prepare/merge.go b/pkg/configure/merge.go similarity index 92% rename from pkg/prebuild/prepare/merge.go rename to pkg/configure/merge.go index 528559a981..8ae8cc25f6 100644 --- a/pkg/prebuild/prepare/merge.go +++ b/pkg/configure/merge.go @@ -1,8 +1,8 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "os" @@ -10,15 +10,16 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Merge struct { - prebuild.Base + tasks.Base } func init() { RegisterTask(&Merge{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "merge", Msg: "Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory", }, diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/configure/overwrite.go similarity index 88% rename from pkg/prebuild/prepare/overwrite.go rename to pkg/configure/overwrite.go index d974b26e45..2d23ce8330 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/configure/overwrite.go @@ -1,26 +1,27 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "fmt" "os" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ext = "." + prebuild.Pkgname type Overwrite struct { - prebuild.Base + tasks.Base Optional bool } func init() { RegisterTask(&Overwrite{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "overwrite", Msg: "Overwrite dummy upstream profiles", }, diff --git a/pkg/prebuild/prepare/server.go b/pkg/configure/server.go similarity index 93% rename from pkg/prebuild/prepare/server.go rename to pkg/configure/server.go index fb9a1f602d..71788ab46f 100644 --- a/pkg/prebuild/prepare/server.go +++ b/pkg/configure/server.go @@ -1,8 +1,8 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "fmt" @@ -10,6 +10,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( @@ -51,12 +52,12 @@ var ( ) type Server struct { - prebuild.Base + tasks.Base } func init() { RegisterTask(&Server{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "server", Msg: "Configure AppArmor for server", }, diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/configure/synchronise.go similarity index 88% rename from pkg/prebuild/prepare/synchronise.go rename to pkg/configure/synchronise.go index b6c2dbf5b6..13a0fd60b7 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/configure/synchronise.go @@ -1,22 +1,23 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Synchronise struct { - prebuild.Base + tasks.Base Paths []string // File or directory to sync into the build directory. } func init() { RegisterTask(&Synchronise{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, diff --git a/pkg/prebuild/prepare/systemd.go b/pkg/configure/systemd.go similarity index 77% rename from pkg/prebuild/prepare/systemd.go rename to pkg/configure/systemd.go index ece1929d55..73d936153f 100644 --- a/pkg/prebuild/prepare/systemd.go +++ b/pkg/configure/systemd.go @@ -1,21 +1,22 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prepare +package configure import ( "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type SystemdDefault struct { - prebuild.Base + tasks.Base } func init() { RegisterTask(&SystemdDefault{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "systemd-default", Msg: "Configure systemd unit drop in files to a profile for some units", }, diff --git a/pkg/prebuild/directive/core.go b/pkg/directive/core.go similarity index 95% rename from pkg/prebuild/directive/core.go rename to pkg/directive/core.go index cde9470dc3..0ab979714e 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/directive/core.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package directive @@ -10,7 +10,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( @@ -25,7 +25,7 @@ var ( // Directive main interface type Directive interface { - prebuild.BaseInterface + tasks.BaseInterface Apply(opt *Option, profile string) (string, error) } diff --git a/pkg/prebuild/directive/core_test.go b/pkg/directive/core_test.go similarity index 97% rename from pkg/prebuild/directive/core_test.go rename to pkg/directive/core_test.go index 428717be60..4fb8c4e1b1 100644 --- a/pkg/prebuild/directive/core_test.go +++ b/pkg/directive/core_test.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package directive diff --git a/pkg/prebuild/directive/dbus.go b/pkg/directive/dbus.go similarity index 98% rename from pkg/prebuild/directive/dbus.go rename to pkg/directive/dbus.go index 3a025fe1ef..2730a416db 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only // Dbus directive @@ -19,15 +19,16 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Dbus struct { - prebuild.Base + tasks.Base } func init() { RegisterDirective(&Dbus{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "dbus", Msg: "Dbus directive applied", Help: []string{ diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/directive/dbus_test.go similarity index 99% rename from pkg/prebuild/directive/dbus_test.go rename to pkg/directive/dbus_test.go index c165aafcbb..0a15959cc5 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/directive/dbus_test.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package directive diff --git a/pkg/prebuild/directive/exec.go b/pkg/directive/exec.go similarity index 92% rename from pkg/prebuild/directive/exec.go rename to pkg/directive/exec.go index b348fb46bc..a9d67f5b1e 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/directive/exec.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only // TODO: Local variables in profile header need to be resolved @@ -13,15 +13,16 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Exec struct { - prebuild.Base + tasks.Base } func init() { RegisterDirective(&Exec{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "exec", Msg: "Exec directive applied", Help: []string{"[P|U|p|u|PU|pu|] profiles..."}, diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/directive/exec_test.go similarity index 96% rename from pkg/prebuild/directive/exec_test.go rename to pkg/directive/exec_test.go index 367dd13ac8..0cce48903e 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/directive/exec_test.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package directive diff --git a/pkg/prebuild/directive/filter.go b/pkg/directive/filter.go similarity index 94% rename from pkg/prebuild/directive/filter.go rename to pkg/directive/filter.go index 38bcd04149..de0641e77a 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/directive/filter.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package directive @@ -11,26 +11,27 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) type FilterOnly struct { - prebuild.Base + tasks.Base } type FilterExclude struct { - prebuild.Base + tasks.Base } func init() { RegisterDirective(&FilterOnly{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "only", Msg: "Only directive applied", Help: []string{"filters..."}, }, }) RegisterDirective(&FilterExclude{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "exclude", Msg: "Exclude directive applied", Help: []string{"filters..."}, diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/directive/filter_test.go similarity index 99% rename from pkg/prebuild/directive/filter_test.go rename to pkg/directive/filter_test.go index c340583962..5de33af86d 100644 --- a/pkg/prebuild/directive/filter_test.go +++ b/pkg/directive/filter_test.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package directive diff --git a/pkg/prebuild/directive/stack.go b/pkg/directive/stack.go similarity index 93% rename from pkg/prebuild/directive/stack.go rename to pkg/directive/stack.go index a43849228c..3420e5f977 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/directive/stack.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package directive @@ -11,6 +11,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -25,12 +26,12 @@ var ( ) type Stack struct { - prebuild.Base + tasks.Base } func init() { RegisterDirective(&Stack{ - Base: prebuild.Base{ + Base: tasks.Base{ Keyword: "stack", Msg: "Stack directive applied", Help: []string{"[X] profiles..."}, diff --git a/pkg/prebuild/directive/stack_test.go b/pkg/directive/stack_test.go similarity index 96% rename from pkg/prebuild/directive/stack_test.go rename to pkg/directive/stack_test.go index 9937aee696..393c032d60 100644 --- a/pkg/prebuild/directive/stack_test.go +++ b/pkg/directive/stack_test.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package directive diff --git a/pkg/prebuild/core.go b/pkg/tasks/core.go similarity index 88% rename from pkg/prebuild/core.go rename to pkg/tasks/core.go index 8c2410d108..b9471af824 100644 --- a/pkg/prebuild/core.go +++ b/pkg/tasks/core.go @@ -1,8 +1,8 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package tasks import "fmt" diff --git a/pkg/prebuild/core_test.go b/pkg/tasks/core_test.go similarity index 94% rename from pkg/prebuild/core_test.go rename to pkg/tasks/core_test.go index 5abf0a9c14..f737be06f6 100644 --- a/pkg/prebuild/core_test.go +++ b/pkg/tasks/core_test.go @@ -1,8 +1,8 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package tasks import ( "slices" From ce9da1aa65972c7d02ceabd27b061e2b760d8d73 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 14:27:15 +0100 Subject: [PATCH 1269/1736] feat(profile): small apt related improvment. see #982 --- apparmor.d/groups/apt/apt-listchanges | 3 ++- apparmor.d/groups/apt/dpkg-db-backup | 1 + apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/systemd-generators/systemd-generator-sysv | 2 ++ apparmor.d/profiles-a-f/fwupdmgr | 1 + 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 0ee42f5a4f..e7d5ce292f 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -45,8 +45,9 @@ profile apt-listchanges @{exec_path} { /var/lib/dpkg/status r, - /var/lib/apt/listchanges{,-new}.db rw, + /var/lib/apt/listchanges r, /var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db, + /var/lib/apt/listchanges{,-new}.db rw, /var/cache/apt/archives/ r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup index 8e99e70c50..6ab1083cf5 100644 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -31,6 +31,7 @@ profile dpkg-db-backup @{exec_path} { /var/lib/dpkg/ r, /var/lib/dpkg/alternatives/{,*} r, + /var/lib/dpkg/arch r, /var/lib/dpkg/diversions r, /var/lib/dpkg/statoverride r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 2698e48c09..9465f072d4 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -16,6 +16,7 @@ profile dpkg-preconfigure @{exec_path} { include capability dac_read_search, + capability mknod, # optional: no audit @{exec_path} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv index fc290fca4c..952166615c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-sysv +++ b/apparmor.d/groups/systemd-generators/systemd-generator-sysv @@ -10,6 +10,8 @@ include profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { include + capability mknod, # optional: no audit + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 948514f934..925fe24be3 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -39,6 +39,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { /etc/inputrc r, /etc/machine-id r, + /var/lib/dbus/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, From 9da5ae576402683be9f5f882d02559ebbade2f92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 14:29:39 +0100 Subject: [PATCH 1270/1736] chore(profile): chromium: cosmetic. --- apparmor.d/abstractions/app/chromium | 29 +++++++++++++--------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index a66f3acbcf..2f46e28c14 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -58,18 +58,15 @@ network inet6 stream, network netlink raw, - signal (receive) peer=@{profile_name}-crashpad-handler, - signal (send) set=(term, kill) peer=@{profile_name}-sandbox, - signal (send) set=(term, kill) peer=keepassxc-proxy, - - ptrace (read) peer=browserpass, - ptrace (read) peer=chrome-gnome-shell, - ptrace (read) peer=gnome-browser-connector-host, - ptrace (read) peer=keepassxc-proxy, - ptrace (read) peer=lsb_release, - ptrace (read) peer=plasma-browser-integration-host, - ptrace (read) peer=xdg-settings, - ptrace (trace) peer=@{profile_name}, + signal send set=(term, kill) peer=keepassxc-proxy, + + ptrace read peer=browserpass, + ptrace read peer=chrome-gnome-shell, + ptrace read peer=gnome-browser-connector-host, + ptrace read peer=keepassxc-proxy, + ptrace read peer=lsb_release, + ptrace read peer=plasma-browser-integration-host, + ptrace read peer=xdg-settings, @{lib_dirs}/{,**} r, @{lib_dirs}/*.so* mr, @@ -90,14 +87,14 @@ # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 - @{bin}/browserpass rPx, + @{bin}/browserpass Px, # Gnome shell integration - @{bin}/chrome-gnome-shell rPx, - @{bin}/gnome-browser-connector-host rPx, + @{bin}/chrome-gnome-shell Px, + @{bin}/gnome-browser-connector-host Px, # Plasma integration - @{bin}/plasma-browser-integration-host rPx, + @{bin}/plasma-browser-integration-host Px, /usr/share/@{name}/{,**} r, /usr/share/chromium/extensions/{,**} r, From b9f0d09904c782a0d4b9c8030ad26c3bcd961a03 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 14:30:06 +0100 Subject: [PATCH 1271/1736] feat(abs): gstreamer: add missing unix rule. --- apparmor.d/abstractions/gstreamer | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 4559415a9a..a192cc4663 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -7,6 +7,8 @@ include + unix (bind listen) type=seqpacket addr=@@{hex}, + @{gstreamer_path} rix, @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, From 73ab6deecbc7fb8269944ebd26d2be01b2a27f6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 14:33:05 +0100 Subject: [PATCH 1272/1736] feat(abs): update dbus abs. --- .../bus/session/org.freedesktop.Secret | 18 ++++++++++++++- ...rg.freedesktop.impl.portal.PermissionStore | 7 +++++- .../bus/session/org.gnome.SessionManager | 23 ++++++++++++++++++- .../bus/session/org.gtk.Notifications | 5 +++- .../bus/session/org.gtk.vfs.Metadata | 1 - .../bus/system/net.reactivated.Fprint | 5 ++++ .../bus/system/org.bluez.ProfileManager1 | 2 +- 7 files changed, 55 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret index 1b6c0cd11e..3ef8bb34e1 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -21,7 +21,23 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.Secret path=/org/freedesktop/secrets{,/**} label=gnome-keyring-daemon + # DBus.Properties: read properties from the interface + + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-keyring-daemon), + + # DBus.Properties: receive property changed events + + # DBus.ObjectManager: allow clients to enumerate sources + + # org.freedesktop.Secret dbus send bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore index 2b61041591..e43fcd284a 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore @@ -4,7 +4,12 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + # dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=xdg-permission-store), dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.impl.portal.PermissionStore diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager index 41f73591f1..32981dfa5f 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -8,7 +8,28 @@ abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" + # DBus.Properties: read properties from the interface + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_gnome_session}"), + + dbus send bus=session path=/org/gnome/SessionManager/Client@{int} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_gnome_session}"), + + # DBus.Properties: receive property changed events + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_gnome_session}"), + + # DBus.ObjectManager: allow clients to enumerate sources + + # gnome.SessionManager dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications index 151c642a82..59259545d7 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications @@ -4,7 +4,10 @@ abi , - #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gtk/Notifications interface=org.gtk.Notifications diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata index 9f1a77daf3..3f37300326 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata @@ -4,7 +4,6 @@ abi , - #aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata dbus send bus=session path=/org/gtk/vfs/metadata interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/system/net.reactivated.Fprint b/apparmor.d/abstractions/bus/system/net.reactivated.Fprint index ab410dafc8..2d2c02fb3c 100644 --- a/apparmor.d/abstractions/bus/system/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/system/net.reactivated.Fprint @@ -6,6 +6,11 @@ #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=net.reactivated.Fprint.Manager + member=GetDefaultDevice + peer=(name=net.reactivated.Fprint), + dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} diff --git a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 index a09d40a7ab..203a75bdb8 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 +++ b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 @@ -6,7 +6,7 @@ dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager1 - member=RegisterProfile + member={RegisterProfile,UnregisterProfile} peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus receive bus=system path=/Profile/HFPAG From 4befecd37d79cc61ca6c7197a5cd342e3e8dd257 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 14:34:44 +0100 Subject: [PATCH 1273/1736] feat(abs): update nvidia. For now it works(TM). Later implementation copuld split this in multiple abs. --- apparmor.d/abstractions/nvidia-strict | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a3ba47a601..6f6ccaf966 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -33,6 +33,8 @@ @{sys}/module/nvidia_drm/version r, @{sys}/module/nvidia/version r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, @{PROC}/driver/nvidia/params r, @@ -44,7 +46,13 @@ @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{u8} w, # Nvidia graphics devices + /dev/ r, + + # Nvidia graphics devices + /dev/char/195:@{u8} w, + + # Dynamic device files for nvidia-uvm and nvidia-uvm-tools + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 # Nvidia proprietary modset driver /dev/nvidia-modeset rw, From e88024297ea5045507848e0c285bac0c7261b713 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 14:38:43 +0100 Subject: [PATCH 1274/1736] feat(profile): update flatpak/freedesktop. --- apparmor.d/groups/flatpak/fbwrap | 2 ++ apparmor.d/groups/flatpak/flatpak-session-helper | 2 ++ apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 ++ 3 files changed, 6 insertions(+) diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 9a1e07d4f6..f1ce8fc0e9 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -74,6 +74,8 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { @{sbin}/ldconfig mr, @{lib}/ r, + /usr/share/runtime/lib/plugins/QGnomePlatform/lib/{,*} r, + /app/lib/{,**} r, /app/lib{32,64}/{,**} r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index a78ef30a18..00acf58faf 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -68,6 +68,8 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected,mediate_d @{lib}/p11-kit/p11-kit-remote ix, @{lib}/p11-kit/p11-kit-server ix, + owner @{user_cache_dirs}/.flatpak-helper/pkcs11-flatpak-@{int} rw, + owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 2ba3b62ae8..f5cfb983d4 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -26,7 +26,9 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=(hup term) peer=gdm-session-worker, + #aa:dbus own bus=session name=org.freedesktop.impl.portal.FileChooser #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome + #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider From 7f94eda0af267ba76deac15273bd5832af2bb8aa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 14:41:29 +0100 Subject: [PATCH 1275/1736] feat(profile): update gnome profiles, add gvfs abs. --- apparmor.d/abstractions/gvfs | 15 +++++++++++++++ apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 ++ apparmor.d/groups/gnome/papers | 3 +-- apparmor.d/groups/gnome/showtime | 13 +++++++++++-- 4 files changed, 29 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/abstractions/gvfs diff --git a/apparmor.d/abstractions/gvfs b/apparmor.d/abstractions/gvfs new file mode 100644 index 0000000000..92640a2da8 --- /dev/null +++ b/apparmor.d/abstractions/gvfs @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to GVFS files. + + abi , + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 87fc6e7f64..63e9aaa063 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -67,12 +67,14 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { @{share_dirs}/gsconnect-preferences rix, owner @{user_cache_dirs}/gsconnect/{,**} rw, + owner @{user_cache_dirs}/*/**.png r, owner @{user_config_dirs}/gsconnect/{,**} rw, owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{HOME}/.mozilla/firefox{,-esr}/firefox-mpris/@{word}.png r, + owner @{HOME}/.var/app/*/**.png r, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 7d46399fb6..3dee66d3b9 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -10,6 +10,7 @@ include profile papers @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -19,8 +20,6 @@ profile papers @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Papers - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - dbus send bus=session path=/org/freedesktop/portal/desktop/session/** interface=org.freedesktop.portal.Session member=Close diff --git a/apparmor.d/groups/gnome/showtime b/apparmor.d/groups/gnome/showtime index 554e8bdb07..74995108c9 100644 --- a/apparmor.d/groups/gnome/showtime +++ b/apparmor.d/groups/gnome/showtime @@ -2,6 +2,17 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Consider the following structure in order to support MLS: +# :user:showtime Normal user profile; no MLS +# :user//media:showtime +# :user//work:showtime +# :user//anonymous:showtime + +# TODO: have simimar structure than selinux with s0, s0:c0,c1 ... +# :user:showtime s0 +# :user//media:showtime s0:c0,c1 +# :user//work:showtime s0:c2,c3 + abi , include @@ -29,8 +40,6 @@ profile showtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - profile gstreamer { include include From 88c58af1b83ece6f0e79f9cbf9ea81dc4963ec58 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 7 Jan 2026 15:06:57 +0100 Subject: [PATCH 1276/1736] build: ensure directive can find profiles regardless of the folder structure. --- pkg/directive/exec.go | 17 ++++++++++++++++- pkg/directive/stack.go | 17 ++++++++++++++++- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/pkg/directive/exec.go b/pkg/directive/exec.go index a9d67f5b1e..321fad438b 100644 --- a/pkg/directive/exec.go +++ b/pkg/directive/exec.go @@ -12,6 +12,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) @@ -43,8 +44,22 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { } rules := aa.Rules{} + ignoreDir := paths.FilterNames("tunables", "abstractions", "disable") for name := range opt.ArgMap { - profiletoTransition := prebuild.RootApparmord.Join(name).MustReadFileAsString() + files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered( + paths.NotFilter(ignoreDir), paths.FilterOutDirectories(), paths.FilterNames(name), + ) + if err != nil { + return "", err + } + if len(files) == 0 { + return "", fmt.Errorf("no profile found for exec: %s", name) + } + if len(files) != 1 { + return "", fmt.Errorf("multiple profiles found for exec: %s", name) + } + + profiletoTransition := files[0].MustReadFileAsString() dstProfile := aa.DefaultTunables() if _, err := dstProfile.Parse(profiletoTransition); err != nil { return "", err diff --git a/pkg/directive/stack.go b/pkg/directive/stack.go index 3420e5f977..d0b761a0cf 100644 --- a/pkg/directive/stack.go +++ b/pkg/directive/stack.go @@ -10,6 +10,7 @@ import ( "slices" "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" "github.com/roddhjav/apparmor.d/pkg/util" @@ -55,8 +56,22 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { } res := "" + ignoreDir := paths.FilterNames("tunables", "abstractions", "disable") for name := range opt.ArgMap { - stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() + files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered( + paths.NotFilter(ignoreDir), paths.FilterOutDirectories(), paths.FilterNames(name), + ) + if err != nil { + return "", err + } + if len(files) == 0 { + return "", fmt.Errorf("no profile found for stack: %s", name) + } + if len(files) != 1 { + return "", fmt.Errorf("multiple profiles found for stack: %s", name) + } + + stackedProfile := files[0].MustReadFileAsString() if err != nil { return "", fmt.Errorf("%s need to stack: %w", name, err) } From 744366d4abde9a57473d5d91fc2549e839657262 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:00:18 +0100 Subject: [PATCH 1277/1736] feat(abs): upgrade dbus abs. --- apparmor.d/abstractions/bluetooth-control | 1 - apparmor.d/abstractions/bluetooth-observe | 1 + .../bus/session/org.gnome.SessionManager | 42 +++++++++++++------ .../bus/session/org.gnome.Shell.Introspect | 8 ++-- 4 files changed, 35 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/bluetooth-control b/apparmor.d/abstractions/bluetooth-control index 66fc5cb936..1803a101b8 100644 --- a/apparmor.d/abstractions/bluetooth-control +++ b/apparmor.d/abstractions/bluetooth-control @@ -9,7 +9,6 @@ include - include include include include diff --git a/apparmor.d/abstractions/bluetooth-observe b/apparmor.d/abstractions/bluetooth-observe index 73a60b52dd..6c7fab15ab 100644 --- a/apparmor.d/abstractions/bluetooth-observe +++ b/apparmor.d/abstractions/bluetooth-observe @@ -8,6 +8,7 @@ include + include include include diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager index 32981dfa5f..8110c4c861 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -13,58 +13,76 @@ dbus send bus=session path=/org/gnome/SessionManager interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), # DBus.Properties: receive property changed events dbus receive bus=session path=/org/gnome/SessionManager interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), - # DBus.ObjectManager: allow clients to enumerate sources + # DBus.Introspectable: allow clients to introspect the service - # gnome.SessionManager + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), + + # SessionManager dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved} - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={SessionRunning,SessionOver} - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={InhibitorAdded,InhibitorRemoved} - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name=@{busname}, label="@{p_gnome_session}"), + peer=(name="{@{busname},org.gnome.SessionManager}", label="@{p_gnome_session}"), + +# ==================== +# +# This one is not in this abs +# dbus send bus=session path=/org/gnome/SessionManager +# interface=org.gnome.SessionManager +# member={Inhibit,Uninhibit} +# peer=(name="@{busname}", label="@{p_gnome_session}"), +# +# dbus send bus=session path=/org/gnome/SessionManager +# interface=org.gnome.SessionManager +# member=Setenv +# peer=(name=org.gnome.SessionManager, label="@{p_gnome_session}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect index c9197e769c..7473303fe0 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/session/org.gnome.Shell.Introspect @@ -9,26 +9,26 @@ dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="@{busname},org.gnome.Shell.Introspect", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Shell.Introspect}", label=gnome-shell), # DBus.Properties: receive property changed events dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name="@{busname}", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Shell.Introspect}", label=gnome-shell), # Shell.Introspect dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member=GetRunningApplications - peer=(name="@{busname}", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Shell.Introspect}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member={RunningApplicationsChanged,WindowsChanged} - peer=(name="@{busname}", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Shell.Introspect}", label=gnome-shell), include if exists From 81ecde9a4ba117fb2b03e948253e987dbd60bf73 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:01:18 +0100 Subject: [PATCH 1278/1736] feat(abs): flatpak: more needed for all devices. --- apparmor.d/abstractions/flatpak/devices/all | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index 18072f1d51..1e72b85dff 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -24,6 +24,7 @@ include @{sys}/class/*/ r, + @{sys}/bus/*/devices/ r, @{sys}/devices/@{pci_bus}/ r, @{sys}/devices/@{pci}/ r, @@ -31,6 +32,8 @@ owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, + # Allow reading info about the physical mapping of virtual pages owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pids}/pagemap r, From fac194344b9bf12033cdbc702607c1eca212c36b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:02:29 +0100 Subject: [PATCH 1279/1736] feat(tunable): add missing sudo alias & add tools to devtools. --- apparmor.d/tunables/alias.d/uutils | 1 + apparmor.d/tunables/multiarch.d/programs | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/alias.d/uutils b/apparmor.d/tunables/alias.d/uutils index a67db7c57e..d82a6d5c3b 100644 --- a/apparmor.d/tunables/alias.d/uutils +++ b/apparmor.d/tunables/alias.d/uutils @@ -6,6 +6,7 @@ # are now link to one of these two implementations. To avoid breaking profiles, # we provide aliases for all the coreutils names to their rust counterpart. + alias /{,usr/}bin/sudo -> /usr/lib/cargo/bin/sudo, alias /{,usr/}bin/mv -> /usr/lib/cargo/bin/coreutils/mv, alias /{,usr/}bin/mkfifo -> /usr/lib/cargo/bin/coreutils/mkfifo, alias /{,usr/}bin/dirname -> /usr/lib/cargo/bin/coreutils/dirname, diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index e26865d20f..4a912a7134 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -28,7 +28,8 @@ @{coreutils} += which{,.debianutils} # Various development tools -@{devtools} = go{,-*} rust gem cargo npm just pip typescript node ansible python pyright ruby +@{devtools} = ansible cargo gem go{,-*} just node npm pip pyright python ruby +@{devtools} += rust typescript yarn # Python interpreters @{python_version} = 3 3.[0-9] 3.1[0-9] From 1b6e072b3312c12b93ba753765c629fa488b7c6b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:03:33 +0100 Subject: [PATCH 1280/1736] feat(abs): chromium: minor rule tweak. --- apparmor.d/abstractions/app/chromium | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 2f46e28c14..8f5c8dc891 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -67,6 +67,7 @@ ptrace read peer=lsb_release, ptrace read peer=plasma-browser-integration-host, ptrace read peer=xdg-settings, + ptrace read peer=kwin_wayland_wrapper, @{lib_dirs}/{,**} r, @{lib_dirs}/*.so* mr, @@ -134,7 +135,7 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.*/** rw, + owner @{tmp}/.@{domain}.*/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/cache/Default/ rw, owner @{tmp}/cache/Default/** rwk, From d8bb658708fcd783d76b906d2d61daf023036c16 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:10:10 +0100 Subject: [PATCH 1281/1736] feat(profile): various minor update. --- apparmor.d/groups/_full/systemd | 2 +- .../groups/browsers/firefox-crashhelper | 1 + apparmor.d/groups/ubuntu/apport | 3 ++- apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/fractal | 1 + apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-g-l/git | 2 ++ apparmor.d/profiles-g-l/glib-mkenums | 21 ++++++++++++++++ apparmor.d/profiles-g-l/homebank | 4 ++++ apparmor.d/profiles-m-r/packagekitd | 24 ++++++++++++------- apparmor.d/profiles-m-r/remmina | 4 ++-- apparmor.d/profiles-m-r/rtkit-daemon | 4 ++++ apparmor.d/profiles-s-z/totem | 1 + 13 files changed, 57 insertions(+), 13 deletions(-) create mode 100644 apparmor.d/profiles-g-l/glib-mkenums diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index c54285bd21..e3b654cdb5 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -33,7 +33,7 @@ # Advantages: # - Differentiate systemd (PID 1) and `system --user` # - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. -# - Allow the executor profiles to handled stacked profiles. +# - Allow the executor profiles to handle stacked profiles. # - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. # - Dedicated `sd-mount` profile for most mount from the unit services. diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 1a2fc842cc..abf1e2d6ea 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -17,6 +17,7 @@ profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { unix type=seqpacket peer=(label=firefox-crashreporter), unix type=seqpacket peer=(label=firefox-glxtest), + unix type=seqpacket peer=(label=firefox-vaapitest), unix type=seqpacket peer=(label=firefox), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 8c5c1a4337..c08934b5bf 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -10,6 +10,7 @@ include profile apport @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -36,7 +37,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { /usr/share/apport/{,**} r, @{etc_ro}/login.defs r, - /etc/apport/report-ignore/{,**} r, + /etc/apport/{,**} r, /etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg.d/{,**} r, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 6698c7869a..cbe15f3df8 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -118,7 +118,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/*.slice/cpu.max r, /tmp/@{word8} rw, /tmp/@{word8}/{,*} rw, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index edbb8c7541..17a978100e 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -13,6 +13,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index be4cfefb03..45738db922 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -93,6 +93,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, + owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 3e7c4a06f4..f3db216534 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gcr/ssh rw, + # file_inherit + deny /usr/share/code/{,**} r, deny owner @{code_config_dirs}/** rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_share_dirs}/vulkan/** r, diff --git a/apparmor.d/profiles-g-l/glib-mkenums b/apparmor.d/profiles-g-l/glib-mkenums new file mode 100644 index 0000000000..a53bb7983e --- /dev/null +++ b/apparmor.d/profiles-g-l/glib-mkenums @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/glib-mkenums +profile glib-mkenums @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/ r, + + include if exists +} + +# vim:syntax=apparmor + diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index 6e19043a5e..cfc1d01689 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -20,6 +20,10 @@ profile homebank @{exec_path} flags=(attach_disconnected) { /usr/share/homebank/{,**} r, + owner @{HOME}/**.xhb rw, + owner @{HOME}/**.xhb~ rw, + owner @{HOME}/**.xhb~.@{rand6} rw, + owner @{user_config_dirs}/homebank/{,**} rw, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 03e4d9e475..e639fb66ea 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -59,23 +59,31 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{bin}/appstreamcli rPx, - @{bin}/arch-audit rPx, #aa:only arch - @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, - @{bin}/systemctl rCx -> systemctl, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, @{bin}/ischroot rPx, - @{bin}/rpm rPUx, #aa:only opensuse - @{bin}/rpmdb2solv rPUx, #aa:only opensuse + @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, - @{lib}/apt/methods/* rPx, #aa:only apt @{lib}/cnf-update-db rPx, - @{lib}/update-notifier/update-motd-updates-available rPx, - @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile + + #aa:only pacman + @{bin}/arch-audit rPx, /usr/share/libalpm/scripts/* rPx, + #aa:only apt + @{bin}/dpkg rPx -> child-dpkg, + @{lib}/apt/methods/* rPx, + + #aa:only opensuse + @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile + @{bin}/rpm rPUx, + @{bin}/rpmdb2solv rPUx, + + #aa:only ubuntu + @{lib}/update-notifier/update-motd-updates-available rPx, + #aa:lint ignore=too-wide # Install/update packages / r, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 4ed45df5c0..089a362055 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -47,12 +47,12 @@ profile remmina @{exec_path} flags=(attach_disconnected) { /etc/timezone r, owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts* r, owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw, owner @{user_cache_dirs}/remmina/{,**} rw, owner @{user_config_dirs}/autostart/remmina-applet.desktop r, - owner @{user_config_dirs}/freerdp/known_hosts2 rwk, + owner @{user_config_dirs}/freerdp/known_hosts* rwk, owner @{user_config_dirs}/remmina/{,**} rw, owner @{user_share_dirs}/remmina/{,**} rw, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index fe3c27b7d0..274e5f2022 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -14,6 +14,10 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include include + # As abstractions/bus-session is not set, only the bus=system part of the + # abstraction will be allowed. i.e. org.freedesktop.login1.Manager + include + capability dac_read_search, capability setgid, capability setuid, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 5600cac392..4bb79cf212 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -13,6 +13,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include include include From ae69813e7e73abb9f9060003d88fe13e46ffec61 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:10:34 +0100 Subject: [PATCH 1282/1736] feat(abs): fontconfig: ensure /var/cache/fontconfig/ can be created. --- apparmor.d/abstractions/fontconfig-cache-write | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index a3b7379d21..6252c24921 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -9,7 +9,7 @@ include - owner /var/cache/fontconfig/ w, + /var/cache/fontconfig/ w, owner /var/cache/fontconfig/CACHEDIR.TAG w, owner /var/cache/fontconfig/CACHEDIR.TAG.LCK wl, owner /var/cache/fontconfig/CACHEDIR.TAG.NEW w, From b388795014cb6414f4d03929ab4a21e224a27ffe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:12:40 +0100 Subject: [PATCH 1283/1736] feat(abs): limit the use of named transition for link. --- apparmor.d/abstractions/X-strict | 2 +- apparmor.d/abstractions/common/electron | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 316f1e3bb5..2415bc0677 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -30,7 +30,7 @@ owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/X11/Xauthority r, - owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 52fbf5344e..3b47b64250 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -44,10 +44,10 @@ /etc/@{name}/{,**} r, owner @{config_dirs}/ rw, - owner @{config_dirs}/** rwlk -> @{config_dirs}/**, + owner @{config_dirs}/** rwlk, owner @{cache_dirs}/ rw, - owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, + owner @{cache_dirs}/** rwlk, owner @{user_config_dirs}/electron-flags.conf r, From 2b17b88710af8c123f8ab27551841935f87eb0f0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:15:45 +0100 Subject: [PATCH 1284/1736] feat(abs): add busnum and devnum to usb abs. --- apparmor.d/abstractions/devices-usb-read | 2 ++ apparmor.d/groups/bluetooth/obexautofs | 5 ----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 85e3fcb723..cd095672bf 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -19,7 +19,9 @@ @{sys}/devices/**/usb@{int}/ r, @{sys}/devices/**/usb@{int}/{,*/}bConfigurationValue r, + @{sys}/devices/**/usb@{int}/{,*/}busnum r, @{sys}/devices/**/usb@{int}/{,*/}descriptors r, + @{sys}/devices/**/usb@{int}/{,*/}devnum r, @{sys}/devices/**/usb@{int}/{,*/}manufacturer r, @{sys}/devices/**/usb@{int}/{,*/}product r, @{sys}/devices/**/usb@{int}/{,*/}serial r, diff --git a/apparmor.d/groups/bluetooth/obexautofs b/apparmor.d/groups/bluetooth/obexautofs index 9803490861..a7f991a0fb 100644 --- a/apparmor.d/groups/bluetooth/obexautofs +++ b/apparmor.d/groups/bluetooth/obexautofs @@ -27,11 +27,6 @@ profile obexautofs @{exec_path} { owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, - @{sys}/devices/@{pci}/usb@{int}/bConfigurationValue r, - @{sys}/devices/@{pci}/usb@{int}/**/bConfigurationValue r, - @{sys}/devices/@{pci}/usb@{int}/{uevent,busnum,devnum,speed,descriptors} r, - @{sys}/devices/@{pci}/usb@{int}/**/{uevent,busnum,devnum,speed,descriptors} r, - /dev/fuse rw, profile fusermount { From 34e5c348c38d7352f236662c51c19b7378769b38 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:24:54 +0100 Subject: [PATCH 1285/1736] build: cleanup release process. --- Justfile | 6 +++--- PKGBUILD | 5 ----- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/Justfile b/Justfile index c595f7afe2..4762d52632 100644 --- a/Justfile +++ b/Justfile @@ -620,10 +620,10 @@ publish: owner="roddhjav" version=`just version` git push origin main --tags - gh release create "v$version" --notes-from-tag --repo $owner/{{pkgname}} + gh release create "v$version" --notes "" --repo $owner/{{pkgname}} gh release upload "v$version" --repo $owner/{{pkgname}} \ - {{pkgdest}}/{{pkgname}}-$version.tar.gz \ - {{pkgdest}}/{{pkgname}}-$version.tar.gz.asc + {{pkgdest}}/release/{{pkgname}}-$version.tar.gz \ + {{pkgdest}}/release/{{pkgname}}-$version.tar.gz.asc # Create & upload new release packages to the repositories [group('release')] diff --git a/PKGBUILD b/PKGBUILD index c698aa410c..20cebedaa7 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -20,11 +20,6 @@ license=('GPL-2.0-only') depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') -pkgver() { - cd "$srcdir/$pkgbase" - echo "0.$(git rev-list --count HEAD)" -} - prepare() { rsync -a --delete "$startdir" "$srcdir" } From 9389294db20cb0a5dba844f5cfd1c5310779b018 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 19:26:50 +0100 Subject: [PATCH 1286/1736] Release version 0.4901 --- PKGBUILD | 2 +- debian/changelog | 6 ++++++ dists/apparmor.d.spec | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 20cebedaa7..efd89c322d 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -11,7 +11,7 @@ pkgname=( # apparmor.d.server apparmor.d.server.enforced # apparmor.d.server.fsp apparmor.d.server.fsp.enforced ) -pkgver=0.4900 +pkgver=0.4901 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') diff --git a/debian/changelog b/debian/changelog index 6c94868045..e84beb3c76 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apparmor.d (0.4901-1) stable; urgency=medium + + * Release apparmor.d v0.4901 + + -- Alexandre Pujol Fri, 09 Jan 2026 19:26:50 +0100 + apparmor.d (0.4900-1) stable; urgency=medium * Release apparmor.d v0.4900 diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index ec1da24452..4af68f6723 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -7,7 +7,7 @@ # Warning: for development only, use https://build.opensuse.org/package/show/home:cboltz/apparmor.d for production use. Name: apparmor.d -Version: 0.4900 +Version: 0.4901 Release: 1%{?dist} Summary: Set of over 1500 AppArmor profiles License: GPL-2.0-only From a64f30f600d146aaf7dcb08366081701b5bda8db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 22:58:17 +0100 Subject: [PATCH 1287/1736] refractor(build): move the build tasks to a simplier pipeline system. --- pkg/builder/abi.go | 41 +++++++++++++++++----------- pkg/builder/attach.go | 14 +++++----- pkg/builder/base-strict.go | 11 ++++---- pkg/builder/complain.go | 11 ++++---- pkg/builder/core.go | 42 ++++++++++++++-------------- pkg/builder/dbus.go | 23 ++++++++++------ pkg/builder/enforce.go | 11 ++++---- pkg/builder/fsp.go | 11 ++++---- pkg/builder/hotfix.go | 11 ++++---- pkg/builder/userspace.go | 13 +++++---- pkg/configure/attach.go | 14 +++++----- pkg/configure/configure.go | 25 +++++++++-------- pkg/configure/core.go | 46 +++++++++++++++++++------------ pkg/configure/flags.go | 15 +++++----- pkg/configure/fsp.go | 17 ++++++------ pkg/configure/ignore.go | 15 +++++----- pkg/configure/merge.go | 22 +++++++-------- pkg/configure/overwrite.go | 19 +++++++------ pkg/configure/server.go | 16 +++++------ pkg/configure/synchronise.go | 30 ++++++++------------ pkg/configure/systemd.go | 13 +++++---- pkg/tasks/runner.go | 53 ++++++++++++++++++++++++++++++++++++ pkg/tasks/task.go | 51 ++++++++++++++++++++++++++++++++++ 23 files changed, 328 insertions(+), 196 deletions(-) create mode 100644 pkg/tasks/runner.go create mode 100644 pkg/tasks/task.go diff --git a/pkg/builder/abi.go b/pkg/builder/abi.go index de4bce4bf1..2067978b30 100644 --- a/pkg/builder/abi.go +++ b/pkg/builder/abi.go @@ -26,36 +26,45 @@ var ( ) type ABI5 struct { - tasks.Base + tasks.BaseTask } type ABI3 struct { - tasks.Base + tasks.BaseTask } type APPARMOR40 struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&ABI5{ - Base: tasks.Base{ - Keyword: "abi5", - Msg: "Build: convert all profiles from abi 4.0 to abi 5.0", - }, - }) - RegisterBuilder(&ABI3{ - Base: tasks.Base{ +// NewABI3 creates a new ABI3 builder. +func NewABI3() *ABI3 { + return &ABI3{ + BaseTask: tasks.BaseTask{ Keyword: "abi3", Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, - }) - RegisterBuilder(&APPARMOR40{ - Base: tasks.Base{ + } +} + +// NewABI5 creates a new ABI5 builder. +func NewABI5() *ABI5 { + return &ABI5{ + BaseTask: tasks.BaseTask{ + Keyword: "abi5", + Msg: "Build: convert all profiles from abi 4.0 to abi 5.0", + }, + } +} + +// NewAPPARMOR40 creates a new APPARMOR40 builder. +func NewAPPARMOR40() *APPARMOR40 { + return &APPARMOR40{ + BaseTask: tasks.BaseTask{ Keyword: "apparmor4.0", Msg: "Build: convert all profiles from apparmor 4.1 to 4.0 or less", }, - }) + } } func (b ABI5) Apply(opt *Option, profile string) (string, error) { diff --git a/pkg/builder/attach.go b/pkg/builder/attach.go index a49a46bd18..b90237ddb6 100644 --- a/pkg/builder/attach.go +++ b/pkg/builder/attach.go @@ -9,21 +9,21 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) type ReAttach struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&ReAttach{ - Base: tasks.Base{ +// NewAttach creates a new ReAttach builder. +func NewAttach() *ReAttach { + return &ReAttach{ + BaseTask: tasks.BaseTask{ Keyword: "attach", Msg: "Feat: re-attach disconnected path", }, - }) + } } // Apply will re-attach the disconnected path @@ -35,7 +35,7 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name - isInside, err := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions/attached")) + isInside, err := opt.File.IsInsideDir(b.RootApparmor.Join("abstractions/attached")) if err != nil { return profile, fmt.Errorf("attach: %v", err) } diff --git a/pkg/builder/base-strict.go b/pkg/builder/base-strict.go index 339f1faf1b..0e87edf42d 100644 --- a/pkg/builder/base-strict.go +++ b/pkg/builder/base-strict.go @@ -11,16 +11,17 @@ import ( ) type BaseStrict struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&BaseStrict{ - Base: tasks.Base{ +// NewBaseStrict creates a new BaseStrict builder. +func NewBaseStrict() *BaseStrict { + return &BaseStrict{ + BaseTask: tasks.BaseTask{ Keyword: "base-strict", Msg: "Feat: use 'base-strict' as base abstraction", }, - }) + } } func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { diff --git a/pkg/builder/complain.go b/pkg/builder/complain.go index f6fa2cc9cf..02abc7571e 100644 --- a/pkg/builder/complain.go +++ b/pkg/builder/complain.go @@ -18,16 +18,17 @@ var ( ) type Complain struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&Complain{ - Base: tasks.Base{ +// NewComplain creates a new Complain builder. +func NewComplain() *Complain { + return &Complain{ + BaseTask: tasks.BaseTask{ Keyword: "complain", Msg: "Build: set complain flag on all profiles", }, - }) + } } func (b Complain) Apply(opt *Option, profile string) (string, error) { diff --git a/pkg/builder/core.go b/pkg/builder/core.go index bf3b2feb37..1f2b6cf0d7 100644 --- a/pkg/builder/core.go +++ b/pkg/builder/core.go @@ -13,17 +13,9 @@ import ( "github.com/roddhjav/apparmor.d/pkg/tasks" ) -var ( - // Build the profiles with the following directive applied - Builds = []Builder{} - - // Available builders - Builders = map[string]Builder{} -) - // Builder main directive interface type Builder interface { - tasks.BaseInterface + tasks.BaseTaskInterface Apply(opt *Option, profile string) (string, error) } @@ -42,24 +34,24 @@ func NewOption(file *paths.Path) *Option { } } -func Register(names ...string) { - for _, name := range names { - if b, present := Builders[name]; present { - Builds = append(Builds, b) - } else { - panic(fmt.Sprintf("Unknown builder: %s", name)) - } - } +// Builders executes builders on profile strings in a pipeline. +type Builders struct { + *tasks.BaseRunner[Builder] } -func RegisterBuilder(d Builder) { - Builders[d.Name()] = d +// NewRunner creates a new Builders instance. +func NewRunner(t tasks.TaskConfig) *Builders { + return &Builders{ + BaseRunner: tasks.NewBaseRunner[Builder](t), + } } -func Run(file *paths.Path, profile string) (string, error) { - var err error +// Run executes all builders on a profile string. +func (r *Builders) Run(file *paths.Path, profile string) (string, error) { opt := NewOption(file) - for _, b := range Builds { + var err error + + for _, b := range r.Tasks { profile, err = b.Apply(opt, profile) if err != nil { return "", fmt.Errorf("%s %s: %w", b.Name(), opt.File, err) @@ -67,3 +59,9 @@ func Run(file *paths.Path, profile string) (string, error) { } return profile, nil } + +// Add appends a builder to the pipeline with fluent interface. +func (r *Builders) Add(builder Builder) *Builders { + r.BaseRunner.Add(builder) + return r +} diff --git a/pkg/builder/dbus.go b/pkg/builder/dbus.go index 0addbb574b..49afed9a9c 100644 --- a/pkg/builder/dbus.go +++ b/pkg/builder/dbus.go @@ -22,27 +22,32 @@ var ( // StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { - tasks.Base + tasks.BaseTask } // DbusBroker is a fix for https://gitlab.com/apparmor/apparmor/-/issues/565 type DbusBroker struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&StackedDbus{ - Base: tasks.Base{ +// NewStackedDbus creates a new StackedDbus builder. +func NewStackedDbus() *StackedDbus { + return &StackedDbus{ + BaseTask: tasks.BaseTask{ Keyword: "stacked-dbus", Msg: "Fix: resolve peer label variable in dbus rules", }, - }) - RegisterBuilder(&DbusBroker{ - Base: tasks.Base{ + } +} + +// NewDbusBroker creates a new DbusBroker builder. +func NewDbusBroker() *DbusBroker { + return &DbusBroker{ + BaseTask: tasks.BaseTask{ Keyword: "dbus-broker", Msg: "Fix: ignore peer name in dbus rules", }, - }) + } } func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { diff --git a/pkg/builder/enforce.go b/pkg/builder/enforce.go index b0d2d16e86..ab7937cebd 100644 --- a/pkg/builder/enforce.go +++ b/pkg/builder/enforce.go @@ -12,16 +12,17 @@ import ( ) type Enforce struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&Enforce{ - Base: tasks.Base{ +// NewEnforce creates a new Enforce builder. +func NewEnforce() *Enforce { + return &Enforce{ + BaseTask: tasks.BaseTask{ Keyword: "enforce", Msg: "Build: all profiles have been enforced", }, - }) + } } func (b Enforce) Apply(opt *Option, profile string) (string, error) { diff --git a/pkg/builder/fsp.go b/pkg/builder/fsp.go index 36bec502df..affff245a8 100644 --- a/pkg/builder/fsp.go +++ b/pkg/builder/fsp.go @@ -16,16 +16,17 @@ var ( ) type FullSystemPolicy struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&FullSystemPolicy{ - Base: tasks.Base{ +// NewFSP creates a new FullSystemPolicy builder. +func NewFSP() *FullSystemPolicy { + return &FullSystemPolicy{ + BaseTask: tasks.BaseTask{ Keyword: "fsp", Msg: "Feat: prevent unconfined transitions in profile rules", }, - }) + } } func (b FullSystemPolicy) Apply(opt *Option, profile string) (string, error) { diff --git a/pkg/builder/hotfix.go b/pkg/builder/hotfix.go index 4757990c94..1371cbcabb 100644 --- a/pkg/builder/hotfix.go +++ b/pkg/builder/hotfix.go @@ -19,16 +19,17 @@ var ( ) type Hotfix struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&Hotfix{ - Base: tasks.Base{ +// NewHotFix creates a new Hotfix builder. +func NewHotFix() *Hotfix { + return &Hotfix{ + BaseTask: tasks.BaseTask{ Keyword: "hotfix", Msg: "Fix: temporary solution for #74, #80 & #235", }, - }) + } } func (b Hotfix) Apply(opt *Option, profile string) (string, error) { diff --git a/pkg/builder/userspace.go b/pkg/builder/userspace.go index ebd1fccefb..bfa1e9caea 100644 --- a/pkg/builder/userspace.go +++ b/pkg/builder/userspace.go @@ -21,21 +21,22 @@ var ( ) type Userspace struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterBuilder(&Userspace{ - Base: tasks.Base{ +// NewUserspace creates a new Userspace builder. +func NewUserspace() *Userspace { + return &Userspace{ + BaseTask: tasks.BaseTask{ Keyword: "userspace", Msg: "Fix: resolve variable in profile attachments", }, - }) + } } func (b Userspace) Apply(opt *Option, profile string) (string, error) { for _, dir := range []string{"abstractions", "tunables", "local", "mappings"} { - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { + if ok, _ := opt.File.IsInsideDir(b.RootApparmor.Join(dir)); ok { return profile, nil } } diff --git a/pkg/configure/attach.go b/pkg/configure/attach.go index fe981fc83a..fbd644cb94 100644 --- a/pkg/configure/attach.go +++ b/pkg/configure/attach.go @@ -7,28 +7,28 @@ package configure import ( "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) type ReAttach struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterTask(&ReAttach{ - Base: tasks.Base{ +// NewAttach creates a new ReAttach task. +func NewAttach() *ReAttach { + return &ReAttach{ + BaseTask: tasks.BaseTask{ Keyword: "attach", Msg: "Configure tunable for re-attached path", }, - }) + } } func (p ReAttach) Apply() ([]string, error) { res := []string{} // Remove the @{att} tunable that is going to be defined in profile header - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + path := p.RootApparmor.Join("tunables/multiarch.d/system") out, err := path.ReadFileAsString() if err != nil { return res, err diff --git a/pkg/configure/configure.go b/pkg/configure/configure.go index 17a581541c..39b80d405f 100644 --- a/pkg/configure/configure.go +++ b/pkg/configure/configure.go @@ -13,21 +13,22 @@ import ( ) type Configure struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterTask(&Configure{ - Base: tasks.Base{ +// NewConfigure creates a new Configure task. +func NewConfigure() *Configure { + return &Configure{ + BaseTask: tasks.BaseTask{ Keyword: "configure", Msg: "Set distribution specificities", }, - }) + } } -func removeFiles(files []string) error { +func (p Configure) removeFiles(files []string) error { for _, name := range files { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + if err := p.RootApparmor.Join(name).RemoveAll(); err != nil { return err } } @@ -49,7 +50,7 @@ func (p Configure) Apply() ([]string, error) { remove := []string{ "tunables/multiarch.d/base", } - if err := removeFiles(remove); err != nil { + if err := p.removeFiles(remove); err != nil { return res, err } } @@ -70,7 +71,7 @@ func (p Configure) Apply() ([]string, error) { "fbwrap", "fapp", } - if err := removeFiles(remove); err != nil { + if err := p.removeFiles(remove); err != nil { return res, err } } @@ -85,7 +86,7 @@ func (p Configure) Apply() ([]string, error) { // Direct upstream contributed profiles, similar to ours "wg", } - if err := removeFiles(remove); err != nil { + if err := p.removeFiles(remove); err != nil { return res, err } } @@ -96,12 +97,12 @@ func (p Configure) Apply() ([]string, error) { "free", "nslookup", } - if err := removeFiles(remove); err != nil { + if err := p.removeFiles(remove); err != nil { return res, err } // @{pci_bus} was upstreamed in 5.0 - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + path := p.RootApparmor.Join("tunables/multiarch.d/system") out, err := path.ReadFileAsString() if err != nil { return res, err diff --git a/pkg/configure/core.go b/pkg/configure/core.go index 648a0477d5..724bbc4fa9 100644 --- a/pkg/configure/core.go +++ b/pkg/configure/core.go @@ -7,33 +7,45 @@ package configure import ( "fmt" + "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/tasks" ) -var ( - // Prepare the build directory with the following tasks - Prepares = []Task{} - - // Available prepare tasks - Tasks = map[string]Task{} -) - // Task main directive interface type Task interface { - tasks.BaseInterface + tasks.BaseTaskInterface Apply() ([]string, error) } -func Register(names ...string) { - for _, name := range names { - if b, present := Tasks[name]; present { - Prepares = append(Prepares, b) - } else { - panic(fmt.Sprintf("Unknown task: %s", name)) +// Configures executes configure tasks in a pipeline. +type Configures struct { + *tasks.BaseRunner[Task] +} + +// NewRunner creates a new Configures instance. +func NewRunner(t tasks.TaskConfig) *Configures { + return &Configures{ + BaseRunner: tasks.NewBaseRunner[Task](t), + } +} + +// Run executes all tasks in the pipeline, logging their output. +func (r *Configures) Run() error { + for _, task := range r.Tasks { + msg, err := task.Apply() + if err != nil { + return fmt.Errorf("%s: %w", task.Name(), err) + } + logging.Success("%s", task.Message()) + for _, m := range msg { + logging.Bullet("%s", m) } } + return nil } -func RegisterTask(t Task) { - Tasks[t.Name()] = t +// Add appends a task to the pipeline with fluent interface. +func (r *Configures) Add(task Task) *Configures { + r.BaseRunner.Add(task) + return r } diff --git a/pkg/configure/flags.go b/pkg/configure/flags.go index 87e1cb58bf..0536102c6b 100644 --- a/pkg/configure/flags.go +++ b/pkg/configure/flags.go @@ -19,23 +19,24 @@ var ( ) type SetFlags struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterTask(&SetFlags{ - Base: tasks.Base{ +// NewSetFlags creates a new SetFlags task. +func NewSetFlags() *SetFlags { + return &SetFlags{ + BaseTask: tasks.BaseTask{ Keyword: "setflags", - Msg: "Set flags on some profiles", + Msg: "Set flags as definied in dist/flags", }, - }) + } } func (p SetFlags) Apply() ([]string, error) { res := []string{} for _, name := range []string{"main", prebuild.Distribution} { for profile, flags := range prebuild.Flags.Read(name) { - file := prebuild.RootApparmord.Join(profile) + file := p.RootApparmor.Join(profile) if !file.Exist() { res = append(res, fmt.Sprintf("Profile %s not found, ignoring", profile)) continue diff --git a/pkg/configure/fsp.go b/pkg/configure/fsp.go index 9bc16229fa..e0d5cbb1fb 100644 --- a/pkg/configure/fsp.go +++ b/pkg/configure/fsp.go @@ -63,28 +63,29 @@ var ( ) type FullSystemPolicy struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterTask(&FullSystemPolicy{ - Base: tasks.Base{ +// NewFullSystemPolicy creates a new FullSystemPolicy task. +func NewFullSystemPolicy() *FullSystemPolicy { + return &FullSystemPolicy{ + BaseTask: tasks.BaseTask{ Keyword: "fsp", Msg: "Configure AppArmor for full system policy", }, - }) + } } func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := paths.New("apparmor.d/groups/_full/").CopyFS(prebuild.Root.Join("apparmor.d")); err != nil { + if err := paths.New("apparmor.d/groups/_full/").CopyFS(p.RootApparmor); err != nil { return res, err } // Set profile name for FSP - path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") + path := p.RootApparmor.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err @@ -102,5 +103,5 @@ func (p FullSystemPolicy) Apply() ([]string, error) { } // Set systemd unit drop-in files - return res, paths.CopyTo(prebuild.SystemdDir.Join("full"), prebuild.Root.Join("systemd")) + return res, paths.CopyTo(prebuild.SystemdDir.Join("full"), p.Root.Join("systemd")) } diff --git a/pkg/configure/ignore.go b/pkg/configure/ignore.go index 1f45e94319..35bff7a815 100644 --- a/pkg/configure/ignore.go +++ b/pkg/configure/ignore.go @@ -11,25 +11,26 @@ import ( ) type Ignore struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterTask(&Ignore{ - Base: tasks.Base{ +// NewIgnore creates a new Ignore task. +func NewIgnore() *Ignore { + return &Ignore{ + BaseTask: tasks.BaseTask{ Keyword: "ignore", Msg: "Ignore profiles and files from:", }, - }) + } } func (p Ignore) Apply() ([]string, error) { res := []string{} for _, name := range []string{"main", prebuild.Distribution} { for _, ignore := range prebuild.Ignore.Read(name) { - profile := prebuild.Root.Join(ignore) + profile := p.Root.Join(ignore) if profile.NotExist() { - files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) + files, err := p.RootApparmor.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) if err != nil { return res, err } diff --git a/pkg/configure/merge.go b/pkg/configure/merge.go index 8ae8cc25f6..a8d189e2e2 100644 --- a/pkg/configure/merge.go +++ b/pkg/configure/merge.go @@ -9,21 +9,21 @@ import ( "path/filepath" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Merge struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterTask(&Merge{ - Base: tasks.Base{ +// NewMerge creates a new Merge task. +func NewMerge() *Merge { + return &Merge{ + BaseTask: tasks.BaseTask{ Keyword: "merge", Msg: "Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory", }, - }) + } } func (p Merge) Apply() ([]string, error) { @@ -36,18 +36,18 @@ func (p Merge) Apply() ([]string, error) { idx := 0 for idx < len(dirToMerge)-1 { dirMoved, dirRemoved := dirToMerge[idx], dirToMerge[idx+1] - files, err := filepath.Glob(prebuild.RootApparmord.Join(dirMoved).String()) + files, err := filepath.Glob(p.RootApparmor.Join(dirMoved).String()) if err != nil { return res, err } for _, file := range files { - err := os.Rename(file, prebuild.RootApparmord.Join(filepath.Base(file)).String()) + err := os.Rename(file, p.RootApparmor.Join(filepath.Base(file)).String()) if err != nil { return res, err } } - files, err = filepath.Glob(prebuild.RootApparmord.Join(dirRemoved).String()) + files, err = filepath.Glob(p.RootApparmor.Join(dirRemoved).String()) if err != nil { return []string{}, err } @@ -60,7 +60,7 @@ func (p Merge) Apply() ([]string, error) { } // Namespaces directory - nsRoot := prebuild.RootApparmord.Join("namespaces") + nsRoot := p.RootApparmor.Join("namespaces") if !nsRoot.Exist() { return res, nil } @@ -75,7 +75,7 @@ func (p Merge) Apply() ([]string, error) { return res, err } for _, file := range files { - destPath := prebuild.RootApparmord.Join(":" + nsName + ":" + file.Base()) + destPath := p.RootApparmor.Join(":" + nsName + ":" + file.Base()) err := os.Rename(file.String(), destPath.String()) if err != nil { return res, err diff --git a/pkg/configure/overwrite.go b/pkg/configure/overwrite.go index 2d23ce8330..4cddfa7c10 100644 --- a/pkg/configure/overwrite.go +++ b/pkg/configure/overwrite.go @@ -15,18 +15,19 @@ import ( var ext = "." + prebuild.Pkgname type Overwrite struct { - tasks.Base + tasks.BaseTask Optional bool } -func init() { - RegisterTask(&Overwrite{ - Base: tasks.Base{ +// NewOverwrite creates a new Overwrite task with optional configuration. +func NewOverwrite(optional bool) *Overwrite { + return &Overwrite{ + BaseTask: tasks.BaseTask{ Keyword: "overwrite", Msg: "Overwrite dummy upstream profiles", }, - Optional: false, - }) + Optional: optional, + } } func (p Overwrite) Apply() ([]string, error) { @@ -35,7 +36,7 @@ func (p Overwrite) Apply() ([]string, error) { return res, nil } - disableDir := prebuild.RootApparmord.Join("disable") + disableDir := p.RootApparmor.Join("disable") if err := disableDir.Mkdir(); err != nil { return res, err } @@ -45,8 +46,8 @@ func (p Overwrite) Apply() ([]string, error) { return res, fmt.Errorf("%s not found", path) } for _, name := range path.MustReadFilteredFileAsLines() { - origin := prebuild.RootApparmord.Join(name) - dest := prebuild.RootApparmord.Join(name + ext) + origin := p.RootApparmor.Join(name) + dest := p.RootApparmor.Join(name + ext) if !dest.Exist() && p.Optional { continue } diff --git a/pkg/configure/server.go b/pkg/configure/server.go index 71788ab46f..3bf461f4ab 100644 --- a/pkg/configure/server.go +++ b/pkg/configure/server.go @@ -9,7 +9,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) @@ -52,16 +51,17 @@ var ( ) type Server struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterTask(&Server{ - Base: tasks.Base{ +// NewServer creates a new Server task. +func NewServer() *Server { + return &Server{ + BaseTask: tasks.BaseTask{ Keyword: "server", Msg: "Configure AppArmor for server", }, - }) + } } func (p Server) Apply() ([]string, error) { @@ -70,7 +70,7 @@ func (p Server) Apply() ([]string, error) { // Ignore desktop related groups groupNb := 0 for _, group := range serverIgnoreGroups { - path := prebuild.RootApparmord.Join("groups", group) + path := p.RootApparmor.Join("groups", group) if path.IsDir() { if err := path.RemoveAll(); err != nil { return res, err @@ -83,7 +83,7 @@ func (p Server) Apply() ([]string, error) { // Ignore profiles using a desktop related abstraction fileNb := 0 - files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + files, _ := p.RootApparmor.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) for _, file := range files { if !file.Exist() { continue diff --git a/pkg/configure/synchronise.go b/pkg/configure/synchronise.go index 13a0fd60b7..28cc6afcbe 100644 --- a/pkg/configure/synchronise.go +++ b/pkg/configure/synchronise.go @@ -6,37 +6,29 @@ package configure import ( "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Synchronise struct { - tasks.Base - Paths []string // File or directory to sync into the build directory. + tasks.BaseTask + Sources []*paths.Path // Files or directories to sync into the build directory. } -func init() { - RegisterTask(&Synchronise{ - Base: tasks.Base{ +// NewSynchronise creates a new Synchronise task. +func NewSynchronise(sources []*paths.Path) *Synchronise { + return &Synchronise{ + BaseTask: tasks.BaseTask{ Keyword: "synchronise", - Msg: "Initialize a new clean apparmor.d build directory", + Msg: "Initialize a new clean apparmor.d directory", }, - Paths: []string{"apparmor.d", "share"}, - }) + Sources: sources, + } } func (p Synchronise) Apply() ([]string, error) { res := []string{} - if err := prebuild.Root.Join("systemd").RemoveAll(); err != nil { - return res, err - } - if err := prebuild.RootApparmord.RemoveAll(); err != nil { - return res, err - } - - for _, name := range p.Paths { - src := paths.New(name) - dst := prebuild.Root.Join(name) + for _, src := range p.Sources { + dst := p.Root.Join(src.Base()) if err := dst.RemoveAll(); err != nil { return res, err } diff --git a/pkg/configure/systemd.go b/pkg/configure/systemd.go index 73d936153f..3222fb42b7 100644 --- a/pkg/configure/systemd.go +++ b/pkg/configure/systemd.go @@ -11,18 +11,19 @@ import ( ) type SystemdDefault struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterTask(&SystemdDefault{ - Base: tasks.Base{ +// NewSystemd creates a new SystemdDefault task. +func NewSystemd() *SystemdDefault { + return &SystemdDefault{ + BaseTask: tasks.BaseTask{ Keyword: "systemd-default", Msg: "Configure systemd unit drop in files to a profile for some units", }, - }) + } } func (p SystemdDefault) Apply() ([]string, error) { - return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("default"), prebuild.Root.Join("systemd")) + return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("default"), p.Root.Join("systemd")) } diff --git a/pkg/tasks/runner.go b/pkg/tasks/runner.go new file mode 100644 index 0000000000..f620a13cc6 --- /dev/null +++ b/pkg/tasks/runner.go @@ -0,0 +1,53 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package tasks + +import ( + "fmt" +) + +// Runner provides a fluent interface for building and executing task pipelines. +type Runner[T BaseTaskInterface] interface { + // Add appends a task to the execution pipeline + Add(task T) Runner[T] + + // Run executes all tasks in order, stopping on first error + Run() error + + // Help returns usage information for all registered tasks + Help(name string) string +} + +// BaseRunner provides common runner implementation for task pipelines. +type BaseRunner[T BaseTaskInterface] struct { + TaskConfig + Tasks []T +} + +// NewBaseRunner creates a new BaseRunner instance. +func NewBaseRunner[T BaseTaskInterface](config TaskConfig) *BaseRunner[T] { + r := &BaseRunner[T]{ + TaskConfig: config, + Tasks: make([]T, 0), + } + return r +} + +// Add appends a task to the execution pipeline. +func (r *BaseRunner[T]) Add(task T) *BaseRunner[T] { + task.SetConfig(r.TaskConfig) + r.Tasks = append(r.Tasks, task) + return r +} + +func (r *BaseRunner[T]) Help(name string) string { + res := fmt.Sprintf("%s tasks:\n", name) + for _, t := range r.Tasks { + res += fmt.Sprintf(" %s - %s\n", t.Name(), t.Message()) + } + return res +} + +// Run is not implemented in BaseRunner - concrete runners must implement their own Run method. diff --git a/pkg/tasks/task.go b/pkg/tasks/task.go new file mode 100644 index 0000000000..78ad57c040 --- /dev/null +++ b/pkg/tasks/task.go @@ -0,0 +1,51 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package tasks + +import ( + "github.com/roddhjav/apparmor.d/pkg/paths" +) + +type TaskConfig struct { + Root *paths.Path // Root is the root directory for the runner (e.g. .build) + RootApparmor *paths.Path // RootApparmor is the source apparmor.d directory (e.g. .build/apparmor.d) +} + +func NewTaskConfig(root *paths.Path) TaskConfig { + return TaskConfig{ + Root: root, + RootApparmor: root.Join("apparmor.d"), + } +} + +type BaseTaskInterface interface { + Message() string + Name() string + Usage() []string + SetConfig(c TaskConfig) +} + +type BaseTask struct { + TaskConfig + Msg string + Keyword string + Help []string +} + +func (b BaseTask) Name() string { + return b.Keyword +} + +func (b *BaseTask) SetConfig(c TaskConfig) { + b.TaskConfig = c +} + +func (b BaseTask) Usage() []string { + return b.Help +} + +func (b BaseTask) Message() string { + return b.Msg +} From 6f3c2a6ede52f7a03168186a50482f931845d815 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 23:00:46 +0100 Subject: [PATCH 1288/1736] refractor(build): also convert the directive into the pipeline. --- pkg/directive/core.go | 74 +++++++++++++++++++++++++---------------- pkg/directive/dbus.go | 13 ++++---- pkg/directive/exec.go | 14 ++++---- pkg/directive/filter.go | 23 ++++++++----- pkg/directive/stack.go | 12 +++---- 5 files changed, 79 insertions(+), 57 deletions(-) diff --git a/pkg/directive/core.go b/pkg/directive/core.go index 0ab979714e..d8af6cddb6 100644 --- a/pkg/directive/core.go +++ b/pkg/directive/core.go @@ -17,21 +17,40 @@ var ( // Define the directive keyword globally Keyword = "#aa:" - // Build the profiles with the following directive applied - Directives = map[string]Directive{} - regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*)( .*)?`) ) // Directive main interface type Directive interface { - tasks.BaseInterface + tasks.BaseTaskInterface Apply(opt *Option, profile string) (string, error) } -func Usage() string { +// Directives handles directive registration and execution. +type Directives struct { + *tasks.BaseRunner[Directive] + Directives map[string]Directive +} + +// NewRunner creates a new Directives instance. +func NewRunner(c tasks.TaskConfig) *Directives { + return &Directives{ + BaseRunner: tasks.NewBaseRunner[Directive](c), + Directives: make(map[string]Directive), + } +} + +// Register adds a directive to the runner. +func (r *Directives) Register(d Directive) *Directives { + r.BaseRunner.Add(d) + r.Directives[d.Name()] = d + return r +} + +// Usage returns usage information for all registered directives. +func (r *Directives) Usage() string { res := "Directive:\n" - for _, d := range Directives { + for _, d := range r.Directives { for _, h := range d.Usage() { res += fmt.Sprintf(" %s%s %s\n", Keyword, d.Name(), h) } @@ -39,6 +58,26 @@ func Usage() string { return res } +// Run executes all directives found in the profile via regex. +func (r *Directives) Run(file *paths.Path, profile string) (string, error) { + var err error + for _, match := range regDirective.FindAllStringSubmatch(profile, -1) { + opt := NewOption(file, match) + drtv, ok := r.Directives[opt.Name] + if !ok { + if opt.Name == "lint" { + continue + } + return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) + } + profile, err = drtv.Apply(opt, profile) + if err != nil { + return "", fmt.Errorf("%s %s: %w", drtv.Name(), opt.File, err) + } + } + return profile, nil +} + // Option for the directive type Option struct { Name string @@ -95,26 +134,3 @@ func (o *Option) IsInline() bool { } return inline } - -func RegisterDirective(d Directive) { - Directives[d.Name()] = d -} - -func Run(file *paths.Path, profile string) (string, error) { - var err error - for _, match := range regDirective.FindAllStringSubmatch(profile, -1) { - opt := NewOption(file, match) - drtv, ok := Directives[opt.Name] - if !ok { - if opt.Name == "lint" { - continue - } - return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) - } - profile, err = drtv.Apply(opt, profile) - if err != nil { - return "", fmt.Errorf("%s %s: %w", drtv.Name(), opt.File, err) - } - } - return profile, nil -} diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index 2730a416db..4663861d51 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -23,12 +23,13 @@ import ( ) type Dbus struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterDirective(&Dbus{ - Base: tasks.Base{ +// NewDbus creates a new Dbus directive. +func NewDbus() *Dbus { + return &Dbus{ + BaseTask: tasks.BaseTask{ Keyword: "dbus", Msg: "Dbus directive applied", Help: []string{ @@ -36,8 +37,8 @@ func init() { "talk bus= name= label= [interface=AARE] [path=AARE]", "see bus= name= label=", }, - }}, - ) + }, + } } func (d Dbus) Apply(opt *Option, profile string) (string, error) { diff --git a/pkg/directive/exec.go b/pkg/directive/exec.go index 321fad438b..1e0893473f 100644 --- a/pkg/directive/exec.go +++ b/pkg/directive/exec.go @@ -13,22 +13,22 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) type Exec struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterDirective(&Exec{ - Base: tasks.Base{ +// NewExec creates a new Exec directive. +func NewExec() *Exec { + return &Exec{ + BaseTask: tasks.BaseTask{ Keyword: "exec", Msg: "Exec directive applied", Help: []string{"[P|U|p|u|PU|pu|] profiles..."}, }, - }) + } } func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { @@ -46,7 +46,7 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules := aa.Rules{} ignoreDir := paths.FilterNames("tunables", "abstractions", "disable") for name := range opt.ArgMap { - files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered( + files, err := d.RootApparmor.ReadDirRecursiveFiltered( paths.NotFilter(ignoreDir), paths.FilterOutDirectories(), paths.FilterNames(name), ) if err != nil { diff --git a/pkg/directive/filter.go b/pkg/directive/filter.go index de0641e77a..772684c3b6 100644 --- a/pkg/directive/filter.go +++ b/pkg/directive/filter.go @@ -15,28 +15,33 @@ import ( ) type FilterOnly struct { - tasks.Base + tasks.BaseTask } type FilterExclude struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterDirective(&FilterOnly{ - Base: tasks.Base{ +// NewFilterOnly creates a new FilterOnly directive. +func NewFilterOnly() *FilterOnly { + return &FilterOnly{ + BaseTask: tasks.BaseTask{ Keyword: "only", Msg: "Only directive applied", Help: []string{"filters..."}, }, - }) - RegisterDirective(&FilterExclude{ - Base: tasks.Base{ + } +} + +// NewFilterExclude creates a new FilterExclude directive. +func NewFilterExclude() *FilterExclude { + return &FilterExclude{ + BaseTask: tasks.BaseTask{ Keyword: "exclude", Msg: "Exclude directive applied", Help: []string{"filters..."}, }, - }) + } } func cmp[T float64 | int](refValue T, operator string, value T) bool { diff --git a/pkg/directive/stack.go b/pkg/directive/stack.go index d0b761a0cf..47458c0399 100644 --- a/pkg/directive/stack.go +++ b/pkg/directive/stack.go @@ -11,7 +11,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -27,17 +26,18 @@ var ( ) type Stack struct { - tasks.Base + tasks.BaseTask } -func init() { - RegisterDirective(&Stack{ - Base: tasks.Base{ +// NewStack creates a new Stack directive. +func NewStack() *Stack { + return &Stack{ + BaseTask: tasks.BaseTask{ Keyword: "stack", Msg: "Stack directive applied", Help: []string{"[X] profiles..."}, }, - }) + } } func (s Stack) Apply(opt *Option, profile string) (string, error) { From 9d42003d2ce426d1ceeea43578c28472011fedec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 23:02:52 +0100 Subject: [PATCH 1289/1736] refractor: rewrite prebuild to the new pipeline. --- cmd/prebuild/main.go | 63 +++++++++----- pkg/prebuild/cli/cli.go | 176 ++++++++++++++++++---------------------- 2 files changed, 119 insertions(+), 120 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 345e9fa562..0bde18f03c 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -5,10 +5,13 @@ package main import ( + "github.com/roddhjav/apparmor.d/pkg/builder" + "github.com/roddhjav/apparmor.d/pkg/configure" + "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" + "github.com/roddhjav/apparmor.d/pkg/run" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) // Cli arguments have priority over the settings entered here @@ -19,24 +22,6 @@ func init() { // Define the default version prebuild.Version = 4.1 - // Define the tasks applied by default - prepare.Register( - "synchronise", // Initialize a new clean apparmor.d build directory - "ignore", // Ignore profiles and files from dist/ignore - "merge", // Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory - "configure", // Set distribution specificities - "setflags", // Set flags as definied in dist/flags - "overwrite", // Overwrite dummy upstream profiles - "systemd-default", // Set systemd unit drop in files for dbus profiles - ) - - // Build tasks applied by default - builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 - "base-strict", // Use base-strict as base abstraction - ) - // Matrix of ABI/Apparmor version to integrate with switch prebuild.Distribution { case "arch": @@ -85,6 +70,40 @@ func init() { } func main() { - cli.Configure() - cli.Prebuild() + c := tasks.NewTaskConfig(cli.GetPrebuildRoot()) + r := run.NewRunners(c) + + // Add default configure tasks + r.Configures. + // Initialize a new clean apparmor.d build directory + Add(configure.NewSynchronise( + []*paths.Path{paths.New("apparmor.d"), paths.New("share")}, + )). + + // Ignore profiles and files from dist/ignore + Add(configure.NewIgnore()). // TODO: Keep it here, have one in aa-install, as well as a Include + + // Set distribution specificities + Add(configure.NewConfigure()). + // Add(configure.NewSetFlags()). // Set flags as definied in dist/flags + + // Overwrite dummy upstream profile + Add(configure.NewOverwrite(false)). // TODO: Move in aa-install + + // Set systemd unit drop in files for dbus profiles + Add(configure.NewSystemd()) + + // Default build tasks + r.Builders. + // Resolve variable in profile attachments + Add(builder.NewUserspace()). + + // Temporary fix for #74, #80 & #235 + Add(builder.NewHotFix()). + + // Use base-strict as base abstraction + Add(builder.NewBaseStrict()) + + r = cli.Configure(r) + cli.Prebuild(r) } diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index ade26c6472..ef58506b6f 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -2,142 +2,123 @@ // Copyright (C) 2023-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package cli provides the command line interface for prebuilding apparmor.d profiles. +// It is separated from the main package as it is also used by downstream projects. + package cli import ( "flag" "fmt" "os" - "slices" - "strings" + "github.com/roddhjav/apparmor.d/pkg/builder" + "github.com/roddhjav/apparmor.d/pkg/configure" + "github.com/roddhjav/apparmor.d/pkg/directive" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" + "github.com/roddhjav/apparmor.d/pkg/run" ) const ( - nilABI = 0 - nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] + nilABI = 0 + nilVer = 0.0 + nilBuild = "" + nilSrc = "" + usage = `aa-prebuild [-h] [--status] [--abi 3|4|5] [--version V] [--fsp] [--src DIR] [--buildir DIR] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. Options: -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. + -s, --status Show the status of enabled build tasks. -a, --abi ABI Target apparmor ABI. -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -s, --server Set AppArmor for server. - -b, --buildir DIR Root build directory. - -F, --file Only prebuild a given file. + -f, --fsp Configure AppArmor for full system policy and RBAC. + -S, --src DIR Profile source directory (default: apparmor.d/). + -b, --buildir DIR Destination root build directory (default: .build/). --test Enable test mode. --debug Enable debug mode. ` ) var ( - help bool - complain bool - enforce bool - full bool - server bool - debug bool - test bool - abi int - version float64 - file string - buildir string + help bool + status bool + fsp bool + debug bool + test bool + abi int + version float64 + src string + buildir string ) func init() { flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") - flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") - flag.BoolVar(&server, "s", false, "Set AppArmor for server.") - flag.BoolVar(&server, "server", false, "Set AppArmor for server.") - flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") - flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") - flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") - flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") + flag.BoolVar(&status, "s", false, "Show the status of enabled build tasks.") + flag.BoolVar(&status, "status", false, "Show the status of enabled build tasks.") + flag.BoolVar(&fsp, "f", false, "Configure AppArmor for full system policy and RBAC.") + flag.BoolVar(&fsp, "fsp", false, "Configure AppArmor for full system policy and RBAC.") flag.IntVar(&abi, "a", nilABI, "Target apparmor ABI.") flag.IntVar(&abi, "abi", nilABI, "Target apparmor ABI.") flag.Float64Var(&version, "v", nilVer, "Target apparmor version.") flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") - flag.StringVar(&file, "F", "", "Only prebuild a given file.") - flag.StringVar(&file, "file", "", "Only prebuild a given file.") - flag.StringVar(&buildir, "b", "", "Root build directory.") - flag.StringVar(&buildir, "buildir", "", "Root build directory.") + flag.StringVar(&src, "S", nilSrc, "Profile source directory.") + flag.StringVar(&src, "src", nilSrc, "Profile source directory.") + flag.StringVar(&buildir, "b", nilBuild, "Destination root build directory.") + flag.StringVar(&buildir, "buildir", nilBuild, "Destination root build directory.") flag.BoolVar(&debug, "debug", false, "Enable debug mode.") flag.BoolVar(&test, "test", false, "Enable test mode.") } -func Configure() { - flag.Usage = func() { - fmt.Printf("%s\n%s\n%s\n%s", usage, - prebuild.Help("Prepare", prepare.Tasks), - prebuild.Help("Build", builder.Builders), - directive.Usage(), - ) +func GetPrebuildRoot() *paths.Path { + if buildir != nilBuild { + return paths.New(buildir) } + return paths.New(".build") +} + +func Configure(r *run.Runners) *run.Runners { + flag.Usage = func() { fmt.Print(usage) } flag.Parse() if help { flag.Usage() os.Exit(0) } - if server { - idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) - if idx == -1 { - prepare.Register("server") - } else { - prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) - } - - // Remove hotfix task as it is not needed on server - idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) - if idx != -1 { - prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) - } - } + // Register all directives (always available) + r.Directives. + Register(directive.NewDbus()). + Register(directive.NewExec()). + Register(directive.NewFilterOnly()). + Register(directive.NewFilterExclude()). + Register(directive.NewProfile()). + Register(directive.NewRestart()). + Register(directive.NewStack()) - if full && paths.New("apparmor.d/groups/_full").Exist() { - prepare.Register("fsp") - builder.Register("fsp") + if fsp && paths.New("apparmor.d/groups/_full").Exist() { + r.Configures.Add(configure.NewFullSystemPolicy()) + r.Builders.Add(builder.NewFSP()) prebuild.RBAC = true } - if complain { - builder.Register("complain") - if debug { - builder.Register("debug") - } - if test { - prebuild.Test = true - } - } else if enforce { - builder.Register("enforce") - } - if abi != nilABI { prebuild.ABI = abi } switch prebuild.ABI { case 3: - builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 - builder.Register("apparmor4.0") // Convert convert all profiles from apparmor 4.1 to 4.0 or less + r.Builders. + Add(builder.NewABI3()). // Convert all profiles from abi 4.0 to abi 3.0 + Add(builder.NewAPPARMOR40()) // Convert all profiles from apparmor 4.1 to 4.0 or less case 4: // priority support was added in 4.1 if prebuild.Version == 4.0 { - builder.Register("apparmor4.0") + r.Builders.Add(builder.NewAPPARMOR40()) } // Re-attach disconnected path @@ -147,18 +128,17 @@ func Configure() { // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 // Use stacked-dbus builder to resolve dbus rules - builder.Register("stacked-dbus") + r.Builders.Add(builder.NewStackedDbus()) } else { if !prebuild.DownStream { - prepare.Register("attach") + r.Configures.Add(configure.NewAttach()) } - builder.Register("attach") - + r.Builders.Add(builder.NewAttach()) } case 5: - builder.Register("abi5") // Convert all profiles from abi 4.0 to abi 5.0 + r.Builders.Add(builder.NewABI5()) // Convert all profiles from abi 4.0 to abi 5.0 // Re-attach disconnected path if prebuild.Distribution == "ubuntu" { @@ -167,16 +147,16 @@ func Configure() { // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 // Use stacked-dbus builder to resolve dbus rules - builder.Register("stacked-dbus") + r.Builders.Add(builder.NewStackedDbus()) } else { if !prebuild.DownStream { - prepare.Register("attach") + r.Configures.Add(configure.NewAttach()) } - builder.Register("attach") + r.Builders.Add(builder.NewAttach()) // Fix dbus rules for dbus-broker - builder.Register("dbus-broker") + r.Builders.Add(builder.NewDbusBroker()) prebuild.DbusDaemon = false } @@ -187,32 +167,32 @@ func Configure() { if version != nilVer { prebuild.Version = version } - if buildir != "" { - prebuild.Root = paths.New(buildir) - prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") - } - if file != "" { - sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) - sync.Paths = []string{file} - overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) - overwrite.Optional = true + + if status { + fmt.Printf("%s\n%s\n%s", + r.Configures.Help("Enabled configure"), + r.Builders.Help("Enabled build"), + r.Directives.Usage(), + ) + os.Exit(0) } + return r } -func Prebuild() { +func Prebuild(r *run.Runners) { logging.Step("Building apparmor.d profiles for %s", prebuild.Distribution) logging.Success("AppArmor ABI targeted: %d", prebuild.ABI) logging.Success("AppArmor version targeted: %.1f", prebuild.Version) if prebuild.Test { logging.Warning("Test mode enabled") } - if full { + if fsp { logging.Success("Full system policy enabled") } - if err := Prepare(); err != nil { + if err := r.Configure(); err != nil { logging.Fatal("%s", err.Error()) } - if err := Build(); err != nil { + if err := r.Build(); err != nil { logging.Fatal("%s", err.Error()) } } From b269cfe9ffe7e967b82323c7dd2870a418e915b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 9 Jan 2026 23:32:58 +0100 Subject: [PATCH 1290/1736] refractor: continue moving code outside of prebuild. --- cmd/prebuild/main.go | 6 +- pkg/builder/userspace.go | 3 +- pkg/configure/configure.go | 6 +- pkg/configure/flags.go | 2 +- pkg/configure/ignore.go | 2 +- pkg/directive/filter.go | 4 +- pkg/directive/stack.go | 2 +- pkg/prebuild/cli/cli.go | 74 +------- pkg/prebuild/directories.go | 8 +- pkg/runtime/runners.go | 94 ++++++++++ pkg/tasks/core.go | 39 ---- pkg/tasks/core_test.go | 62 ------ pkg/{prebuild => tasks}/os.go | 13 +- pkg/{prebuild => tasks}/os_test.go | 4 +- pkg/tasks/task_test.go | 291 +++++++++++++++++++++++++++++ 15 files changed, 418 insertions(+), 192 deletions(-) create mode 100644 pkg/runtime/runners.go delete mode 100644 pkg/tasks/core.go delete mode 100644 pkg/tasks/core_test.go rename pkg/{prebuild => tasks}/os.go (81%) rename pkg/{prebuild => tasks}/os_test.go (98%) create mode 100644 pkg/tasks/task_test.go diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 0bde18f03c..ac71aff36d 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -23,11 +23,11 @@ func init() { prebuild.Version = 4.1 // Matrix of ABI/Apparmor version to integrate with - switch prebuild.Distribution { + switch run.Distribution { case "arch": case "ubuntu": - switch prebuild.Release["VERSION_CODENAME"] { + switch run.Release["VERSION_CODENAME"] { case "jammy": prebuild.ABI = 3 prebuild.Version = 3.0 @@ -43,7 +43,7 @@ func init() { } case "debian": - switch prebuild.Release["VERSION_CODENAME"] { + switch run.Release["VERSION_CODENAME"] { case "bullseye", "bookworm": prebuild.ABI = 3 prebuild.Version = 3.0 diff --git a/pkg/builder/userspace.go b/pkg/builder/userspace.go index bfa1e9caea..8a5e5673c8 100644 --- a/pkg/builder/userspace.go +++ b/pkg/builder/userspace.go @@ -10,7 +10,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) @@ -42,7 +41,7 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) { } f := aa.DefaultTunables() - if prebuild.Distribution == "arch" { + if tasks.Distribution == "arch" { f.Preamble = append(f.Preamble, &aa.Variable{ Name: "sbin", Values: []string{"/{,usr/}{,s}bin"}, Define: true, }) diff --git a/pkg/configure/configure.go b/pkg/configure/configure.go index 39b80d405f..fa60b19c83 100644 --- a/pkg/configure/configure.go +++ b/pkg/configure/configure.go @@ -38,7 +38,7 @@ func (p Configure) removeFiles(files []string) error { func (p Configure) Apply() ([]string, error) { res := []string{} - switch prebuild.Distribution { + switch tasks.Distribution { case "arch", "opensuse": case "ubuntu": @@ -46,7 +46,7 @@ func (p Configure) Apply() ([]string, error) { return res, err } - if prebuild.Release["VERSION_CODENAME"] == "noble" { + if tasks.Release["VERSION_CODENAME"] == "noble" { remove := []string{ "tunables/multiarch.d/base", } @@ -61,7 +61,7 @@ func (p Configure) Apply() ([]string, error) { } default: - return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) + return []string{}, fmt.Errorf("%s is not a supported distribution", tasks.Distribution) } diff --git a/pkg/configure/flags.go b/pkg/configure/flags.go index 0536102c6b..d4199b625f 100644 --- a/pkg/configure/flags.go +++ b/pkg/configure/flags.go @@ -34,7 +34,7 @@ func NewSetFlags() *SetFlags { func (p SetFlags) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", prebuild.Distribution} { + for _, name := range []string{"main", tasks.Distribution} { for profile, flags := range prebuild.Flags.Read(name) { file := p.RootApparmor.Join(profile) if !file.Exist() { diff --git a/pkg/configure/ignore.go b/pkg/configure/ignore.go index 35bff7a815..4c21a6e928 100644 --- a/pkg/configure/ignore.go +++ b/pkg/configure/ignore.go @@ -26,7 +26,7 @@ func NewIgnore() *Ignore { func (p Ignore) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", prebuild.Distribution} { + for _, name := range []string{"main", tasks.Distribution} { for _, ignore := range prebuild.Ignore.Read(name) { profile := p.Root.Join(ignore) if profile.NotExist() { diff --git a/pkg/directive/filter.go b/pkg/directive/filter.go index 772684c3b6..0f0ef8cf88 100644 --- a/pkg/directive/filter.go +++ b/pkg/directive/filter.go @@ -103,10 +103,10 @@ func filterRuleForUs(opt *Option) bool { if prebuild.Test && arg == "test" { res = true } - if arg == prebuild.Distribution { + if arg == tasks.Distribution { res = true } - if arg == prebuild.Family { + if arg == tasks.Family { res = true } if strings.HasPrefix(arg, "abi") { diff --git a/pkg/directive/stack.go b/pkg/directive/stack.go index 47458c0399..01eb70f080 100644 --- a/pkg/directive/stack.go +++ b/pkg/directive/stack.go @@ -58,7 +58,7 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" ignoreDir := paths.FilterNames("tunables", "abstractions", "disable") for name := range opt.ArgMap { - files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered( + files, err := s.RootApparmor.ReadDirRecursiveFiltered( paths.NotFilter(ignoreDir), paths.FilterOutDirectories(), paths.FilterNames(name), ) if err != nil { diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index ef58506b6f..47f695d981 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -18,7 +18,8 @@ import ( "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/run" + "github.com/roddhjav/apparmor.d/pkg/runtime" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) const ( @@ -82,7 +83,7 @@ func GetPrebuildRoot() *paths.Path { return paths.New(".build") } -func Configure(r *run.Runners) *run.Runners { +func Configure(r *runtime.Runners) *runtime.Runners { flag.Usage = func() { fmt.Print(usage) } flag.Parse() if help { @@ -122,7 +123,7 @@ func Configure(r *run.Runners) *run.Runners { } // Re-attach disconnected path - if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { + if tasks.Distribution == "ubuntu" && prebuild.Version >= 4.1 { // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent // profiles compilation with re-attached paths. // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 @@ -141,7 +142,7 @@ func Configure(r *run.Runners) *run.Runners { r.Builders.Add(builder.NewABI5()) // Convert all profiles from abi 4.0 to abi 5.0 // Re-attach disconnected path - if prebuild.Distribution == "ubuntu" { + if tasks.Distribution == "ubuntu" { // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent // profiles compilation with re-attached paths. // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 @@ -179,8 +180,8 @@ func Configure(r *run.Runners) *run.Runners { return r } -func Prebuild(r *run.Runners) { - logging.Step("Building apparmor.d profiles for %s", prebuild.Distribution) +func Prebuild(r *runtime.Runners) { + logging.Step("Building apparmor.d profiles for %s", tasks.Distribution) logging.Success("AppArmor ABI targeted: %d", prebuild.ABI) logging.Success("AppArmor version targeted: %.1f", prebuild.Version) if prebuild.Test { @@ -196,64 +197,3 @@ func Prebuild(r *run.Runners) { logging.Fatal("%s", err.Error()) } } - -func Prepare() error { - for _, task := range prepare.Prepares { - msg, err := task.Apply() - if err != nil { - return err - } - if file != "" && task.Name() == "setflags" { - continue - } - logging.Success("%s", task.Message()) - logging.Indent = " " - for _, line := range msg { - if strings.Contains(line, "not found") { - logging.Warning("%s", line) - } else { - logging.Bullet("%s", line) - } - } - logging.Indent = "" - } - return nil -} - -func Build() error { - files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := file.ReadFileAsString() - if err != nil { - return err - } - profile, err = builder.Run(file, profile) - if err != nil { - return err - } - profile, err = directive.Run(file, profile) - if err != nil { - return err - } - if err := file.WriteFile([]byte(profile)); err != nil { - return err - } - } - - logging.Success("Build tasks:") - logging.Indent = " " - for _, task := range builder.Builds { - logging.Bullet("%s", task.Message()) - } - logging.Indent = "" - logging.Success("Directives processed:") - logging.Indent = " " - for _, dir := range directive.Directives { - logging.Bullet("%s%s", directive.Keyword, dir.Name()) - } - logging.Indent = "" - return nil -} diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 5c737cdea0..fba711b601 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package prebuild @@ -28,12 +28,6 @@ var ( // Pkgname is the name of the package Pkgname = "apparmor.d" - // Root is the root directory for the build (default: .build) - Root *paths.Path = paths.New(".build") - - // RootApparmord is the final built apparmor.d directory (default: .build/apparmor.d) - RootApparmord *paths.Path = Root.Join("apparmor.d") - // DistDir is the directory where the distribution specific files are stored DistDir *paths.Path = paths.New("dists") diff --git a/pkg/runtime/runners.go b/pkg/runtime/runners.go new file mode 100644 index 0000000000..60d62351ac --- /dev/null +++ b/pkg/runtime/runners.go @@ -0,0 +1,94 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package runtime + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/builder" + "github.com/roddhjav/apparmor.d/pkg/configure" + "github.com/roddhjav/apparmor.d/pkg/directive" + "github.com/roddhjav/apparmor.d/pkg/logging" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/tasks" +) + +// Runners groups all runners used during install or prebuild jobs. +type Runners struct { + Configures *configure.Configures + Builders *builder.Builders + Directives *directive.Directives +} + +// NewRunners groups all runners used during install. +func NewRunners(c tasks.TaskConfig) *Runners { + return &Runners{ + Configures: configure.NewRunner(c), + Builders: builder.NewRunner(c), + Directives: directive.NewRunner(c), + } +} + +// Configure runs all configure tasks. +func (r *Runners) Configure() error { + for _, task := range r.Configures.Tasks { + msg, err := task.Apply() + if err != nil { + return err + } + logging.Success("%s", task.Message()) + logging.Indent = " " + for _, line := range msg { + if strings.Contains(line, "not found") { + logging.Warning("%s", line) + } else { + logging.Bullet("%s", line) + } + } + logging.Indent = "" + } + return nil +} + +// Build runs all build tasks and processes all directives. +func (r *Runners) Build() error { + files, _ := r.Builders.RootApparmor.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = r.Builders.Run(file, profile) + if err != nil { + return err + } + profile, err = r.Directives.Run(file, profile) + if err != nil { + return err + } + if err := file.WriteFile([]byte(profile)); err != nil { + return err + } + } + + logging.Success("Build tasks:") + logging.Indent = " " + for _, task := range r.Builders.Tasks { + logging.Bullet("%s", task.Message()) + } + if len(r.Directives.Directives) > 0 { + logging.Indent = "" + logging.Success("Directives processed:") + logging.Indent = " " + for _, d := range r.Directives.Directives { + logging.Bullet("%s%s", directive.Keyword, d.Name()) + } + logging.Indent = "" + } + return nil +} diff --git a/pkg/tasks/core.go b/pkg/tasks/core.go deleted file mode 100644 index b9471af824..0000000000 --- a/pkg/tasks/core.go +++ /dev/null @@ -1,39 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2026 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package tasks - -import "fmt" - -type BaseInterface interface { - Message() string - Name() string - Usage() []string -} - -type Base struct { - Msg string - Keyword string - Help []string -} - -func (b Base) Name() string { - return b.Keyword -} - -func (b Base) Usage() []string { - return b.Help -} - -func (b Base) Message() string { - return b.Msg -} - -func Help[T BaseInterface](name string, tasks map[string]T) string { - res := fmt.Sprintf("%s tasks:\n", name) - for _, t := range tasks { - res += fmt.Sprintf(" %s - %s\n", t.Name(), t.Message()) - } - return res -} diff --git a/pkg/tasks/core_test.go b/pkg/tasks/core_test.go deleted file mode 100644 index f737be06f6..0000000000 --- a/pkg/tasks/core_test.go +++ /dev/null @@ -1,62 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2026 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package tasks - -import ( - "slices" - "strings" - "testing" -) - -func TestBase_Helpers(t *testing.T) { - tests := []struct { - name string - b Base - want string - }{ - { - name: "base", - b: Base{Keyword: "test", Help: []string{"test"}, Msg: "test"}, - want: "test", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := tt.b.Name(); got != tt.want { - t.Errorf("Base.Name() = %v, want %v", got, tt.want) - } - if got := tt.b.Usage(); !slices.Equal(got, []string{tt.want}) { - t.Errorf("Base.Usage() = %v, want %v", got, tt.want) - } - if got := tt.b.Message(); got != tt.want { - t.Errorf("Base.Message() = %v, want %v", got, tt.want) - } - }) - } -} - -func TestHelp(t *testing.T) { - tests := []struct { - name string - tasks map[string]Base - want string - }{ - { - name: "one", - tasks: map[string]Base{ - "one": {Keyword: "one", Help: []string{"one"}, Msg: "one"}, - "two": {Keyword: "two", Help: []string{"two"}, Msg: "two"}, - }, - want: `one`, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := Help(tt.name, tt.tasks); !strings.Contains(got, tt.want) { - t.Errorf("Help() = %v, want %v", got, tt.want) - } - }) - } -} diff --git a/pkg/prebuild/os.go b/pkg/tasks/os.go similarity index 81% rename from pkg/prebuild/os.go rename to pkg/tasks/os.go index 8ef8fb79e8..65885cea6d 100644 --- a/pkg/prebuild/os.go +++ b/pkg/tasks/os.go @@ -1,8 +1,8 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package tasks import ( "os" @@ -16,6 +16,15 @@ var ( Distribution = getDistribution() Release = getOSRelease() Family = getFamily() + + // DebianDir is the directory where the debian specific files are stored + // DebianDir *paths.Path = paths.New("debian") + + // // DebianHide is the path to the debian/common.hide file + // DebianHide = DebianHider{path: DebianDir.Join("common.hide")} + + // Ignore = Ignorer{} + // Flags = Flagger{} ) var ( diff --git a/pkg/prebuild/os_test.go b/pkg/tasks/os_test.go similarity index 98% rename from pkg/prebuild/os_test.go rename to pkg/tasks/os_test.go index 8f9bd338fe..63824d253e 100644 --- a/pkg/prebuild/os_test.go +++ b/pkg/tasks/os_test.go @@ -1,8 +1,8 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package tasks import ( "reflect" diff --git a/pkg/tasks/task_test.go b/pkg/tasks/task_test.go new file mode 100644 index 0000000000..f3520b18f0 --- /dev/null +++ b/pkg/tasks/task_test.go @@ -0,0 +1,291 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package tasks + +import ( + "slices" + "strings" + "testing" + + "github.com/roddhjav/apparmor.d/pkg/paths" +) + +func TestBaseTask_Name(t *testing.T) { + tests := []struct { + name string + b BaseTask + want string + }{ + { + name: "simple", + b: BaseTask{Keyword: "test"}, + want: "test", + }, + { + name: "with-dashes", + b: BaseTask{Keyword: "test-task"}, + want: "test-task", + }, + { + name: "empty", + b: BaseTask{Keyword: ""}, + want: "", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := tt.b.Name(); got != tt.want { + t.Errorf("BaseTask.Name() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestBaseTask_Usage(t *testing.T) { + tests := []struct { + name string + b BaseTask + want []string + }{ + { + name: "single", + b: BaseTask{Help: []string{"test"}}, + want: []string{"test"}, + }, + { + name: "multiple", + b: BaseTask{Help: []string{"line1", "line2", "line3"}}, + want: []string{"line1", "line2", "line3"}, + }, + { + name: "empty", + b: BaseTask{Help: []string{}}, + want: []string{}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := tt.b.Usage(); !slices.Equal(got, tt.want) { + t.Errorf("BaseTask.Usage() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestBaseTask_Message(t *testing.T) { + tests := []struct { + name string + b BaseTask + want string + }{ + { + name: "simple", + b: BaseTask{Msg: "test message"}, + want: "test message", + }, + { + name: "empty", + b: BaseTask{Msg: ""}, + want: "", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := tt.b.Message(); got != tt.want { + t.Errorf("BaseTask.Message() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestBaseTask_SetConfig(t *testing.T) { + tests := []struct { + name string + root string + wantAA string + }{ + { + name: "standard", + root: "/tmp/build", + wantAA: "/tmp/build/apparmor.d", + }, + { + name: "root", + root: "/", + wantAA: "/apparmor.d", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + root := paths.New(tt.root) + config := NewTaskConfig(root) + task := &BaseTask{} + task.SetConfig(config) + + if task.Root.String() != tt.root { + t.Errorf("BaseTask.SetConfig() Root = %v, want %v", task.Root, tt.root) + } + if task.RootApparmor.String() != tt.wantAA { + t.Errorf("BaseTask.SetConfig() RootApparmor = %v, want %v", task.RootApparmor, tt.wantAA) + } + }) + } +} + +func TestNewTaskConfig(t *testing.T) { + tests := []struct { + name string + root string + wantRoot string + wantAA string + }{ + { + name: "standard", + root: "/tmp/build", + wantRoot: "/tmp/build", + wantAA: "/tmp/build/apparmor.d", + }, + { + name: "root", + root: "/", + wantRoot: "/", + wantAA: "/apparmor.d", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + root := paths.New(tt.root) + got := NewTaskConfig(root) + if got.Root.String() != tt.wantRoot { + t.Errorf("NewTaskConfig().Root = %v, want %v", got.Root, tt.wantRoot) + } + if got.RootApparmor.String() != tt.wantAA { + t.Errorf("NewTaskConfig().RootApparmor = %v, want %v", got.RootApparmor, tt.wantAA) + } + }) + } +} + +func TestNewBaseRunner(t *testing.T) { + tests := []struct { + name string + root string + }{ + { + name: "standard", + root: "/tmp/test", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + root := paths.New(tt.root) + config := NewTaskConfig(root) + runner := NewBaseRunner[*BaseTask](config) + + if runner == nil { + t.Fatal("NewBaseRunner() returned nil") + } + if runner.Root.String() != tt.root { + t.Errorf("NewBaseRunner().Root = %v, want %v", runner.Root, tt.root) + } + if len(runner.Tasks) != 0 { + t.Errorf("NewBaseRunner().Tasks length = %v, want 0", len(runner.Tasks)) + } + }) + } +} + +func TestBaseRunner_Add(t *testing.T) { + tests := []struct { + name string + tasks []*BaseTask + wantCount int + }{ + { + name: "single", + tasks: []*BaseTask{ + {Keyword: "task1", Help: []string{"help1"}, Msg: "msg1"}, + }, + wantCount: 1, + }, + { + name: "multiple", + tasks: []*BaseTask{ + {Keyword: "task1", Help: []string{"help1"}, Msg: "msg1"}, + {Keyword: "task2", Help: []string{"help2"}, Msg: "msg2"}, + {Keyword: "task3", Help: []string{"help3"}, Msg: "msg3"}, + }, + wantCount: 3, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + root := paths.New("/tmp/test") + config := NewTaskConfig(root) + runner := NewBaseRunner[*BaseTask](config) + + for _, task := range tt.tasks { + runner.Add(task) + } + + if len(runner.Tasks) != tt.wantCount { + t.Errorf("BaseRunner.Add() tasks length = %v, want %v", len(runner.Tasks), tt.wantCount) + } + + // Verify tasks received config + for i, task := range runner.Tasks { + if task.Root.String() != root.String() { + t.Errorf("Task[%d] config not set, Root = %v, want %v", i, task.Root, root) + } + } + }) + } +} + +func TestBaseRunner_Help(t *testing.T) { + tests := []struct { + name string + runnerName string + tasks []*BaseTask + wantStrings []string + }{ + { + name: "single", + runnerName: "test-runner", + tasks: []*BaseTask{ + {Keyword: "build", Help: []string{"build help"}, Msg: "Build the project"}, + }, + wantStrings: []string{"test-runner tasks:", "build", "Build the project"}, + }, + { + name: "multiple", + runnerName: "suite", + tasks: []*BaseTask{ + {Keyword: "build", Help: []string{"build help"}, Msg: "Build the project"}, + {Keyword: "test", Help: []string{"test help"}, Msg: "Run tests"}, + }, + wantStrings: []string{"suite tasks:", "build", "Build the project", "test", "Run tests"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + root := paths.New("/tmp/test") + config := NewTaskConfig(root) + runner := NewBaseRunner[*BaseTask](config) + + for _, task := range tt.tasks { + runner.Add(task) + } + + got := runner.Help(tt.runnerName) + + for _, want := range tt.wantStrings { + if !strings.Contains(got, want) { + t.Errorf("BaseRunner.Help() missing expected string %q\nGot: %s", want, got) + } + } + }) + } +} From 22141147695f768cb078b8af561e496a53633ee9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 11 Jan 2026 00:05:04 +0100 Subject: [PATCH 1291/1736] build: stop setting build settings as global variables. --- cmd/prebuild/main.go | 47 ++++++++++++++++++---------------- pkg/builder/core.go | 2 +- pkg/configure/configure.go | 6 ++--- pkg/configure/core.go | 2 +- pkg/configure/overwrite.go | 5 ++-- pkg/directive/core.go | 2 +- pkg/directive/dbus.go | 9 +++---- pkg/directive/filter.go | 21 ++++++++-------- pkg/prebuild/cli/cli.go | 27 ++++++++++---------- pkg/prebuild/directories.go | 21 ---------------- pkg/runtime/runners.go | 10 +++++--- pkg/tasks/config.go | 50 +++++++++++++++++++++++++++++++++++++ pkg/tasks/runner.go | 4 +-- pkg/tasks/task.go | 22 +++------------- 14 files changed, 122 insertions(+), 106 deletions(-) create mode 100644 pkg/tasks/config.go diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index ac71aff36d..5928f0aca4 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -10,48 +10,52 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" - "github.com/roddhjav/apparmor.d/pkg/run" + "github.com/roddhjav/apparmor.d/pkg/runtime" "github.com/roddhjav/apparmor.d/pkg/tasks" ) // Cli arguments have priority over the settings entered here -func init() { +func configInit() *tasks.TaskConfig { + c := tasks.NewTaskConfig(cli.GetPrebuildRoot()) + // Define the default ABI - prebuild.ABI = 4 + c.ABI = 4 // Define the default version - prebuild.Version = 4.1 + c.Version = 4.1 // Matrix of ABI/Apparmor version to integrate with - switch run.Distribution { + switch tasks.Distribution { case "arch": + c.ABI = 5 + c.Version = 5.0 case "ubuntu": - switch run.Release["VERSION_CODENAME"] { + switch tasks.Release["VERSION_CODENAME"] { case "jammy": - prebuild.ABI = 3 - prebuild.Version = 3.0 + c.ABI = 3 + c.Version = 3.0 case "noble": - prebuild.ABI = 4 - prebuild.Version = 4.0 + c.ABI = 4 + c.Version = 4.0 case "questing": - prebuild.ABI = 4 - prebuild.Version = 5.0 + c.ABI = 4 + c.Version = 5.0 case "resolute": - prebuild.ABI = 4 - prebuild.Version = 5.0 + c.ABI = 4 + c.Version = 5.0 } case "debian": - switch run.Release["VERSION_CODENAME"] { + switch tasks.Release["VERSION_CODENAME"] { case "bullseye", "bookworm": - prebuild.ABI = 3 - prebuild.Version = 3.0 + c.ABI = 3 + c.Version = 3.0 } case "whonix": - prebuild.ABI = 3 - prebuild.Version = 3.0 + c.ABI = 3 + c.Version = 3.0 // Hide rewritten Whonix profiles prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure @@ -67,11 +71,12 @@ func init() { /etc/apparmor.d/whonix-firewall ` } + return c } func main() { - c := tasks.NewTaskConfig(cli.GetPrebuildRoot()) - r := run.NewRunners(c) + c := configInit() + r := runtime.NewRunners(c) // Add default configure tasks r.Configures. diff --git a/pkg/builder/core.go b/pkg/builder/core.go index 1f2b6cf0d7..88d9709b93 100644 --- a/pkg/builder/core.go +++ b/pkg/builder/core.go @@ -40,7 +40,7 @@ type Builders struct { } // NewRunner creates a new Builders instance. -func NewRunner(t tasks.TaskConfig) *Builders { +func NewRunner(t *tasks.TaskConfig) *Builders { return &Builders{ BaseRunner: tasks.NewBaseRunner[Builder](t), } diff --git a/pkg/configure/configure.go b/pkg/configure/configure.go index fa60b19c83..a74358a6d8 100644 --- a/pkg/configure/configure.go +++ b/pkg/configure/configure.go @@ -65,7 +65,7 @@ func (p Configure) Apply() ([]string, error) { } - if prebuild.Version < 4.1 { + if p.Version < 4.1 { remove := []string{ // Require priority support "fbwrap", @@ -75,7 +75,7 @@ func (p Configure) Apply() ([]string, error) { return res, err } } - if prebuild.Version >= 4.1 { + if p.Version >= 4.1 { remove := []string{ // Remove files upstreamed in 4.1 "abstractions/devices-usb-read", @@ -90,7 +90,7 @@ func (p Configure) Apply() ([]string, error) { return res, err } } - if prebuild.Version >= 5.0 { + if p.Version >= 5.0 { remove := []string{ // Direct upstream contributed profiles, similar to ours "dig", diff --git a/pkg/configure/core.go b/pkg/configure/core.go index 724bbc4fa9..2d48ce6e80 100644 --- a/pkg/configure/core.go +++ b/pkg/configure/core.go @@ -23,7 +23,7 @@ type Configures struct { } // NewRunner creates a new Configures instance. -func NewRunner(t tasks.TaskConfig) *Configures { +func NewRunner(t *tasks.TaskConfig) *Configures { return &Configures{ BaseRunner: tasks.NewBaseRunner[Task](t), } diff --git a/pkg/configure/overwrite.go b/pkg/configure/overwrite.go index 4cddfa7c10..f60b8e1d33 100644 --- a/pkg/configure/overwrite.go +++ b/pkg/configure/overwrite.go @@ -12,8 +12,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/tasks" ) -var ext = "." + prebuild.Pkgname - type Overwrite struct { tasks.BaseTask Optional bool @@ -32,7 +30,7 @@ func NewOverwrite(optional bool) *Overwrite { func (p Overwrite) Apply() ([]string, error) { res := []string{} - if prebuild.ABI == 3 { + if p.ABI == 3 { return res, nil } @@ -41,6 +39,7 @@ func (p Overwrite) Apply() ([]string, error) { return res, err } + ext := "." + p.Pkgname path := prebuild.DistDir.Join("overwrite") if !path.Exist() { return res, fmt.Errorf("%s not found", path) diff --git a/pkg/directive/core.go b/pkg/directive/core.go index d8af6cddb6..9286ec856d 100644 --- a/pkg/directive/core.go +++ b/pkg/directive/core.go @@ -33,7 +33,7 @@ type Directives struct { } // NewRunner creates a new Directives instance. -func NewRunner(c tasks.TaskConfig) *Directives { +func NewRunner(c *tasks.TaskConfig) *Directives { return &Directives{ BaseRunner: tasks.NewBaseRunner[Directive](c), Directives: make(map[string]Directive), diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index 4663861d51..0de93d0187 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -18,7 +18,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) @@ -123,7 +122,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { // Interfaces for _, iface := range interfaces { var peerNames = make([]string, 2) - if prebuild.DbusDaemon { + if d.DbusDaemon { peerNames[0] = `"@{busname}"` peerNames[1] = `"{@{busname},org.freedesktop.DBus}"` } @@ -142,7 +141,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { } var peerNames = make([]string, 4) - if prebuild.DbusDaemon { + if d.DbusDaemon { peerNames[0] = `"{@{busname},org.freedesktop.DBus}"` peerNames[1] = `"@{busname}"` peerNames[2] = `"{@{busname},` + rules["name"] + `}"` @@ -194,7 +193,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { } peerName := `` - if prebuild.DbusDaemon { + if d.DbusDaemon { peerName = `"{@{busname},` + rules["name"] + `}"` } @@ -243,7 +242,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { func (d Dbus) see(rules map[string]string) aa.Rules { peerName := `` - if prebuild.DbusDaemon { + if d.DbusDaemon { peerName = `"{@{busname},` + rules["name"] + `}"` } diff --git a/pkg/directive/filter.go b/pkg/directive/filter.go index 0f0ef8cf88..f6660638b7 100644 --- a/pkg/directive/filter.go +++ b/pkg/directive/filter.go @@ -10,7 +10,6 @@ import ( "strconv" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" ) @@ -94,13 +93,13 @@ func compare(refValue any, prefix string, arg string) bool { return res } -func filterRuleForUs(opt *Option) bool { +func filterRuleForUs(c *tasks.TaskConfig, opt *Option) bool { for _, arg := range opt.ArgList { var res bool - if prebuild.RBAC && arg == "RBAC" { + if c.RBAC && arg == "RBAC" { res = true } - if prebuild.Test && arg == "test" { + if c.Test && arg == "test" { res = true } if arg == tasks.Distribution { @@ -110,10 +109,10 @@ func filterRuleForUs(opt *Option) bool { res = true } if strings.HasPrefix(arg, "abi") { - res = compare(prebuild.ABI, "abi", arg) + res = compare(c.ABI, "abi", arg) } if strings.HasPrefix(arg, "apparmor") { - res = compare(prebuild.Version, "apparmor", arg) + res = compare(c.Version, "apparmor", arg) } if res { @@ -123,11 +122,11 @@ func filterRuleForUs(opt *Option) bool { return false } -func filter(only bool, opt *Option, profile string) (string, error) { - if only && filterRuleForUs(opt) { +func filter(c *tasks.TaskConfig, only bool, opt *Option, profile string) (string, error) { + if only && filterRuleForUs(c, opt) { return opt.Clean(profile), nil } - if !only && !filterRuleForUs(opt) { + if !only && !filterRuleForUs(c, opt) { return opt.Clean(profile), nil } @@ -141,9 +140,9 @@ func filter(only bool, opt *Option, profile string) (string, error) { } func (d FilterOnly) Apply(opt *Option, profile string) (string, error) { - return filter(true, opt, profile) + return filter(d.TaskConfig, true, opt, profile) } func (d FilterExclude) Apply(opt *Option, profile string) (string, error) { - return filter(false, opt, profile) + return filter(d.TaskConfig, false, opt, profile) } diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 47f695d981..c5916e99eb 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -17,7 +17,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/directive" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/runtime" "github.com/roddhjav/apparmor.d/pkg/tasks" ) @@ -104,13 +103,13 @@ func Configure(r *runtime.Runners) *runtime.Runners { if fsp && paths.New("apparmor.d/groups/_full").Exist() { r.Configures.Add(configure.NewFullSystemPolicy()) r.Builders.Add(builder.NewFSP()) - prebuild.RBAC = true + r.RBAC = true } if abi != nilABI { - prebuild.ABI = abi + r.ABI = abi } - switch prebuild.ABI { + switch r.ABI { case 3: r.Builders. Add(builder.NewABI3()). // Convert all profiles from abi 4.0 to abi 3.0 @@ -118,12 +117,12 @@ func Configure(r *runtime.Runners) *runtime.Runners { case 4: // priority support was added in 4.1 - if prebuild.Version == 4.0 { + if r.Version == 4.0 { r.Builders.Add(builder.NewAPPARMOR40()) } // Re-attach disconnected path - if tasks.Distribution == "ubuntu" && prebuild.Version >= 4.1 { + if tasks.Distribution == "ubuntu" && r.Version >= 4.1 { // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent // profiles compilation with re-attached paths. // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 @@ -132,7 +131,7 @@ func Configure(r *runtime.Runners) *runtime.Runners { r.Builders.Add(builder.NewStackedDbus()) } else { - if !prebuild.DownStream { + if !r.DownStream { r.Configures.Add(configure.NewAttach()) } r.Builders.Add(builder.NewAttach()) @@ -151,22 +150,22 @@ func Configure(r *runtime.Runners) *runtime.Runners { r.Builders.Add(builder.NewStackedDbus()) } else { - if !prebuild.DownStream { + if !r.DownStream { r.Configures.Add(configure.NewAttach()) } r.Builders.Add(builder.NewAttach()) // Fix dbus rules for dbus-broker r.Builders.Add(builder.NewDbusBroker()) - prebuild.DbusDaemon = false + r.DbusDaemon = false } default: - logging.Fatal("Invalid ABI version: %d", prebuild.ABI) + logging.Fatal("Invalid ABI version: %d", r.ABI) } if version != nilVer { - prebuild.Version = version + r.Version = version } if status { @@ -182,9 +181,9 @@ func Configure(r *runtime.Runners) *runtime.Runners { func Prebuild(r *runtime.Runners) { logging.Step("Building apparmor.d profiles for %s", tasks.Distribution) - logging.Success("AppArmor ABI targeted: %d", prebuild.ABI) - logging.Success("AppArmor version targeted: %.1f", prebuild.Version) - if prebuild.Test { + logging.Success("AppArmor ABI targeted: %d", r.ABI) + logging.Success("AppArmor version targeted: %.1f", r.Version) + if r.Test { logging.Warning("Test mode enabled") } if fsp { diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index fba711b601..9ecbd87013 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -7,27 +7,6 @@ package prebuild import "github.com/roddhjav/apparmor.d/pkg/paths" var ( - // AppArmor ABI version - ABI = 0 - - // AppArmor version - Version = 4.0 - - // Tells the build we are a downstream project using apparmor.d as dependency - DownStream = false - - // Either or not RBAC is enabled - RBAC = false - - // Either or not we are in test mode - Test = false - - // The dbus implementation used - DbusDaemon = true - - // Pkgname is the name of the package - Pkgname = "apparmor.d" - // DistDir is the directory where the distribution specific files are stored DistDir *paths.Path = paths.New("dists") diff --git a/pkg/runtime/runners.go b/pkg/runtime/runners.go index 60d62351ac..a68704b18b 100644 --- a/pkg/runtime/runners.go +++ b/pkg/runtime/runners.go @@ -17,17 +17,19 @@ import ( // Runners groups all runners used during install or prebuild jobs. type Runners struct { + *tasks.TaskConfig Configures *configure.Configures Builders *builder.Builders Directives *directive.Directives } // NewRunners groups all runners used during install. -func NewRunners(c tasks.TaskConfig) *Runners { +func NewRunners(config *tasks.TaskConfig) *Runners { return &Runners{ - Configures: configure.NewRunner(c), - Builders: builder.NewRunner(c), - Directives: directive.NewRunner(c), + TaskConfig: config, + Configures: configure.NewRunner(config), + Builders: builder.NewRunner(config), + Directives: directive.NewRunner(config), } } diff --git a/pkg/tasks/config.go b/pkg/tasks/config.go new file mode 100644 index 0000000000..559b85ccff --- /dev/null +++ b/pkg/tasks/config.go @@ -0,0 +1,50 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package tasks + +import "github.com/roddhjav/apparmor.d/pkg/paths" + +type TaskConfig struct { + // AppArmor ABI version + ABI int + + // AppArmor version + Version float64 + + // Tells the build we are a downstream project using apparmor.d as dependency + DownStream bool + + // Either or not RBAC is enabled + RBAC bool + + // Either or not we are in test mode + Test bool + + // The dbus implementation used (true for dbus-daemon, false for dbus-broker) + DbusDaemon bool + + // Pkgname is the name of the package + Pkgname string + + // Root is the root directory for the runner (e.g. .build) + Root *paths.Path + + // RootApparmor is the source apparmor.d directory (e.g. .build/apparmor.d) + RootApparmor *paths.Path +} + +func NewTaskConfig(root *paths.Path) *TaskConfig { + return &TaskConfig{ + ABI: 0, + Version: 4.0, + DownStream: false, + RBAC: false, + Test: false, + DbusDaemon: true, + Pkgname: "apparmor.d", + Root: root, + RootApparmor: root.Join("apparmor.d"), + } +} diff --git a/pkg/tasks/runner.go b/pkg/tasks/runner.go index f620a13cc6..f980f3c59a 100644 --- a/pkg/tasks/runner.go +++ b/pkg/tasks/runner.go @@ -22,12 +22,12 @@ type Runner[T BaseTaskInterface] interface { // BaseRunner provides common runner implementation for task pipelines. type BaseRunner[T BaseTaskInterface] struct { - TaskConfig + *TaskConfig Tasks []T } // NewBaseRunner creates a new BaseRunner instance. -func NewBaseRunner[T BaseTaskInterface](config TaskConfig) *BaseRunner[T] { +func NewBaseRunner[T BaseTaskInterface](config *TaskConfig) *BaseRunner[T] { r := &BaseRunner[T]{ TaskConfig: config, Tasks: make([]T, 0), diff --git a/pkg/tasks/task.go b/pkg/tasks/task.go index 78ad57c040..14a6bece93 100644 --- a/pkg/tasks/task.go +++ b/pkg/tasks/task.go @@ -4,31 +4,15 @@ package tasks -import ( - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -type TaskConfig struct { - Root *paths.Path // Root is the root directory for the runner (e.g. .build) - RootApparmor *paths.Path // RootApparmor is the source apparmor.d directory (e.g. .build/apparmor.d) -} - -func NewTaskConfig(root *paths.Path) TaskConfig { - return TaskConfig{ - Root: root, - RootApparmor: root.Join("apparmor.d"), - } -} - type BaseTaskInterface interface { Message() string Name() string Usage() []string - SetConfig(c TaskConfig) + SetConfig(c *TaskConfig) } type BaseTask struct { - TaskConfig + *TaskConfig Msg string Keyword string Help []string @@ -38,7 +22,7 @@ func (b BaseTask) Name() string { return b.Keyword } -func (b *BaseTask) SetConfig(c TaskConfig) { +func (b *BaseTask) SetConfig(c *TaskConfig) { b.TaskConfig = c } From 77465e4593f1cef0e89ece1c0bd6c88ba9616f6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 11 Jan 2026 00:44:09 +0100 Subject: [PATCH 1292/1736] feat(profile): various improvement and fixes. fix #987 #988 #973 --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/audio-client | 1 + apparmor.d/abstractions/development | 4 +++- apparmor.d/abstractions/golang-strict | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 4 ++-- apparmor.d/groups/gnome/gnome-control-center | 10 +++++----- apparmor.d/groups/gpg/scdaemon | 3 +++ apparmor.d/groups/kde/kaccess | 5 ++--- apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/konsole | 4 ++-- apparmor.d/groups/kde/kwin_wayland | 4 ++-- apparmor.d/groups/pacman/aurpublish | 8 ++++++-- apparmor.d/groups/pacman/pacman-hook-code | 1 + apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/systemd/systemd-vconsole-setup | 2 ++ apparmor.d/profiles-a-f/fwupd | 2 ++ 17 files changed, 36 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 8f5c8dc891..ac6b49f8b3 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -186,6 +186,7 @@ @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/vmstat r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/environ r, diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index d4961b2958..64d695f864 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -65,6 +65,7 @@ @{sys}/class/ r, @{sys}/class/sound/ r, + @{sys}/devices/*/sound/*/uevent r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index 2641ad48c2..eae07691af 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -36,6 +36,7 @@ /etc/*@{devtools}* r, /etc/*@{devtools}*/{,**} r, /etc/debuginfod/{,**} r, + /etc/inputrc r, owner @{HOME}/.local/ r, owner @{user_lib_dirs}/ r, @@ -48,7 +49,7 @@ owner @{tmp}/*tests*/** rwlk, owner @{tmp}/*tests*/** mix, - @{PROC}/sys/kernel/osrelease r, + @{sys}/kernel/mm/transparent_hugepage/enabled r, # Allow reading CPU cgroup limits @{sys}/fs/cgroup/user.slice/cpu.max r, @@ -68,6 +69,7 @@ # Allow listing file descriptors for resource monitoring owner @{PROC}/@{pid}/fd/ r, + @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/@{int} rw, include if exists diff --git a/apparmor.d/abstractions/golang-strict b/apparmor.d/abstractions/golang-strict index 6c3dcc1304..857ad37461 100644 --- a/apparmor.d/abstractions/golang-strict +++ b/apparmor.d/abstractions/golang-strict @@ -12,6 +12,7 @@ @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.scope/*.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 0d7e99fc5c..e7134e79c6 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -51,7 +51,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { member=Register peer=(name=@{busname}), - dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_125/gtk904232872 + dbus send bus=session path=/org/freedesktop/portal/desktop/session/** interface=org.freedesktop.impl.portal.Session member=Close peer=(name=@{busname}, label=xdg-desktop-portal-gtk), @@ -61,7 +61,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal.GlobalShortcuts path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus receive bus=session diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 23c1231859..b4f37f4b92 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -64,15 +64,15 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} #aa:dbus talk bus=system name=org.opensuse.CupsPkHelper.Mechanism label=cups-pk-helper-mechanism - dbus send bus=system path=/org/freedesktop + # Get new/old interfaces signals from any other services + dbus send bus=system path=/{,org/freedesktop} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), - - dbus receive bus=system path=/org/freedesktop + peer=(name=@{busname}), + dbus receive bus=system path=/{,org/freedesktop} interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} - peer=(name=@{busname}, label=NetworkManager), + peer=(name=@{busname}), @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index c5d16217db..6db7e8bf8f 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -35,6 +35,9 @@ profile scdaemon @{exec_path} { owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w, owner /var/tmp/zypp.*/zypp-trusted-*/S.scdaemon w, + # comm=pipe-connection ???? + @{sys}/devices/**/uevent r, + @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index a2aa64bdd5..1aeaeba747 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,7 +10,6 @@ include profile kaccess @{exec_path} { include include - include include include include @@ -23,11 +22,11 @@ profile kaccess @{exec_path} { @{bin}/gsettings rPx, - /etc/machine-id r, - owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, + owner @{PROC}/@{pid}/stat r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index b75c92bc3b..5fce9a7fd1 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -87,6 +87,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/i2c-*/**/dev r, @{sys}/devices/**/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/i2c-*/name r, @{sys}/devices/platform/**/i2c-*/**/name r, @{sys}/devices/platform/*/i2c-*/name r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 6ecebddbfa..d6b1a59ae7 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -17,9 +17,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - ptrace (read), + ptrace read, - signal (send) set=(hup), + signal send, #aa:dbus own bus=session name=org.kde.konsole-@{int} diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 53875789da..da8d3626d7 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -79,9 +79,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{sddm_config_dirs}/kcminputrc r, owner @{sddm_config_dirs}/kdeglobals r, owner @{sddm_config_dirs}/kglobalshortcutsrc.lock rwk, - owner @{sddm_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int}, + owner @{sddm_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl, owner @{sddm_config_dirs}/kwinrc.lock rwk, - owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int}, + owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/ksvg-elements r, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index df9af9fefd..8e89dbf629 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/aurpublish/*.hook -profile aurpublish @{exec_path} { +profile aurpublish @{exec_path} flags=(attach_disconnected) { include include include @@ -23,6 +23,7 @@ profile aurpublish @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/curl rix, @@ -30,7 +31,6 @@ profile aurpublish @{exec_path} { @{bin}/gettext rix, @{bin}/git rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/{,e}grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @@ -38,6 +38,7 @@ profile aurpublish @{exec_path} { @{bin}/nproc rix, @{bin}/rm rix, @{bin}/sha*sum rix, + @{bin}/sort rix, @{bin}/tput rix, @{bin}/wc rix, @@ -55,6 +56,7 @@ profile aurpublish @{exec_path} { owner @{user_cache_dirs}/makepkg/src/** rw, owner @{user_config_dirs}/pacman/makepkg.conf r, + owner /tmp/*/ rw, owner /tmp/*/src/ w, owner @{tmp}/tmp.@{rand10} rw, @@ -80,10 +82,12 @@ profile aurpublish @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.browser w, owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.extra w, owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.ssh w, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon w, owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index c943daeea0..ca10081ba1 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py profile pacman-hook-code @{exec_path} { include + include include capability dac_read_search, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index a122bba9f9..7fdcb4736e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -58,6 +58,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { profile pacman { include + include include capability dac_read_search, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 106d2f0451..b84d31d0ce 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -70,6 +70,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{sbin}/lvm rPx, @{sbin}/multipath rPx, @{sbin}/sysctl rPx, + @{sbin}/tlp rPx, @{sbin}/u-d-c-print-pci-ids rPx, @{lib}/crda/* rPUx, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 55b93081c9..7929be288b 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -36,6 +36,8 @@ profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 w, + @{PROC}/sys/fs/nr_open r, + /dev/console k, /dev/tty@{u8} rwk, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 45738db922..5550ee3687 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -90,6 +90,8 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/**/EFI/*/.goutputstream-@{rand6} rw, @{MOUNTS}/**/EFI/*/fw/fwupd-*.cap{,.*} rw, @{MOUNTS}/**/EFI/*/fwupdx@{int}.efi rw, + @{run}/media/**/EFI/ r, + @{run}/media/**/EFI/**/ r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, From 21da2611d2a13eeb3e8b8c59fb9b782ee37ad15c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 11 Jan 2026 00:50:44 +0100 Subject: [PATCH 1293/1736] feat(tunable): pci_id is now upstreamed in apparmor 4.1.3 Older uses apparmor.d/tunables/multiarch.d/base --- apparmor.d/tunables/multiarch.d/system | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 9f496c416d..b7d39d05eb 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -59,9 +59,6 @@ # System Internal # --------------- -#aa:exclude ubuntu -@{pci_bus}=pci@{hex4}:@{hex2} - # Shortcut for PCI device @{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h} @{pci}=@{pci_bus}/**/ From b99e3104174424ad6c0c382e60c4821091723a3b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 11 Jan 2026 01:01:26 +0100 Subject: [PATCH 1294/1736] Release version 0.4902 --- PKGBUILD | 2 +- debian/changelog | 6 ++++++ dists/apparmor.d.spec | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index efd89c322d..f9173d904c 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -11,7 +11,7 @@ pkgname=( # apparmor.d.server apparmor.d.server.enforced # apparmor.d.server.fsp apparmor.d.server.fsp.enforced ) -pkgver=0.4901 +pkgver=0.4902 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') diff --git a/debian/changelog b/debian/changelog index e84beb3c76..1aba877a87 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apparmor.d (0.4902-1) stable; urgency=medium + + * Release apparmor.d v0.4902 + + -- Alexandre Pujol Sun, 11 Jan 2026 01:01:26 +0100 + apparmor.d (0.4901-1) stable; urgency=medium * Release apparmor.d v0.4901 diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 4af68f6723..a25d0c560f 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -7,7 +7,7 @@ # Warning: for development only, use https://build.opensuse.org/package/show/home:cboltz/apparmor.d for production use. Name: apparmor.d -Version: 0.4901 +Version: 0.4902 Release: 1%{?dist} Summary: Set of over 1500 AppArmor profiles License: GPL-2.0-only From f752f498313888f80d193439276e92d2c925840c Mon Sep 17 00:00:00 2001 From: K-Hobert <71878930+K-Hobert@users.noreply.github.com> Date: Tue, 13 Jan 2026 21:15:30 -0600 Subject: [PATCH 1295/1736] Added kde-open for KDE Plasma 6.5.5 "Unable to create KIO worker. Can not create a socket for launching a KIO worker for protocol 'file'." kde-open requested_mask=l denied_mask=l --- apparmor.d/abstractions/app/open | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 3713a94cfa..fdb89d4ec8 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -42,6 +42,7 @@ owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kde-open@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{PROC}/sys/kernel/random/boot_id r, From 4aaa5980961840bdfff4f70c36fae852ff56a488 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Wed, 14 Jan 2026 22:28:42 +0100 Subject: [PATCH 1296/1736] udiskds: add f2fs to allowed mount fstypes --- apparmor.d/groups/filesystem/udisksd | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 10f9c7faba..9f3105830e 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -30,9 +30,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { network netlink raw, # Allow mounting of removable devices - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, # Allow mounting of loop devices (ISO files) mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3,squashfs} /dev/loop[0-9]* -> @{MOUNTS}/*/, @@ -43,8 +43,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/, # Allow mounting od sd cards - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, From c5d011f37b38b2303f614eeb59bb4695f201e099 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Tue, 20 Jan 2026 13:05:17 +0100 Subject: [PATCH 1297/1736] fwupd: add @{run}/reboot-required DENIED fwupd mknod @{run}/reboot-required.MSIFJ3 comm=fwupd requested_mask=c denied_mask=c ALLOWED fwupd rename_dest @{run}/reboot-required comm=fwupd requested_mask=wc denied_mask=wc ALLOWED fwupd mknod @{run}/reboot-required.pkgs.WVI4I3 comm=fwupd requested_mask=c denied_mask=c ALLOWED fwupd rename_dest @{run}/reboot-required.pkgs comm=fwupd requested_mask=wc denied_mask=wc --- apparmor.d/profiles-a-f/fwupd | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 5550ee3687..360a1b6a3d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -131,6 +131,11 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+*:* r, # Identifies all subsystems @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/reboot-required rw, + @{run}/reboot-required.@{rand6} rw, + @{run}/reboot-required.pkgs rw, + @{run}/reboot-required.pkgs.@{rand6} rw, + @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, From 7654960de4b52a886be170f839ed91c55bd4302d Mon Sep 17 00:00:00 2001 From: valoq Date: Mon, 19 Jan 2026 17:08:51 +0100 Subject: [PATCH 1298/1736] Add new XDG config path Firefox 147 added support for configuration path following the XDG specification. When firefox >=147 is started for the first time and ~/.mozilla does not exist, it attempts to create ~/.config/mozilla by default --- apparmor.d/groups/browsers/firefox | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 7461e136dd..9344e71b78 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -10,6 +10,7 @@ include @{name} = firefox{,-esr,-bin} @{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ +@{config_dirs} += @{user_config_dirs}/mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} From 942c04842750c6e1279b36d166b669fc433f5c48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 00:12:18 +0100 Subject: [PATCH 1299/1736] tests(build): update tests to the last structural changes. --- pkg/builder/core_test.go | 70 +++++++++++++---------- pkg/configure/core_test.go | 65 ++++++++++++--------- pkg/configure/systemd.go | 4 +- pkg/directive/core_test.go | 13 +++-- pkg/directive/dbus_test.go | 4 +- pkg/directive/exec_test.go | 7 ++- pkg/directive/filter_test.go | 27 +++++---- pkg/directive/stack_test.go | 9 ++- pkg/prebuild/cli/cli_test.go | 108 ----------------------------------- pkg/runtime/runners_test.go | 93 ++++++++++++++++++++++++++++++ 10 files changed, 211 insertions(+), 189 deletions(-) delete mode 100644 pkg/prebuild/cli/cli_test.go create mode 100644 pkg/runtime/runners_test.go diff --git a/pkg/builder/core_test.go b/pkg/builder/core_test.go index a0cecc50bf..523d7998d8 100644 --- a/pkg/builder/core_test.go +++ b/pkg/builder/core_test.go @@ -5,10 +5,14 @@ package builder import ( - "slices" "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/tasks" +) + +var ( + cfg = tasks.NewTaskConfig(paths.New(".build")) ) func TestBuilder_Apply(t *testing.T) { @@ -21,7 +25,7 @@ func TestBuilder_Apply(t *testing.T) { }{ { name: "abi3", - b: Builders["abi3"], + b: NewABI3(), profile: ` abi , profile test { @@ -37,7 +41,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "complain-1", - b: Builders["complain"], + b: NewComplain(), profile: ` @{exec_path} = @{bin}/foo profile foo @{exec_path} { @@ -59,7 +63,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "complain-2", - b: Builders["complain"], + b: NewComplain(), profile: ` @{exec_path} = @{bin}/foo profile foo @{exec_path} flags=(complain) { @@ -81,7 +85,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "complain-3", - b: Builders["complain"], + b: NewComplain(), profile: ` @{exec_path} = @{bin}/foo profile foo @{exec_path} flags=(attach_disconnected) { @@ -103,7 +107,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "enforce-1", - b: Builders["enforce"], + b: NewEnforce(), profile: ` @{exec_path} = @{bin}/foo profile foo @{exec_path} { @@ -125,7 +129,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "enforce-2", - b: Builders["enforce"], + b: NewEnforce(), profile: ` @{exec_path} = @{bin}/foo profile foo @{exec_path} flags=(complain) { @@ -146,8 +150,8 @@ func TestBuilder_Apply(t *testing.T) { }`, }, { - name: "complain-3", - b: Builders["enforce"], + name: "enforce-3", + b: NewEnforce(), profile: ` @{exec_path} = @{bin}/foo profile foo @{exec_path} flags=(attach_disconnected,complain) { @@ -169,7 +173,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "fsp", - b: Builders["fsp"], + b: NewFSP(), profile: ` @{exec_path} = @{bin}/foo profile foo @{exec_path} { @@ -195,7 +199,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "userspace-1", - b: Builders["userspace"], + b: NewUserspace(), profile: ` @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file @@ -219,7 +223,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "userspace-2", - b: Builders["userspace"], + b: NewUserspace(), profile: ` profile foo /usr/bin/foo { include @@ -233,7 +237,7 @@ func TestBuilder_Apply(t *testing.T) { }, { name: "stacked-dbus-1", - b: Builders["stacked-dbus"], + b: NewStackedDbus(), profile: ` profile foo { dbus send bus=session path=/org/freedesktop/DBus @@ -257,7 +261,7 @@ dbus send bus=session path=/org/freedesktop/DBus }, { name: "base-strict-1", - b: Builders["base-strict"], + b: NewBaseStrict(), profile: ` profile foo { include @@ -269,7 +273,7 @@ profile foo { }, { name: "attach-1", - b: Builders["attach"], + b: NewAttach(), profile: ` profile attach-1 flags=(attach_disconnected) { include @@ -286,7 +290,7 @@ profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { }, { name: "attach-2", - b: Builders["attach"], + b: NewAttach(), profile: ` profile attach-2 flags=(complain) { include @@ -304,7 +308,8 @@ profile attach-2 flags=(complain) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} + opt := &Option{File: cfg.RootApparmor.Join(tt.name), Name: tt.name} + tt.b.SetConfig(cfg) got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) @@ -317,26 +322,31 @@ profile attach-2 flags=(complain) { } } -func TestRegister(t *testing.T) { +func TestBuilders_Add(t *testing.T) { tests := []struct { - name string - names []string - wantSuccess bool + name string + builders []Builder + want []string }{ { - name: "test", - names: []string{"complain", "enforce"}, - wantSuccess: true, + name: "add-builders", + builders: []Builder{NewComplain(), NewEnforce()}, + want: []string{"complain", "enforce"}, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - Register(tt.names...) - for _, name := range tt.names { - if got := slices.Contains(Builds, Builders[name]); got != tt.wantSuccess { - t.Errorf("Register() = %v, want %v", got, tt.wantSuccess) + r := NewRunner(cfg) + for _, b := range tt.builders { + r.Add(b) + } + if len(r.Tasks) != len(tt.want) { + t.Errorf("Builders.Add() len = %v, want %v", len(r.Tasks), len(tt.want)) + } + for i, name := range tt.want { + if r.Tasks[i].Name() != name { + t.Errorf("Builders.Add() name = %v, want %v", r.Tasks[i].Name(), name) } - } }) } diff --git a/pkg/configure/core_test.go b/pkg/configure/core_test.go index e28d0f1cd3..2359f09d19 100644 --- a/pkg/configure/core_test.go +++ b/pkg/configure/core_test.go @@ -11,7 +11,11 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" +) + +var ( + cfg = tasks.NewTaskConfig(paths.New(".build")) ) func chdirGitRoot() { @@ -37,56 +41,57 @@ func TestTask_Apply(t *testing.T) { }{ { name: "synchronise", - task: Tasks["synchronise"], + task: NewSynchronise([]*paths.Path{paths.New("apparmor.d"), paths.New("share")}), wantErr: false, - wantFiles: paths.PathList{prebuild.RootApparmord.Join("/groups/_full/systemd")}, + wantFiles: paths.PathList{cfg.RootApparmor.Join("/groups/_full/systemd")}, }, { name: "ignore", - task: Tasks["ignore"], + task: NewIgnore(), wantErr: false, want: "dists/ignore/main.ignore", }, { name: "merge", - task: Tasks["merge"], + task: NewMerge(), wantErr: false, - wantFiles: paths.PathList{prebuild.RootApparmord.Join("aa-log")}, + wantFiles: paths.PathList{cfg.RootApparmor.Join("aa-log")}, }, { name: "configure", - task: Tasks["configure"], + task: NewConfigure(), wantErr: false, }, { name: "setflags", - task: Tasks["setflags"], + task: NewSetFlags(), wantErr: false, want: "dists/flags/main.flags", }, { name: "overwrite", - task: Tasks["overwrite"], + task: NewOverwrite(false), wantErr: false, - wantFiles: paths.PathList{prebuild.RootApparmord.Join("flatpak.apparmor.d")}, + wantFiles: paths.PathList{cfg.RootApparmor.Join("flatpak.apparmor.d")}, }, { name: "systemd-default", - task: Tasks["systemd-default"], + task: NewSystemdDefault(), wantErr: false, - wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/dbus.service")}, + wantFiles: paths.PathList{cfg.Root.Join("systemd/system/dbus.service")}, }, { name: "fsp", - task: Tasks["fsp"], + task: NewFullSystemPolicy(), wantErr: false, - wantFiles: paths.PathList{prebuild.RootApparmord.Join("systemd")}, + wantFiles: paths.PathList{cfg.RootApparmor.Join("systemd")}, }, } chdirGitRoot() - _ = prebuild.Root.RemoveAll() + _ = cfg.Root.RemoveAll() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + tt.task.SetConfig(cfg) got, err := tt.task.Apply() if (err != nil) != tt.wantErr { t.Errorf("Task.Apply() error = %v, wantErr %v", err, tt.wantErr) @@ -104,26 +109,32 @@ func TestTask_Apply(t *testing.T) { } } -func TestRegister(t *testing.T) { +func TestConfigures_Add(t *testing.T) { tests := []struct { - name string - names []string - wantSuccess bool + name string + tasks []Task + want []string }{ { - name: "test", - names: []string{"synchronise", "ignore"}, - wantSuccess: true, + name: "add-tasks", + tasks: []Task{NewSynchronise(nil), NewIgnore()}, + want: []string{"synchronise", "ignore"}, }, } + c := tasks.NewTaskConfig(paths.New(".build")) for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - Register(tt.names...) - for _, name := range tt.names { - if got := slices.Contains(Prepares, Tasks[name]); got != tt.wantSuccess { - t.Errorf("Register() = %v, want %v", got, tt.wantSuccess) + r := NewRunner(c) + for _, task := range tt.tasks { + r.Add(task) + } + if len(r.Tasks) != len(tt.want) { + t.Errorf("Configures.Add() len = %v, want %v", len(r.Tasks), len(tt.want)) + } + for i, name := range tt.want { + if r.Tasks[i].Name() != name { + t.Errorf("Configures.Add() name = %v, want %v", r.Tasks[i].Name(), name) } - } }) } diff --git a/pkg/configure/systemd.go b/pkg/configure/systemd.go index 3222fb42b7..ecfb014b99 100644 --- a/pkg/configure/systemd.go +++ b/pkg/configure/systemd.go @@ -14,8 +14,8 @@ type SystemdDefault struct { tasks.BaseTask } -// NewSystemd creates a new SystemdDefault task. -func NewSystemd() *SystemdDefault { +// NewSystemdDefault creates a new SystemdDefault task. +func NewSystemdDefault() *SystemdDefault { return &SystemdDefault{ BaseTask: tasks.BaseTask{ Keyword: "systemd-default", diff --git a/pkg/directive/core_test.go b/pkg/directive/core_test.go index 4fb8c4e1b1..fe5de0b874 100644 --- a/pkg/directive/core_test.go +++ b/pkg/directive/core_test.go @@ -9,10 +9,12 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) var ( - apparmorDDir = paths.New("../../../apparmor.d") + apparmorDDir = paths.New("../../apparmor.d") + cfg = tasks.NewTaskConfig(paths.New(".build")) ) func TestNewOption(t *testing.T) { @@ -68,7 +70,7 @@ func TestNewOption(t *testing.T) { } } -func TestRun(t *testing.T) { +func TestDirectives_Run(t *testing.T) { tests := []struct { name string file *paths.Path @@ -91,13 +93,14 @@ func TestRun(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Run(tt.file, tt.profile) + r := NewRunner(cfg).Register(NewDbus()) + got, err := r.Run(tt.file, tt.profile) if (err != nil) != tt.wantErr { - t.Errorf("Run() error = %v, wantErr %v", err, tt.wantErr) + t.Errorf("Directives.Run() error = %v, wantErr %v", err, tt.wantErr) return } if got != tt.want { - t.Errorf("Run() = %v, want %v", got, tt.want) + t.Errorf("Directives.Run() = %v, want %v", got, tt.want) } }) } diff --git a/pkg/directive/dbus_test.go b/pkg/directive/dbus_test.go index 0a15959cc5..0aa099bfa8 100644 --- a/pkg/directive/dbus_test.go +++ b/pkg/directive/dbus_test.go @@ -182,7 +182,9 @@ func TestDbus_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := Directives["dbus"].Apply(tt.opt, tt.profile) + drctv := NewDbus() + drctv.SetConfig(cfg) + got, err := drctv.Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Dbus.Apply() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/directive/exec_test.go b/pkg/directive/exec_test.go index 0cce48903e..f0b86e9c77 100644 --- a/pkg/directive/exec_test.go +++ b/pkg/directive/exec_test.go @@ -8,7 +8,6 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestExec_Apply(t *testing.T) { @@ -51,8 +50,10 @@ func TestExec_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - prebuild.RootApparmord = tt.rootApparmord - got, err := Directives["exec"].Apply(tt.opt, tt.profile) + drctv := NewExec() + drctv.SetConfig(cfg) + drctv.RootApparmor = tt.rootApparmord + got, err := drctv.Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Exec.Apply() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/directive/filter_test.go b/pkg/directive/filter_test.go index 5de33af86d..c271a28210 100644 --- a/pkg/directive/filter_test.go +++ b/pkg/directive/filter_test.go @@ -7,7 +7,7 @@ package directive import ( "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) func Test_cmp(t *testing.T) { @@ -197,11 +197,14 @@ func TestFilterOnly_Apply(t *testing.T) { owner /dev/shm/ r,`, }, } + // c := tasks.NewTaskConfig(paths.New(".build")) for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - prebuild.Distribution = tt.dist - prebuild.Family = tt.family - got, err := Directives["only"].Apply(tt.opt, tt.profile) + tasks.Distribution = tt.dist + tasks.Family = tt.family + drctv := NewFilterOnly() + drctv.SetConfig(cfg) + got, err := drctv.Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterOnly.Apply() error = %v, wantErr %v", err, tt.wantErr) return @@ -268,9 +271,11 @@ func TestFilterExclude_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - prebuild.Distribution = tt.dist - prebuild.Family = tt.family - got, err := Directives["exclude"].Apply(tt.opt, tt.profile) + tasks.Distribution = tt.dist + tasks.Family = tt.family + drctv := NewFilterExclude() + drctv.SetConfig(cfg) + got, err := drctv.Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterExclude.Apply() error = %v, wantErr %v", err, tt.wantErr) return @@ -378,9 +383,11 @@ func TestFilterCmp_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - prebuild.Version = tt.version - prebuild.ABI = tt.abi - got, err := Directives["only"].Apply(tt.opt, tt.opt.Raw) + cfg.Version = tt.version + cfg.ABI = tt.abi + drctv := NewFilterOnly() + drctv.SetConfig(cfg) + got, err := drctv.Apply(tt.opt, tt.opt.Raw) if (err != nil) != tt.wantErr { t.Errorf("FilterOnly.Apply() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/directive/stack_test.go b/pkg/directive/stack_test.go index 393c032d60..7c0710fc19 100644 --- a/pkg/directive/stack_test.go +++ b/pkg/directive/stack_test.go @@ -8,10 +8,11 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" ) func TestStack_Apply(t *testing.T) { + cfg := tasks.NewTaskConfig(paths.New(".build")) tests := []struct { name string rootApparmord *paths.Path @@ -68,8 +69,10 @@ profile parent @{exec_path} { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - prebuild.RootApparmord = tt.rootApparmord - got, err := Directives["stack"].Apply(tt.opt, tt.profile) + drctv := NewStack() + drctv.SetConfig(cfg) + drctv.RootApparmor = tt.rootApparmord + got, err := drctv.Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Stack.Apply() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/prebuild/cli/cli_test.go b/pkg/prebuild/cli/cli_test.go deleted file mode 100644 index 76d13e5816..0000000000 --- a/pkg/prebuild/cli/cli_test.go +++ /dev/null @@ -1,108 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package cli - -import ( - "os" - "os/exec" - "testing" - - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" -) - -func setTestBuildDirectories(name string) { - testRoot := paths.New("/tmp/tests") - prebuild.Root = testRoot.Join(name) - prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") -} - -func chdirGitRoot() { - cmd := exec.Command("git", "rev-parse", "--show-toplevel") - out, err := cmd.Output() - if err != nil { - panic(err) - } - root := string(out)[0 : len(out)-1] - if err := os.Chdir(root); err != nil { - panic(err) - } -} - -func Test_Prebuild(t *testing.T) { - tests := []struct { - name string - wantErr bool - full bool - complain bool - enforce bool - dist string - }{ - { - name: "Build for Archlinux", - wantErr: false, - full: false, - complain: true, - enforce: false, - dist: "arch", - }, - { - name: "Build for Ubuntu", - wantErr: false, - full: true, - complain: false, - enforce: true, - dist: "ubuntu", - }, - { - name: "Build for Debian", - wantErr: false, - full: true, - complain: false, - enforce: false, - dist: "debian", - }, - { - name: "Build for OpenSUSE Tumbleweed", - wantErr: false, - full: true, - complain: true, - enforce: false, - dist: "opensuse", - }, - } - chdirGitRoot() - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - setTestBuildDirectories(tt.dist) - prebuild.Distribution = tt.dist - prepare.Prepares = []prepare.Task{} - prepare.Register( - "synchronise", "ignore", "merge", - "configure", "setflags", "systemd-default", - ) - - if full { - prepare.Register("fsp") - builder.Register("fsp") - } - - if complain { - builder.Register("complain") - } else if enforce { - builder.Register("enforce") - } - - if err := Prepare(); (err != nil) != tt.wantErr { - t.Errorf("Prepare() error = %v, wantErr %v", err, tt.wantErr) - } - if err := Build(); (err != nil) != tt.wantErr { - t.Errorf("Build() error = %v, wantErr %v", err, tt.wantErr) - } - }) - } -} diff --git a/pkg/runtime/runners_test.go b/pkg/runtime/runners_test.go new file mode 100644 index 0000000000..12efb10abd --- /dev/null +++ b/pkg/runtime/runners_test.go @@ -0,0 +1,93 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package runtime + +import ( + "os" + "os/exec" + "testing" + + "github.com/roddhjav/apparmor.d/pkg/configure" + "github.com/roddhjav/apparmor.d/pkg/directive" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/tasks" +) + +func chdirGitRoot() { + cmd := exec.Command("git", "rev-parse", "--show-toplevel") + out, err := cmd.Output() + if err != nil { + panic(err) + } + root := string(out)[0 : len(out)-1] + if err := os.Chdir(root); err != nil { + panic(err) + } +} + +func TestRunners_Build(t *testing.T) { + tests := []struct { + name string + wantErr bool + abi int + dist string + }{ + { + name: "Build for Archlinux", + wantErr: false, + abi: 4, + dist: "arch", + }, + { + name: "Build for Ubuntu", + wantErr: false, + abi: 4, + dist: "ubuntu", + }, + { + name: "Build for Debian", + wantErr: false, + abi: 4, + dist: "debian", + }, + { + name: "Build for OpenSUSE Tumbleweed", + wantErr: false, + abi: 4, + dist: "opensuse", + }, + } + chdirGitRoot() + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tasks.Distribution = tt.dist + root := paths.New("/tmp/tests").Join(tt.dist) + cfg := tasks.NewTaskConfig(root) + cfg.ABI = tt.abi + cfg.Test = true + r := NewRunners(cfg) + + // Add required configure tasks + r.Configures. + Add(configure.NewSynchronise([]*paths.Path{paths.New("apparmor.d")})). + Add(configure.NewMerge()) + + // Register all directives + r.Directives. + Register(directive.NewDbus()). + Register(directive.NewExec()). + Register(directive.NewFilterOnly()). + Register(directive.NewFilterExclude()). + Register(directive.NewStack()) + + if err := r.Configure(); (err != nil) != tt.wantErr { + t.Errorf("Runners.Configure() error = %v, wantErr %v", err, tt.wantErr) + } + if err := r.Build(); (err != nil) != tt.wantErr { + t.Errorf("Runners.Build() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} From 595063fef09daf7a78c6a4100949d03fdb7613eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 00:14:45 +0100 Subject: [PATCH 1300/1736] build: update prebuild to last changes. For not there is no functional changes yet. --- cmd/prebuild/main.go | 13 +++++++++---- pkg/prebuild/cli/cli.go | 38 +++++++++++++++++++++++++++----------- 2 files changed, 36 insertions(+), 15 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 5928f0aca4..faf19d6a06 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -86,17 +86,22 @@ func main() { )). // Ignore profiles and files from dist/ignore - Add(configure.NewIgnore()). // TODO: Keep it here, have one in aa-install, as well as a Include + Add(configure.NewIgnore()). + + // Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory + Add(configure.NewMerge()). // Set distribution specificities Add(configure.NewConfigure()). - // Add(configure.NewSetFlags()). // Set flags as definied in dist/flags + + // Set flags as definied in dist/flags + Add(configure.NewSetFlags()). // Overwrite dummy upstream profile - Add(configure.NewOverwrite(false)). // TODO: Move in aa-install + Add(configure.NewOverwrite(false)). // Set systemd unit drop in files for dbus profiles - Add(configure.NewSystemd()) + Add(configure.NewSystemdDefault()) // Default build tasks r.Builders. diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index c5916e99eb..f0eecd9f48 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -33,6 +33,8 @@ const ( Options: -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. -s, --status Show the status of enabled build tasks. -a, --abi ABI Target apparmor ABI. -v, --version V Target apparmor version. @@ -45,20 +47,26 @@ Options: ) var ( - help bool - status bool - fsp bool - debug bool - test bool - abi int - version float64 - src string - buildir string + help bool + complain bool + enforce bool + status bool + fsp bool + debug bool + test bool + abi int + version float64 + src string + buildir string ) func init() { flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.BoolVar(&help, "help", false, "Show this help message and exit.") + flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") + flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") + flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") + flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") flag.BoolVar(&status, "s", false, "Show the status of enabled build tasks.") flag.BoolVar(&status, "status", false, "Show the status of enabled build tasks.") flag.BoolVar(&fsp, "f", false, "Configure AppArmor for full system policy and RBAC.") @@ -96,10 +104,18 @@ func Configure(r *runtime.Runners) *runtime.Runners { Register(directive.NewExec()). Register(directive.NewFilterOnly()). Register(directive.NewFilterExclude()). - Register(directive.NewProfile()). - Register(directive.NewRestart()). Register(directive.NewStack()) + if complain { + r.Builders.Add(builder.NewComplain()) + if debug { + r.Builders.Add(builder.NewDebug()) + } + r.Test = test + } else if enforce { + r.Builders.Add(builder.NewEnforce()) + } + if fsp && paths.New("apparmor.d/groups/_full").Exist() { r.Configures.Add(configure.NewFullSystemPolicy()) r.Builders.Add(builder.NewFSP()) From 91be0d69e653695f6075d4b7914137d25ccc28fc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 00:16:53 +0100 Subject: [PATCH 1301/1736] build(arch): initial PKGBUILD for future builds. --- Justfile | 2 +- PKGBUILD | 105 +++++-------------------------------------------------- 2 files changed, 9 insertions(+), 98 deletions(-) diff --git a/Justfile b/Justfile index c595f7afe2..83b95b9efa 100644 --- a/Justfile +++ b/Justfile @@ -564,7 +564,7 @@ tests-run osinfo flavor name="": (tests-resync osinfo flavor) # Get the current apparmor.d release version [group('version')] version: - @bash -c 'source PKGBUILD && echo "$pkgver"' + @bash -c 'source PKGBUILD && echo "${pkgver%~dev}"' # Create a new version number from the current release [group('version')] diff --git a/PKGBUILD b/PKGBUILD index c698aa410c..d1cd8b1a4e 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -6,10 +6,8 @@ pkgbase=apparmor.d pkgname=( apparmor.d - apparmor.d.enforced - # apparmor.d.fsp apparmor.d.fsp.enforced - # apparmor.d.server apparmor.d.server.enforced - # apparmor.d.server.fsp apparmor.d.server.fsp.enforced + # apparmor.d-base + # apparmor.d-tools ) pkgver=0.4900 pkgrel=1 @@ -17,12 +15,11 @@ pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') -depends=('apparmor>=4.1.0' 'apparmor<5.0.0') -makedepends=('go' 'git' 'rsync' 'just') +depends=('apparmor>=4.1.3') +makedepends=('go' 'rsync' 'just') pkgver() { - cd "$srcdir/$pkgbase" - echo "0.$(git rev-list --count HEAD)" + echo "${pkgver%~dev}~dev" } prepare() { @@ -38,96 +35,10 @@ build() { export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw -tags=dev" export DISTRIBUTION=arch - local -A modes=( - # Mapping of modes to just build target. - [default]=complain - [enforced]=enforce - # [fsp]=fsp-complain - # [fsp.enforced]=fsp - # [server]=server-complain - # [server.enforced]=server - # [server.fsp]=server-fsp-complain - # [server.fsp.enforced]=server-fsp - ) - for mode in "${!modes[@]}"; do - just build=".build/$mode" "${modes[$mode]}" - done -} - -_conflicts() { - local mode="$1" - local pattern=".$mode" - if [[ "$mode" == "default" ]]; then - pattern="" - else - echo "$pkgbase" - fi - for pkg in "${pkgname[@]}"; do - if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then - continue - fi - echo "$pkg" - done -} - -_install() { - local mode="${1:?}" - cd "$srcdir/$pkgbase" - just build=".build/$mode" destdir="$pkgdir" install + just complain } package_apparmor.d() { - mode=default - pkgdesc="$pkgdesc (complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.enforced() { - mode=enforced - pkgdesc="$pkgdesc (enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.fsp() { - mode="fsp" - pkgdesc="$pkgdesc (FSP mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.fsp.enforced() { - mode="fsp.enforced" - pkgdesc="$pkgdesc (FSP enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server() { - mode="server" - pkgdesc="$pkgdesc (server complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.enforced() { - mode="server.enforced" - pkgdesc="$pkgdesc (server enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.fsp() { - mode="server.fsp" - pkgdesc="$pkgdesc (server FSP complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.fsp.enforced() { - mode="server.fsp.enforced" - pkgdesc="$pkgdesc (server FSP enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode + cd "$srcdir/$pkgbase" + just destdir="$pkgdir" install } From fffd79d03158745b1ba594b625edabeb2227e878 Mon Sep 17 00:00:00 2001 From: K-Hobert <71878930+K-Hobert@users.noreply.github.com> Date: Tue, 20 Jan 2026 01:48:34 -0600 Subject: [PATCH 1302/1736] Vesktop Fixes Camera access included, user's picture/video folders allowed RW and audio source discovery for screen sharing fixed --- apparmor.d/profiles-s-z/vesktop | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index 70696e0046..5232ffde78 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -22,6 +22,7 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -32,8 +33,12 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{bin}/speech-dispatcher rPx, - @{open_path} rPx -> child-open, + @{open_path} rPx -> child-open-strict, + owner @{user_videos_dirs}/{,**} rwl, + owner @{user_pictures_dirs}/{,**} rwl, + + owner /tmp/.org.chromium.Chromium.* rwm, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, @{sys}/devices/@{pci}/usb@{int}/**/interface r, From 69ddaffbc037384b5898bd900ba1d2c29a75b4dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 00:24:30 +0100 Subject: [PATCH 1303/1736] build: add debug builder. --- pkg/builder/debug.go | 55 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 pkg/builder/debug.go diff --git a/pkg/builder/debug.go b/pkg/builder/debug.go new file mode 100644 index 0000000000..735f5465e9 --- /dev/null +++ b/pkg/builder/debug.go @@ -0,0 +1,55 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "regexp" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/tasks" +) + +var ( + regDebug = regexp.MustCompile(`(?m)^([ \t]*)(.*)(pi|Pi|pu|PU|p|P|C|c)x(.*),(.*)$`) +) + +type Debug struct { + tasks.BaseTask +} + +// NewDebug creates a new Debug builder. +func NewDebug() *Debug { + return &Debug{ + BaseTask: tasks.BaseTask{ + Keyword: "debug", + Msg: "Build: debug mode enabled", + }, + } +} + +func (b Debug) Apply(opt *Option, profile string) (string, error) { + for _, dir := range []string{"tunables"} { + if ok, _ := opt.File.IsInsideDir(b.RootApparmor.Join(dir)); ok { + return profile, nil + } + } + + lines := strings.Split(profile, "\n") + for i, line := range lines { + trimmed := strings.TrimLeft(line, " \t") + if strings.HasPrefix(trimmed, "#") { + continue + } + if strings.Contains(trimmed, "=") { + continue + } + if strings.HasPrefix(trimmed, "audit") { + continue + } + lines[i] = regDebug.ReplaceAllString(line, `${1}audit ${2}${3}x${4},${5}`) + } + profile = strings.Join(lines, "\n") + return profile, nil +} From 0a13f5e631019fad7a688f3728719d810b4147ea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 22:51:52 +0100 Subject: [PATCH 1304/1736] fix(build): ensure buildir is can be read from the command flags. --- cmd/prebuild/main.go | 1 + pkg/prebuild/cli/cli.go | 17 ++++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index faf19d6a06..2915592a75 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -75,6 +75,7 @@ func configInit() *tasks.TaskConfig { } func main() { + cli.ParseFlags() c := configInit() r := runtime.NewRunners(c) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index f0eecd9f48..53bf0016db 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -83,6 +83,16 @@ func init() { flag.BoolVar(&test, "test", false, "Enable test mode.") } +// ParseFlags parses command line flags. Must be called before GetPrebuildRoot(). +func ParseFlags() { + flag.Usage = func() { fmt.Print(usage) } + flag.Parse() + if help { + flag.Usage() + os.Exit(0) + } +} + func GetPrebuildRoot() *paths.Path { if buildir != nilBuild { return paths.New(buildir) @@ -91,13 +101,6 @@ func GetPrebuildRoot() *paths.Path { } func Configure(r *runtime.Runners) *runtime.Runners { - flag.Usage = func() { fmt.Print(usage) } - flag.Parse() - if help { - flag.Usage() - os.Exit(0) - } - // Register all directives (always available) r.Directives. Register(directive.NewDbus()). From c932f52b0142a97f71977d9847515a474480bd1b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 23:17:02 +0100 Subject: [PATCH 1305/1736] fix: linter issues. --- pkg/directive/core.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/directive/core.go b/pkg/directive/core.go index 9286ec856d..22d76e0eda 100644 --- a/pkg/directive/core.go +++ b/pkg/directive/core.go @@ -42,7 +42,7 @@ func NewRunner(c *tasks.TaskConfig) *Directives { // Register adds a directive to the runner. func (r *Directives) Register(d Directive) *Directives { - r.BaseRunner.Add(d) + r.Add(d) r.Directives[d.Name()] = d return r } From 25bfccdb394dae6b2b9b944d8099555b92392967 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 23:18:33 +0100 Subject: [PATCH 1306/1736] ci(gitlab): disable check job as it is long and we reach the limit of GitLab CI minutes --- .gitlab-ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index db7c5ce575..a0473e87e9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -57,7 +57,9 @@ tests: - go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out - go tool cover -func=coverage.out -check: +# Disabled as it is long and we reach the limit of GitLab CI minutes +# Enabled in Github Actions CI +.check: stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: From 357bcb5d449cd863e998e6f033d46a85433889b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 23:28:10 +0100 Subject: [PATCH 1307/1736] fix(build): arch is not on apparmor 5 yet. --- cmd/prebuild/main.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 2915592a75..f50853478e 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -27,8 +27,6 @@ func configInit() *tasks.TaskConfig { // Matrix of ABI/Apparmor version to integrate with switch tasks.Distribution { case "arch": - c.ABI = 5 - c.Version = 5.0 case "ubuntu": switch tasks.Release["VERSION_CODENAME"] { From 2d704c45685ea18ecd144c52ebee4defddcadf65 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Jan 2026 23:51:54 +0100 Subject: [PATCH 1308/1736] feat: pci_bus has now be upstreamed for all apparmor 4.1+. --- apparmor.d/tunables/multiarch.d/system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 9f496c416d..d501ce69e4 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -59,7 +59,7 @@ # System Internal # --------------- -#aa:exclude ubuntu +#aa:only debian @{pci_bus}=pci@{hex4}:@{hex2} # Shortcut for PCI device From a352a6ffef977fcd2f31eb632a78c37f39dadbfd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 Jan 2026 00:18:54 +0100 Subject: [PATCH 1309/1736] feat(profile): new font-manager need userns. Note: this is internally handled by glycin, thus in apparmor.d we do not need it in the profile. Fix #999 --- dists/overwrite | 1 + 1 file changed, 1 insertion(+) diff --git a/dists/overwrite b/dists/overwrite index 2f2bbddd2e..da6ba97fe9 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -12,6 +12,7 @@ epiphany firefox flatpak foliate +font-manager loupe msedge mullvad From c7b18a20064dbc616d93d99c9adc9c843131e6d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 Jan 2026 10:59:12 +0100 Subject: [PATCH 1310/1736] feat(abs): add gvfs-metadata to gnome-base. --- apparmor.d/abstractions/gnome-base | 1 + apparmor.d/groups/gnome/gnome-terminal-server | 1 - apparmor.d/profiles-s-z/virt-manager | 1 - 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index 28e4d0e7ee..b0dd35b29f 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -7,6 +7,7 @@ abi , include + include # DBus.Introspectable: allow introspection from gnome-shell dbus receive bus=session diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 2139f5fa42..763c27c03c 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -13,7 +13,6 @@ profile gnome-terminal-server @{exec_path} { include include include - include include signal send set=(hup) peer=htop, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index a24ae196da..e8f7d8d934 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -20,7 +20,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include From 87469315a577e4d1f6b15d595272a84a123af602 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 Jan 2026 11:01:40 +0100 Subject: [PATCH 1311/1736] feat(abs): minor abs improvment. --- apparmor.d/abstractions/devtools | 7 +++++++ apparmor.d/abstractions/dri | 1 + apparmor.d/abstractions/input | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/devtools b/apparmor.d/abstractions/devtools index 06995033d7..585614f04e 100644 --- a/apparmor.d/abstractions/devtools +++ b/apparmor.d/abstractions/devtools @@ -5,6 +5,10 @@ # Allows common file for various development tools. This abstraction is meant # to be included in profiles of development tools only. +# +# It does not aims at allowing execution of development tools, only file access. +# The tools are defined in the `@{devtools}` variable. +# abi , @@ -21,6 +25,7 @@ owner @{user_cache_dirs}/*@{devtools}*/ rw, owner @{user_cache_dirs}/*@{devtools}*/** rwlk, + owner @{user_config_dirs}/ r, owner @{user_config_dirs}/*@{devtools}*/ rw, owner @{user_config_dirs}/*@{devtools}*/** rwlk, @@ -32,6 +37,8 @@ owner @{user_state_dirs}/*@{devtools}*/ rw, owner @{user_state_dirs}/*@{devtools}*/** rwlk, + /tmp/ r, + owner @{tmp}/ r, owner @{tmp}/*@{devtools}* rw, owner @{tmp}/*@{devtools}*/ rw, owner @{tmp}/*@{devtools}*/** rwlk, diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index a367d1ad14..1da420da5a 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -32,6 +32,7 @@ @{sys}/devices/@{pci}/vendor r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, + @{sys}/devices/@{pci}/gpu_metrics r, # Allow access to all cards /dev/dri/ r, diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input index de141e099b..5cba80d16d 100644 --- a/apparmor.d/abstractions/input +++ b/apparmor.d/abstractions/input @@ -19,9 +19,9 @@ @{sys}/devices/**/input@{int}/event@{int}/uevent r, @{sys}/devices/**/input@{int}/{,**/}properties r, @{sys}/devices/**/input@{int}/{,**/}uevent r, - @{sys}/devices/virtual/input/mice/uevent r, @{sys}/devices/**/input@{int}/id/product r, @{sys}/devices/**/input@{int}/id/vendor r, + @{sys}/devices/virtual/input/mice/uevent r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* From 2cbbdaa938df384198d04fe03dbf6f8c88f7ed84 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 Jan 2026 11:10:54 +0100 Subject: [PATCH 1312/1736] feat(profile): various small fixes and improvment. --- apparmor.d/groups/apt/apt-listchanges | 8 +++++-- apparmor.d/groups/apt/dpkg-preconfigure | 2 ++ apparmor.d/groups/browsers/firefox | 2 +- .../groups/browsers/firefox-crashhelper | 1 + apparmor.d/groups/browsers/firefox-vaapitest | 1 + .../groups/cups/cups-backend-implicitclass | 2 ++ apparmor.d/groups/cups/cups-backend-ipp | 7 ++++++ apparmor.d/groups/cups/ippfind | 2 ++ apparmor.d/groups/cups/print-backends-cups | 5 ++-- apparmor.d/groups/flatpak/fbwrap | 5 ++++ .../groups/flatpak/flatpak-system-helper | 1 + .../groups/freedesktop/xdg-desktop-portal | 1 + .../freedesktop/xdg-desktop-portal-gnome | 10 +++++--- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/pacman/pacman-conf | 4 ++++ apparmor.d/groups/pacman/pacman-key | 3 +++ apparmor.d/groups/pacman/pkgctl | 24 +++++++++++++++++++ .../groups/systemd/systemd-nsresourcework | 2 +- apparmor.d/groups/systemd/systemd-resolved | 4 ++++ apparmor.d/groups/systemd/systemd-timesyncd | 4 +++- apparmor.d/groups/ubuntu/apport | 3 ++- apparmor.d/profiles-m-r/initramfs-hooks | 4 +++- apparmor.d/profiles-m-r/needrestart-restart | 2 ++ apparmor.d/profiles-m-r/passimd | 3 ++- apparmor.d/profiles-m-r/pcscd | 2 ++ apparmor.d/profiles-m-r/reprepro | 2 +- apparmor.d/profiles-s-z/sudo | 1 + apparmor.d/profiles-s-z/transmission | 2 -- apparmor.d/profiles-s-z/vlc | 1 + apparmor.d/profiles-s-z/wsdd | 2 ++ 30 files changed, 94 insertions(+), 18 deletions(-) create mode 100644 apparmor.d/groups/pacman/pkgctl diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index e7d5ce292f..071ce29197 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -33,6 +33,7 @@ profile apt-listchanges @{exec_path} { @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, + /usr/share/doc/{,**} r, /etc/apt/listchanges.conf r, /etc/apt/listchanges.conf.d/{,*} r, @@ -45,9 +46,12 @@ profile apt-listchanges @{exec_path} { /var/lib/dpkg/status r, - /var/lib/apt/listchanges r, + /var/lib/apt/listchanges rwk, + /var/lib/apt/listchanges-new rw, + /var/lib/apt/listchanges-new.db rw, + /var/lib/apt/listchanges-old rwl -> /var/lib/apt/listchanges, /var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db, - /var/lib/apt/listchanges{,-new}.db rw, + /var/lib/apt/listchanges.db rw, /var/cache/apt/archives/ r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 9465f072d4..363c109b69 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -27,6 +27,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/cut ix, @{bin}/debconf-escape Px, @{bin}/dialog ix, + @{bin}/dirname ix, @{bin}/expr ix, @{bin}/find ix, @{bin}/getent ix, @@ -39,6 +40,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/sed ix, @{bin}/sort ix, @{bin}/stty ix, + @{bin}/touch ix, @{bin}/tr ix, @{bin}/uniq ix, @{bin}/which{,.debianutils} rix, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 9344e71b78..4cd08e7b6a 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -57,7 +57,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, - @{open_path} rPx -> child-open, + @{open_path} rPx -> child-open-any, # Common extensions @{bin}/browserpass rPx, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index abf1e2d6ea..a60d37c07e 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -22,6 +22,7 @@ profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner "@{config_dirs}/firefox{,-esr}/" rw, owner "@{config_dirs}/firefox{,-esr}/Crash Reports/" rw, owner "@{config_dirs}/firefox{,-esr}/Crash Reports/crash_helper_server.log" rw, diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 390d0fa247..62d56e4693 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -19,6 +19,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { network netlink raw, unix type=seqpacket peer=(label=firefox), + unix (send receive) type=seqpacket peer=(label=firefox-crashhelper), @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index b6f0379701..28d0128335 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cups/backend/implicitclass profile cups-backend-implicitclass @{exec_path} { include + include include include @@ -22,6 +23,7 @@ profile cups-backend-implicitclass @{exec_path} { # network (receive,send,setopt) inet stream peer=(port=631), signal receive set=term peer=cupsd, + signal send set=term peer=cups-backend-ipp, unix type=stream peer=(label=cups-backend-ipp), unix type=stream peer=(label=cupsd), diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index cb50c6ad84..7529ecb1a6 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -10,6 +10,7 @@ include profile cups-backend-ipp @{exec_path} { include include + include include include @@ -22,10 +23,16 @@ profile cups-backend-ipp @{exec_path} { # network (receive,send,setopt) inet dgram peer=(port=53), # network (receive,send,setopt) inet stream peer=(port=631), + signal receive set=term peer=cups-backend-implicitclass, + signal receive set=term peer=cupsd, + unix type=stream peer=(label=cups-backend-implicitclass), @{exec_path} mr, + /etc/cups/ppd/*.ppd r, + /etc/cups/snmp.conf r, + /etc/cups/ssl/* r, /etc/papersize r, /etc/paperspecs r, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index 8040dadff0..1ef0866a54 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -14,6 +14,8 @@ profile ippfind @{exec_path} { include include + unix type=stream peer=(label=cupsd), + @{exec_path} mr, @{bin}/echo rix, diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups index 11bb41a685..3a1a1341ce 100644 --- a/apparmor.d/groups/cups/print-backends-cups +++ b/apparmor.d/groups/cups/print-backends-cups @@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/@{multiarch}/print-backends/cups profile print-backends-cups @{exec_path} { include + include include include - include - include - include + include include include diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index f1ce8fc0e9..2b9dc7efb6 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -23,6 +23,11 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { signal receive peer=gnome-software, signal receive peer=flatpak, + # Required by the xdg-dbus-proxy stack + # By design xdg-dbus-proxy proxies and filters dbus communication from flatpak + # apps to the system. Thus, it can manage the full session bus. + dbus bus=session, + dbus send bus=accessibility path=/ interface=org.freedesktop.DBus member=ListNames diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 2735b81c73..99127e85f9 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -64,6 +64,7 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index e7134e79c6..bdecef6e47 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -59,6 +59,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Background path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal.GlobalShortcuts path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gtk diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index f5cfb983d4..aca213f32c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -11,7 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -26,8 +26,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=(hup term) peer=gdm-session-worker, - #aa:dbus own bus=session name=org.freedesktop.impl.portal.FileChooser #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome + #aa:dbus own bus=session name=org.freedesktop.impl.portal.FileChooser path=/org/freedesktop/portal/desktop #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell @@ -100,15 +100,19 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { profile flatpak { include + include @{bin}/flatpak mr, /var/lib/flatpak/app/{,*/} r, + /var/lib/flatpak/app/*/@{arch}/ r, /var/lib/flatpak/repo/{,*/} r, + /var/lib/flatpak/repo/config r, /var/lib/flatpak/runtime/{,*/} r, + /var/lib/flatpak/runtime/*/@{arch}/ r, owner @{user_cache_dirs}/flatpak/system-cache/ r, - owner @{user_share_dirs}/flatpak/repo/** r, + owner @{user_share_dirs}/flatpak/repo/{,**} r, include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 90f1e0dbaf..2448a0dc33 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -33,7 +33,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus own bus=session name=org.gnome.Nautilus - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.FileTransfer label=xdg-document-portal #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index 378b69fae8..b22140a91e 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -13,10 +13,14 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/devtools/pacman.conf.d/* r, + /etc/pacman.conf r, /etc/pacman.d/mirrorlist r, /etc/pacman.d/*-mirrorlist r, + /var/lib/archbuild/extra-@{arch}/*/etc/pacman.conf r, + /dev/tty@{u8} rw, # Inherit Silencer diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 70cac6d36f..67b67196cc 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -37,6 +37,9 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /var/lib/archbuild/extra-@{arch}/*/etc/pacman.d/gnupg/ rw, + /var/lib/archbuild/extra-@{arch}/*/etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /dev/tty rw, profile gpg { diff --git a/apparmor.d/groups/pacman/pkgctl b/apparmor.d/groups/pacman/pkgctl new file mode 100644 index 0000000000..1050e78c5a --- /dev/null +++ b/apparmor.d/groups/pacman/pkgctl @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is large on purpose: +# - Pkgctl uses a lot of different binaries and scripts inside sandbox. +# - Using the unconfined flag would Pix everything, we do not want that as the +# transitioned profile would have to account for pkgctl paths too. +# - It could be restricted latter using a namsepace approach. + +abi , + +include + +@{exec_path} = @{bin}/pkgctl +profile pkgctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + + all, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework index 5b8d53398f..60fca2117c 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourcework +++ b/apparmor.d/groups/systemd/systemd-nsresourcework @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-nsresourcework -profile systemd-nsresourcework @{exec_path} { +profile systemd-nsresourcework @{exec_path} flags=(attach_disconnected) { include capability sys_resource, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 3fb02d674d..cebae13eea 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -36,7 +36,11 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, + @{run}/systemd/netif/io.systemd.Network rw, + @{att}@{run}/systemd/netif/io.systemd.Network rw, + @{run}/systemd/netif/links/* r, + @{run}/systemd/resolve.hook/{,**} rw, @{run}/systemd/resolve/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index b0af937616..8ae122919d 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -34,9 +34,11 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{att}@{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, - @{run}/systemd/resolve/io.systemd.Resolve rw, @{run}/systemd/timesyncd.conf.d/{,**} r, owner @{run}/systemd/timesync/synchronized rw, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index c08934b5bf..c484e24e1d 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -46,7 +46,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/info/*.md5sums r, /var/lib/dpkg/diversions r, /var/lib/dpkg/triggers/* r, - /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/{,*} r, /var/lib/apport/coredump/{,**} r, /var/lib/systemd/coredump/{,**} r, @@ -72,6 +72,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/status r, @{PROC}/sys/fs/suid_dumpable w, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index ad9e13907a..8ab846b710 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -25,10 +25,11 @@ profile initramfs-hooks @{exec_path} { @{bin}/{,3}cpio ix, @{bin}/dpkg Px, @{bin}/fc-cache ix, + @{bin}/fc-match Px, @{bin}/ischroot Px, - @{ldd_path} Cx -> ldd, @{bin}/plymouth Px, @{bin}/update-alternatives Px, + @{ldd_path} Cx -> ldd, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, @@ -36,6 +37,7 @@ profile initramfs-hooks @{exec_path} { @{sbin}/cryptsetup PUx, @{sbin}/dmsetup Px, @{sbin}/iucode_tool ix, + @{sbin}/plymouth-set-default-theme Px, /usr/share/mdadm/mkconf Px, @{bin}/* mr, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index 3ba9f7b028..23de12a488 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -24,6 +24,8 @@ profile needrestart-restart @{exec_path} { capability kill, + signal send, + @{bin}/kill mr, include if exists diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 2204624e23..c2dd3677f9 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -20,7 +20,8 @@ profile passimd @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=system name=org.freedesktop.Passim + #aa:dbus own bus=system name=org.freedesktop.Passim path=/ + #aa:dbus talk bus=system name=org.freedesktop.Avahi.EntryGroup path=/ label=@{p_avahi_daemon} @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index d5bcc42931..a2c53224c2 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -31,6 +31,8 @@ profile pcscd @{exec_path} { owner @{run}/pcscd/{,pcscd.pid} rw, + @{sys}/devices/**/uevent r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index af0e9c9fa2..1630ba1949 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -21,7 +21,7 @@ profile reprepro @{exec_path} { /var/cache/apt/archives/*.deb r, - owner @{user_projects_dirs}/** r, + owner @{user_projects_dirs}/** rw, owner @{user_build_dirs}/** rw, owner @{user_pkg_dirs}/ rw, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 75a8e566f6..6c22bd9db4 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -17,6 +17,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { capability fowner, capability mknod, capability sys_ptrace, + capability kill, network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 2187254621..8ff1c7b8c0 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -60,8 +60,6 @@ profile transmission @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny @{user_share_dirs}/gvfs-metadata/* r, - include if exists } diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 2616001a55..c0f279cb6f 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -25,6 +25,7 @@ profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index b72cff3c45..f06bbe844c 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -36,6 +36,8 @@ profile wsdd @{exec_path} { owner @{run}/user/@{uid}/wsdd w, owner @{run}/user/@{uid}/*/wsdd w, + owner @{PROC}/@{pid}/mounts r, + include if exists } From c3a315fed4083d3bdd36ed3e89d683e831db8255 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 Jan 2026 11:15:34 +0100 Subject: [PATCH 1313/1736] docs: improve inline documentation of the abstractions. --- apparmor.d/abstractions/app-open | 4 +-- apparmor.d/abstractions/app/bus | 2 +- apparmor.d/abstractions/app/bwrap-glycin | 3 +- apparmor.d/abstractions/app/chromium | 21 ++++++----- apparmor.d/abstractions/app/firefox | 12 ++++--- apparmor.d/abstractions/app/flatpak | 20 ++++++----- apparmor.d/abstractions/attached/base | 9 +++-- apparmor.d/abstractions/attached/consoles | 9 +++-- .../abstractions/attached/nameservice-strict | 9 +++-- apparmor.d/abstractions/audio-client | 5 +++ apparmor.d/abstractions/base-strict | 24 +++++++------ apparmor.d/abstractions/bus/accessibility/own | 9 +++-- apparmor.d/abstractions/bus/session/own | 9 +++-- apparmor.d/abstractions/bus/system/own | 9 +++-- apparmor.d/abstractions/bwrap | 11 +++--- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/common/chromium | 8 +++-- apparmor.d/abstractions/common/electron | 14 +++++--- apparmor.d/abstractions/common/game | 9 ++--- apparmor.d/abstractions/common/gnome | 5 +++ apparmor.d/abstractions/deny-sensitive-home | 13 +++---- apparmor.d/abstractions/desktop | 9 +++-- apparmor.d/abstractions/disks-read | 2 +- apparmor.d/abstractions/fontconfig-cache | 35 ++++++++++++++----- apparmor.d/abstractions/glibc | 6 ++++ apparmor.d/abstractions/gstreamer-registry | 2 +- apparmor.d/abstractions/ld | 10 ++++-- apparmor.d/abstractions/locale | 6 ++++ apparmor.d/abstractions/lttng | 6 ++++ apparmor.d/abstractions/nss | 2 +- apparmor.d/abstractions/secrets-service | 6 ++-- apparmor.d/abstractions/sys/gpumon | 1 + apparmor.d/abstractions/sys/hwmon | 1 + apparmor.d/abstractions/sys/hwmon-alarm | 1 + apparmor.d/abstractions/sys/hwmon-alarm:w | 1 + apparmor.d/abstractions/sys/hwmon-current | 1 + apparmor.d/abstractions/sys/hwmon-current:w | 1 + apparmor.d/abstractions/sys/hwmon-energy | 1 + apparmor.d/abstractions/sys/hwmon-energy:w | 1 + apparmor.d/abstractions/sys/hwmon-fan | 1 + apparmor.d/abstractions/sys/hwmon-fan:w | 1 + apparmor.d/abstractions/sys/hwmon-humidity | 1 + apparmor.d/abstractions/sys/hwmon-humidity:w | 1 + apparmor.d/abstractions/sys/hwmon-intrusion | 1 + apparmor.d/abstractions/sys/hwmon-intrusion:w | 1 + apparmor.d/abstractions/sys/hwmon-power | 1 + apparmor.d/abstractions/sys/hwmon-power:w | 1 + apparmor.d/abstractions/sys/hwmon-pwm | 1 + apparmor.d/abstractions/sys/hwmon-pwm:w | 1 + apparmor.d/abstractions/sys/hwmon-temp | 1 + apparmor.d/abstractions/sys/hwmon-temp:w | 1 + apparmor.d/abstractions/sys/hwmon:w | 1 + apparmor.d/abstractions/tests | 12 +++++-- apparmor.d/abstractions/tpm | 4 +-- apparmor.d/abstractions/trash-strict | 4 +-- 55 files changed, 231 insertions(+), 101 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index b806f28bc0..a9ea3ea5ef 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -2,9 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Instead of allowing the run of all software in @{bin}/, @{lib} the purpose of +# Instead of allowing the run of all software in `@{bin}/`, `@{lib}` the purpose of # this abstraction is to list all GUI program that can open resources. - +# # Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail # should be present here. Until this day, this profile will be a controlled mess. diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus index 8c7e6e98bc..619a899f1a 100644 --- a/apparmor.d/abstractions/app/bus +++ b/apparmor.d/abstractions/app/bus @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for dbus-send/dbus-launch. +# Minimal set of rules for `dbus-send` or `dbus-launch`. abi , diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index 94da17cdf3..f93af58651 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -4,9 +4,10 @@ # LOGPROF-SUGGEST: no # Base set of rules for glycin-loaders sandboxed with bwrap. +# # - It is very safe to use when used like in the glycin profile. # - It is **not** safe to use when used by a profile stacking glycin - +# # See https://github.com/roddhjav/apparmor.d/issues/881 for more details. abi , diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index ac6b49f8b3..b2e13643bf 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -8,19 +8,22 @@ # NEEDS-VARIABLE: config_dirs # NEEDS-VARIABLE: cache_dirs -# Full set of rules for all chromium based browsers. It works as a *function* +# A full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the -# header of the calling profile. Example: +# header of the calling profile. Example: AAA # -# @{name} = chromium -# @{domain} = org.chromium.Chromium -# @{lib_dirs} = @{lib}/chromium -# @{config_dirs} = @{user_config_dirs}/chromium -# @{cache_dirs} = @{user_cache_dirs}/chromium +# !!! quote "[apparmor.d/groups/browsers/chromium](https://github.com/roddhjav/apparmor.d/blob/e979fe05b06f525e5a65c767b4eabe5600147355/apparmor.d/groups/browsers/chromium#L10-L14)" # -# If your application requires chromium to run use abstractions/common/chromium -# or abstractions/common/electron instead. +# ``` +# @{name} = chromium +# @{domain} = org.chromium.Chromium +# @{lib_dirs} = @{lib}/chromium +# @{config_dirs} = @{user_config_dirs}/chromium +# @{cache_dirs} = @{user_cache_dirs}/chromium +# ``` # +# If your application requires chromium to run use [`common/chromium`](#commonchromium) +# or [`common/electron`](#commonelectron) instead. abi , diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 508f6abb05..4c9d77038e 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -11,10 +11,14 @@ # and requires some variables to be provided as *arguments* and set in the # header of the calling profile. Example: # -# @{name} = firefox{,.sh,-esr,-bin} -# @{lib_dirs} = @{lib}/@{name} /opt/@{name} -# @{config_dirs} = @{HOME}/.mozilla/ -# @{cache_dirs} = @{user_cache_dirs}/mozilla/ +# !!! quote "" +# +# ``` +# @{name} = firefox{,.sh,-esr,-bin} +# @{lib_dirs} = @{lib}/@{name} /opt/@{name} +# @{config_dirs} = @{HOME}/.mozilla/ +# @{cache_dirs} = @{user_cache_dirs}/mozilla/ +# ``` # abi , diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 90ffeae76c..f94caa4cbb 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -7,27 +7,29 @@ # Default rules for all flatpak applications. Ideally, they should be # generated with settings from the flatpak metadata. - +# # Security objectives: +# # 1. Split the sandbox handler (bwrap) from the app profile (fapp) # 2. Provide defence in depth, as flatpak already provides a sandbox # 3. The main purpose of this profile is to ensure all processes are confined - +# # Notable security improvements over no profile at all: -# - No capabilities (except dac_override & dac_read_search) +# +# - No capabilities (except `dac_override` & `dac_read_search`) # - Restrict unix socket to profiles defined in apparmor.d # - Limit dbus system communication to profiles defined in apparmor.d # - Ensure flatpak-spawn and host-spawn are confined too -# - Filter /proc/, /sys/ access - +# - Filter `/proc/`, `/sys/` access +# # Keep in mind that the profile is still common for all apps and is therefore # way more permissive than a per-app profile would be. - -# Abstractions in 'abstractions/flatpak' closelly follow the sandbox defined by +# +# Abstractions in `abstractions/flatpak/` closelly follow the sandbox defined by # flatpak, and are therefore different to they host equivalents, as flatpak apps # do not have access to the full host filesystem. - -# attach_disconnected: tweak the build system to replace attached abstractiosn +# +# attach_disconnected: tweak the build system to replace attached abstractions abi , diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index df184b93c0..3412612468 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -3,8 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, It automatically replaces the base abstraction in a - # profile with the attach_disconnected flag set and the re-attached path enabled. +# Add common attached path to the base abstraction. +# +# !!! warning +# +# Do not use it manually, It automatically replaces the base abstraction in a +# profile with the attach_disconnected flag set and the re-attached path enabled. +# abi , diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index f306c22736..c97d2f4060 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -3,8 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, It automatically replaces the consoles abstraction in a - # profile with the attach_disconnected flag set and the re-attached path enabled. +# Add common attached path to the consoles abstraction. +# +# !!! warning +# +# Do not use it manually, It automatically replaces the consoles abstraction in a +# profile with the attach_disconnected flag set and the re-attached path enabled. +# abi , diff --git a/apparmor.d/abstractions/attached/nameservice-strict b/apparmor.d/abstractions/attached/nameservice-strict index bdb413d272..86a0e968b9 100644 --- a/apparmor.d/abstractions/attached/nameservice-strict +++ b/apparmor.d/abstractions/attached/nameservice-strict @@ -3,8 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, It automatically replaces the consoles abstraction in a - # profile with the attach_disconnected flag set and the re-attached path enabled. +# Add common attached path to the nameservice-strict abstraction. +# +# !!! warning +# +# Do not use it manually, It automatically replaces the nameservice-strict abstraction in a +# profile with the attach_disconnected flag set and the re-attached path enabled. +# abi , diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 64d695f864..2627532a54 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -4,6 +4,11 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. +# +# !!! warning "TODO" +# +# Will have to be split into `pipewire-client` and `pulse-client` abstractions +# abi , diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 92e8d9c31d..1543c3d730 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -5,16 +5,20 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, It automatically replaces the base abstraction in - # profiles when the base-strict prebuild feature is enabled (default). - - # It is mostly a restructuring of the base abstraction with awareness - # of the apparmor.d architecture. - # - # Changes from the base abstraction: - # - Removed access to @{run}/uuidd/request - # - owner only access to some files in @{PROC}/@{pid}/ - # - denied lttng +# It is mostly a restructuring of the base abstraction with awareness +# of the apparmor.d architecture. +# +# Changes from the base abstraction: +# +# - Removed access to `@{run}/uuidd/request` +# - owner only access to some files in `@{PROC}/@{pid}/` +# - denied lttng +# +# !!! warning +# +# Do not use it manually, It automatically replaces the base abstraction in +# profiles when the base-strict prebuild feature is enabled (default). +# abi , diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own index bf6533cd8d..bef63d73e2 100644 --- a/apparmor.d/abstractions/bus/accessibility/own +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -3,10 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, It is automatically included in a profile by the -# `aa:dbus own` directive. - # Allow owning a name on DBus public bus +# +# !!! warning +# +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. +# abi , diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own index a48e33f123..62c932bbb7 100644 --- a/apparmor.d/abstractions/bus/session/own +++ b/apparmor.d/abstractions/bus/session/own @@ -3,10 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, It is automatically included in a profile by the -# `aa:dbus own` directive. - # Allow owning a name on DBus public bus +# +# !!! warning +# +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. +# abi , diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own index 275e904229..00c31033cc 100644 --- a/apparmor.d/abstractions/bus/system/own +++ b/apparmor.d/abstractions/bus/system/own @@ -3,10 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, It is automatically included in a profile by the -# `aa:dbus own` directive. - # Allow owning a name on DBus public bus +# +# !!! warning +# +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. +# abi , diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap index b1070402b9..e841f38793 100644 --- a/apparmor.d/abstractions/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -4,15 +4,16 @@ # NEEDS-VARIABLE: att # Bubblewrap creates isolated environments for applications. It requires the -# sys_admin capability to enter a new PID namespace. Until this capability is +# `sys_admin` capability to enter a new PID namespace. Until this capability is # dropped, the process can potentially escape confinement. For this reason, we # typically transition to another application profile, even if it requires -# managing a stacked set of profiles since bwrap sets the no_new_privs (nnp) -# flag. The resulting profile should take the form: //& +# managing a stacked set of profiles since bwrap sets the `no_new_privs` (nnp) +# flag. The resulting profile should take the form: `//&` # # A profile using this abstraction still needs to set: -# - the flag: attach_disconnected -# - bwrap execution: '@{bin}/bwrap ix,' or memory mapping '@{bin}/bwrap mr,' +# +# - the flag: `attach_disconnected` +# - bwrap execution: `@{bin}/bwrap ix,` or memory mapping `@{bin}/bwrap mr,` abi , diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index dee388a733..4c2575414a 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -5,7 +5,7 @@ # NEEDS-VARIABLE: att # Common rules for a generic UI application. - +# # This abstraction is wide on purpose. It is meant to be used by a generic # user UI aplications wich no asumption made on the access they need. diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 16a23f7312..afa15c04b4 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -6,11 +6,15 @@ # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/app/chromium instead. - +# # It works as a *function* and requires a variable to be provided as *arguments* # and set in the header of the calling profile. Example: # -# @{domain} = org.chromium.Chromium +# !!! quote "" +# +# ``` +# @{domain} = org.chromium.Chromium +# ``` # abi , diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 3b47b64250..55444a0889 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -11,11 +11,15 @@ # *function* and requires some variables to be provided as *arguments* and set # in the header of the calling profile. Example: # -# @{name} = spotify -# @{domain} = org.chromium.chromium -# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ -# @{config_dirs} = @{user_config_dirs}/@{name} -# @{cache_dirs} = @{user_cache_dirs}/@{name} +# !!! quote "" +# +# ``` +# @{name} = spotify +# @{domain} = org.chromium.chromium +# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ +# @{config_dirs} = @{user_config_dirs}/@{name} +# @{cache_dirs} = @{user_cache_dirs}/@{name} +# ``` # abi , diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index cbc53b4d4b..fa38303c61 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -8,11 +8,12 @@ # Core set of resources for any games on Linux. Runtimes such as sandboxing, # wine, proton, game launchers should use this abstraction. - +# # This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories -# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) +# +# - `@{XDG_GAMESSTUDIO_DIR}/` for game studio and game engines specific directories +# (Default: `@{XDG_GAMESSTUDIO_DIR}="unity3d"`) +# - `@{user_games_dirs}/` for user specific game directories (eg: steam storage dir) abi , diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 7ae0f2e37b..674632d1b9 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -4,6 +4,11 @@ # Minimal set of rules for all gnome based UI application. +# !!! warning +# +# In the future, this abstraction could be generalized and renamed to `gui` +# + abi , include diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 68c013a51d..d39c35e681 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -2,13 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER - # Per the first rule of this project: -# As these are mandatory access control policies only what it explicitly required -# should be authorized. Meaning, you should not allow everything (or a large area) -# and blacklist some sub area. - +# +# !!! quote +# +# As these are mandatory access control policies only what it explicitly required +# should be authorized. Meaning, you should not allow everything (or a large area) +# and blacklist some sub area. +# # The only legitimate use in this project is for file browser and search engine. abi , diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 0adebd467c..d0f90c8dd2 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -3,9 +3,12 @@ # SPDX-License-Identifier: GPL-2.0-only # Unified minimal abstraction for all UI application regardless of the desktop environment. - -# When supported in apparmor, condition will be used in this abstraction to filter -# resources specific for supported DE. +# +# !!! note +# +# When supported in apparmor, condition will be used in this abstraction to filter +# resources specific for supported DE. +# abi , diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 6e32286091..1e4f35a51b 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # The /sys/ entries probably should be tightened + # The `/sys/` entries probably should be tightened abi , diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache index 35818dd2a2..92d90a49b7 100644 --- a/apparmor.d/abstractions/fontconfig-cache +++ b/apparmor.d/abstractions/fontconfig-cache @@ -3,15 +3,32 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # The fontconfig cache can be generated via the following command: - # $ fc-cache -f -v - # - # There is no need to give apps the ability to create cache for their own. - # However, apps can generate the fontconfig cache if some cache files are missing. - # Therefore, if this behavior is desirable, you can use - # - # If not, you can block writing to the cache directories with - # +# The fontconfig cache can be generated via the following command: +# +# !!! quote "" +# +# ``` +# fc-cache -f -v +# ``` +# +# There is no need to give apps the ability to create cache for their own. +# However, apps can generate the fontconfig cache if some cache files are missing. +# Therefore, if this behavior is desirable, you can use: +# +# !!! quote "" +# +# ``` +# +# ``` +# +# If not, you can block writing to the cache directories with +# +# !!! quote "" +# +# ``` +# +# ``` +# abi , diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index 09f7277d50..2beebf2704 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -4,6 +4,12 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# !!! note +# +# As this abstraction is included in the `base` / `base-strict` abstractions. +# It is not necessary to include it manually. +# + abi , # Used by Glibc when binding to ephemeral ports diff --git a/apparmor.d/abstractions/gstreamer-registry b/apparmor.d/abstractions/gstreamer-registry index 137cb508fa..a7a7291d44 100644 --- a/apparmor.d/abstractions/gstreamer-registry +++ b/apparmor.d/abstractions/gstreamer-registry @@ -5,7 +5,7 @@ # Plugin registry cache for the multimedia framework GStreamer. # It stores metadata about all the GStreamer plugins available on the system, # including their types, capabilities, and locations. - +# # It is usually needed by application calling GStreamer libraries. abi , diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld index 21ac745e27..c3bbcec8a1 100644 --- a/apparmor.d/abstractions/ld +++ b/apparmor.d/abstractions/ld @@ -4,8 +4,14 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # ld.so.cache and ld are used to load shared libraries. - # As such, they can be used everywhere +# ld.so.cache and ld are used to load shared libraries, therefore they are +# required by almost all applications. +# +# !!! note +# +# As this abstraction is included in the `base` / `base-strict` abstractions. +# It is not necessary to include it manually. +# abi , diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale index 873c303f50..796b479aec 100644 --- a/apparmor.d/abstractions/locale +++ b/apparmor.d/abstractions/locale @@ -4,6 +4,12 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# !!! note +# +# As this abstraction is included in the `base` / `base-strict` abstractions. +# It is not necessary to include it manually. +# + abi , @{etc_ro}/locale.alias r, diff --git a/apparmor.d/abstractions/lttng b/apparmor.d/abstractions/lttng index 9220655310..7f9a1e1331 100644 --- a/apparmor.d/abstractions/lttng +++ b/apparmor.d/abstractions/lttng @@ -5,6 +5,12 @@ # LTTng is an open source tracing framework for Linux - https://lttng.org # # Lttng tracing is very noisy and should not be allowed by confined apps. +# +# !!! note +# +# As this abstraction is included in the `base` / `base-strict` abstractions. +# It is not necessary to include it manually. +# abi , diff --git a/apparmor.d/abstractions/nss b/apparmor.d/abstractions/nss index 3ff04292f0..af7a85881e 100644 --- a/apparmor.d/abstractions/nss +++ b/apparmor.d/abstractions/nss @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Network Security Services (NSS) - +# # It only allows access to the system-provided configuration files, not the ones # that are applications specific. diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service index 083672cc92..809b0d9b5f 100644 --- a/apparmor.d/abstractions/secrets-service +++ b/apparmor.d/abstractions/secrets-service @@ -3,8 +3,7 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Provide full access to the secret-service API: -# - https://standards.freedesktop.org/secret-service/) +# Provide full access to the secret-service API: https://standards.freedesktop.org/secret-service/ # # The secret-service allows managing (add/delete/lock/etc) collections and # (add/delete/etc) items within collections. The API also has the concept of @@ -15,8 +14,7 @@ # as a database of key/value attributes each with an associated secret that # applications may query. Because AppArmor does not mediate member data, # typical and recommended usage of the API does not allow for application -# isolation. For details, see: -# - https://standards.freedesktop.org/secret-service/ch03.html +# isolation. For details, see: https://standards.freedesktop.org/secret-service/ch03.html # abi , diff --git a/apparmor.d/abstractions/sys/gpumon b/apparmor.d/abstractions/sys/gpumon index 67d576f462..e97e0e9c61 100644 --- a/apparmor.d/abstractions/sys/gpumon +++ b/apparmor.d/abstractions/sys/gpumon @@ -5,6 +5,7 @@ # GPU Power/Thermal Controls and Monitoring # # See: +# # - https://www.kernel.org/doc/html/latest/gpu/amdgpu/thermal.html # - https://www.kernel.org/doc/html/latest/gpu/amdgpu/driver-misc.html#gpu-memory-usage-information diff --git a/apparmor.d/abstractions/sys/hwmon b/apparmor.d/abstractions/sys/hwmon index 700e1d40a2..fc66a2bab3 100644 --- a/apparmor.d/abstractions/sys/hwmon +++ b/apparmor.d/abstractions/sys/hwmon @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Global attributes +# # See https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface abi , diff --git a/apparmor.d/abstractions/sys/hwmon-alarm b/apparmor.d/abstractions/sys/hwmon-alarm index b978af21ac..430288563d 100644 --- a/apparmor.d/abstractions/sys/hwmon-alarm +++ b/apparmor.d/abstractions/sys/hwmon-alarm @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Alarms +# # Alarms enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-alarm:w b/apparmor.d/abstractions/sys/hwmon-alarm:w index e8bbc79570..50ee26ff1b 100644 --- a/apparmor.d/abstractions/sys/hwmon-alarm:w +++ b/apparmor.d/abstractions/sys/hwmon-alarm:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Alarms +# # Alarms enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-current b/apparmor.d/abstractions/sys/hwmon-current index b034c2224d..9d9e1ff7ab 100644 --- a/apparmor.d/abstractions/sys/hwmon-current +++ b/apparmor.d/abstractions/sys/hwmon-current @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Currents +# # Currents enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-current:w b/apparmor.d/abstractions/sys/hwmon-current:w index c56c854051..a098631753 100644 --- a/apparmor.d/abstractions/sys/hwmon-current:w +++ b/apparmor.d/abstractions/sys/hwmon-current:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Currents +# # Currents enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-energy b/apparmor.d/abstractions/sys/hwmon-energy index 4123df6ca1..cca45f79e5 100644 --- a/apparmor.d/abstractions/sys/hwmon-energy +++ b/apparmor.d/abstractions/sys/hwmon-energy @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Energy +# # Energy enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-energy:w b/apparmor.d/abstractions/sys/hwmon-energy:w index dfd38845f2..b5e709b91c 100644 --- a/apparmor.d/abstractions/sys/hwmon-energy:w +++ b/apparmor.d/abstractions/sys/hwmon-energy:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Energy +# # Energy enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-fan b/apparmor.d/abstractions/sys/hwmon-fan index d908dc7a11..faf682dd1a 100644 --- a/apparmor.d/abstractions/sys/hwmon-fan +++ b/apparmor.d/abstractions/sys/hwmon-fan @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Fans +# # Fan enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-fan:w b/apparmor.d/abstractions/sys/hwmon-fan:w index 0425686393..4bcdcdb579 100644 --- a/apparmor.d/abstractions/sys/hwmon-fan:w +++ b/apparmor.d/abstractions/sys/hwmon-fan:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Fans +# # Fan enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-humidity b/apparmor.d/abstractions/sys/hwmon-humidity index 58eb196979..d3870ff91e 100644 --- a/apparmor.d/abstractions/sys/hwmon-humidity +++ b/apparmor.d/abstractions/sys/hwmon-humidity @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Humidity +# # Humidity enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-humidity:w b/apparmor.d/abstractions/sys/hwmon-humidity:w index c54c858c70..82974d213e 100644 --- a/apparmor.d/abstractions/sys/hwmon-humidity:w +++ b/apparmor.d/abstractions/sys/hwmon-humidity:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Humidity +# # Humidity enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-intrusion b/apparmor.d/abstractions/sys/hwmon-intrusion index 9126c30f53..af81e6ec20 100644 --- a/apparmor.d/abstractions/sys/hwmon-intrusion +++ b/apparmor.d/abstractions/sys/hwmon-intrusion @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Intrusion detection +# # Intrusion detection enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-intrusion:w b/apparmor.d/abstractions/sys/hwmon-intrusion:w index 066be28abb..5b9d353774 100644 --- a/apparmor.d/abstractions/sys/hwmon-intrusion:w +++ b/apparmor.d/abstractions/sys/hwmon-intrusion:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Intrusion detection +# # Intrusion detection enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-power b/apparmor.d/abstractions/sys/hwmon-power index e4ad634de9..b8482d0c6c 100644 --- a/apparmor.d/abstractions/sys/hwmon-power +++ b/apparmor.d/abstractions/sys/hwmon-power @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Power +# # Power enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-power:w b/apparmor.d/abstractions/sys/hwmon-power:w index e5ec2ad185..4267e6b0c3 100644 --- a/apparmor.d/abstractions/sys/hwmon-power:w +++ b/apparmor.d/abstractions/sys/hwmon-power:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Power +# # Power enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-pwm b/apparmor.d/abstractions/sys/hwmon-pwm index ae73674b42..095edfd713 100644 --- a/apparmor.d/abstractions/sys/hwmon-pwm +++ b/apparmor.d/abstractions/sys/hwmon-pwm @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # PWM +# # PWM enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-pwm:w b/apparmor.d/abstractions/sys/hwmon-pwm:w index 13f678a227..ca24a4616a 100644 --- a/apparmor.d/abstractions/sys/hwmon-pwm:w +++ b/apparmor.d/abstractions/sys/hwmon-pwm:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # PWM +# # PWM enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-temp b/apparmor.d/abstractions/sys/hwmon-temp index 4c06eadb75..423b5cba1b 100644 --- a/apparmor.d/abstractions/sys/hwmon-temp +++ b/apparmor.d/abstractions/sys/hwmon-temp @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Temperatures +# # Temperatures enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon-temp:w b/apparmor.d/abstractions/sys/hwmon-temp:w index 23b2a5d140..1ef37a0f19 100644 --- a/apparmor.d/abstractions/sys/hwmon-temp:w +++ b/apparmor.d/abstractions/sys/hwmon-temp:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Temperatures +# # Temperatures enumeration starts from 1 not 0 abi , diff --git a/apparmor.d/abstractions/sys/hwmon:w b/apparmor.d/abstractions/sys/hwmon:w index 96f01c5658..ea93705d6c 100644 --- a/apparmor.d/abstractions/sys/hwmon:w +++ b/apparmor.d/abstractions/sys/hwmon:w @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Global attributes +# # See https://www.kernel.org/doc/Documentation/hwmon/sysfs-interface abi , diff --git a/apparmor.d/abstractions/tests b/apparmor.d/abstractions/tests index 0de2e594db..a8f0b2ec94 100644 --- a/apparmor.d/abstractions/tests +++ b/apparmor.d/abstractions/tests @@ -5,8 +5,16 @@ # Common temporary tests directories used by autopkgtest. # -# Do not use it manually, It is automatically included in the base abstraction -# when the 'test' prebuild flag is set. +# !!! warning +# +# Do not use it manually, It is automatically included in the base abstraction +# when the 'test' prebuild flag is set. +# +# !!! note +# +# When needed, this abstraction is included in the `base` / `base-strict` abstractions. +# It is not necessary to include it manually. +# abi , diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm index ef7b30a2b7..5306cd48bd 100644 --- a/apparmor.d/abstractions/tpm +++ b/apparmor.d/abstractions/tpm @@ -3,8 +3,8 @@ # Copyright (C) 2021-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM -# resource manager /dev/tpmrm@{int} +# Communication to the system TPM chip over `/dev/tpm@{int}` and kernel TPM +# resource manager `/dev/tpmrm@{int}` abi , diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index 30d5188172..367a83680c 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict @@ -5,8 +5,8 @@ # Already upstreamed. Different because recent change does not play well # with upstream's version. - -# There is no 'owner' rule on expunged folders because some internally sandboxed +# +# There is no `owner` rule on expunged folders because some internally sandboxed # app (using bwrap) run on a different private user. abi , From 6ba6ec2c12b9c1d4007fe7fa6f94456e9b0551f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 Jan 2026 12:08:42 +0100 Subject: [PATCH 1314/1736] doc: add docstring generation script. --- Justfile | 5 + dists/docstring.sh | 325 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 330 insertions(+) create mode 100644 dists/docstring.sh diff --git a/Justfile b/Justfile index d877f28f75..b5146a5ec1 100644 --- a/Justfile +++ b/Justfile @@ -297,6 +297,11 @@ check: man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +# Generate abstractions and tunable documentation from the source +[group('docs')] +docstring: + @bash dists/docstring.sh + # Build the documentation [group('docs')] docs: diff --git a/dists/docstring.sh b/dists/docstring.sh new file mode 100644 index 0000000000..06b52b914d --- /dev/null +++ b/dists/docstring.sh @@ -0,0 +1,325 @@ +#!/usr/bin/env bash +# Generate markdown documentation from abstractions and tunables +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: +# just docstring + +set -eu -o pipefail + +readonly ABSTRACTIONS_DIR="apparmor.d/abstractions" +readonly TUNABLES_DIR="apparmor.d/tunables" +readonly ABSTRACTIONS_DOCS_DIR="docs/abstractions/" +readonly TUNABLES_DOCS_DIR="docs/tunables/" + +# Extract description from abstraction file header +# Skips copyright/license and extracts meaningful comments +_get_docs() { + local file="$1" + while IFS= read -r line; do + [[ -z "$line" ]] && continue + [[ ! "$line" =~ ^# ]] && break + [[ "$line" =~ (Copyright|SPDX-License-Identifier|^#\ apparmor\.d\ ) ]] && continue + [[ "$line" =~ (LOGPROF-SUGGEST|NEEDS-VARIABLE) ]] && continue + [[ "$line" =~ ^#aa: ]] && continue + + local comment="${line#\# }" + if [[ $comment == "#" ]]; then + echo "" + elif [[ -n "$comment" ]]; then + echo "$comment" + fi + done < "$file" +} + +# Extract required variables from abstraction file +_get_variables() { + local file="$1" + grep "^# NEEDS-VARIABLE:" "$file" 2>/dev/null | sed 's/^# NEEDS-VARIABLE: //' | tr '\n' ', ' | sed 's/, $//' || true +} + +# Check if an abstraction is core (has no external includes) +# Returns 0 if core, 1 if not core +_is_core_abstraction() { + local file="$1" + local name="$2" + + # Get base name without path components + local base_name + base_name="$(basename "$name")" + + # Check for include directives, excluding self-includes to .d directories + while IFS= read -r line; do + # Skip comments and empty lines + [[ "$line" =~ ^[[:space:]]*# ]] && continue + [[ -z "$line" ]] && continue + + # Check for include directives + if [[ "$line" =~ ^[[:space:]]*include ]]; then + # Extract the included path + local included_path="${line#*> "$TUNABLES_DOCS_DIR/$category.md" + done < <(find "$TUNABLES_DIR" -type f -print0 | sort -z) +} + +# Generate documentation for abstractions +_generate_abstractions_docs() { + echo "Generating abstraction documentation..." + + while IFS= read -r -d '' file; do + name="${file#apparmor.d/abstractions/}" + # Skip files inside .d directories (e.g., bash.d/complete) + [[ "$name" == *".d/"* ]] && continue + category="$(_get_abstraction_type "$name" "$file")" + # echo "Processing: $file -> |$category|" + + docs="$(_get_docs "$file")" + variables="$(_get_variables "$file")" + + if [[ -z "$docs" && -z "$variables" ]]; then + continue + fi + printf "\n## %s\n\n" "$name" >> "$ABSTRACTIONS_DOCS_DIR/$category.md" + + if [[ -n "$docs" ]]; then + printf "%s\n" "$docs" >> "$ABSTRACTIONS_DOCS_DIR/$category.md" + fi + if [[ -n "$variables" ]]; then + printf "\n**Required variables:** %s\n" "$variables" >> "$ABSTRACTIONS_DOCS_DIR/$category.md" + fi + done < <(find "$ABSTRACTIONS_DIR" -type f -print0 | sort -z) +} + +mkdir -p "$ABSTRACTIONS_DOCS_DIR" "$TUNABLES_DOCS_DIR" +_init_files +_generate_abstractions_docs +_generate_tunables_docs From fcf3c11ddeba2754ee07130ec62092bced226263 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 Jan 2026 12:42:31 +0100 Subject: [PATCH 1315/1736] doc: move from mkdocs to zensical. --- .gitlab-ci.yml | 2 +- Justfile | 4 +- docs/assets/stylesheets/extra.css | 30 +++-- docs/index.md | 13 --- mkdocs.yml | 171 ---------------------------- requirements.txt | 6 +- zensical.toml | 182 ++++++++++++++++++++++++++++++ 7 files changed, 206 insertions(+), 202 deletions(-) delete mode 100644 mkdocs.yml create mode 100644 zensical.toml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a0473e87e9..5abf6128ea 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -191,7 +191,7 @@ pages: GIT_DEPTH: 0 script: - pip install -r requirements.txt - - mkdocs build --site-dir public + - zensical build --site-dir public artifacts: paths: - public diff --git a/Justfile b/Justfile index b5146a5ec1..49c6b431f0 100644 --- a/Justfile +++ b/Justfile @@ -305,12 +305,12 @@ docstring: # Build the documentation [group('docs')] docs: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true zensical build --strict # Serve the documentation [group('docs')] serve: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false zensical serve --open # Remove all build artifacts clean: diff --git a/docs/assets/stylesheets/extra.css b/docs/assets/stylesheets/extra.css index 8691707dbe..a472882313 100644 --- a/docs/assets/stylesheets/extra.css +++ b/docs/assets/stylesheets/extra.css @@ -1,22 +1,22 @@ -[data-md-color-scheme=default] { - --md-footer-fg-color: var(--md-text-color); - --md-footer-fg-color--light: #808080; - --md-footer-fg-color--lighter: #b6b6b6; - --md-footer-bg-color: transparent; - --md-footer-bg-color--dark: transparent; +[data-md-color-scheme="default"] { + --md-footer-bg-color: #ffffff; --pg-purple: #603aa0; --pg-red: #c0322f; - --pg-orange: #ac2f09; + --pg-orange: #ffa500; --pg-teal: #04756a; --pg-brown: #8d6e62; --pg-blue: #0e66ae; --pg-green: #2e7e31; --pg-blue-gray: #546d78; + + /* Custom accent color - warm amber-brown */ + --md-accent-fg-color: #a67c52; + --md-accent-fg-color--transparent: #a67c521a; + --md-accent-bg-color: #fff; } -[data-md-color-scheme=slate] { - --md-footer-bg-color: transparent; - --md-footer-bg-color--dark: var(--md-default-bg-color--darkest); +[data-md-color-scheme="slate"] { + --md-footer-bg-color: #0b0c0f; --pg-purple: #af94de; --pg-red: #ff6c6a; --pg-orange: #e97b5a; @@ -25,6 +25,16 @@ --pg-blue: #74b9f1; --pg-green: #72cd75; --pg-blue-gray: #9ab2bc; + + /* Custom accent color - lighter amber-brown for dark mode */ + --md-accent-fg-color: #d4a574; + --md-accent-fg-color--transparent: #d4a5741a; + --md-accent-bg-color: #000; +} + +.md-footer-meta { + background-color: var(--md-footer-bg-color); + border-top: .05rem solid var(--md-footer-bg-color); } /* Badge colors */ diff --git a/docs/index.md b/docs/index.md index 9602207d0a..25d8ef366e 100644 --- a/docs/index.md +++ b/docs/index.md @@ -24,19 +24,6 @@ hide: display: none; } - /* Get started button */ - .md-typeset .md-button--primary { - color: var(--md-primary-fg-color); - background-color: var(--md-primary-bg-color); - border-color: var(--md-primary-bg-color); - } - - .md-typeset .md-button--primary:hover { - color: var(--md-primary-bg-color); - background-color: var(--md-primary-fg-color); - border-color: var(--md-primary-bg-color); - } - .tx-hero { max-width: 700px; display: flex; diff --git a/mkdocs.yml b/mkdocs.yml deleted file mode 100644 index 6697caedf1..0000000000 --- a/mkdocs.yml +++ /dev/null @@ -1,171 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Project information -site_name: AppArmor.d -site_url: https://apparmor.pujol.io -site_author: Alexandre Pujol -site_description: >- - Full set of AppArmor profiles - -# Repository -repo_name: roddhjav/apparmor.d -repo_url: https://github.com/roddhjav/apparmor.d -edit_uri: edit/main/docs/ - -# Copyright -copyright: Copyright © 2021-2025 Alexandre Pujol - -# Configuration -theme: - name: material - logo: assets/favicon.png - favicon: assets/favicon.png - palette: - - scheme: default - primary: white - toggle: - icon: material/brightness-7 - name: Switch to dark mode - - - scheme: slate - primary: brown - accent: deep orange - toggle: - icon: material/brightness-4 - name: Switch to light mode - icon: - repo: fontawesome/brands/github - edit: material/file-edit-outline - view: material/file-eye-outline - features: - - content.action.edit - - content.code.annotate - - content.code.copy - - content.tabs.link - - content.tooltips - - navigation.indexes - - navigation.instant - - navigation.sections - - navigation.tabs - - navigation.top - - search.highlight - - search.share - - search.suggest - -extra_css: - - assets/stylesheets/extra.css - -# Plugins -plugins: - - privacy - - search - - offline: - enabled: !ENV [MKDOCS_OFFLINE, true] - - git-revision-date-localized: - enabled: !ENV [ENABLED_GIT_REVISION_DATE, true] - enable_creation_date: true - fallback_to_build_date: true - - minify: - minify_html: true - - git-committers: - enabled: !ENV [ENABLED_GIT_REVISION_DATE, true] - token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY] - repository: roddhjav/apparmor.d - branch: main - -# Customization -extra: - social: - - icon: fontawesome/brands/twitter - link: https://twitter.com/roddhjav - - icon: fontawesome/brands/github - link: https://github.com/roddhjav/apparmor.d - - icon: fontawesome/brands/gitlab - link: https://gitlab.com/roddhjav/apparmor.d - - icon: fontawesome/solid/up-right-from-square - link: https://pujol.io - -# Extensions -markdown_extensions: - - abbr - - admonition - - attr_list - - def_list - - footnotes - - tables - - md_in_html - - toc: - permalink: true - toc_depth: 3 - - pymdownx.betterem: - smart_enable: all - - pymdownx.caret - - pymdownx.mark - - pymdownx.tilde - - pymdownx.details - - pymdownx.emoji: - emoji_index: !!python/name:material.extensions.emoji.twemoji - emoji_generator: !!python/name:material.extensions.emoji.to_svg - - pymdownx.highlight: - anchor_linenums: true - - pymdownx.inlinehilite - - pymdownx.keys - - pymdownx.magiclink: - repo_url_shorthand: true - user: squidfunk - repo: mkdocs-material - - pymdownx.smartsymbols - - pymdownx.snippets: - auto_append: - - docs/abbreviations.md - - pymdownx.superfences: - custom_fences: - - name: mermaid - class: mermaid - format: !!python/name:pymdownx.superfences.fence_code_format - - pymdownx.tabbed: - alternate_style: true - slugify: !!python/object/apply:pymdownx.slugs.slugify - kwds: - case: lower - - pymdownx.tasklist: - custom_checkbox: true - -# Page tree -nav: - - Home: - - index.md - - Getting Started: - - overview.md - - concepts.md - - install.md - - configuration.md - - usage.md - - report.md - - Advanced: - - variables.md - - enforce.md - - full-system-policy.md - - Troubleshooting: - - issues.md - - recovery.md - - Development: - - development/index.md - - development/roadmap.md - - Profiles: - - development/workflow.md - - development/guidelines.md - - development/abstractions.md - - development/internal.md - - development/directives.md - - development/dbus.md - - development/recommendations.md - - Packages: - - development/build.md - - Tests: - - development/tests.md - - development/vm.md - - development/integration.md - - development/autopkgtest.md diff --git a/requirements.txt b/requirements.txt index d30bccf196..39b3613053 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1 @@ -mkdocs -mkdocs-git-committers-plugin-2 -mkdocs-git-revision-date-localized-plugin -mkdocs-material -mkdocs-minify-plugin +zensical diff --git a/zensical.toml b/zensical.toml new file mode 100644 index 0000000000..f6f652dfc8 --- /dev/null +++ b/zensical.toml @@ -0,0 +1,182 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# https://zensical.org/docs/setup/basics/ + +[project] + +# Project information +site_name = "AppArmor.d" +site_url = "https://apparmor.pujol.io" +site_description = "Full set of AppArmor profiles" +site_author = "Alexandre Pujol" +copyright = "Copyright © 2021-2026 Alexandre Pujol" + +# Repository +repo_name = "roddhjav/apparmor.d" +repo_url = "https://github.com/roddhjav/apparmor.d" +edit_uri = "edit/main/docs/" + +# Extra stylesheets and scripts +extra_css = ["assets/stylesheets/extra.css"] + +# Navigation structure +nav = [ + { "Home" = [ + { "Home" = [ + "index.md", + ] }, + { "Getting Started" = [ + "overview.md", + "install.md", + "configuration.md", + "usage.md", + "report.md", + ] }, + { "Advanced" = [ + "variables.md", + "enforce.md", + "full-system-policy.md", + ] }, + { "Troubleshooting" = [ + "issues.md", + "recovery.md", + ] }, + ] }, + { "Development" = [ + { "Development" = [ + "development/index.md", + "development/roadmap.md", + ] }, + { "Profiles" = [ + "development/workflow.md", + "development/guidelines.md", + "development/internal.md", + "development/directives.md", + "development/dbus.md", + "development/recommendations.md", + ] }, + { "Packages" = [ + "development/overview.md", + "development/build.md", + ] }, + { "Tests" = [ + "development/tests.md", + "development/vm.md", + "development/integration.md", + "development/autopkgtest.md", + ] }, + ] }, +] + +# Navigation structure +# Theme configuration +[project.theme] +logo = "assets/favicon.png" +favicon = "assets/favicon.png" +features = [ + "content.action.edit", + "content.action.view", + "content.code.annotate", + "content.code.copy", + "content.code.select", + "content.footnote.tooltips", + "content.tabs.link", + "content.tooltips", + "navigation.indexes", + "navigation.instant.prefetch", + "navigation.instant", + "navigation.sections", + "navigation.tabs", + "navigation.top", + "navigation.tracking", + "search.highlight", +] + +# Extensions +[project.markdown_extensions.abbr] +[project.markdown_extensions.admonition] +[project.markdown_extensions.attr_list] +[project.markdown_extensions.def_list] +[project.markdown_extensions.footnotes] +[project.markdown_extensions.md_in_html] +[project.markdown_extensions.toc] +permalink = true +toc_depth = 4 +[project.markdown_extensions.pymdownx.arithmatex] +generic = true +[project.markdown_extensions.pymdownx.betterem] +smart_enable = "all" +[project.markdown_extensions.pymdownx.caret] +[project.markdown_extensions.pymdownx.details] +[project.markdown_extensions.pymdownx.emoji] +emoji_generator = "zensical.extensions.emoji.to_svg" +emoji_index = "zensical.extensions.emoji.twemoji" +[project.markdown_extensions.pymdownx.highlight] +anchor_linenums = true +[project.markdown_extensions.pymdownx.inlinehilite] +[project.markdown_extensions.pymdownx.keys] +[project.markdown_extensions.pymdownx.magiclink] +repo_url_shorthand = true +user = "squidfunk" +repo = "mkdocs-material" +[project.markdown_extensions.pymdownx.mark] +[project.markdown_extensions.pymdownx.smartsymbols] +[project.markdown_extensions.pymdownx.superfences] +custom_fences = [ + { name = "mermaid", class = "mermaid", format = "pymdownx.superfences.fence_code_format" }, +] +[project.markdown_extensions.pymdownx.tabbed] +alternate_style = true +[project.markdown_extensions.pymdownx.tabbed.slugify] +kwds = { case = "lower" } +object = "pymdownx.slugs.slugify" +[project.markdown_extensions.pymdownx.tasklist] +custom_checkbox = true +[project.markdown_extensions.pymdownx.tilde] + +# Plugins +[project.plugins.offline] +enabled = false + +# Palette toggle for automatic mode +[[project.theme.palette]] +media = "(prefers-color-scheme)" +toggle.icon = "lucide/sun-moon" +toggle.name = "Switch to light mode" + +# Palette toggle for light mode +[[project.theme.palette]] +media = "(prefers-color-scheme: light)" +scheme = "default" +primary = "brown" +accent = "deep orange" +toggle.icon = "lucide/sun" +toggle.name = "Switch to dark mode" + +# Palette toggle for dark mode +[[project.theme.palette]] +media = "(prefers-color-scheme: dark)" +scheme = "slate" +primary = "brown" +accent = "deep orange" +toggle.icon = "lucide/moon" +toggle.name = "Switch to system preference" + +# Customization +[[project.extra.social]] +icon = "fontawesome/brands/mastodon" +link = "https://mamot.fr/@roddhjav" + +[[project.extra.social]] +icon = "fontawesome/brands/github" +link = "https://github.com/roddhjav/apparmor.d" + +[[project.extra.social]] +icon = "fontawesome/brands/gitlab" +link = "https://gitlab.com/roddhjav/apparmor.d" + +[[project.extra.social]] +icon = "fontawesome/solid/up-right-from-square" +link = "https://pujol.io" From db4ebe716b9a85eef9b2eec840012b4d137e438c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 Jan 2026 12:47:14 +0100 Subject: [PATCH 1316/1736] doc: general documentation update. --- docs/development/build.md | 10 +++ docs/development/dbus.md | 4 +- docs/development/guidelines.md | 5 +- docs/development/internal.md | 4 +- docs/development/roadmap.md | 2 + docs/development/tests.md | 64 ++++++++++------ docs/development/vm.md | 71 +++--------------- docs/full-system-policy.md | 132 ++++++++++++++++++++++----------- docs/index.md | 2 +- docs/overview.md | 2 +- docs/report.md | 1 + docs/usage.md | 8 +- 12 files changed, 170 insertions(+), 135 deletions(-) diff --git a/docs/development/build.md b/docs/development/build.md index c7ce93d130..4f7cb0b29d 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -154,6 +154,16 @@ This task reattaches disconnected paths. See the [Re-attached path](internal.md# *Enabled when abi >= 4.0* +### **`stacked-dbus`** + +Stacked profile name is under the form `A//&B`. The resulting stacked name can be used in peer label rules. However, in dbus rules, + +Resolve peer label variable in dbus rules. It transforms peer label rules set from `label="@{p_dbus_session}"` to `label="A//&B"`. + +See: https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 + +*Enabled for Ubuntu 25.04+* + ### **`hotfix`** Temporary fix for #74, #80 & #235. Only an issue on Gnome, can be disabled on server. diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 165626f24f..7dc1008fb5 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md @@ -47,8 +47,8 @@ We use a special [directive](directives.md) to generate more advanced dbus acces : Access type. Can be `own` or `talk`: - - `own` means the profile owns the dbus interface. It is allowed to send and receive from anyone on this interface. - - `talk` means the profile can talk on a given interface to the profile that owns it (a label must be given under the `label` option). + - `own` means the profile owns the dbus interface. It is allowed to send and receive from anyone on this interface. It should only be used for profile owning the dbus interface. + - `talk` means the profile can talk on a given interface to the profile that owns it (a label must be given under the `label` option). It should only be used when full access to an interface is required. **``** diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index fad9015818..98948dc36e 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -13,7 +13,7 @@ For example, if a program needs to run executable binaries then the rules allowi * A profile has access to a given resource * A profile enforces a strict [write xor execute](https://en.wikipedia.org/wiki/W%5EX) (W^X) policy. -It also improves compatibilities and makes personalization easier thanks to the use of more variables. +It also improves compatibility and makes personalization easier thanks to the use of more variables. ## Guidelines @@ -132,3 +132,6 @@ If there is no predictable label it can be omitted. ``` Does not help, and if generalized it would add a lot of complexity to any profiles. +#### :material-numeric-7-circle: Clarity over cleverness + +: Always prefer clarity to cleverness. E.g., if a rule is more explicit but longer, prefer it over a shorter but less explicit one. diff --git a/docs/development/internal.md b/docs/development/internal.md index c90391b048..9c3b13478a 100644 --- a/docs/development/internal.md +++ b/docs/development/internal.md @@ -209,8 +209,8 @@ The possible solutions are: ``` ## Udev rules - -See the **[kernel docs](https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt)** to check the major block and char numbers used in `/run/udev/data/`. +c +See the **[kernel docs](https://www.kernel.org/doc/html/latest/admin-guide/devices.html)** to check the major block and char numbers used in `/run/udev/data/`. Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed: diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 379241a495..5efd8129a4 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -68,6 +68,8 @@ This is the current list of features that must be implemented to get to a stable - [ ] Unrestricted shell role without FSP enabled - [ ] Define the roles when FSP is enabled +________________________________________________________________________________ + ## Done **General improvements** diff --git a/docs/development/tests.md b/docs/development/tests.md index 80bf903d19..c02427ae50 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md @@ -6,28 +6,48 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo **Current** -- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain` - - Build the profiles for all supported distributions. - - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. - - Ensure the profile entry point (`@{exec_path}`) is defined. - -- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles: - - Ensure apparmor.d header & licence - - Ensure 2 spaces indentation - - Ensure local include for profile and subprofiles - - Ensure abi 4 is used - - Ensure modern profile naming - - Ensure `vim:syntax=apparmor` - -- [x] **[Integration Tests:](integration.md)** `just test-run ` - - Run simple CLI commands to ensure no logs are raised. - - Uses the [bats](https://github.com/bats-core/bats-core) test system. - - Run in the Github Action as well as in all local [test VM](vm.md). - -- [x] **[Distribution Tests:](autopkgtest.md)** `just autopkgtest ` - - Run the autopkgtest suite for Ubuntu and Debian. - -**Plan** +
+ +- :material-github:   **[Build](build.md)** `just complain` + + --- + + Build the profiles for all supported distributions. + + - [x] All CI jobs validate the profiles syntax and, + - [x] ensure they can be safely loaded into a kernel. + +- :octicons-check-24:   **[Checks](check.md)** `just check` + + --- + + Checks for common style and security issues: + + - [x] Security checks + - [x] Style and maintainability checks + +- :material-package:   **[Integration Tests](integration.md)** `just test-run` + + Run commands to ensure no logs are raised. + + --- + + - [x] Uses the [bats](https://github.com/bats-core/bats-core) test system. + - [x] Run in the Github Action as well as in all local [test VM](vm.md). + +- :material-test-tube:   **[Distribution Tests](autopkgtest.md)** `just autopkgtest` + + Run the autopkgtest suite for Ubuntu and Debian. + + --- + + - [x] Setup autopkgtest for Ubuntu. + - [x] Validate profiles on Ubuntu. + +
+ + +**Future** For more complex software suite, more integration tests need to be done. The plan is to run existing integration suite from these very software in an environment with `apparmor.d` profiles. diff --git a/docs/development/vm.md b/docs/development/vm.md index e0f35a4639..1ca3851567 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -17,41 +17,7 @@ Available recipes: help # Show this help message clean # Remove all build artifacts - [build] - build # Build the go programs - enforce # Prebuild the profiles in enforced mode - enforce-test # Prebuild the profiles in enforce mode (test) - complain # Prebuild the profiles in complain mode - complain-test # Prebuild the profiles in complain mode (test) - fsp # Prebuild the profiles in FSP mode - fsp-complain # Prebuild the profiles in FSP mode (complain) - fsp-debug # Prebuild the profiles in FSP mode (debug) - server # Prebuild the profiles in server mode - server-complain # Prebuild the profiles in server mode (complain) - server-fsp # Prebuild the profiles in server FSP mode - server-fsp-complain # Prebuild the profiles in server FSP mode (complain) - server-fsp-debug # Prebuild the profiles in server FSP mode (debug) - - [install] - install # Install prebuild profiles - local +names # Locally install prebuild profiles - dev name # Prebuild, install, and load a dev profile - - [packages] - pkg name="" # Build & install apparmor.d on Arch based systems - dpkg name="" # Build & install apparmor.d on Debian based systems - rpm name="" # Build & install apparmor.d on OpenSUSE based systems - package dist release="" flavor="" # Build the package in a clean OCI container - packages # Build all packages in a clean OCI container - - [linter] - lint # Run the linters - check # Run style checks on the profiles - - [docs] - man # Generate the man pages - docs # Build the documentation - serve # Serve the documentation + ... [vm] img dist release flavor # Build the VM image @@ -60,6 +26,10 @@ Available recipes: halt osinfo flavor # Stops the machine reboot osinfo flavor # Reboot the machine destroy osinfo flavor # Destroy the machine + snapshots osinfo flavor # List all snapshots for a machine + snapshot osinfo flavor snapname # Snapshot a machine + restore osinfo flavor snapname # Restore a machine to a specified snapshot + delete osinfo flavor snapname # Delete a specified snapshot from a machine ssh osinfo flavor # Connect to the machine mount osinfo flavor # Mount the shared directory on the machine umount osinfo flavor # Unmout the shared directory on the machine @@ -67,41 +37,20 @@ Available recipes: images # List the VM images available # List the VM images that can be created - [tests] - tests # Run the unit tests - autopkgtest osinfo # Run the autopkgtest tests - autopkgtest-update dist release # Update the apparmor.d package on the test machine - autopkgtest-log # Report all collected logs - autopkgtest-rules # Report all generated rules - init # Install dependencies for the integration tests - integration name="" # Run the integration tests - tests-init osinfo flavor # Install dependencies for the integration tests (machine) - tests-sync osinfo flavor # Synchronize the integration tests (machine) - tests-resync osinfo flavor # Re-synchronize the integration tests (machine) - tests-run osinfo flavor name="" # Run the integration tests (machine) - - [version] - version # Get the current apparmor.d release version - version-new # Create a new version number from the current release - - [release] - release # Create a new release - commit # Write the new release version to package files & commit - archive # Create a release archive - publish # Publish the new release on Github - repo # Create & upload new release packages to the repositories + ... Build variables available: build # Build directory (default: .build) destdir # Installation destination (default: /) - pkgdest # Package output directory (default/ .pkg) + pkgdest # Package output directory (default: /home/alex/06_Projects/Security/apparmor.d/.pkg) + opt # Prebuild option, only used for the dev install target (default: complain) Development variables available: username # VM username (default: user) password # VM password (default: user) disk_size # VM disk size (default: 40G) - vcpus # VM CPU (default: 12) - ram # VM RAM (default: 8192) + vcpus # VM CPU (default: 6) + ram # VM RAM (default: 4096) See https://apparmor.pujol.io/development/ for more information. ``` diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index a5ac57f11d..b3ebc240a6 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -4,9 +4,9 @@ title: Full system policy (FSP) !!! danger - Full system policy is still under early development: - - - Do not run this outside of a development VM! + Full system policy is still under development: + + - It is experimental, and it has only been tested on server. - This is an **advanced** feature, you should understand what you are doing before use. **You have been warned!!!** @@ -29,8 +29,7 @@ Particularly: - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. - PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. - - +- User interactive shell must be confined. This is done through PAM and Role Based Access Control (RBAC). ## Installation @@ -98,73 +97,118 @@ Optimize=compress-fast Use the `just fsp-complain` command to build instead of `just complain` +## Systemd -## Structure +The profiles dedicated for full system policies are maintained in the **[`_full`][full]** group. Systemd (as PID 1) is the entrypoint of the system, thus in FSP mode, it is also the entry point of the confinement. -The profiles dedicated for full system policies are maintained in the **[`_full`][full]** group. +```sh +systemd # PID 1, entrypoint, requires "Early policy" +├── systemd # To restart itself +├── systemd-generators-* # Systemd system and environment generators +└── sd # Internal service starter and config handler, handles all services + ├── Px or px, # Any service with profile + ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) + ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) + ├── sd-mount # Handles mount operations from services + ├── sd-umount # Handles unmount operations from services + ├── sd//systemctl # Internal system systemctl + └── systemd-user # Profile for 'systemd --user' + ├── systemd-user # To restart itself + ├── systemd-user-generators-* # Systemd user and environment generators + └── sdu # Handles all user services + ├── Px or px, # Any user service with profile + ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) + ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) + └── sdu//systemctl # Internal user systemctl +``` +
+
Overall architecture of the systemd profiles stack
+
-### Systemd +### Design rationale -**`systemd`** +The systemd profiles design aims at providing a flexible and secure confinement for systemd and its services while addressing several challenges: -This profile aims to confine PID 1. Systemd is (kind of obviously) a highly privileged program. The purpose of this profile is to transition to other less privileged program as soon as possible. On high security environments, it can also be used to strictly limit the list of allowed privileged program. +- Differentiate systemd (PID 1) and `system --user` +- Keep `systemd` and `systemd-user` as mininal as possible, and transition to less privileged profiles. +- Allow the executor profiles to handled stacked profiles. +- Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. +- Dedicated `sd-mount` / `sd-umount` profiles for most mount from the unit services. -- It allows internal systemd access, -- It allows starting all common root services. +### Profile `systemd` -To work as intended, all privileged services started by systemd **must** have a profile. For a given distribution, the list of these services can be found under: -```sh -/usr/lib/systemd/system-generators/* -/usr/lib/systemd/system-environment-generators/* -/usr/lib/systemd/system/*.service -``` +The profile for `systemd` (PID 1) does not specify an attachment path because it is directly loaded by systemd thanks to the [early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) feature. -The main [fallback](#fallback) profile (`default`) is not intended to be used by privileged program or service. Such programs must have a dedicated profile and will fail otherwise. This is a **feature**, not a bug. +Systemd is (kind of obviously) a highly privileged program. The purpose of this profile is to transition to other less privileged program as soon as possible. It only allows transition to two kinds of profiles: -**`systemd-user`** +- The systemd executor (profile named `sd`) it is the systemd internal service starter and config handler. +- The system generators (profiles named `systemd-generators-*`), they are used at boot time to generate systemd unit files based on the current system configuration. -This profile is for `systemd --user`, it aims to confine userland systemd. It does not require a lot of access and is only intended to handle user services. +!!! note "Profile requirement" -- It allows internal systemd user access, -- It allows starting all common user services. + To work as intended, all system generators **must** have a profile. For a given distribution, the list of these generators can be found under `/usr/lib/systemd/system-generators/*` -To work as intended, userland services started by `systemd --user` **should** have a profile. For a given distribution, the list of these services can be found under: +### Profile `sd` -```sh -/usr/lib/systemd/user-environment-generators/* -/usr/lib/systemd/user-generators/* -/usr/lib/systemd/user/*.service -``` +`sd` is a profile for SystemD-executor run as root, it is used to run all services files and to encapsulate stacked services profiles (hence the short name to keep security attribute easy to read). It aims at reducing the size of the main systemd profile. + +In an even more secure environment, it can also be used to strictly limit the list of allowed services that can be started by systemd(1). +{ .annotate } -!!! info +1. **:construction: Work in Progress :construction:** - To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](development/internal.md#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: +!!! note "Profile requirement" + + To work as intended, all privileged services **must** have a profile For a given distribution, the list of these services can be found under: ``` - @{lib}/foo rPx -> systemd//&foo, + /usr/lib/systemd/system/*.service + /usr/lib/systemd/system-environment-generators/* ``` -### Role Based Access Control (RBAC) +### Profile `systemd-user` -In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: +`sd` allow transition to `systemd-user`, the profile for `systemd --user`. It is only intended to handle user based sessions. -- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. +Similarly to `systemd`, it only allows transition to two kinds of profiles: -- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. +- The systemd executor (profile named `sdu`) it is the systemd internal **user** service starter and config handler. +- The user generators, they are used at user session start to generate systemd unit files based on the current user configuration. + +!!! note "Profile requirement" + + To work as intended, all userland generators **must** have a profile For a given distribution, the list of these services can be found under: + ``` + /usr/lib/systemd/user-environment-generators/* + /usr/lib/systemd/user-generators/* + ``` + +!!! info "Future Improvements" + + To differentiate user session started with `systemd --user` and a root session also started with `systemd --user`, future improvements will use apparmor namespace and will allow further restrictions of this profile. -- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory. +### Profile `sdu` -### Fallback +`sdu` is a profile for SystemD-executor run as User, it is used to run all services files and to encapsulate stacked services profiles (hence the short name). It aims at reducing the size of the systemd-user profile. -In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles: +!!! note "Profile requirement" -- **`default`** is used for any *classic* user application with a GUI. It has full access to user home directories. -- **`bwrap`, `bwrap-app`** are used for *classic* user application that are sandboxed with **bwrap**. + To work as intended, all userland services **must** have a profile For a given distribution. If it is to complex to ensure all services are profiled, you can add rules in a local addition file under `/etc/apparmor.d/usr/sdu.d`. + +## Role Based Access Control (RBAC) + +In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: + +- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. + +- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. -!!! warning +The profiles dedicated for the roles definition are maintained in the **[`_roles`][role]** group. - The main fallback profile (`default`) is not intended to be used by privileged program or service. Such programs **must** have they dedicated profile and would break otherwise. +!!! note -Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). + The roles provided are only examples. It is recommended to create your own roles based on your needs. + For example, the play machine provides three roles: `root`, `play`, and `deploy`. See the [play machine](play.md) page for more details. [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full +[role]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_roles diff --git a/docs/index.md b/docs/index.md index 25d8ef366e..88aa903699 100644 --- a/docs/index.md +++ b/docs/index.md @@ -39,7 +39,7 @@ hide: } .tx-hero p { - color: var(--md-primary-bg-color--light); + color: var(--md-default-fg-color); font-weight: 400; font-size: 20px; line-height: 32px; diff --git a/docs/overview.md b/docs/overview.md index 20a5a454f7..b63e0ae201 100644 --- a/docs/overview.md +++ b/docs/overview.md @@ -23,7 +23,7 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. - Target both desktops and servers - Support for all distributions that support AppArmor: * [:material-arch: Arch Linux](install.md#archlinux) - * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-ubuntu: Ubuntu 24.04/25.10](install.md#ubuntu) * [:material-debian: Debian 12/13](install.md#debian) * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) - Support for all major desktop environments: diff --git a/docs/report.md b/docs/report.md index 34a5ea69d0..199951f633 100644 --- a/docs/report.md +++ b/docs/report.md @@ -43,6 +43,7 @@ You can get older logs with: ```sh aa-log -R -f ``` + Where `` is `1`, `2`, `3` and `4` (the rotated audit log file). [newissue]: https://github.com/roddhjav/apparmor.d/issues/new diff --git a/docs/usage.md b/docs/usage.md index 372762998a..c9d19bad83 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -116,7 +116,7 @@ profile dnsmasq { ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] +aa-log [-h] [--systemd] [--file file] [--load] [--rules | --raw] [--since] [--namespace] [profile] Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. @@ -125,12 +125,18 @@ aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] Default logs are read from '/var/log/audit/audit.log'. Other files in '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Use 'aa-log -f -' to read from standard input. + + Logs written with 'aa-log' can be read again with 'aa-log -l'. Options: -h, --help Show this help message and exit. -f, --file FILE Set a logfile or a suffix to the default log file. -s, --systemd Parse systemd logs from journalctl. + -n, --namespace NS Filter the logs to the specified namespace. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. + -b, --boot NUM Show entries from the specified boot. -S, --since DATE Show entries not older than the specified date. + -l, --load Load logs from the default aa-log output. ``` From 89cebb68e4d6160d947e03cef0d337a02278b643 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 01:08:02 +0100 Subject: [PATCH 1317/1736] docs: add initial version of the security model section. --- README.md | 2 - docs/concepts.md | 19 -------- docs/overview.md | 2 +- docs/security/arch1.png | Bin 0 -> 97235 bytes docs/security/arch2.png | Bin 0 -> 97664 bytes docs/security/architecture.md | 81 ++++++++++++++++++++++++++++++++++ docs/security/ecosystem.md | 79 +++++++++++++++++++++++++++++++++ docs/security/hardening.md | 30 +++++++++++++ docs/security/index.md | 64 +++++++++++++++++++++++++++ docs/security/model.md | 12 +++++ docs/security/threat.md | 37 ++++++++++++++++ zensical.toml | 14 ++++++ 12 files changed, 318 insertions(+), 22 deletions(-) delete mode 100644 docs/concepts.md create mode 100644 docs/security/arch1.png create mode 100644 docs/security/arch2.png create mode 100644 docs/security/architecture.md create mode 100644 docs/security/ecosystem.md create mode 100644 docs/security/hardening.md create mode 100644 docs/security/index.md create mode 100644 docs/security/model.md create mode 100644 docs/security/threat.md diff --git a/README.md b/README.md index c1c7726c5d..a64e0d900c 100644 --- a/README.md +++ b/README.md @@ -45,8 +45,6 @@ You want to try this project, or you are curious about the advanced usage and se ## Concepts -*One profile a day keeps the hacker away* - There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises: **What to confine and why?** diff --git a/docs/concepts.md b/docs/concepts.md deleted file mode 100644 index eb4ccbbc42..0000000000 --- a/docs/concepts.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Concepts ---- - -*One profile a day keeps the hacker away* - -There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises: - -**What to confine and why?** - -We take inspiration from the [Android/ChromeOS Security Model](https://arxiv.org/pdf/1904.05572v2.pdf), and we apply it to the Linux world. Modern [Linux security distributions](https://clip-os.org/en/) usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment, etc. Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox, etc). - -This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users. - - -[android_model]: https://arxiv.org/pdf/1904.05572v2.pdf -[clipos]: https://clip-os.org/en/ -[write xor execute]: https://en.wikipedia.org/wiki/W%5EX - diff --git a/docs/overview.md b/docs/overview.md index b63e0ae201..50f8d17cb1 100644 --- a/docs/overview.md +++ b/docs/overview.md @@ -16,7 +16,7 @@ title: Overview - Confine some *"special"* user applications: web browsers, file managers, etc - Should not break a normal usage of the confined software -See the [Concepts](concepts.md)' page for more detail on the architecture. +See the **[Security Model](security/index.md)** pages for more detail on the architecture. ### Goals diff --git a/docs/security/arch1.png b/docs/security/arch1.png new file mode 100644 index 0000000000000000000000000000000000000000..fc5ae8b531cdd55eca620d5112ebbeac2998dd50 GIT binary patch literal 97235 zcmZ6y1yEaG@HTvd1$TG%;!d#^T3m{|yF;;J!M#8!6o;b4in|5(;_gt~i~E<~_sY!w z%}yqhJCiv%d+yz5pJ#WYRFywsppv2j0DvJUEBy%o;3{BmHe@8&mA?91C)fvq`#U)e zWZ26O*&-759pwJ$<2&H@AMyhLpa$fmr8K;ajPV{T z`gS$69G))SsLvZdF8Nkc%M+-ke?mZz!q)hbwC3ylFy`#SCCDT!D9j|hv*zRPo#2}^ zG%7kY8u;QYdg8^>9XSd4e@qh9euEEQPu<&7aXuF5f7*8>bQ^xo;Q#j*!}d_f-1i*X zX{mhB|1@~LF;Nq~|7i*TNV#(PcZvr;PuM{Jr$MwXF^Mt$vnCsp%k){Zy}7YGi~Hz2 z?=-g$Dj(qgm&wgQKoxQt9X@rF5N!-{ac|Y~r~8j;zr0b@I+k>eoO$PECZXY)BYh2V zM=~8x*3s!086OOqJ$m%GPm^wE#_#pCZls-JefB#m&m=LAMLfEEQVgz@6+Bk` zxo`NNN-`7)6Z&8^C^>61ec2MVq@*WZC$@J~Z8qQVCeJ16Q=V?|>DTeK4%-lBgSLXf zG&XG$e+8}g5q}$9_cuTT%|f16zfuM4ehCE}|4NVeQnCE;v-?x-ZC{Fqy)>n8j=xj; zvKrGqTVPNy?RpyGH-5#-6$l^nw%YVs-gPss5j>M;+YfUm_2hrP=xj?nwc5#s}W8{MJnL+{YzE=jM{4zK?j$FU|)1{mp@CDP7 z#|!tf|J9%=;@8XUM2Rij{_2DIWV4*NF0(ch(tn4uM7P>sZeo6-KK=LxsqKK@upo~G zH{b1cM)9H%{F&%ad=Eyv4ExTkEyd^HWt8iVqhS8{_faj^B@w;xbhX*AT<@xO%KFW{ z(e9rl!Jf0puJd_g?2njK-_A7P@0AUSFZL06i=q*ynaaFc_UZ*=f@NZ48ZP={;Id|Z z&CAvuuZiZx8Cxk4NsMPQ&PPq=&BWSng{+nLqtAoAsa(_sksl$G#)Ki!}!ETc3!5pH;!gU5B1+R zhgeFp4JGnwGYTYDF^8^TyD@?*8B_|!IGNtdaj{s#JYJ>ics7e%sP~AmS$KK-(dw&= z-)r`2p2od=o>ji=rA=Plz=wfw?JAoKWNKL|fl9+S3#lp+Cw!B4D;zigIpaf&mysrQ zu|u-m*RyO7^E1~IKuuPBgcVYL)T{Jk zMG(jO77T{m*y9oOk`SfN-=B`nZrPk8_gSI41J0dl63$*-3^-828~4Go@zV9}{)y@{ z0vyND90A>@t5uEb%j|jd$caJ%mz3||NF>KUaW>}5;T~{=_y86&#`{$JM=9>?J@mkB zM78D{;XJiR<>GW*F7s%FO!b-0Nw27y9lC1<5KA|yYSAZp-*LeXt3_HwJ$pf04z~qN zis$V)A0dokp%Yh^aGJg}Ln%L!G2nd~BSJ(s zub#4$i7#`GzI(ftn04h$Rdnl?kra>4;btK*t0IDi6!?tkw?)xTfOSsi zQ>2syCtX3bDNd6>-Mj94m%66qp-sdYxtwMMY@{DgnRFH3e{ z7B^61L$?N)O&_N#%^Hi32{(Sw`Kb|r_prigxfL5VALE?Oh zhorGWwB$c6K@XOW#7q)F6@F4K((}?Fs1%zpVPZKc;;CkJREyJud;E||ja6Q?BI1sW znJbnMYZ;p3YK!LaLiKxx^$x@1m1gzhrFsSO@4u0rU>E$iMtR5a*|dM-M_^KXlCa)R zl?d$EFnXD((AOT#7SneWchHI><^R;V_j~Xbk(dwsw>Qptx82a?GijYy z`O`$&BaM3PP5e%Nyf|ye-4>c!jfLDSe}A-c9hb`J4G^Ur_ zp6AEgvLn!^r`YCPC4Z$TT!!A=u?&?l28oZA55iix=HO4B&@T7=q=2Fqv9k~YX4{Q! z(RZERoXBmH+grB~if4zHvA0x7p!6pt{RfKaK=(6Kl2Bp$xpLK_WWS!jLmsGH_2N~Z z3guCAg`?)Ew&%7zj@U1I8;O+K4D#pP?@!2u-RRZZh3fbC2rI{Tf=1t5?#fK4oUOI@ z!Q67}eNW`vNn1MaO#jDeZdk#6mlT%W2H{UjZsdAQO-R{A-V|&(6dcWuh^)KeStM;@ z#c;$Bk$ry=jKK?Bc-!c(nD>$+VK4$`po8@B!u@58%AYFcE(jhxV^y%sY1mSy)9P8V z)O3Y3vW`K@hkdy_HUgwBZ1A<3uHFIq082on;Jee;d+XAL%-;gyFGvP&3|lmwJCO_t z*t9hKEn}a`9Tsa)v8#|Toj(Vizdo7f7YE*~^S-$43`fOqb_i`<(ra@gG+Ia>#RSW2S|^(IQ`VMOa}b+Z;d-I_ml6zp@&|}583t;#e1rq<65eb9apz`fqz=_ zNTlssTO0!h{97dE;J+eOJt+n@#;OOtKD=JH{Ok-|LkSpI2Q-czdwj7>p0DSPXL*Mt zdA3Jzcu4#QB&Vj-G=jF!wO=l2=DorKW=k~{%5`h|kM@oZT1JUAD$G|?ldG?05AFkA}%V^{sRK8T# zxtu2xqik6GST3lHQMK?Hz)Vl8N$)1X8sBw>VpETxMpnpALqg(W?Ni?96LQaL)Ybf` zx_T6!`E980xJLRNgn!IlG{?eToJ}R#G&4T?0AE+BSI^ob)&1qy#OwGv`6poX0lIl5 zIA8Cu`044q2a5y~eeU+%ZPKmMk-~UALFhrwMMs5xqcVuZAE=SY@PV5+r_{w_js5YM zsvzmix7kXq_GLgkks$Bsk9OUWbH}|EVoQG<8IeWpVqS&qbWxQ3@8%EOkI2GO5pDlE zp)1_K-;pE6;Cnbm_wcUggDR?R z$=DX^=Z)A-+om-vVwFO6Ir4*M=3wDt*0G7m$onTxV@(&?MR8DZ_7{0{Qa)LBohs;h z9A%}`T3hq}Vr}tV=j)?HyjSW-9g>mvCgR0r1QqLTv`w&t`RQAq_bM9W;TYy(U#@I; z<;3~9JdbrQ<~v{b;cW_~FVbqdjq?zWB!6%iDmOFJA2#dm2;cP?2R>hKeHA?&WPQ)G z%>@ITDjRCk-0PYV4)s$I-N&zdcpK{QDiY6icN-yC-|gRFo2^HZ2|BT-<^(=%Q%UjV zR4h?%Y-f3`p`1u=YNu%%dL%E@TF0aI^K7ZWmn-?f-?=a;2&K9~joZI?)U+hbjXO@} zh3&6*c8d5BbHmmf{6Z>AY!e3R_BubR?ELdZ58X#vMf|?N`|+ev<$kH}QYfo<_D~xv z>N>3?7`5!w`X;-G?v#NUc|N>UvkYm;iIxB6;ixiZ-pE%8aX0MEjAf3fPq58md!zkV zLjecB+z2cxN>8sEgGag#vDh$9(y0Rjp{f24)C&aK20#6};_l`p+rM1T=y}3c6kSt9 z2MDm(M)-n0{3mowslcPaS2V7;#ptwoSEuq=%0Jk$42iv*1-`Pa`QI8QXF;GmWq`#$ zBKE({5uKyy9J@--dRLu$UFtjbrh44PI38pL32K|k+D2+GHM*KYiW{_5E}PvG5wc3x zC3F%*?Z4Y)@L6<+FMLL6#Mg8D{>kk>57}WsJr34iUmDG!=6U@hwo~+oEj(z)3L1e^ zC&CuKU6spY#U5R;C1zb$Luw(LQ;wrWogd&A<^KDx?6m9tw^^yY*23JUcAAXT!vr;oa2*$6$eS5p& zo(F?wDS?bnj_t26k8nBL(pBz9DV#V-5mSGJ+hGy8<1g5 z3R8Bx|AS8g!b-(L)>82nO+W^ytO|}=30I(0#@$XTWij0O-Fk{!uzi1AJ1$*sM{+Hq zv1|LrxV;EQ#;iws=w#*tUoNR!hZug`*}<>kLJ&lI*HZ`OKr#Ua!AUKiC#-9}XJW2v zK703ef>|89)F3=c#);}fI^GHQNg1LN$j6?#hrpOYhj#+Vj|QiUG(lF}UbzR?a^TxD zJip2UF*f68_JQSa3^GPa?+uWpCij*xJY}t4hCjQ)HONuramN2*TbS}DFCNg0s~G) z5wFv7H=}RY5Pb0x=Ge4hH3ZH+*4VSekCa3Bb=?Vsoa)LmjwJ2KQsvJRx7-o(3u}p;U%o%q-{SQy}kf%|I zmbwA7^K_Kr1N=emfB7gu`k<{&r$+?(Hh6#Ik;n=HI_`z}B*x*tN^5^$ zJDaKJGb>fW-@t0P>v%lHJ6WnnYipe?)7A!ZG(^)-c1QG`+ckIIh`m0+k^y$fl6HL7 z*(4LONV7)xlhN$NU+deQvf_#h8#*CW5QHl|o zg`AV0ED}AVWQ}TMW`3#BO?xJ}g1{_cH}sA($kordeJ^t`;unusJaX`ZhHTI~JfQIoG)H81$mg=cQT@29;!e zcR2jb)D|&3lby0DgW!#xM#b1MKd;p&_Rh!;tfOkzM*FkIb);&OcX^+W7t}r<&J3NM zEFL~UrOGmHvVC?*G%@U7p6*KxY!ZSGj33QwHX=aB!N-;B4TH;rV01jv&sF&TAPrpM z)pA{46~lbuuALvol(Pt6Ui2o0Ff0!E66S(3+6ReRJFUqF%>A%gxn$H2ZFJ=Ch%;~k zNxiQoKhAn3Cv1@v7Np~~?(cQz$)ofIN!7wX^Q}+KA@^@y zBZI*$63P@>GrFq|ZmUt^3V-B^)jmD>tEhnp9!~Y`R(v^Vw zt|B5d7+*Q~j=QUlkkiPZFm`i08Y$(Dn!BqS+SmOQ01Jnu!T13ArPz35#$X639Y~42 zUwWIj!TT??L(FVB{F>w+K5oGW0GWTh9Xaz^K%2heiB9uC7u`2{T+x?Epb)0&Z zAXe??yES#UgFSGGF$8&(PBLBn5f-w&q|yu_S>m!62EnT)%C5F1)%5<#R>5nh&3lwP zV3M0Wd6bFO<%Z~J>shxG!WgCqY#wFei(*iR^;)Y%uomX+675dq?XDdklyoTlkDzUD zCz9vcS_PCP7pL@)AY^GgjSP_DS_%R>DW?c>DG*M zr#}Oc=p#_{2p@F|l`;gPX;9#sx__J9u&U-t zu7HrxtP~S{P>U^O@4N2+V4hc7~H>7Hcdum-r1dCs<+-{KHIp1PS^HQoh|HQL)0M^WaIIw%@Lm zEr9ZFdhkbQU;>y1OXUi}C9cV1ACWP7Et_tQBPyET>+|j5c?LTTa*W4l0aC0Z(qJfD z&<2to)=0?p{;d&S7DxLO|GcY%it=mgAa&1|aC@R7p)aACCY(y4Hb(|u$%Vg*!aX7# zE%Zj=5kw{Y=R^sA1~e=Ltdk8|sL}tv!yt0QhF?kf6c0D8V- zqUZZj7oxZZZtMi?|BT@IrF<_x3?$ZO)c-4(%CT0)lL)-6XnIFTH1VnA6GQUXQOrN9 zq%*n6KD`mRP-QEmvNP5U36aUf1*t=?l_pm+CRn^?ppwO&0`L#i z)1{hh9;u)@w{97s1(WPeuB`|qNZK|D!fO|LC<{!AB!tOI*#1tgSUjc|A>2$7zhMt7 zR4}baHE-&N@by=v80W;0TAWwXLG-%Qr52gkfLD*nmu>}_!gP-(3F?@&E>I4PMNFAq&k_45gsS|1p!-{OPQE|J*op7Yue!Va8S(q%jqtIGy2mGThyEw$5r_! zRP=;^Ayhrkz0pVoPeAZ0W#E(RyfxgRD;~8bQSk5J2~H=*J9Y^e2`XJ-fb$Jp^_VXS z>1$jM@I`%V#`yQ1Ttv3XnP}?W!F%8gHiahP&f6S%kuW7BDhX&r?ds!kZ2hE z{_C?CO0BVOp<{gFz>p1`PcN0h%K|42qe(PLOiJg|4rer1?eEKD^<#!N`VDWd-Fb+x z$?{25%c}v~GK)FqN)dCFv)QsAsJn&62^jtlPidw|JfU{U%Z<+3^cW9S#izaUgTyYI zCRBe_@)lexx6%K#NJ^C%VP`5=`(aD}ayR?8#kTK}z*Po(P_{|+tJpR5GX!O)k^v)J zL2bQ$lBvu572_ZJq_@uo6}r&wD+8YuWVqoz-(wFx4$I-I*CDM!XrDH)jU0@)bk=gi z!r-SdptxdsmQz(yc^1vltZ~Zh!TN}3Xt^UVrY-egn?7`jb-jp|^0nY>b?QGObmSX1M(bNWL-45$)dZtweSxOx40E zVhC5|QRearha=&_c)f%NkJBatu#UzWu^pYZY$e#%M>a#o<}mfNUuq=DR~iKq$XmCO zI*NyxyiUCe^I3&gx@v0DNG~cubMkOrd6rn``VUKioKv@$a|)3lGZpMX6indwhZc!M zK$}}hw-{PDwkLLqDjJ~>uuo#0=^DLa;@JIAh-eb&OX$lQJVJR?RZoqv;WJ&NWT&!L zV;Mt>giPG=@^F+agJLrDFd~Ak!(cwK((FFl0TmBZ$ZLQEVG$EqAQG~acS59Z&=-`= z92eNC7C_h}@GToz-SaCdo$YNP$Y+4f$z~tdz!bxiuIWeJw<|QUZ?g#V@^j3F>~i4J zpc0^ApH)#?hI1SBFi*##d9jHW+ zD}WoOB5H8LIe{{tjwgLG2Tc$_8CRw8mK`K@im4%)+(DBEkvw3{nX@k^7}K zAp(4I6^Jod@B5;Xh3T=Q;;4|4lUNjmV@QQ<`HzM@j^-=1(a2xpb2ub3UT^iJ;t&yt z;E8W+oH#>_y+38nRz=y&h_8HRY#S$M?)Jvw^;MaEzHJJJE-gzP)v5LLHYgqS^}(OU z`bOfX3AsL{{ww+X4aOmIhAUIv=fIv#lZqgSWc&xSdC1L)l_9)Ab>I>CW_kjYKc=2o z6%h&#)ELt?ZB=X6U{w{twE$7rlD+=>e(UAiz`Gk7fPDi`LTl**&~dzd+;!YqK7uV+ z7gEV48E0*-gqVAnirZld;d3(o@&;j|no3d&q(?&5xowSH0M>!a{qr*?&|I#b=ho=) zMCP(BAM$wxnXuRyM*219p|MUV_bxv?n`pDVxFfwosuWD{M9Hu?w*v; znb5HH%zYHYDxa)6)8*VWscyK9#W+UEUMreX8!J+u3|5ZC?R>py9b^-9W!iKJQ}_nc zT1wLE(PJ=EIO#6zA;ef$LzD{a$bT`Qm|pxh($dA5p*u4LsJ?GEuvH%}2B_HnAycDC zNund(zC$;??ltSD99@#ZCXW5pkm3q}M-#s&ph;Ci)C@>W3_-cdB^-;zCR)Ogc9W2d zK>d)ad%-*4Ti7#IRUGh*rl9WV$9#Zwkq<^dmkd{Tf)$|DACe3hny}C(kWknLLEym~ zQ^>YG*Ia$EnrOacLd@veeWU%!k?UX>(-2X@Cgh}qz!h;ABC5WB9U31R;&kYG0wH&e zBUSa=^2^eMz%dEx3~9)&k*5Uc@?DtjhJM8&pb{BsY3{8 z^lrk8EoTCw+;(JM;9jN!@6((KB?&*DG;Hmy9S6Mm&EyC6ocLnElRxm6hCSy>216f! zcNo6FZ$oa4FIf@KO+F)P7>e}5kbJ-%kYc3pCB#?UJC*<#7L@#yb>Ew+fXd11OoW8* z;N^AILFwgXK>t*sLQGEtR+*%6a3074TjDq$_;^DNke_+d?X`S zONP;ds&a^y_*abznKPL&fXvUHJ@1}&WAd{fuck)-CBTg`1^B6x)EHQpX5 zXNF=u*Ai~!R7}fF84nUcNx{4e(f|n*mof3F3S0jz5q9Y`t{cX9KdlXcEF!Tgz%V}c zgEI$Jr&|-0qcvv<6@28AfS-|)1?oT>5G{5HAWLzFs9JOes~FG~Ac+86XRwkGcPlKS z2uM_o)TvBxnVT5-V4l6S3`NSQJ>V*ud9MKtgZYWo?x^<+TmN( zzaiYw__q>eHT0%O1f2?!Dtr^A<&-?`k}tuVdSb!kY>Xbn3UG0t0I61q4fW_KiUhFi zR5!0Fmk%Wr+jOkwThAGg1qcU3lu?|$$wgtr_nb%<$3};?#*t)aE@0~bGB@gGhUXtY zxH!TY9CEw8DQ7*Vorhxv{b)%=TW9Cc1MGA(wg>^A@{rUCL5GFh2RLdbq;5N1_+PbF zcC;8&>WU}FF?v8uT_5k$)w1|&9ZFSbGLqkvU>P=3aJ}+lS+{IbSI}NahDq6?xeE@^ z1P1{%-_`OsFL@+*pi@K`9y1Q!F01InZbs?jO^eaq9`d4E7r5>-B&wz=#3UptbSg4V zW~w4hfpR?#qV?`PmkZqN79RH%=4#U&x5?XvBm#4;2$Lc?f(iK?+!A9I`4~5xGyWJc z#rF$@p_|Ta)bc5n%u82qNsc$@?{I1-x)~bcEzMe*FreUj^CB+LG$JyW|J|3>gG^`#*Vb$-S2wHs`*t70(|SMR1Y* z@&Os&F&K;1`i<77tm=N238HWUHkgzI_h+@##BKsr9b;pR;~Uq+@Bum=>rkz*R6#A& zth$-O%)IMuP$dPEj&hzSVWa~_A*%*%MT_x&*j2kZ6-C_FoIlu&Hk^Bu(jk-ik)!NP3)a_Y`P9fr-dL@l{=wM8g~-tEa6 zi+Yamj~YfDoK7*gcd@WtGHNeKIGTCbNm>50q2~4Zj4YTG@w(Q!4jK${>kHJ(%}rj~M=L<7 zb*z*~+CJoP`vOG(9OIl7M9=^%Y7`fY*3V2OqMunQ$p_?iEIrVvE_M}aXtgXSYxK`j zHKJLNbErr8Qhh&3!8YbSFd`Kz;qZ-}$EmwfttygN^F$$`K}i zc)t$S#>#NAp>(t$06h&K@X7-XLVPm(cC=n+$_wI;xd?-8Q5w3n7nG<0SFl28nOW)n zTh)mcyG=N5|50Sud&Aq0e{K78Q{z!4O7pkA6(T%HNz*W;X%J2E;r#8PQheVAz2R}X zhy{7U6TkD*Q|}U^&e}z4$Gec<0NH+E<~*Y3D)_J8#b&KA;@2YA0(sxfo-0p;WmL+0 z!R%WGwsi#n%aTBNP*+C#p$D<}OZy#azH0RC58Y|Q=WmM;S&%g4N7&gwoT-j1h!dy( zcF-%~B%Y4q1l|b>L!&S@Zlw!*JU{Iqze+#RVNr+_+>inE$HepIKezS#81COg2!ez~ zH~(IiPOos>Go>~6;onJ2}fI1yu?dWv_QeQkelzD#zRX7 z_HvC4>Q18?Df^Z&jE5cUuGTm-@XJRh9{*7nUAsm{YQ|lg%i&ffO|BJfTpEX^f*)Oi zdV5;ZSWV1LGL^VC(%(5_8SR7k2ZPGVH5loxF#?l(6V}zSLnBS>({^(Q!1i6YlCQ`A zRu|OrOhwc5nEo16+|_m0F|u+C0nr`__uCut5Uk0qzXJt)HA$)>8O(OU8h3&A0cJ}y z_rkNAHe}l16VKkCUk6XQ5Z{H;QeC0t4%E7q0w%U6jCIcM^zH%GF1tdn(>rs_;{6W$nWmmCx=Ld)`+<^dB zxoAO8E$TWmOVFTQu(1+&9)ApibWFY4NHE_yze{tmik>I>Lbbr`$>H{ zVjBiw@gaXxJrAE5Y4nK~bVEzHb#B674Wb3MPpn;4a2#?jR`vWF+r^__y9-gyuOcXuOAIK&n# z)8L55@B~q}L=&IknnYsY=MFKBU0+2FdgFfWsi_%)`y3VA5W_KxCQA$QqD5#R2f(=~ zNt1B`gjXP9T3g?R;L5kn6d?6B-oIYbT;@ptWj{%-G{DRQtF#iJhc1#(Da_I8$UiY> zVNQ{A>C~pKOCR8Ms<3}7KZ%XQC?nkb2zu+8>{yq0PSLn5rY!*8* zCEP<rS15)L}qln;$T*O_%ZwU4% zNBTO7KlMAKY9WitVP=9C`zihzA$W7lf=BP)p15;rVXg&zt|lK4H9A!xwz2Fn18uAD zz*Tdhxx!h~^am#8#^jboBXHB)2%KA*foLjl6$$PID@qhQUY^X=8st4-&72A<@i}k( zs;JZ3rwg@9k65&zAJP;j(to?>6JaQ>q{^*+lk`nbRpg+xoRdvUYJ5ig5h-8)$FrT( z6HSmjYn(gMTC~2)3qc=IeXl>StJh63G;TL*$F~;F_emRN6hRX7wftQl1vFo|j$%%z z{AB8*pU8!MeaOD_+Z^ljH-v0jiV4ZIil)4X$Z8yOhuxe!239Mv~=kqV?XSz<6NsyiU;Y%07et}d#cR|N47=Eyh>$a&_ z=uMrp*miLrFD`>dxOqNwM+)49@O->I^_p1vIc~|zjh$||ZSxgb5?x(LRh1(0TY?ju zXm1OY3POGKHH+I!$%68PL`g^6yFXLdJw&4N9k%Qr5j64Y z?1pB~$KqUZ&>EiYOlGn1% zOsih|JaL95UcrTLiX`eb7-DKp6Hf9OH`?s{xyq&|74FpZxQ$1U{ff&wN^uoYAwoA3 z%Hu0x9Y^)XZFiWWo;2-8^GdCI>)qCgw)FCvzjX4F2b~j5H>IbD1B^j@eJ#!)$ui+u z0qL;m`U;_61i0Uw(>6V>_@1@f)hZR#IWB8ae2dKCg7udi$Cpzy6@(e`G3kv171DjR z9UIzl>wLa%9_xreOi( zGn_K6+3K%v778S1rY*A;ogo(IkG zzgZ0BVYqvby8@`2tIYEUOgv7d9r8_H|Fdr^9lQ{E8j|omu$@#+FJcpI@`09OJ5mbR z^sz#V4sXaY$@X*VBkI2@eTSDgg)<6;(in7i-;CAYA~uju3($wb>Ov;YrpAhd8+(R5 zDx^e+zDPJ+@U9d_i0+~g>~ov?Q}1?(>?2~Zld29k-vmS@Ip`X#;1m{Yp#k^CV&W55sxp7NA;*_Y5X1J0ln{)9Yy<8C@V=FlkJEQN`0m(>OV6m+;w z^atc{2_x0fcd?17m8IJtsWQ3ix)%2vCX>Lg%$J1;Ai+;Dy)>c-t41Vw`fjnw2lH7v zkp0O>0Hd;{z)_NoimrqgmqyppX@cO4clVcGy`9Y1halZ1)yb`&Wk2E~dQv@TFt&dp zuyvVjzz+w@=YqaKIWsZBZ)ZteP#~KVeecG`LHT+M<-nqYjsr&(uBSkd5`vYuqUkoY zJGcxxBSh2XLg?gbI`07wJSo`Wn0i!2;sDBd9#C7aQlJ zq{F1Y7j0gwFih8kO==HnOznZZYq&vEI!tw)MxR>{-iJ1Ozzi&ar~2i3R{P`1V4E8= zI25#&YK)l(um;Bg!3m-wDje&a9M%x!IXcYJ2d+~1nEO9CW(wZ(k;{Jjan;UG{>w~uT!*CFmo zB?QJkoh99RK9Q|p!-LJO$h6@Lc}KMWbTc!9H_NvG)rW8s>KMTRWSp4(+aX&F7NETl zYFCj!co$)@iyGU8NFu!5h>e;mIDsqs?g$jJXilzTaq%MWPlKx8c)YUPrX)Cjd_jO@ z#-m-nOGs{5F}f`06O6@~$I+1?j*ENzO>-RQ1ph z9($BC;afN(nnGY;i302g$Bn>c89#81a>ROuPe{CGJ;wmF;8lT{HZTDbq^ji#{+4s3 z`>z+ZI}n+`ic{hZ?Cgj&AxSQx4fKHipF!jDZCpZC^O_nAYJ=skFDN4Z<}s6G!1zoJ$V=D`5<(?4Xw@HbO<)2 z*vm(9?YF7ql_}yPB!+fLRAj8EcEGG*1HVE4-h{=3S~yfEEnfPDAu*Rf*0uV8HtL3M z#=Oe`BVo=JS=oH0!8Gfi3g)sV6Z&)bEF*fcK;QCo1&;LCOXLC7>XJ-t0=db_1t9{m z>#v;z_`z9F-coEF1K#e`a4DRg=~eR@$MHD18+T5UJB29~xJuXX4k**{;5(A-1g%3P z4DbgL(Gn01%&tKW?<6<-^Hx#r#Wr;H$$;oye@QFh=H~sj@?-ep5>J|Gq$8eKHg7mK ziqN#=5}Ak%bRByaB$9Yw7h;QP-nOpuc96q_h^N^Ffb0(s|0jRiW)sC>(K<{VT6Y5# zepQ)wnFtf|8z~u`c{$d7Zf}Zt6|4P_0ZZj%ts;-r=)yeJYTW+@O0&~pqG8N`r3nm44AU!dUfAKM&{GIk0Bgi0xPPCJ_>5n9h)Ab{};{?)Gx9um{zetdQiX}y& zGv3`XPXjCMA!0yQt(RTwC^M&Mbc0(J}D@ zvfYiz`0;bcAkw<-8j<_q+7}Q#x8ZhD1)^1Qd(za@lQI!`kZS}+s7C~USUvrn8Wp|| zW?J}XOA%siNoMpyflha^b!JGi1AJAXjuzJIR;MH3{!tkeqB?nf{|xDqK;&)=dtqcn#AHDEWptSYbV8e}xIX;hb4I9?2? zexp1?rsFfl@d*;KJv#_1JHq=A?3#>=AIiGc%GQb zjjpE3h#KZ@i1;8q;cGjRhr`;uJob~ta&<42(liPG8fK%SOlIQ~b`LRehr9EHRT>MFbNf@!&uN49zHow5S#qDNS{SPMOh znBLRxTqsR2Bu5@?5#51L2J*-O@Ku``!<2{ zvpc~w8eIACCZH0o_9g<*AE8uWLTKgSJ*t21S?aARnX3l?fm6Mx-&xoChjJbf1F|4B zkGKc}g=6%`<0p)DAS3rbBf5+{9DeVUB$DqEg9E4>B_d*__%cc>`;-7E$(vXH?QPYH zXS3^ezLgT_rf0&zb@c@Q$J5@d-tm))U_EZ`%mWvL?I*#B*jZtk6vfE)`Wj_nn%|0l#Sx*^FNK%%H(5a(K=bv zS>_M?Glj{*fGR>VsAI(h^`kC0KDj|o3L_A(cM*< zzc7&jU@>A@Nd{N6yG~r~U|W6b1)5;WTq{m)3>t*@Wz+9Xb^nS2^tfSIp3u=sG(;Ol z!hU?lAJ5oObQ23sFtEMV(}4tifBrLUu`Xa0h{ z?5w+z6jW{?oGbCs3{yRYDC=04$Flz=`3<`287nsWA=>y@{|`a=BCN6~QF3laiK68=vwz=g?AIR?4wW+`oUo;&44&F+fhjk#<4z8TK&NHpg* zv8#Rer`qFyPbGZCB`ZV_@c_qi#2XFInB7tQ%g!wN-%Wd6O%V`}g7VS%%&VazwDGSZMtqIU2N>7ZOm|FAdg)ibDZ7+-W(65kq zmfyaBTv=f0a=AGQ9rEmugix(u7(Bdqb@`=81)0<~IeA^H%tF`Kv}^9;bug;l$F}=# zHhxalY8T~6Rsv-<6T>Xb$%osAS6a%-f3K*L5bjZh<-#f2kNFlMmg4lvUVekApwIV< z)JB+!To5fFum00VY{!A+52fQ6+aZS3GH6U5d8JtveJT>sXZ-;`6(3;({n6TQ)XoO{ z3ZGlv`KuB-kZVQ0r$O(esC)VUm^urus=hDUUoIuxB_Rz0QWDaalQ@XpmyWhFr@qTZ-e}Hk>=bXLQUTe}#lF$kwA26QRCn9lb`?5$fqPz9sXA=#XeLS}9?3KzrIiwuee@)XULu4blzZ zOnUzAMsX2r?u>+6E1`nl77HjP92Z=f)Z&Ju(BBakG5i><^vf;{n%rw@6G?`zdU_75{(^BM(+oG16E{ z*jj(Z2DY<6DMp*b-DC&C=2zTY-w&Dbv7CakcU#Z_V~ixMHqX-9V6+WP?L}Gi=ebZJ zv^BE8uOzEt)x+6I!VVZ6K^DL#`wbJ#Ixl*T6QmT-L)(Awv+A~Y$&%x&00F8{#hGke zX}R-GlHx6bk^LuTi+vv&i3Liq=+g|Ym6|@}R3?JMMAKG@hKY0z|Iva$=d%+eE;uYr z?P)4r*4pfnKKQW4ArXMz4-!5TuD&p#RlXG#LKzFQOdsK`QLYgd(y2$Z$iuknBLbvb z7faRcCfBt>FPvXa00+ujr~`#YS$?*mKEZzYtrhB5T=hgyiLW)20>95w65-X+7pSQm zDk7KnSD*00yiT&RBd!W(8@~l<8)+dWI7tU%tNNNnkkb6I(`00BSa+GFbruw%H2;bF zLugQ-u&qFbk2jGD=zQe~K^Wh=ghp`zJ>IxkYB$;x&yJ<{I6cvUh+-vCdIC?kD@#UD zZ)!4hQP{MU4^sv;e-u*3&v#62->Q#UjZkMk3IWUtv1zA+pEYkeZaApf`8fnCQVW;2 zOp+Cn)E&q2wEcb;{LSqUk6Y*(O+p1H=kfh0Xr7e7z-j(tht*oqK3zwoT({;SN;F}T zT)#>5rTSD3Z!FBgh`j!E_Rf74`PQ=d?G%6Wm<*=A5OFKM=>K7)rck3Z)jNJfyL!2jBQ1+CMwJeI#E}7rL zdnK--2XJ-EtHEErh&km!e|a_3U9Q(|oSejA6V+hRk(TWz3buPXqK^&vYJI-Z6Dx31 z>)wV}yYUez$NZPF&_L}>tgN+7-45quiq*Z-q-j7BikH-T(>FTD)Q`7E_8HZvv(PDXdn1Ped*ZMHdt7)hOc~Vhj#*kbHlzsjzC{;DAR5*_ z!Z}&oJzPeLM_MC@eaJb?d#rVmt=?F!Xrb6}gfIq(4>I3zqG?I7+xTb8z(6{EA1Nv{a?wR`|U1q1A zV8Vyt{u;x*4u8Db&j}D)3LuFf5u}#OOr@EOnp9=H7Y$S&lZMCOQcF|)6gnGyB^c*J z{K-DEnEDHF8k70l8O2W##kT0Eab9>br*VJQ^_d;G@HRq%@r?Tl55a*Ka=n17@;GP7 zmOge86KJg39ZaJu{Y=-o?A`3jKzce~C5O+=qk#JXFZtr<_5RhQQ$M6TBwICD8p}Jx zvZpM-G4>|#`XT;8QSe(7bV8v3&(_Pk_tiA(M;E)AeBw|=gavqPkfL8dKN{uya~}&S z=I#z{wdwL(_w7?hulO&=`XVQbz$IahVlotuSzRQqT$N@cIqB@Zo^05sf&g?V%cc2` zZ8V&eQZ&nJa=}SKIAeTFr8Lq1^_{&zttI36rpS~kq@mtzby%1ODC-Nah~nIx7^3^- zRu%4)nVuaYn%?09y`T%C1>?VD0M&!iyj(Zi@wh1>zJ3q!ClOM|@omB8m6q@!;ybTQ z>5z@jL~$VPb4$6pizeY;EJrS&vLvUXU&lLSAUECfORw?M2;YzeQa#G3wl#vr{aH2R z@!zN2GuMY=r^I%6_b4VzHufSu3NqAVLk5|d^eT-9?-QdH`G~%3KAP+VjU4)@HI;j~ zY^_`U7|!B-Jgh=4Ri0=7E(~oMxM;N}^HqAXcUQ3R+M6FR9RMPVg9tuSRltX3tuT}| zJCPId<|xJ+Vx-@UGQDK&-SiKb?zU%Hd0R2vJ70m_XZ!Tr&vzm zOyyy2?RdMXBNZ(EX7`Y4na>@?Uw8{Oe66q;FVpD$gmJt|M=$hCF<{}xb?;TX?Z=v4jejl3%b>61h|Sd9eDtSOwCS?)a(&hu7ugKtspmsPusc)*nftPr~lGAF6K7qFSS^z`fDyle}!}G>w*5f?4c!7%BqX1b_nBnVexn8z# zAcFDz#Ws4Z%87%C>>;`}#ig1=jD5mhJCs45Y*+Ub0=U z`1o&rx`P=Epuh19aI+C3hBN+KiwzfF%3t50sDy;R>f5|`^bSz7WX>7W%~Sdd^dM=f z{Dz#zVPzCu*J$onXMb5`q)bT?vW>ahZ~i(xI@+AuenC)&Y=77 zZmdkiIrg}9Fv-OK_acABG>4paImJt>S^nX0w$L+;5MwU9>RrZFb3j^e?mjiJM@Z)Z z2J_I@r(Geo5{%wL#VR51usTnWtqR^SaMmmSfK%Zor^w4UJqck3@e5Oq4CJ_L-(g(YCM=Nmi2x@;Xq&nPxz^*N|+-O*O zyepJ#MO)0+?FXH#w#xjzI}QRKdut`!SlHpjT-6u6GpP{85L|8yuh%rV-uZ!NhQc<4 zzqJU{1Qo{?JAcGy(>G3h1&kpj8a>H}fPqsHY7O#JljXLaS#yeC0I%uRe9H=F704Xq z>U^UKzhg7}STRKI|7GK7r%ZekJ&g*115k}r0qT+M&u-&>d}1pfFU%VdI({NCRmf87 zHyP(DB(@PIf`)@t%fe;_Ks76ct_CUqq67&%*R&bIr^;Cnf|fR)I+b3wb%PFUuTM8VuZ;>;q>h#C|-GB5$@gfI%0wR+ylql~4L4%mCxnfYt7c8W_UxR?wa9UJkI z2<^d+-&dEI!d**cqFVG6;5lj6n2nHpk6`REL)yB;qqj#s%8!YNnI{1L(t?<0Br!L0 zZF#uYqv>|Ve7UQ^thwS^ru*fN@%6zp!>3_M2{e%Uo&G`n$y#B`TTYV$Y9wu=;n?^D zj4^3vPO$nfw^={4Ob21AOISoNZVF8FjjV!UIHPW;d$N@yigir-29%~u+o~G3w4yw} zooNF9azERDFn6@s4M3>S(=Ke@I!iTG}xCgA!&I}t~ok2)hXsH%f zlq=3O9}5s|ml~960Xw{D(x>CvNs&XDCN5bQ|5G}jjh*2UqaOTN1M0F)WLAE0(W_|S%4USxjwPRiKADDe%qEfZF42HmO-W+*a3Ix2 zbyu@-%mj9)^VvKf<5$^XsO9IW=>5(QV+^|Y*;i@)GTo441$dkNdR2a69$6+qV0E{? zH=1xG+NviP#rFe_G)0>1zTBq~?$vH~c>iV5^&c~3I-fN^hL##o5%rcQ8sN;;OjJ>< zth21Ri;omd-cA4nhbr4eE;frX@_4QRW)LYDvWeGr3`n&HYSrq+Ip8gV+2{~DfZLR! zuAgC(g{eIfWNR#Hm|XXj>Z25?pP&X}BS`6o>J#Cf?4iy4b` zKrDHaMHi3&^f4IiS^wjv8@c1}`iJ~(uK9Bw+QV@-(s-s`A1ZlToXw#+6Q1|i)<@M@ zs6iOdQV@`Zs7Vb-h35C3G9PL0-uIK11^(I|G`Lo^9a&B$0%M?;k}8xpT!=Z{ol}4Au2z(+qpF0k4dY2 ztj_wMeI6)d{@pnSnKVSuUslC->|LL(8syoqW9z}HeD*1yK>aJJ9HAJf9*}2fbe4lE z9je^69zxu0UC~Or@W=UI74cNfL@TNE+6JHb$X8%+ZehOFA8iZ(ULr()-_3t!h$_-~ z?Z1KuAHdZEZivOtelt)$*4Ej#;tt%c%gNR8Iy`fd=rfpwlapVJ_|U& z@~mgetzPIcjS|ZaXOT8nTRjeZY~lOkfGs3PK{~0-We=-%8{7k zzffn*=qpJ#CT+z^sJw){0qCLS7NGFP=6*J~M8feAGSKDQj?R9@)3^<&PAFlSLNG|{ZJ^ar0H%Z1sRq;mt z-`EWxGP<#p!WX~@st2R)c)YL;SXHYzPQ{W#PQhyDqy187rO|Cyngx;{-13;1?L)49 z?)rWGZ#zA-1ZWQN+6#B`yveQf4pQPcRyD-=oSQN?FOR1`0SAAPZt;vPxT+;gHS4cX zo!sb8`DJ-O64^r(mKH;ZHLCP|Y`}}6+%+`N9{ZsNo z)WDd#Gic-it+v(?%8eF(upYu%}D4`y!vuDSjN%^xu!^w}O=5 z1o}+`gbmBpBlVZIi(RYihtfOGjpa<>-rTmo3e+r;__j-e)t6XHzXvut?J^)dHSVV4 zY=v?FGk>^#02?E9KgJWkay6UsI1TNd6{kpCb8z497i6e1n|SH`5}WOaT=k)njw^}! zE7WMW+*I78#V*WvLOPto-;svy z+G1AFbt6f*Gv>XwqH*llzhPo%j;fFL$^^;8^u8W{_2uJ4mHw+D+a z!Ry1U$}d1~kCQDC*qc4jsK@U8s-)he`;=7Fw^3{m@{ zHDmC8FOyDNiZJiAp^nLTG9=$G^&aQKg@)6e8LIkH_21<917RgI1idMf)B{4*r3rom zY)ypmc&72*t@S`PHdJc~c(6DDi#`dj#q!mmbaH`n-IsDr@DD@nbA^92D$PAq?XNG* z#iimY{KaC?r2fA<-{7-=Z$H7Q+~6kgeD|s+dTnw(6gydJRAZ=TP%EZSL<;g#)Kxqy z+0B&j)ZSwWR=C(2$QcyI8Osmejde{pS1nPO)1r-9Zg%~NM$A>XrYt?n1>6rPr;}FC zbA;wDEMyNAR=rD<4;xLJ&L3r+TA>|+4GzpV7BtC^hRIuPwiSXzF;zO>g~^6IPa6B! zJRut)sS64dNOzB`mup236l=UvD4-?Jsmct)&$5gndFFsDNxfjaMp#*Q4M4J}zeKsr zvy52eta!?)VGW+hGVX^sZVkV8a@Kd2mSZiOD&4ggrbVDj7P7785Kq*A$LPd;ihaB} zCWg_T&uo7>`>@I*0mJ2o1wr{zs+bjUAc(h6Xpb1W?hV%hvImiyAo9@0-oXZe==^Ac zGM+DnSQt!+XSpoKAX{-wVjxcb!%CBD7=;;=2g|qdp>6#;`)K^I%!S4e-ibXe-Nos-fr3FGd z7Pj&xoa28j4dA)BZim+E$G`{@48dJplhlccod~_0W58&?f z%KxyJ16Ie#-`YtHWE2X0e=*2dfeYoyd;%B~H7mqqYoST+iW%zaaRouO)dQQJs21O1 zMh$!<;(crZnuuTP51T=>T4i(Z+$X{3%Iz%#fO}T$@#d7oFdz7EvsH_f2hqT*Rvk3H zuy&Gz?SR+&+7t4|54#urCOjj$_lGqM7YP4E{40o-(AWpvFS`ubecorngHpI`Q|Og* zL%|#%ng!T3%(($h5Q`tqQHmMd7d6Mt-d}i8q-@4wa2D`e5pI{_M2)^#h3fUfrICua zN;byF)iewX%gjmj&A1#U$uVl3Y=vT>)S$i1Sk)Z^R0fxL z(Z-&56?u;)0xGL)h3;dRBgtG)2#&HWtiPZ7@V}3JJ``_daO!l>MdwibW}ogasZ{+| zx4u@}n5}$dXP%I6lE!_+8Nuz{L7D5CjSGJ35<2PKa)d!65lO9xk`e;v*Chep|E7y%zxQ9TQ3PDA zvJ?`27;H!^s`oLE((&&HhA0ME7&!Y(2k@xLUf~I>&AJMbp}zwhJyrJ4joPmkS(e8G z5whUF6hNfX9k8#$ewX{%lgkoe+yLP1;pPkgc0X7fS|;wp1T|0+3AJHaUB{GF$DlUi zrXAkkN(|TNe#cN&aNSSy^J5AUcF7MRAbWQq&`jJ&o-JDO^MR_tSBQ0K%EwzGwA}9q zV3;!fkimh(iyS6p7mB_WHp`boY8h&YSg|T0rhL16RzD(Q-zj@Fmpi2&8 z-^u#fSfEg=CjY|H`HS}ZbSyIw4*~NeqxbP7VmBZNEvirl!X)!0+?&o8)CLNRQLDBc zOvK79*6iS~fvyCYaBcxbb;yQ$05ne(lGv4`c8B1Oo^RoY-}wkT+2;gmEu{fb5lVqD zR=@CPKkmY5TXKJFe|AeRJ8iw1kioO)@fxi+##{Q1?;|97)qJV15cvRhb`86zZg5_E`0M=UFjLSCko?h)gV(l+cOl>* zWX(Td2VKF2^e(~CY~NCN67X|B)I<90=~4s>pNZG|aycq=I~mkC1HFdIL9d}wzWO{+p{vNlJ1Bz_{vKRyNjeW|>w=22;iM+GzO zsg58?6Aqas>g6Zt;y*zb`NuteyOQuBugeIS=vJ* z!6YMM6gh;^W2%&dJVX?M93RxxVtFHf8~HVMx3e2;226y{njkWu}LLiKYnCQeH z!r^)^3_n5$QaE$|w-Su^;bb<9JH~$0PUx5U{`7u;q5PPv^H#)=00f%}Zdlg=qn>-i z%(=<;MUcj~7wa`3t|7mH9cHiJ3P5lJC$YzhvO9GED5%`U-i((bkYleuW9+n8x|WXc zOS&lHAqmra-pJ3OGQSr$Z|^d1h!C8{dOPalKYxjjCz^_PJniQ4Nd|uJWm#+(XB`^W zyaSX>_1(>r_&zis0*coetgWW~fQu$LNv=b$HoAN~-;L$PdgP0yx6oF$BnuifYArTA z#+f6yOkXX5{sxhJ*919`$M7S?U^-eXT9UZ>XW{REUr>qI#qI$*6rLZPW(Qnpu*X)g zOdK{mvN=Zu@BTM{yReaIqEe_=4$p<^0`}efj~K}%yST_ziW6_05xx*XYqui_dQu>T*GWIw9;OZl%zea~FzV|t8 zOBgzcUxwawpuPNhn{;jq<8l|+(FWTI({Tp@XC@mY3Hq_(BhJ7sjDu6rC2J5_d9Kq2 z?cv03bxBY$%!6F8kAVKi))kkr@6QK)%v_|qf#~jxXb@@mY zpRUp}l~c__;(ZTQ$qlHKLk(xr5uh~^B%De$f0kY4be=+GWPzMWpG>ihH9cS$ z-A@LANE2o!&)g8`7Z-nOM3Ut$r;ta-^l;1G5#t9+&d7N-R` zz>98d@Uh2r;ZpnS{)FLL{7}RP?IjtZfVPlR%wBZGgT7fdZJ{$Xn&7y)F$timj(?X= zJo$Et--m8w9+-h*3zWZ1Ze%?UKK-rT&?t#L>nm0ulqY?IXHC5Cl0h&Q_R84U(@M5B zA%_U%>S<{~%b#p+g3&aZ`3B#{g9Cu(hjrTaSPpisl4htBx*}cW?;w-Kq?PizW%alI zsLOOT3N(fBfa%-M!U>UY*GX(&;4)tmbnKKYi#)FO9HfIA5OEpOqn|Hx40?rIox)Hs z8*KK@>C$>z(f%P5X&O7 z3DsmpAI1m?BXtCUm>?z78e9oCDgz`$2z>Rx3_>Z_WFPgV>uoLj4dCz)60yC5!|;4| zABTEIsd|e|^>@LyAn6O<``U7C`onpa2l3xP7J$OY`XW--DR<1G%I15IarfP{f;LOK zF%KY@LAXs1`!R!Nh_;Waeb7p?g}|KK8gG0U;JjAMNGdO5m72u6tF)`%D!Gr9bddBN z(j8oD71@)j(}xCGoWK-~DNG_lZ~k-8d!X7twJDrMt!~_1O?Agpk{eI4}{SstY} z?W-rR`RM1rTk;ExUI8%FcTAmc;AwKtvcXt>N#FR+C0#f^E2lKL94{O|LWIgsni}bdZ)`@ArjY~^daz6N-dy>EAc&~)`NA%s&M3RtF zcFzrsV#iE?0XZ;cl${}k+#bzN`kPq^)q)1odT%W2$4QubI`mQvhL%we?XS-Y$t`b! zs!(|7ht$iMQ_^QYOj4M01ILs|6YIs2@biYkN zGpMX;$G1*UsCfh<6E8zOi7n>wJIxTmaIDS5Jf+5o5F`40Mi0z)2pRS>F(B<&GU;#s zEju=t6~~F~O73~#`${$V;A*qjpdSu3kl$PoG?uFYUBVO0abaD2@A)VoLtQ^PhvoA>T`i4CwutaB;fmIq6haP*DD9{s2D38q?SlDHeJ^R%A{7mq z^%)UmSFd|X_w6`=4u!}0b8R$jp}RF$wKz)Dc|a&Zu2|6}{tP%%*sH(J?9v2S_TX6@ z^i!~3__Xpq&DH3QWk9nw0QFT|^kJjPp8y!Foh#AD+aG{ti9)`=6lBt7&%hvZ;R^<_ z-Q#~yqqVR5_f|+^r==`|BA5{7N9FGviC@xhC#6F$1Jv$!%4i&5H6ZwwXANHO%!kOk zdUsv0pw=mArA;!-UzU2*DtETpHPSG8RM0JcKhHnNU%dmr%~)R6+M|f6sx`QkD)hK! zR8U16&9GFeJ}($M#FSA3$C)I6_eg+7Kz&3)PW*X>RQ?$`RxrMp%!1_E$N0B6R24w!#y+|vhe10>e z8WC>){W+TyVqHc%GQFzKLoa+d4CrHeu>1QB69MOi?Z;}(f7&b z9d!6`71jj`D z6JOOi{a0?qzRC4gQU?tVtUX(%$$*Ua0iP4%Kaw^jms^IcGKU%2pIJ#sBf}$TwwoZw z@cG?e+@hF*$frm?lYf$$ip^1#F9UQLs_w)_Vn93h7phW^SUxOCDLm}b)uC!Vi4(mk z&O0a`RQu0R;=4AQi-9m+(nnpao!UI{#hg`7z2B4Bav|;kmNbLJzP6g@mEAu*A!f2r z9Ff?vx~*x4iBT0WKUWe{SFS;kn)OY;FO$wuuQ28NTuC@XSa#gmdlLN;R%tH(ytOdU zC5WdpQ-L*Y!oX&IqPzUB!T_sR6anR1~yPqXUh}tE1!r41rPtolkrOo_>jbI7SdTwMIJHk-{HTq%KQehSjJ0b zB13h1hGD~RiQthL^ghMY3p(CK4O=#AX{}55yAR764h`&JfA9p!GG^APwD*g8m>s9C z5(8r&Y7OW?ljR6os97UFwE+fBh4!#=+C+2BPRgdI0{7zkw)$lp7-=nwea24keA%lr zmY)AQ%-jNZQ{{tfbB$?U@$^q07uhuh;o#So+xD5s9^Y`xPqq7bR$`%dg6 z9r)WMpuyD?Fq2u0xOSjasEH&T{IOXPKgmxJV!hcLT~y~{yGYsguxAUetuw%3C0~x0 z?61C5MQ^_bU%L~XS@#SdE&jPQGrs>B(0TnJL^0_#-lug;fh!v!g)rJGD#u^rgHBX` zhpbj;yG`Vk_DysDFwV<)N8A5Jjz^Qd{Qr%I;A+u5PS})cj8wKYwrJrnqi?Y$HA>kn z=g5VtJ@LJ=#gD6jAfy3JJ5|5QW7Tw`NonSP*N#;J4o^WAi+t?wC{cTX=9_Y=fIEH~ zzIFR%DyL8FT#H##*0xIrab~o{0m_fnpw+oWiBX_e2s)a5c%*M zpbresBqLAMvk2r4QO%KqreYdv@RACtG5G9cQxe;#FW%DSs|Bj>AmJ}DLs5jQsP|&u z+Ak0kWR>_gvl>87d-$R7d$eV`1IT#W!Uc|d&p*tW1{xCMzHSBNXMTSsMqyWAJjL2} z)9DWk*8_l&`gmiX!#aS+Xm-a5Pq{=mV6w-EHEPldU+8J7jbm%qBsX6uy6Rxp=4(Orl%nl{IKGKrS3FnVW`uB&0k*bP<=o5LQDOZ~ndV4;IVJLCkDeibLFvG|h zjMy16=r}*?K#N;vQZ03x3Vq1D+L}QhCLHEIA&#X}h-g5?ISf(|f(FTm2He_T*2V~c zG6d`S%N|`$QCl&L4*7;}2GXnC&W%5hy)_YM0ef{eDn5rG_3v}^9hm8C{5O`|) z9@h%ZDe{wdfQE@j%naIlQbi&WoL?*b<&2N^hUm`P+r5#(yui9J8XCP zGy0^nv^`qodUzd@5eyps?$5*< zzNqA2y-cDz24iYHb;(wV3Kqyus%HZ+TUfJeO;tL7)^`>WEy^^jvWvAtSh8b5S17?r zQTjr$t~tK1FSOfg;Vd+M8Ar6LS&S;Q>|bEocHu>tF@+C!(BCQWpNoZHH;D~kc-*kX z4=ud6|IkZO@NAoV-lbvC>>Kr`6ygs?sLg*KPJtmr`(zE}qu(rk)etO$!`FgeZSr?y z6Koc@uCkv&MItGN#_70&zwPrDG19E1P{0tpXx&+g#{&8p`Y~zyel7E~Jg#Z-!QKP& zlht+uAn?Gze}>qufuc-R`WsL5^%l#BL1q-=+BeuTI8vh~I{J$9#Fg{6~Xg{KY{9yvT|Dv`6hT)_TxRSe`ca4H&FKvjX`N6<+2H9($p5i|V ze_5VPqPp4;h|lPaU`K;VZ7d9%Jl4!ZGT^&xK(qKIh~kApl5jcj#;3&4vcvm*a%Oy{ zjMpo`;9kp%-h2Crh+bQ@N$z(6GxZ0s0ChqqN03IL{$$}Sv@bUTEhu>nJ3u|g z4b$cdA6scko40;ZL*Q=mN7wZ+escNP^o>}%>oC7aKa|B9a2B)K5 z^VUtfc~MpBUqUn!L}+!n0+b8|($r>%JqVlCG28P?*u$l<0)E!dnR1!AH6efyRjQxrHc4@$gX^PW-%nb{HlN$CNsX{ zlk8>OE2^j={O6YIYS|m#s;~!F90;Rj>eAd@7j|Kq&%?gdQ0vhU4 zFi9xVKIQWgzu{t!!n?G0O%?i2KO3$p zUe9J58W*6CVgGF?acvB_M+9n$<#?X?)CeYiWM($&VGW&LDw_)k|JOuuE>$&(yK3{d z{p{hE1L)VIdje8^5JdD=9rD{b6alGu8ku=_mUuEkI6jtD8{RD27VoB z%*Hj*V*d1+vFp5T@LZgc)vI|DT-5yv+jKAMKOc(IPEev|j8qQsAH3q=r?B9+4CBe@6ygs|Ch2ZAnquv6o<~IOa9A*oDrz!r9St?C}BHk@%BF|YzS)O}B;b~gKK=O6%p=j@A`>S(2fXt@s-{+6b()E|<8_Z(EaGnA+hFYnAQr5t43Gb%KA z@VWJglcZ}}bvwXP4@ip0v>Z3ylh$4d@MZt|tyD=Ko}d1$2pg*B{VX}+BUGRTr1umv zxPe$ds3!A~!(Mpk6YqC!-guSLtC9o%UJku_X;PtDNy5dg7?5kjfd4_8`b{^JZbN0E zM#V}|7s20*M$>gzKhJmuH6Wpdm&J+K2}A9wSiP)xVN!&qs?K^gjDJF-0mz&g6sri{ z1*Vvz2jt=dU-Uv!I%$cyY%rT$jmw%G23OogRKgbN+ZX(Wlz7!>xt%9nBa()E7@#5n>(K z$ZiF+UdnfE+<7DRe;qO#4tWL`#CNR%V~0Pypx|IIK4{+!z89YrY*D1&+EfV4sjXr- zEGwJ*2#Yab^g*9MQKmx)Kfd%uydOjS1j9t}6#jyx*doT+vBmyciKWF_;e<^ zO$K-ltP_FC3Fc93L}EotAADi2Lva_elsBvcEK1x8om@&Th{+F+6jtn>$34}0sxZsv z-?N|8MUV12Ml0*;@akYZqZ*CCm6$!flfsmsliSnXxyp1)(mUOhPlPoI=V`3WH{g}5 zSMyVTP%eD}t1hkMKc3G@SaHI4MRz7SJ)iRINurU7(J(vi?zad)Pg%faS%Q^4!yYXImC|0L1$-LL{P(lZ{N>Ztz zgRj#RH83fa`8G}y-hR3KyCj7pppq>T2AmsqGP+b%!=D7bAFiSS`6u!LZV;8anP_A@ zM^+zy4E-l(5#%2n{>AYh&Hsg_fZZM1N}`A*<(8YAk0%ZRRC#bAPLzy~s2w>EfP}8^ zqoBZ)W)&9L{K#eK$Q%Uj?5vBTl4K(8zaw#ute%5G9}fV@rSs3*eG43e#L;5}Tmo?} z3r-EL6!KBuK4Zz+_ECfdHFut_C{e5Es9RNtmc0UbLmw=I{ltye27^F&@knr+A+MZn zY*?9IeYeR{Fi9ekO47@>xF)ghBv0W9bPX}sc#MY0YcSV5t`D??4FCBju}81JJ)!80 zgrlV|UP6pg2V(I)n=n}#SXDoLND&ZyW3cVxx`sHsWd*R&qag*e4B#*buQ<6~?)8Fo zMIFYcir-^d4FrA$9*WS_REnVl)^nN4r1N050*GQ6pmW)0<^1FIm;c`O$lh}D*{)qR zj%j|`p^wz@wDmSWe=paXee*7gG5rl{OO)2auXyj}Tk#?n{pDQp1O4mFFp)cZ97!}J z`@|owJk*5FIN5KcjHHq)t?x8)+IYGnUPK}2Wc(J~XuQY_-SJ!wzFEENIRh7LV)54W z#GSDB4hbpu=)(5oxlhD-7$RHr-m+_j1mIp*^li@HG^W^|vX6FgNSia=`M+EiCl!Qj zMQO57MLH)t&w93+Ux3gz>c!Cbls{`bAfI2v+<(GoR~2YcgD#D0$TFJI0tUpu(+g~I z+TSZhq?MMI|2QA2r*22dsPVpx+fT+oVM9ElFo&HfT^MI zRflO8n@TD9;EAk7}C7$s{7&F2!zEHM+v`6N)b@UUTBt^ zTPB_|Q-^Mw_M=@lOd^TKQ6vkBbT5PmQ6%$hYX$Ok5wi$ahw7dgCy0tT^EIdFd|Dh&fM^4I2d;0#vH^TC9#Pj zerv5_L~dGiSusttzs|7lZ0a9j2+p6tI<#ovXw(GLxWfb0z3FgEybbA>tW!?r8^SH- zv@{XIZWN`ml1WolSEuQ+StpKyZw!pjn zSmTp=T?L3aCcEnxE!K^&n^b2V_+y^TSPwG z|4AJnGQrCJ`~2M#M2!#bVz16w;h9z9?na=&XGbv#RuwU(kj4~#!wNS;8i67trK*Oj z!ky($u0$4uACHa=U*+5%BkHE8Ls8yhPn1mgx{tYK#%A1ihS5)KA>pvGXo8<@&9gVl`}T1ji52JX zvzU6LACPpm@v1-IGIgNd#>MG6Llcrv%;hnxRdnc`4|&4;C^0?ZC~3>+M5~y%voufS ztLp9+*cj<@WvxDx#Rn=HM^+QJPdkq5^U)vP51i-|c5ni&2N(lklz|m}<*o z`l|BuqYDwH`p;p)!-NDuGLt#7uY~EfL?qDiN&4)^{d4nNa8huTBjlt{qU7RyI~%CH z&KGKC3X%v*it2<4GidmGpqcv>kfjoH#IhwfXXQ5dHQO z@$aNH*)-m1C#M(<#~_Gvlpc!l-~5DHb~;)7as+-p#q~RM5kt~dsVPBR4KF$>y$L!I zL>!F%N`mpnr|p8=e|Z|x*Ow|T!l7_18*H170am9`>gs%zjJ(Sv>f=j@Cv&AndL-Mi zr0rh~R<|XK&!tO-%!Ft;s+Mqxq*AZ7q5nFnf2fpo;dH&lc;`cTw8o;X!L7IOzfw>C zDVw=Z7E1fVJa4we-^y)+6wfA&=MxF)PO*Iy$3#BC(3Ak>Dp#gEbplZzVoX;)zJ6Ty z{Z-u;iTBipS`oUh@H&xjn{nmhdDJenf(6kra!*Q1onEd#`-+d>#}6T+g^}iR)U`!q z)u!q_LdQnV8fV(dtM%6A!;^&|=EzOJl-85vNdiAnu`z zzHv=yIyaZ(*Ew9R0Yvy@`>+v$pc+AW>Wx4T~V`w8I&K!{IJbtr5`@=g+6WPH zo|fXoUcbub=hykW9>5~7XxCs;#Haj4OR(&XTdu9bz6V_7Ku%kH3W0u%%@>l~czV3| z!5LI>t2=ci%HIaUOc(2HfLBLS0PH|j*79_QBV#K;*OU|;9~c)>X}kExh5M7$;V3@0*-L3bKTwNo08oS7GsubfB&@uyGQHZuVx}j?{n=nlAVDSH{nT6N)$5; zjgP)fcaVQCjd&oG8$ZGiB%nn$yeEo2`$SQZ;&MdUGZ?23f>i=J;sxR+NxyO!lXubk zVH$SJo&c4%s-!icnt7-SQbo^YxMsco5lhW|{F(E6Tb~h3Lkl`wf7DROk|bmI&!ot1 zitujsjh`HZWF|PG_Y`2*efwoD--8Nv*Ng5<3_~v1GX1;6-G2_oJb+PeWt7fokFP>1 zxp+EnW&1+_C)>W81X)IFZ^1bRPSS50DY|*EQOw+L#QpaBoinb%Ak<=>Xv00=#+AUx zyAroy3a1WyxLeb+;P>I{wN&GyfJ5_V_`{t*W5YRSjE6NRY+9%#^t6)S4NW|o3-JW z-?@p~4>3;iKNJk*rzfs1GBr=?HS0Y^$NC{n5tX7sXwS+it8OK@4Ehr{$ACJZJ~@@w z`M|{2>(>^RCV33Dt=}8E?(Q+}M_eVr(2p`+V~W+O;>~*dMJ>P$tn@fnc__W?a%w)PIDZaw9XYTKZ9oTfNFBq4stoT#^C`Gdaqm^K4ty( zVKA^cfmDZUAPMGl(cCl>H6UoQ2?(#T?azO>K0vagaAs~+cHH^LSXhfmb~=w;C7Gh^VmJwmsuKh<4>POGGQ>S-&{_%6w7_G1HEvMRLb4gU^(`W)Hr$hgQU z=ZMwf9hWTaPwbmngu;>i%Bs~~dAP7`vBvS42i+F7bCpJLb?ydX?0+Tx4^dwk7UlN6 ztw;<=HI^AN7LanLT^< zUh7_W2=V8aTrxNg*gDQO+SSJ}sZ8>?^E0J79YRBQ@F#yx_4!{$w(fms?T~ghUejGx z31e}4#hYty&}4Hc4T0FvR(`^_i=AoKQnV7T;HE=P%oRTVqp4-u4A0_VvAC*(J`uA;glO^8`Wd?H2wD3KfE(dPMsgNc4^DFrW?K9f&(9c{_h?3 zQx3+IS|~z1*nE4X??0%KQWm1G5+;H-@rWrYO@WRflwBlK9q+a57rUM_bA|*Rxnc=d zf_mqrTtjV(r(x#wb4@tg=5s|jiPa|WShe{t|59Cr&Ni-8Up9T@bl6HzDWs>n1qruy z{LhU^vX9ArUM^fXTO~wUDk=gj$+J0ZI}o~=#Jm0CfZg;q%AybL@8fGv z93t`S4&}_N9BI;?+rRC3?8XmUKh0?Q^?&o4n&f1bl3sq(u7SD@$h2x=r!ThY6MCZy zi7+U{O|&Tn-jGF!A@W;A#T-4pCmg@ND%t?33IP&TL0L;8OiUB~%h6~wewF!2WQmvl zVEF{|G~DNi*7qbq6-HtA<32%ARuUQeesev zH_m?tpW+x?Byqf@E%Fsmip@$hNzr!|-A^iAm4iH|JSJhIcjb22!@!~Z_4ifg`&4gL z>t7$am5*dyU&-h_xtU}?8+D$ro^HCDT{INgNo4co)UA-I`@v#r>~k3U)1(Jsu1`r3 zKTxu^Zk&~BX9mm0j7=-Y^gC4ki8v4R^^PW-U#ObDm_5K-B<#y~97G^?t_*Hs@8$JJ zpB0?4i6e%XUnFZ(=`SKK;;QmWMR-BYg`xI2sLjmQ3GDli?Z77$iA&EaYkMfo#6zKO!i+;>mVuoz}D zBa4^v zwe@cw<&U}|r;nLz*yZDSd9fO2#|e{8*4lX1me;5>##A*c?MWwh;@M`Dm z$7PnN$Ht@Z$l2Zr7EGw?A2z~sx&w??XJB|vV!byyrIvQ1(XVakq}R=FxZl%IBHCPU z^)Jm3qkYvUZ(xoV?4#Z>X~v}W-X7hYZk~*|8&JX(vXZCehG>euXEGr)a6oa*eaPPt6 z;KX9GIA$9CRB&U+0DLe}`)2p*d_QmeN=(E(B>4@U*MjPBqOMmiuT`v8>0ngKli-%x z$lw^kE^QFFmF2qu_DhXlo4%yw_cQ6Q6H)*R7yj`9~6)j&Iu8Q1rh4 zCA;VL*3XcPb+0zVst?bsGEcXON=WRM`4G?0BIursLwlZE6HnPN{!8d%vMYx*Caf-bTnwoMtc7o%1sw=A$Vh$@DzCLbl(7c1Cl>437Su>KtvT z<(Tg;@o3$+cl4vY;LooqBZ&2P=9o>0u#h5-jHHTa;4*$TTBY5vHOs5DKzX&dt?^xk z>-|5=-MhpszSnM)RC&X?wYjK;Wkj1d^!zDCt`k~E$ng3Jgu0~}*`6j|*SV+e)aD=( zl`=-6QfA`Uzu3f$unOAQFDMd-gp)5k4@2p0$NQWszHqb~pjozPA+^=aF-%QREb28~ zu+9ppfuqmcyE--eV=oRkS>M-Lp=FJS>e&3Lp9w+P{9TJp``e`8bQG4fQ`ALC0=su=!U4?Y``2ke>&*zVUS$s+*R>m@E*@PAA^Okt*R62(p_wVkOu0yFpiFKyUb{SMu?mIAeC8v2;! zz390kecYmjEkg+bbylM^;Mv6eyNaD@6=yP*^_gwK)IKeo21~qY_vxs(wa&P`|6R=R zgOoFM0tE%+66T*hIe+l|FkaIDEDl|z3@)9)D~{+G+7=9an>Wby;y5@NQ^R=kEwVm? z&-*Mrfof^8$$Dal?ZYE>FL((s`gh9BJ!%;*(NQc)>UTDqp|#4E~Dkt;tk|#oe)H@!z#h_Z~;~c z7B*hn=jq1JEV9MWmsYD@e^NT5VsvdyUQfjwEXzK`Xx1(Lv)lwJJjnCEt3Cgy?*YNj z`2ygK=W`JxN;bH(FKxe6{IO5uv)Ngh2t%aGh+-gy$ioQ5ew6$Bdbu}m+K8NC8JDWc zbTs^olK2e8*Fh)==7Ql7;}bd9q7m_HpQrcWj(*b|>a)5=z5i=lvYR+nNnaDEe1We2 z?|0yxRL~WVUu}-9I3OVvE8(^pBQUhL&~68*lBowzF_*^Q8O+3QVAW6QvS-+raIO+Mg|X!x__(W^VVYDCUIsCMm3yJQvt|2(uc z`6{4^JnP)wvHI=JCp|nfgDL+VN!(nDOE`0%Cv&X8beDbKfP#jli};Gi?P+v&Ls^Hu z=@M%pQ1uvhbCt^IE_)vzV`B*)TOnUsP;e9)j=Stc1ceL$nTqYq9_`ku%k0;Un<7;( z_O1OT=@+3kv=q;mvys$&gJn&^M;_mOWe*vyFh7P zyqZ<^KeQH3)q>~LuFiM?XnE?SyJ27Lr)$0u>Q*t-$|)&rUy&%U7v~!*!LuBaP-Jg@ zjEl{k>StkH)Y(+2)n7}nYoiiBbU+rA&qg{28S9kUku_j!0 z@bFBc4tLZE^wAghzhou4K12|^GZFP|#VLxc5;Vn+9 z959P{a^4NU6#?Jn-qCcSo(HBY^Lh5YKPx+gE*!c3GKY_JFKp2;5~4`?+8^I$9n*1* zq&ow?<8eEv%t+0ao`2}t&h8iMN%t;IiheF0&-~0OS1ex7PY@k5=of&!RCB=`)TG&T zx?ho2*|K(Joh{7Q?$cu`l3De_g{TIX;al5x(G=e2&%=9;vz^%IZn8F>dk7{y-pd28 zKeK^<@AmR35fyYPdjstp=ecDLj$JfftyQsFUhc_Fk5;rZ)e77Xqn{~gpUOf?2HK=z z9YxA%JsPUO`)-+c&xx7$CWHtUnEXu~mxBCR@Ejx257)nHtLt3?cko5>M#-@t;)k+y z^vFZooa~)qC~+(+#XE)9&phZ_jf+HYvMHMDch)=1FS1uh;Dc%L!se5gyW^wqBr@Wt z;NulnNUC%;6=I#kMu>4pwZbP24rmwFS`{XJd&V1qJItD0+_qb5%kVnVekyv&yl*Hd zar%HHvwp9Q{=2QyjY7H3#|3{w(@#+8;qS2Vl>n1iCl;OVKhTx^0wdl%@U9cHDQ)spQnA z>u;rRJ5U$;E`-;HR9k$~v~#?JyhGEvvI-6bEbzGo;b;3ZyJ^-uTEPWmg^y7OB;jh9b{0Rm?%S5E1$7-;eEGkz|#5(PHTs>;fb7C4lLEPmKK}quL(My3fbXoMee!M)% zyY%&XN;0XwrJH0{%|13>d@1=HNxe_D&4|aCpZ&s7C3Wc};yLA0)}9bQh{*e5D&aUY zy&RuyJyE7-fhU_poBU{2GVAi4XAIAUVSxgHceY!oX*t;~6Pn6o&HUw2xN}=BkvwXc z|3Oi5rT!0IG;6A?d@WhbK+ItA=9zmgdlx%hrr4ePSYkFkw%#6;cO)fG`-ubd_q&+c z?~Um0z0b$eC%=RuFHjE%z|^KV4d}=GpZU2pFHsu(bP}GM8DHke5mGjZ^`{IO)7z3F zI9P~(5V%e?tp0(T51}3c?J9A^WpzuXhJL&8K+B2KJa5c=A!l-6P_1yeWu>?P&nk9O zZn%0+_tmm5$ADjP+ul7)i;Cj-h>UBCqLZN_=wz*h&hZz^*66~ly4TC8se=6~sx;w7 zLI5yBV!>MTd60O8(Z_odq#wiMG%DVDvJ%J|_YHrvoITH06>V1)9p&9Nia(3_P1-{o zh?jSjN5$LK+1&kU5Zx53fwT$|5*Uy;`Rpq~ljI?I$=9en7$}t5oN4DYt@1P;-T`Zz zC9JNz{UtWsV-}E?Ty*#O==pNiLW>)B5#Di1l zy)e@V!YSkzpr#Ax-bz;!k5{hlT;zRK-X7U8ir#ecX-(@!k@l7Q@hY%ex7dF5Gq=KwKLl!>z8+s!&x*bt6Bh19Y0xQZN8kJ z{nY;<%#26$au#st?HvEP3H_+B0MAr}#;qU7)>{ogzg(oU7^_Dma}ZU`Y+hY(|G*f` zWcs+)=1o(#?13`lcT5P+7u^ujD-XqWzAvo2RM5fB^(isvItwqSV-} z3J=;tOuuN~0n20Ntz%1KA}+;6F)4enH?D)eCkekLPW@Ht#YMXHs9*{ z5#aDVrPEr>YZNl1rzRyku`lonr1k}F;-4&`|^87IYNOsBM~w4OXAJ(n*aXFNJh zQmygoN{d!y`8(gwvR&zL8mCe7OSIkc&f|z;=Fd=hf%DH6~HknZNe&3G23yz#T{uz@|-waPc{Vixcb*8c?h_EnZPbo%?o?4vEs zXvXLUk*`=V>dZ8I7yE92iHEeDKSB-Q`HEPi>@*(~{P>nCX~TV>qkb74r3t}quhd?n z5@H9IfY5`y^JeASm^rry<#W891v7>GFis4|4WJ(-!GYoJ(`&E+BkX{o0t(> zN^`Pfy2FT#r6s;>-jYxBu zX%D2G86CCpY2EmEvEk5_=n7BMMa-Tx8TqZ!;GX5@!o_-S_n7PVY>J~Pn6rjEA(1e* z;BM2CjfO#fvnOtwd^wzh2Yh?(soIY-)4v*7-^$fHS#+_6KXba6mumBg@%GGvE;o!R zlUPP;--#`ys`t*18cE(<+B=IAbLhWS(mB%^g8Vo?A1+Pp`4tQ1vsaD5zqG=K-HS@p z*=+c2ciiU}(uCy}&N8z@g!!eHJb#|0jDN}}58U59A7t4i871O z!)bVe=BNDgJkrM^1;rXW(S6wY(uP&QWbM<6NFZVg?Li>nJfQtr^=1l_b&-Jan z&We>XBvlX=F7ZZzo!8Ciff4tQhHZUwzJ2~OS|t=e6|E7mrIC>ZxA73E3{#^O(Rk(L zYDOzh^H-O4^AJ7z2;w0vc$W8Uc=z1vrx}ORM(R*H$*v|~fT{eI6UJ8-RZaU0&ozP@ z%fd-IxAV<#a=b*KN$KJAZw8G@H^b2@&u?a@F>nmsiznRGL~^}mrHCme#ya(1<*T6& z&IvX-GY+&w+f&VXGp2p)&U$D=J`|wgET6RLP=CfC5H4Qs^&=7+x(1Uo%NegYoQH0D z;gmO95PrQi6a_jE^KPk`Pex##7`nf&h?pI&+PZi$bOOAcIX91o7|B!-S3jomG9xEF zbFthz`UDuJh@uc}Qx#u#mg?cJ+&cHdO)eal>b@VnzpoC?DeDKfC0!UqCbVIN0re1J zxcQu_l$<2SI>IXgYj*E!F?SDbj=!pza^pKw&vWZK(sHn@Q4((nOnA<>3=P+>u4x6> z_3wzzTlnSJHBot;7?=3j1<(-qT zBPYuYsL2gQ1PA(+0NX>p@Csc(-j$B8Q9Qs@-bUGkwf9g6+QGu4BouAJp1j(P{_n>s z@I5+p1O}}>Bj%5$AJ>*i!L`6_j2QnlqO3Xme?J4T9~6|wmMRGVK4w1eyi6!^!+FRp zCQA^(j{;4Y{QX599?lnr_kUb~;SAnF$K~&=lcTS^O(oImUym~E;2d5D>Ae_nNh7en zmJ*9Q3wN=vxfAY}-fh+t*S$N&ll&57(6WnD%sEc8ce&j3l+U%tIvXY5H!9MGa?9g& z*!9hr>WfG-W<_~x4nAGsQyFJF>;9hRxaCC=BXZeUyyD^4{m-U7WXr{BTf&2vsqN=} zh>0hAi|SHJv;H{G7V|z+_!fk=-ZW>g?Do%0)fAwBY%5>S?W?NRdc}ZuDH9-}P|yfi z(4Z@29t6U=C@qW8TtmR0BySJ`&P*vFaUMgATRD}(xhEtQ%hD=6UPE3rVACX3qjN7! zso`3(U24}w5O2wm=59ts!v7gw3S($gV6bP2*`I9Mt!d#644XJI(tOjsE{C9rRoA#s zUdz4h9~9zME<}ud$MKN_*-w;lxL%1Ryv;(K(@}AJ?{x2Y7KPe99{sN7nr-^fu}>(| zLfxTe->v0breTh3+JH=kT;l;1NQe>`O};Sd!`b0>?>cEB=Fq0+ zl`QbpLS2ak&(R`XMFJ?p$mcC^N0nl#JX!sD?T}X1IFiOL;;y>CfH-4C!9=b|2+d2o zj{jDK1K$JWd#z_VbR|&mTB35^A#bzD9~c=2I>yQXYY)z?eu`YWm?4qi-fHMOQDC`Z~jm&LrfWULJFbz1FIi!L;)L%ivsY{^n0oBNJokUq57+juz zG86*hT2Yr{K17L@NbBcSRmssQBIM`k3JHgRFl?WnGP_p>#2>nLH z&gWT@Q_p0nUi#=FC6dO`ziZ3QQRsir8(c)yL*Xh;RaW-qC(c-wA{vq&cYogq0 zVjdW_F*3Wp&ySLjlc0NxXfuN|dtUpy4_QnZaf5<%5Q6`nmN@W3I9T})0*teC_=0Xb z>GQx1LfiF(FIjQ?y9{rHK*%+qAl9rAvjf|;54*Dycjh35=&#`{5M>}`cc9m2LwX7U z07?g_GR$=}K!3^veEQXg=RT3JphN~pv=pQO{Bwnfxp7;{)AZ{vnSVYv0gzY_Y-Q&8 zc#9i!=}$-_(n|nBuY=&y+A{NzY@tH=IGWTGLyzUqBk&DoCdOyiuBh?-_DX1-c=K0& za0B3^CGLaobbkZ4`0Ys&hi;7o0MJ-Jl5wYk1^1eqD%E`Ic_*=HcXTEfbxeH;F?F>(Q zh3_n^c<_7ZElPxx(Fz`Ie^CM&Zq*RHHsnJrOgxV|3OREtsaZorqNW1x$FQkde` zecCOuHjp3ed~dMjmqf7lXjl3Qd5v8?!Ly5zd_cPe&_4LuU{WP*`5afv9~8ZAzs?)5 zXc}d2O3nLUTgt~gVXC(pZG!J@`9Dn-s|0kKU-x` z$%D4#lM4otg`_)g-h<6WHdN>pOCMhYIq2NTAbf8@|GNJ!S4cI?|04CR%f_unVUeF2 z;Tig`uwrH8RS$nR*b#HJ8Yf-=yuO{`oXrD7YNE>+s4_Od=5>;msF&o2&dFgvZL`Q> zEtnQ4184g6QStkRu1ur{?ZW)pMf6J`_c;Q7l2<8)^_Hs2BTC7F858KP#A&Dzd2?Q8 zJFLL&{`GXQOhW)*<|-|E?~A=76W6YKD`e2mH}y6t`k8>k;#=@lQzmX@zJMjp zJO02qa~Qb&BpJNZ4R)RV1Z*A`fORPqcD7xg?fJdmu}lM1WHJGRT){NPO%&49Ksjn5 zmD~7b#tiW-$%7*jaxvDgu zP%P!qjjJN9V?arzlcxVvz$cAsv*Lz@h%jCcc=!mUr2g{xPUrKAqZfQvrxT?jDECm~ zl?R?~F|KXyci*Q1NKFsr8hrXn89Wvoy5e^iU+_ymnf69$Yvq9X_B>Ekx((g{T~cx? zr@?HYTj~WA9=|>Qq>RN?GMoBHKVJ&1JV1CCx<-=UN!MyGeJdH-s~Ti+3v5z`Xzb^j zDr360S~LpA`Kx3vaY#c0V;sN8$2GYwxQvQvlxi?R-I&ZCx&3*RA1=ykkN+-NH)0D| z@Yqe*^o7M3m5fJAi}Gg`y1hLSmi-zd!C2th7vjY8?qI|Dm|;|L5G#dP7u+%tgy38H z1+{>bh#Hknq~voj23}M9y!7)odJ0eX9>j|ZJP)Fi>Uxc?{y;vKiWN*B8n^y3#EB+W zT!7P4Ph+muOkP<--TEH*OwCyM63^Y;UK^O|7Alb#7!`zFMb6Fu$L;bmDcwy0%6htr zN`vMm)CoHue)qk%?Y5gIWIV5kAB-YUU=zT zm;Qs!TnU5`6?q1krt_#VK>6bpxiu&tXz~P%dnG#jtTzhn?)&zU#342V@le)8(+!{0 zZfd4+!{#qMayD=1CX)w?c!|f5yt1;An`^+WR45CJ)|)c&u4IY?Gb~TUMni%Pv~GK{ zvL5vq92d=N6E^i^Q>$drgwz9cyYb^3dUXRpfti>S#{M0+Q&~U7z=c^bkR@PJ{jegf zxQrpZ1{$~_-ceBo!?q8Rq_+C8^!S>n>7sbFFXyjDi~IbjjzVwv?L$tycEwiN{_HCy zW%8Upk)^9=02{S_>EUL@y{(V+Y(r@c1I_10GuW26FxPSUrDJtv^=C5;sPC9ii7A^7 z-ktI!8~7+fEm_J+>Px~dhE~+DO0lhqZ@YZ2Z6mn&6C_tUun7m9_}@EmQ8tVSZ*x$H zoSC~(54;D2UE6Wgt3U0n(Jlv)var7va6&OI45YP`u^T6UQtfY??}`_k*v`Z7jGqQ9 ztt@SS9xThelPh$qgGtuFp8k#3E>??9Tjf@{Jqf-0vbSOi%(jXkj3_7xY?boq(TmQN zS|RYX_cm#A*Ahp_4?$|TyMnn z5-n$PV-(`V&XzQ&P|3fC#<64V$kY0oD{cV1H!*dp^H(o7Q4m&ZOqdWB3`i?0%2C*u zvpy@#MF}g4z$jl9jiA3E)~ebDBEc8$e|>GktocaMt>NB&(8=^Uz+GS|;D#qJ}_v%8p-Qd{slh zA)#pReoR&w+N6ygiiBdPav9E+d9#F(_h8cZS<;1L6LMko{)V&IfD&O+tqB~51n2lm zTJoK$rOzTRfuP>jS09>bK6u0jd73~-CEeQNkla#%^p#z}4wc+fFH=v49^rfSE6hu1 z*Iw^;FI@pKsuTC0eUK~-HwqTsUDw>6qj5yx9^jTCM@z#DcL+fn3JnpV{7a9n_4qZa zX|zOv68q1&TF);X#|I0}?~a>5wO>r$tou<1mFFes;Dg~lgMOs)jS;DbqnxDq0FA%R9i!F+ahxPnq!^9pbD9lKN zIaHW6lG44wuc6-WK1j!x4Gh%lFiv?36}6p(VD_hmu#;Q4*FC59lF! zILSES79QhD)l4_AR-%PfKBF%Un;%-|O@4v&5C*=# zXb|4@K3_Jfv+C#Hp8FT5DU}D6(N^skJMTjjkg`#Cmv@maHKLo@zYvgfd&tw@eF}t= zO$6vGFnsN+xF}@^2frqPcv`ffkjvj_E6oNjS-L8Sj54h7H=xv}5!^1NY8!eF>7BmN zc6y7U!47{7HviApKT2~3BOv&a4|>y18tuh@M^EeQCegD}^4P40YNh)WI6`3$|Vce8@`-59Rk8ec0h}USHOD)uTeQ z{qO=G*L{zlhnpFbpCOD~$XmdDr(r$g!9&wZ!sI-`sureyzl%Qj5&W>i3AM#(?IG<- zs3EN{*UOw=`hd0`2C8>#{!gWMl?NaE9o}Ci);c_-D2xCgdIQQDTNA&3ACVU2qM;5U$+7l+#wm$AGod1&0=M}#7jw)+8B z`qaVqpmUT_eoyppJASeNV*UWxM+ZobbD6(IMaOx<$fT64kc!5>dZz7N1Sz0JHI>x| z-hEuY`@3AHTnit(FE9}Zxp7s$7Ga$vpj9}b`qEK!lHJzMu~!ufKi_bDI>mal(L)hRCW z1i(l%Gng5zH zX|RRmDAjl4{%d)AAU*o9!a(1>R;_>goQ3lr5p(5eEGQWdL4UZ7BQS50G6{Se=y^>( z``(ZRiitES=AwiW1G|vj0(=v>i0}~KudLlTX;+paGoHI!DO6I zpUY`M=(O_>0jq9BNOl5K`H~Ql%?zAcGtFj(g?h!{(_OGHYa?mK{k%C#k7qkh0wp>W z*gJhI%-Bmk-g{jjUY$vPi3>Xb!v(Ngc0QHhlq{%jUY;=G= zG%D@H_HXP@%JqR|>BMeF^}$TB@FgKi)o3ZHPIKP=vK*b!`si-|JT_2OrY4fGDK8Ti z-i&0N9-m8zwPItof6@b1P9VxI6);UmoqcsmoMPVy7dI^lAx{-1|KY@7jI%*4Lx*$a zQV8zq%WZDpd)vrOTut4@>qpN1@je|EX`Z#`u6UN+nmAGKzJW_2_9+jVEnhg)x{;+Q zq1^4J^5it8Lcis!pPylM_>BV7ZO=YVxqf-S)?<>|`AFw7Jo_vwtiGO9Aj| z#7czjYbh?gpID^vWe?5ILgn5snj=F*`IY!BHq7(bt}n0Eq|T)&{W<0R`qQ&|;WQ)G ziP7qPoxXjdzQNBz-E%zpuDh(Q$7Bj_BS6)&eqD_|Jqp;L!!9=zX^qNcGu}Hvf9-~S z({E_LPhFj3E)7N!^{?-s#}s(9M)~cgi=XPufRwRL`O%88uls`M8_4m_#i3c>?K%gq z9?OpVNG8+c^@DH08bDeUkc7#M0tTOFloWp^Lm9>W4P3-UAl9Qzh~*7sM5FT+(ggFKENhgNOW3)s?Nb?Q=IZ2bD;zq6xI zCVb6iNz(4!sVTn@ZjP6=UHq`M*Lscra4Wx`J8LnhGgqxzqX8*2a(*XOb{HY6H_SR0 zDbKxE@alZW!tfPsRHgN8E>mjXpJ6NKJ|^YlvYP1rwJ#{+@;jR%)iJg7ttwXfu@4Tt z{3pk&KeDlO9Um<-c!u{0fwnOr(c)$(z;iItT{4&_)r8c~UY_naG(UeA7%xT2p6%JR!Q9EYjYCr;9)D5RxP6flSbbv3tNsa_ zKldV0f6FClGK_QfLe*!!;I!f@hNG$r9cI{Nl1s(6*6_3PFU_$Y=buH2>zP67xp`wF zGYm;9pIS;`U-n7)*v!t+pASIQ4^tG8KW`f7ayp< zXqj@iTj1!9p@afK#IjJWx&jeVphu!MzA4HJxJqB%y_bq9N>QaY>Pi4O1q1^s02?_< zqEGe#iO))nWM6MVaj}R>->zrho?eIIb}VPs+V1_ryX48Nf^R96Jp3)QBC>QT$g7pf z(JSM>^Ah}a-XvfwY9pQInqT<=j0t$K348w8P3l^;21ju`6*xE92hnN(T*2m-f%g=-s2%r zLD?WCK??~t73a8RcJ5ppuAbEc(}E!Y%K$33j|S-DS@jSid)v^lR6u=F4n_xlfmLsj z?9OFgNHr3m1Uz5~y2@njt0TZ2FVM|!b{_jN+V|N;zX%E0u)t2qg(2$jRL(+=!xbbN zqX66u5+OR@V?Sh5b^*s7y;{>yOtKFuLuuUHV7_o>^DUFl#(ZNW2SAhW^tyannd$+c zl!_!FinxOu1?}B{>B$mxX+T5wWo?;)njI5MNivdn3vvT~0H) z_|yW|k!tbT^qKQ496e7T!Vl)y9~#O2hXHQ|Qm&N(NJ_C?4q6S83KF;s+jQy6f%*Y* z4{)JMLJ+VtL42qWkW$;Ft_4CZY^~HhU{-I8MRLV`A+~l7THnNMAs3}2X4N$Sprzhk zpDT|QsWRDU-zOIdzl@UTAfU@4*XyWiJ-+kMsXXn4Je+?NhD|{a%Fifu99FXH@faO= zD;Zw`|H7V1(p95|ES(r~BYZ6Z{$Da(*LxzHOWoZ!mm7I!9I4IKZCh-uAn8st;&^@TIv5TD;&jGfN;0KfL3cWgovTSdozi80lQ_)IA zcE^`MpM>c@VJMAfS>vtTp5%pm`V6r(lDkTP*Cqk{Tpwkk*}=HH3t(K6Y_%N0*H6-0 zgEdy0F)zipE9xt*bOGW=0Ss!jm@%-)tnhAgz@R5;s|jOTIiN<7$wp z*RIre8zZr1#bOPs-U1->I*3PU*y3mc3~qoA$AaXXpDPU@_^Q0Z$a#>-8CXAg?{plG z)L%#kd{ajfa)<-pGaLZq4_@=`$6E7}-$%FK&@_RYAI;uXSQ#wr1C#~U6Fg>)QdM}XV~tRlIM3d*hV0FI(#8<#m+79gWUhAcqn)8_9+cNrO zRs=EkLO!PB;|9RqCInz4Gm{8q;X$TNRqdKBm}qI#n)Vi~wxA|W`|ii zfZpudGZ}%48l_;#lG5PMErUMK)+OgiR!InavJa(tbiP! z^<3}01n}V-gEK7k&EpWbm6;F9j3 zvk$;tVBhOS)b`oLpl9lbfu(C9P~a|b-M(sMR-Vj3+-^>(C^RPJKN{4%*dEC5i}T9Q ze#d;L=Ku07h8n>DF|x04=s1*X$HY8+#;XtJN_G<7H>{n*>RQlJU_sPW491+gz?}77 z5rB@BvjYgBf|!Lvqp)pBIcDRQH-BgX<^ukAm~T=CHVj3qhr&hh7Az1jtF*can}PX3 zad?-Z$og;_&d;*sfiM#I+M>W!vAbZSZ5^9?0fC06Nr( zdgbX0lOxLJ0D&c+F^71r&JzvER#`&}3aVa`?h$bH%vd-hTSx^J)Yn}{q%15O{ML!- z)W5W!O4D_+RKD0sBBM#NIR2}v)hO|s(D~wz-%KN5F0mTQ#nOuX-4y=xqZDE;^Y4x? z+p)JIyZPt$mtAHCZkG|T86r=|e0FO4&HsE2JbUvN-H|||)~%lrC*K;(=K=EvHE!39XGy#a&dMh^peG`VcQc#4W{r`KuSq3oeLm;oExRcQI}>1}O@&Z9o#v2uE)-*@pi z-{#*xi=5_Spuh?nUQX7gtPNzzKY9CGpBek=MQ^Q8FN9IZc|BGB+P~5aoE%tS9nr}x z-P)6WN4{3IrS}3>OSVt6xfxm?WL0HAv z4KW9nZFQSUn9DLv%*N&FU&3&bNCqN^CGdTR6(!=0>`OqVM-oFgo?{?=ICF0GsT0aqFzF2kLErxpM-MrSt0+8CId) z4+|lwMt#O}$k{nPOje(IC*1d-=*HqkKXP8$^1DQs+BUCow92`(+|VAf2(f%F^GC?z z;1e=!$t^T-jW^PyfV{X;scy`^0W9s;+)t-14<%k^5Lk}pE))`uiI|*NY7omqIWA^`a+JHEv>S#c@r4n=2Mbh$i7Mrx9(#q*J3=uCj zgGl^;Cb62m>O-@gZwgK>)mW&makA9Jio|>+a{FP^XUWX3e~QbHktiIeE^n%%rWQa6 z)BD-`-B0L%t#ngCtKn!;e$RXp>?d2s`5ZSX9NF4kJ|JVq<{}r zs4OadeX^Hpy6^E)Zi_}jgIpV3z;>EW2L3Me`Ro~}US>l?7*jFN?xNimezV1qj3ZIo zB6A&OO0XA;aP}}Y+08j^&ZwBT-*_nflmCdB@gp>3CI*oy5P{IIP&p#5#1%vxS**24 zTH}|gUD4aPde`K+%a&oo&kiVTJ@J$DgMb!yxTd}|G>KzV=yO_MXry_M!vo5h1flM` z_i+1v!H5qUw{CM&zQzrVG!rei)aRGf#+?@qm##hd*PdUrcR6Ox8!5!2`Pu`Tl@^0S z#pVLpI)RYejmS8~Wwbf{`iV%?re>FvEDpiBc6Y084%R)zu{^=;pj?fG|f1n7(Oh87Yx100sbm{hC#t?_c*P^mz0H_8zZ- za!Um0u+XIRXR1*ywf}ET^lea}HCFv@LNyL?n4C$nSR~w=Q_dQ!Tv_+ww;d}p8~PU0 zQ`34~0QelV8voOlcAEzMDdaFXKf`l-{rhaRh`K$3J3;>8{ojQokr24Hm?q$LR~l2t zJ17WlxgAqFoNDH_nj}Ut4TXGGD6M18E$KFZ_i3@4-!&+@(SPN-=s>$Q6iLlcfn7&m z%Y$_CLZmExciLk7QtKn>0Ict6we_wrGt1Q=hm-vrz+EyRR6Im6ripw8Zr!W$(f8-E zoRqufrSVR*hjlpy0&^Cc%qTN4OO4e+Y+g#cx-Y!LsCX=h`8;Yq|FNlHd)Cxa{r1-m zn+T>0rJ1nhR}AN!X?0%9^)&#+DaX!xiq4hOGLxcghBgE}IiFD$b2veL)>uFy&;n>6 zdUrR+YOS|tb9TbcJc28GXMmF-=UX#yr3(bP?e{;XfH$Z0m)&{Ll^lT}G?~u5_aqP) z)01D7&5LaQx2I`Tf{tISJ|$Ye<^2CV9sK7giZY}4#@tM)H*3I@qsfV~e4@(A|2k7z zA2|Ei%=6qRBK`N*fo?CRxo%(vhwF&Zd8uPco^C6?11@sWt#Hqib#6&%{2u6c_cUsB zk2v197+~KYaC%c|J#n3#a@-c&6yQW0711z%@;WpxmaxX?yiB~s4#N9=&et5ZcoSyt zw?=mAGkxu#zhcm&kJH+6%I9bC$xj;bC_#H*Yh|Vz{_XY})%f5_r=dZqReyy+Vt^gt zR1aejn~ugbvsjbg_j<8T?D_6sx+d$QkJ4c}KHAv#R7>OL5SToU^)ciD+1}dEZShOo zcETw%&=C+NZcD`b+Ers7ht7WNw)sf9$!<B3B99Re^Q2E)CWQ4ajmyxMT)rRKHsOgL1gK;SsjQjP_?oEs zs`&&4nj7ePcxA=!^+ zP{;9(X(v9&8g4?ZSC)`h5{)9eJ&Nz%roHdn!dbvz#CkgcU!gjEpCHAPr)s&`GV{O{ zfYC74a@2U$f#wCb zEW3!cXOJ-

*K3PaufwAjM+_{y z&9xq2-dF(V=G5dPA-gZ)EhtD*QO2rrJgzqdAh3_q|$S z=AXIcpSWo$+B^xW*20hrD0ygx-r=BD;(KV}tbP0V_7%;$8~Std`vD1PEsNRY=+c~F zGv5|pGJuG$Q)=xm3E#oeYIH+7jv9Z2=+34qPxFbcrAj z`E6>S$LM}HIt+`PuIUT05&>c9C~~e}@7?Zm4K;q*B1EbW*D=Sv?W~m`1wcxgCGN4} z2ermrOnLf>Dy`gpixtP90n<~08ZksDYW_Sv;gBGOpl&lODm%TLaWoL3foo12{Gv_> zbH%-FhB&G$QtWt`m&a;^isHFxh_P#IT@>DPtnEZ5Wm^@UXy@17tZ6Z(B|mUs>r}+E z0KS>sKIrw`$Z-#OkIK^0B3?5N=yFSQ&kXQ2D?r$C>Wy%IGhG+H(;W?3kGDw* z{y(1HIxNcV|Na(4x|iq#LBW>)CUDpYQYM zxz1d8&)l{5daw0byTucx3M^)|bBA~II-*5Cg)X(HnEzOq`@1)KLM}DYHSZuPS(2K|4($b!AuCV#rO&zJ)V{v-mqh)Hs4IcIgZmGagqxNJd-3Mn3Dts@N2`0jVTexNZ8G0UR1s3^AfCblrx9%{F6S#|(SkL4 zw{Blh_o$P4sw{>Vl$RB$uy)~(iNKljgUat_=)&<+Fw}=QimBlSM4TDG#8+9!3W!SM zFgx7FH~HcgyX9v8gHu0XnkaUQY68WseDr(#%Nc{yp&Tro@gsiG?+pNDzX|~_6mO8J z1t=ZUv5A`jh9p!umWd$(xm9avt=(LPgq-*jAeKC@VgPZycc(68tgRziiT^SV8=uoF zV}GJiS^EUD*nA*#SZ;25>$^CH`S)iHkmp|U5?&Ctqf@{8f(7z^y9P{}9`^ z3rcP^_Uh_??!k18V}%8TxQ(4S^QR7WC1}Fnx9HX#AWIi4$+NMuH%Fx5ymQd%uPEu8 z`K)h_q< z8ao;K0ag${^VQ-VYbm$1Xoo#z{dya!FF*IOO-j`*pF)>jGZ#|-GtQ|N*d7h?hfAEU zYQCy^tdge6Qes)%?N5z_x+Hwny$k^BJ)N!)gbJ=mkByksBNQKlD%)?1A)T&CcU*q5 z8m4`SecklPbe4F8aQ8ZA8-m2A80}b*os>zc8Zl@=9B`hy;9ZsTfmdQS6L`YtTCsH) zGVqD3kp)AgqQo76Ub&Ae9zqO1(ET&u;dXY7YH;$oBK@s2P*d4Z=!4;8h;mU<=?4k7 zH94H&oL>-BgTAclY1vjTWWkVIAYs;Y5<9lGv3z~U+QZJBTmt3gjtvmnxjPl#)`wps zm}AW3(MX4Fhf>ku68?W3{Vc2H>92n`hE>iG=HJ7brL5Im^D*QI!t?|xFGyqX3p6F5 z8at*<)i}-1F>9F5j4Rw||tX&jB|18MV5nCXEo^}09LFAkG@ZOCQ8n=@ewSVjMKqWlHgb;%vP zQW0<^*do>OV-KUAV&Hh9i|h3=rm~SsmxK=DVg#w$4Cws0EjZegP7=q%LX{ z+z~*c%Hl0=>8BgJB>^Yk>!*S5w7*bt!(Q9`s4oONje9I!OP1p*$%&hRLy7Cw+}K9npuZ9lp=ei+Xdz*HjU}H()>AQsq)nSpA=DsL?dcEV13nuy= zJ7#`6q(9)`_48>UkFY7rW4DX}6r2f^uxA>GFwU6j7^&@ZgWwNL6a4(fPy+E2;4(0` zxR2`^8aT#ca9`LYckVr3&wXa;4E9#mhbJREO*V?QKq&&s@M%JBD&n&P+d-U9b-3Ku zUs?OOPdXdTOQ`6PJHJ%L1=KHFT#;OT8ka(VNO(q_)NcrOcm9ly&WJ9+pk)5@*^({y^tkR{IdV`n`)PM5c?A_D`3dmbMa5XBy5BCZq%he7+@>>K1# z%V04i#38aZ#%)3IEy~WvZRwfqA9I}kKQhb%(nt7z8&l^YoyUK^yPQoKYx@fEbo~CO z%*VjavxBWoZDu`6B1{VSMU?*VH@`X@#Ue(1ai9_=|LK@L#F+YB)#3TzaYtsMP;X`G zu^B@QWqh7>9&);DOe(}OM4y&tc8oUM(YoH^@`(27aX!OBtRwsMTH}m(COtcEYq^uR zpwU7;w$D|IJ}}#JZb!<|FoKdP<$6DaE|4Kmtxoa#&7HQpn3F=}E8Ne3!bO|3BiI=y zjviQrB6*Ev?$zFTEaDTF;`XM}Nyz6OdP3~fvu{)LX~Q!Nr5=HAnv5pZBPu6xD-a@i z>!et~bt^;phTp%5d-(Q+9%> z!)U25Fx$REC`bCy3-jQnR7EVDHQRp9Z+C|w))fOf%A8uYe7{w9(-Qy0m#ugAuB$50 z7xH(*1GhVcOttKBzw*r{5+29-0EYrv+C74Dfxkl0kzm5AjaarTqU)EI!!s#dYRtVD zzV*?99#PG!(=9Wj0)`$$xU7+Sx6KMyJMMHGgXFK~ybiYvw~_QOfeSRUAc=qv-ZGDd zG8@*_5f6tf3}@+Ugql<#>=;M ze7Eriyj`uhWlqtHmR$E=wFwjFX|f3+Ljn?>otMWS-{n=8)viNddsj0`9ET+zEgJEOo8qVh$+B*0+_Wxr z(Pmi4Gcm(>d4JlHKT8x7pXLB`1ON3eL!ddwbukRtD_~5;;|F2mnC|$UWTf(;CBH?S z!o>~pcIt%B_~G2BA44XFkIzuiVzjg>$K>#OPPQZE-t*t6GOFW9iq*mHJgz*y; z4kTaR@%+NlmuuWZoBNKh_NnaK^$N`Ey&(=+jj9ALc2WjD+DJ_3B^|kQUmTs&bd_%5 zkdi)az4FDJ$CuW&&qz*H&ywtQD@+y1pG5i0W$k}v0?@@bFn5?$;k+9}M72(89=H%m zNn+JASA1RRqKRSN_8ZG{q4q&d%*o9>FK(q0d|vPF)T}-#97zE32b%@V8==_$E|{o3 z9c{1ho7C7vjyS*n1~7xjo$*y-OE=7WZ}zONk!I@8QDG*MjbTEgWUAL<-wu9x9WA+y zh+aVjG_RGUdzs(+ zzV+&u4K(Uc6^`XO@Q9ymzJ9$oPwE6m`3loE_`9!%3-y)$0n)lScnWz9W*vwu!S`Uk*Ir;& zD+;X5FTHxa3u+x_HFZU0Ag=QeYH3!ktsemF^38+k?F;XL~|bH~d>R z?k(hF2$jh>z@)J1b>7UQSao&8gu_=F^^#yA+*eb1URO!&3xtczXcc6jZyA*ui|#da zCr95;_^k%sY!Vhl3CW2j8@ffVP!2dIpZkNArwSk1mLY{$LMTleF1DCOBNf%)&+j6R z@J3jDYC8g(XU7(LD7mUak`(xj3d7f4Olg}8yEYxfSgN~H)dEM2XRI$Bv4bRvx-f%) z#;Kbtxu8?sDMMupP3#-Wo2gcTFO&&Y8gJfi(kxbSR7BcQ(4#X)5yRh`t1h|+IHIJK zrmH3297EhO!IR${aou2Q+i(gllsPNc2&PMLPw7kb+ZzJOdIOYyCQg?aFc|P{`>z|{ zm}kRpBwr!2xMPdUfTk66sau#Vh#k{>3BnfxFpBr2EOlHnVuL5B2ATG^-2Ypy!x>c* z3LIoDk00-Hzx3=g&yi1_z6N|E9tC0=%&3gJU?5>^FCOku!P-HX9gdXk z&T;m>FO~bpTXSk3L#)Ek4Nb9-WD9JyukHefI~%uvi)$c@m-w41( z-J=vt@ES6o@`u4}kU`ZkPuHU&m#^56{UNLFO}~zyme56juG>aGdC{-9{>@Yg1l*)5 zAo=fpzmSx0Zh7#$Q<2^D1u3r2#&~@wu-~)h^y{V`dJMR`GuWbR1cDKdaFhBpD&lDj zuC)<0Hi?++7}Hn&9(URkqZTK(O?Y#B0F2`}=lom!-R|fRMGem6_(^SCT)QdAyTTxy z(ntb$$eUh$ptYBz^*s-^@=qF~wq_m3Yn0N~Q(BcA&=j=9y%;-S97a!Z*R>AP*2J{8 zRBA4T=qWH^kx=M@AErYZ_2L8QE72L-gp)DQuysXy&zirNYJ?=*?0KNyFu4pWds6vb zvfgT*I0c8SUrIbt&(;Y_7=wse(j+CH@%N;EVO6?|nflIhl2pb@dmvP+x{@`eNDPvzgWy-W+wLifUzcEBk2QS`V{IpbTR?;mG{W>b-|p7E8EzXYssIHj>LN? z0P7lEd{CwCv_*} zkA$$WAmv)bM-<|&z=WDn`rYl-7hITCJaOX}jBSuDiB0zmqy^v_DQW)__od;PWn!{C zc(k$k6a?I=1kO@z(GN9BcprznF2b_oJbxui^_&Kq1K62HCFx;}t9N7@Hz{$8p7TzZ zsmPJ$9WSMV@)+I7S1WXX%MqF44sqkJDcukiX%40H*KVM}1tn5+K95MADHu)I&0GA6 zwt)*j5cVp|32Xo>NmJCRQah!GZJ%#TLa2YR8ce*SzW@)BQdPd^^=pDkPuQaBvY-b= z@oxV|sfdYB*r{Va>l{XqN4)aFpzfv3^SDw;4~_lIGCPr$qlTkqOBM^@fhcFOS?TYm zIFKrl30dLJI$~Ud$)JAsCq2`dpS@JRU*SDiY{qVjAHCqb0gl!E55=73RY8gf-AY0a zArPT%Xr6kGl;UsNNu(3&uhjntD?b>|oIYEZ1TA7nMB5}3rhYlp z!y=HIAR=yePqKZzB;}ot3F`?l4PJ2thz?D1Km-h?{iGBYhjh|w+l_k)0y*Z9N=lCh z`yt^g61`N`jGjM3v4sa`S4T9@fwJVHi2e%0yu*!um%KUaXWB}y@$-PZ)3x=ZJvX9a zF$Kbq1RJ)^hQ(auS=l>eQC?7BN80{H6d6;{o#xg1uZstMYRhEqeq5PG4K{pTp&UuM9LC_)kiIJP=7Z)_;ib#3?aHy$~Q2irE z!+r%6C1}Q9u^uKE)5S%Q7T39wcao1QKly|QQFi~L5fH?~=_J=S+;zQU7k;cr=t6*l zj}0tIHjlYOj^eRs^A${ciEG!i8b-R0TU_88O@FSR!~vftzQX{FmK=%0Cs>5I=xh|o zKf?#p)~z7cy&PffJ26lFgT%6lo8;)#c<=)*+sYZ^7lwHI-i^0~7f^~IX}J$`^;Yrt z9Pg+vLjNV&1xv{3=*t6#F>G|)Sq<`qS=X<}!mhs`mm3b^a_%z4TTiOv3oRs2@xwU0 zbS6Z~=?1XGE}VaT{5 z4tA8gOe|)_o#mECKL;I$WmP>${l6bLS_eZUH>gY|cO0t7WpTgy86m3kKbVh=h*%%Tb;ak(AVyoNG5?;8YZ{oWn zGk7!0XRL)# z28+V4;R0BrU-1=$M9ng?=3k%n99dqhwd6mLKQRgI)Hlu5JYg%8LKC+avq9GVFNYY9 zS;gR~-&1J^1)pIm6+dH6%-R-vh|NocPy$+$jtk_|aFTx^`N8jV1fvUDkneGAP zwM_ZC?p6H*CwV^M3tT$x$y=(LNtlnQ1;Y};O4IN?H@CL}3MG5)`hQ-4Xl5`mrqn-0 zS(O!(7qzm$|Bdck%QP3?L?;$^3wLo3f*&;1$3 z#3t1gI4mL?NDxwM3M|i`UnDmR2IL!WgAhil47m+nMc%?%Pt?FOYC`JapWhuNx>YeX zG3o0RR@_x?8Y>sR(NUGHsF}E$NEceSugjFU*1iZd-Ie|pUBhG-&6lfhY>3@Toymd8 ztw!Pf^O+?r*lv!4i|sLkMXM(oQX~3NR+Q84sWK{>9 z{-7p?cP=sHg7kXsmdW#3KB`JOBK3mwWS=vz#qr^H)EfHY#0MU(b#m{^>m#;VqYSgf z{P(w6!!207^2S%?N5;i96sdk*M@TuI5X(k(QDtB=MzDp1ZCd>fuM5?u9Pyj$@BS%# zSVybpMcw20tNrRF9Z_QJsfH1?J!2%~y|&4u#@ueFcqnpiD~(^-E6jR#LxM&_MzSt` z^{)o_);a|muc-4(rJH1G;KX%GsmF`EB@dg>ty1#6_ykt@zuKclBJv-5qE96eh;}17 zzW@BpVNTSn9bxYXZ7D>gGlFVeMduoW{bw_*sH_#rT*2p;kio5h*!O({T}fSr%gi*| zR4rv@AJJ&>?aY4K%gW#=6l__#NbtX-U_E8Kfy-+gm*f7vx1N6{MBRtaS_eI5N{-(y z{wf_7{D8Xo3V}>T*W^S?j#PEYQLGm$TG;;ulYF|;qQD^GuW~s&wUz>!wFIznTyg_R zS7g)6w%A0JzO>ER#UhY@2x$eBYAc{vYPQId_WhVa`k^%=Q=&WyO(ZSnD>kN{=POQ@ zb+_*C=4G)0GPK+EsHEU9wMLIHk}Q_+k4EYIfV1iG?I8KQ8U`M?G+C9Wg)I3_yoIDu zOewcfcB#32wt!2$UMiW0dO{3RJ1T7mxmudE?#XJ;kMX4l839Ja7gR+lUo~ETU+j>5 z#^%7fIs07WdL+!A{sb>{)b%s|HpVE;oB^t!@3Ymb$@rCCT(xY5U3N{P4s2WpJ&O#8+5+ zB-jq`Lm;`SVWZ(oZlNFWa4}z=*Atk3b~pVZB8ZUes4<@AD8t**iftO+HxOz4DOofw zP}P)R{67L-4;8jd#x&Pwr2aQ1SYo*Kont?7FPYyoH@f{zomdDLp$*c{vB#*tIkCxv z=$(*z28o!}gf~htp47|4ht&+1_*ZY{naP4bi&@DZ64RjoX;FZ;>#{r`;OCh>9XESF zc4^%7k$8xHZZU%y;uOJ6;;_JO>&`>SAHmCxQx}cx%ti1njKyxKke0n;uG+L)d$!iA zHbF2aPP@eD&E>%?TWAy+%5*Ge4hJB=#<&NRPSq9SGwHPZ#h?UFJnnl&N|a3ro@*A% zFcp4qo8Uy~bsyW`vA*&#&!f-UnzL#dP6QGesG zq}%%^vCpy{j6U8|>nS1`+C2F6|8~HYo;Cy4%kB};69dh$;zsQ;Am9Vy$@1~ygAG?8_-hG474{6ntIYWvKg^|Sj#JO(ydG}*(z=;p zC|m)GO{X5SDvJL2RkV|z3L;*uyl;z*^km@PBgbf#Ky%8p}lF0>({R307CM{|(6q z*ElD+hK`z+Xbw(&`wwO!E-nMtOLT(m0_iQeXC!4uX(LEMiE>2m{ z>Zg~FNVqm!w2uZ+Y7=R&In#`E_W- zgG0B{TJ9%iJ$fieI5i&u*9MEbD5b=BlHfxd$HV~?=gccIjoW}k@#lh5Mq9wK}?0?}kI9hBTJO93XkAdFv9$uojs%!|khWcYya_iU)c3?7x5WUL1ZsEP$Pq z+=)0K9Q>7MNae_wu{*+VUtdQ*^-hj0_gQ&~zhbBr?FvcuJ;^dq`Nzw0li7L@@^8=m ziMH@p*j5p;B|7*T+yzBdxv=2JA@ck0*5k*eo4L(i;h~F4SAQHHVnBiF)*3^)^LqOcEj$--1oF7k#pLYc4y1~0}-U;&0XH~}U z1d`z=1?i*j5DOLH9#Gs`Ja^0)0=7};|FtN6q$&&8e682wR*&xyTr=Y`MqjKsur>6- z`SP~iZ|Si3?CX=+&-Xi>Nf!>8q*48f>DYjU3)3|+BOfPa6%Cq(S}v4zsL z-9Xjrx3T|l=WX;W!?=o(`kkY6I2YvyYqtD>&}6z2%(QPbkUkI-8QNHy_=6PntZkFO zbU=SX$nN^xmRyMvufu?%lW^EntUR-~^*?hX{7AQp@20F}m(R z?#_haO|+a^ey7DUwdR1*?3?DAJRHX(TSRHA!%kOBpT{M?g@;oIsMOSM&#NHDfQctn z_XDON0NWFo8DoF2s&Rj?7qgpxAftX2Yj7#l?7be2k;FEPp&30_b=9ckIru%O!hXze zRlgt2xsmoOD}_jz31ahgLSK#k;_diNuyV)TYqyoV3g@oZ?)mKR_QFto-goV}w2*sN z8C+y~5UlSD`m^#=Ls-X!+Ger+&z4Ast0$YF^K|}hcp-B-vQ#_Zd#VaS({gAa56ChT zRr*d&6g}d#&J#&tJbzw{H-gu+WP{;v%|y<3$m4RfC1g~q>Y8J?bQnIDf5ttc*O|-h z4t_;g`}F7hzP?OkH894?vwRxu=jByEwDW%`^%}^^6yE%WM3Ly0ShPj5Uj+z6zhGld zW=mcZ*f6mg`Mqh8Oln1a&4XahY9vI*ytH`>TjzesC18Ix<5_r(B#r_a%rq*?Zwni+ zQvIO%R0PkCMkp}j^pZu7`3DcnOf{|XxX@`lR)}|#jj?Nq$GxQYwOqEpRPj*$UwuMQs3jN zqM{_!Bu!iJ1kL8E>?*vDjCZC>=DGOcHWT>lh20S00~Gg0y^Q(am1lVwnb=KL`wrVS z)=1$fXu*CKyB^!>@#jG}lr1)EZhVf5Vxr8@YFMg70^1wZ07Uz?g7LZNfUw8$_ePJS zp)K4`^W>sH}L&R1;iDkpKi$}XPOq}dR-2K76t{>v54@$^f`^Ey z39t}=s|gtqM8n%wit{ZQ;Vr`b>|Yk({pyiRpbEC={t63$r8rPwkqJ+F;z3mdrg zmeRRxEP}9dq3+lnHnP=Ma$y}z!IO8?lh}5>u&J7=Xt7LxvWK4N5yO*7z)e@xw^LyK zb42EGD$yxPYy0G>`2+Yf`al*9!*27kRQAiu)LmWx7Gi$)J0piysVI{PS%#)WI)ikt zt|B>oB29=?|G%$?3Hy3xC3Ksd2oXQIT$V&6wY*2U2*B)N##R}JCj|`sxzi>9pb8e} zvs~+pl*_9JW;f|UDyzc|1^2B%E@%l*^TUp_KyF6<4STKKM7KyRVlA+gXo84U9@Aze zm_aE69mx^|bHb?3fU|3JGn_I2yDCeEDj)I>aIJ_+=zS#8z^U|A8L>>{&>sbiEjd35 zvWnZR;DE;)oAm)y9HhMEfV-iUI6yekitQL?Gps^eYXapPS}&n3;LBD3JsqzP!5plB zptwQm<9}R6oNq>&{PQ7|H;uPBJ^9{+a^hm(Qlylh%_#8nO=Vi7_W$NQCvf0q&DViU0foVpahiya|XR!J`ln~ zI9pPt_*2C<0k)oFQ1j+kdWhbxq##5pg8ymsPp*G-l8esB`Ww;%U!I|qTR^9==ah^` zeF^d4>|BJ)RU@S?wJoB4MAkr(i=|)#$uEA=AP<7yKgb_upE2m{@v0S1@9yZUmLy}1 z->y_A4=hBA_lNQ?=N~>3GRF^clmp8@KCe$Nv+I#1D5#CFS!*TAs7wL&OmIsbe*=Ad zw#rVct<)XV*UCww3d&COiANAYU9OK;!+ItEj;iG9g(gVNjjCn2b`!sL+fZ1a_Ze4Y z=t7{mkt7>4mU3f?|FgFH?3>I)+S_J5(LexSBi1Bm3TzJNobcpntfKUS>tzn80Vta+ zCQ3~V<2v=aJ^|`Vsu{?IM`DMXftde|o!!wwgm&KJQ&sPdzDdbD0r)rK7trEtAswY; zX1majd*^1Qy|_n z>)(dF)Yru{JHZP6(nnds6#S+*S^ZrE%|_g<0ri`#)tlne%`#o^lT$#Zu5!exP(CLX z5U)Jf``L?=jFvbkwX&@!-X|X;+!|(dw{c*$Y@@STT@xjNDc4G9H$__Rc8ok)AS+`! zwoiOIzbYL=X+UbixQh9SgGsDV5=Dl12>88(RlnKNQJ39sJk!+)4kL2=`hC?Seg0u1 zed=t3_~7n4=eQewkS_N1`KAp5<#ZzfU`36sTY{l)xyWxj*g`!N_6h^pF}`qqM38Q5 z|7ANJCGnA(^FGgO)4S)@@ri=}Set8^}Bt+@0^P22L;U9;`sC3_VRaEEEMr0xRVrd;N*L%Bq)bG@M|GqWN9j zOz`5~IO~P`rzr2Dkc{?ix6TNhtuk$)JAK42-;;pl2ob)rCpMA8I8btz$CX=jsut#yj)(zaZ8V29s5snoH*U3owO}>A(ISeshi;^GQMcC<)KL;i4JV+7R zu!RCQHqq%8%j>dM*P_Xe@m|C8jdqvxt!?;$2>pO+` z@Wu@%%_xkv?EN&)&H9x%6g+{5m*O(sK7byuUgfJrX4$Bh@hnGo4GDs)e+@Pgs8g2!6RzxYrv$AB`y55ue81^jzWRB9Uq_K7d0Aq?w)8qS25qkkFoe}$Z<-Sv=Sbl z-kA8v*=J5_|NeMPnMI&Ep7!tnS)~QYs&h;}rY8FY-|^v6gCj-X@%# z^9qjJ{&zekvqtF{Eb_mU->PDWdDL~-(p>sm&VM6ya2mC^rTRVH$PbgBT0wW1jPjKZ z{+NB}3PG>O?9!BX-=Z!HJfgT6@%OhnIy7?I!{bn_?|)nA*a@h13;;jJm+bW4dg>$9 zN_rJ;$o<3{an)FT2R8hmPuPF|xHb)Dat=d=P^avb;xRMZmBNS~gq-5Yy!k?I z;0v2peovfe#}C?BfQEJvuJ#`3ymB&c25O?l)QVBnO-Ob zl1+b4Y(#QyBV!7MMgBcehXbq0AG&=`16o4McD0(lucd-Ch>Go`}SJ-<|(Xxq*A+!bp&=q&a6iBuc^*Y*#SQ?b#S7uv`5e zPSD;cRcgJ7kDvE3iA=L|8o#9{gmYFgXmE_2eZNw(T1`#;$N(jjny?`@S^%4he zX*v0@scR>_#BHF(7!n1*gCR)(MYA#vmX%bnKaOC{_DT!qdS_2k^M@i@p?dYl0zS#T z%pqjfbpDw-Cwz9D`xJrivxX&PMj~e2OHWsMnoY*i^(SLL*6sHyN5qQw&AUP~#GuGf z*lMk?L&qJqjDamq0oXkAxwkmxgQ1%H0>zjH}hDl6DNjJPTdMw5Uo z%^}E*-XlZpIjhRfEgY-I=1TgX_XXLMagG6^RVPruj`@Eg509*AJ)XgJwEUrad(u>V zbIg+m~?95iJ9ws}cWq zT=g%5B0E~*RwUC;l5WNgdm70m?Y+EoZAwT>>m(u|?Sa3ShVP{|vf>K_#R! z0|Qsf^s>qc2@P3C3_hnDk^C&nBTRM|7>V@S2=LP2-+Zg;VET~r;(s*gI_wngfMUPL zWkRUzwzJ#ghg!t2=%ok(qDg%S%?c^_>HfPwVPs=Qcu5-0mHNQ`{ugH(xdw+xABXf` z=vDnJ;8m}y=9FzE1dBiaHfZF3M+3&k z4bij_a$#qYStbqEO9FebF(SMi%wT@V4p1Sf6@UAe-rK$aNs=%~Kq)dp zEO?KvaLwTUhfM)uf+Nsjj2pLK7V3ZwvZt#b<1dluO6=x&^~(*vf{z+5+{}6WcliX% zn4b2!Y!rDJCsX+UPQJ9sq_iC4O74o*g|)pxKzRQpJ+ zl=M)>l>n9cB36Vhe;^xj`4^nqg9Zhb6g1d|8cogu(iGH ztlUw+QMfD0J8=K^S!CRxSYvO^fJ{COpb+vh85Al(WEt{V!3`Xw!L5N17X^fmIRIFI z;bSh`f}m2RssCNb5N@1nuVpdK@21rC1NDo{TC$1`1(zAq!VI)4U#hx&>svv<(CYCk z6XxoJs{N$6qEZqYVb~@p(zV*IVblDnz{R9d;HcKEKM$)&h?0nrGrhSt*%*>PO6If4 zVB0pD=Qo)DczsMgTjmB^EO;7TjQ)djZ7aZnsl`RW(wJOi`JrCG1464x_ z24{{g+~HM9xwEf)R>sPXW=eJGX)_G8Af7f^3?I^Xu$0dh!;gBq!J0(j1b29d*(=uh|J5Cw@n*2?gWZnPMs#UaoAPa_ zedb5Wmj`;&yMR@7HzFRF#lK*^wV^A^TT)I_utN|uNej^&C((a+@Vz2A{d;>(p;`9c z?Cb&vU-J`XkN@Wdu$;Lp3EPlO(+x-!G5*UtV?QYqmBdOA*54o6(mx%&m#-VCskygN zkY(xii#t_HpR{^sWxsJRBwmLhVC9!A8dM@j%59jJKipqD@YeFj;d0u@NaLD5lS%#@ zmmMah&?`#OCyp~c!Jfdq;-#7J&6Bf@Y)de=7~DSaJx`dU_yF6}=~a4^gEyEV`{5m+ zLqBp}9@Aw=5k-Ky;;Zlww3uNxq^TtJYVl}&oF48 zkVQ`)EL~si-}(D`4gj3j*Lj7K_%tP;2zHE1oL}wFtvb>x3EhNTkz$q2f_B4Ya$FPI zi##J`*o~h+b=;oq5+{v>1@!jDk71*d`)+Bkq$i?0P0#-DYJvr1H7P&ZXIro?s{nj1`FAW~ z-+fiPCjyC>3^GKhn#o7%IRX4I9PGcl>r)FPbxGhqxy)C!8J7M%3!Cp~4%d|~`-W*_ zvZClH?ult$1}Pt_J1!9JI4%2vYQl5m@h4-l#zHrZ+NGIBxYjx8HG_6sW$7QT{X4qh zcAh1@6v%Hvqr*a3%EuGmnAG<^ozbngi366G*X3>tu04uH6T=Cbo6I4JXA?7@txBa^ z3*~{%AL9RJd4x!~-?0%a-0XS-eoCBr38(Y$p}e&Zb-42qI52$N8*u~vF6G4nwoHu4 zZ_$|sV6nO= zaC`dFaj{O)xb6;7uuxULek0~?0yWHk*szbx9ZX@@ekB7Ozv)CcI4d-;TYqnYME|TB z(~f)-GL1$CkEeK+G(K&=6+~kisj4CW{4hUKRH{rz;OPnH8yVY!Rm_PG``emE?b2n& z;z!#Z#pkQV6VT8+BX*K+|0EGfYme|RAB1{dSPh4ihq118ugU87V39f&!+%rUqfb3w zd>8hwR;Z+*auwOj;^w}3n|!T7i+TFzCh=oW$&mQ^c+o4D$NSSeAY|uFQ9h0}Aac*m z?$!7LwR;AIi^qN8YRkPH{cVZXQwopsmuC!re7$wSTQP+>ULKQsq+0BOwXz%~F^EHq zu5-Eb%|qj!GsfNHwqnfNHtLgJ!FS8A@-vAto!i`AU$=0eklaP_s(Bp$!%IRsfHo;0 z^}NQhmv!B4>n;K-@sLffp4qR1w{~AQ`qF3Y_AoSm`CW%~UZTBv8e}QO7SjUrMp_rnbIzIYa!CA1I#%5d{A^eq@;{-mHh4Z}y32%^soWi0$hbuwr4IAQA&!&F8vl+BnF_K@y5A zPErmpV*@oLyluInB<84E5wT_>oiT%=Wxp0&2*^*6thJk;Df}v^PRO(SP}OXPFfi6y zqAM_R0ynY;S(*;Z2ZncB{p9-7hv}dU$&s^3d9rfSZAu7m}{t zW)hH}mpPoyk(~$kgW{%RoHc{j=<;yM&e`s?LI~2s)3b>ZYeZ1Gwe7e1s?Vw9ACmyp@evdeSRU5<*c67TVlB-s_^%a) z23x>R)y#m$L6%CMnsaUaDmqnsBDiAvr`l-uhCYJ!M4Cf`F=SvAN*jqF6R}TlfF=G9YwE98|jeP>QEjpN_&s z7`wrzx(7IYmOw8W2ds4%1#Gg!;GJ9y88MazPBv&sja~@2J8;`fT*aY_(^n4}92S4_ z1A=I*-}#ulBEyE{q{+bhL%a{{81LchE!q0qu&&LHCAKe%oZNont;xVJK>sbS72YAZ zq1lm(eyoDIWncT8TF%zH|2W^D)q+7)1y@7xK&t$@YVzAH{`kiwpY1-A$J6B227i#~ zDA)&Nr?~5?VfIL;OQ6V9Wu1JN2BdL^eTY*Hqn#iVz8yHCS0!9iu21&>=B&Ap_ ztcuU^uex*HD&h?c{8s8-E!fH0Aq3JP6_^5WlPs#QAHoc~m~#1=u)2u)tuzN%)ehg> zw5}CE(p7k$nCq391_2bB>advbeZ?2uv-9`>Kw?9zH3@up8{qEz{qsII5(2f%m-fW9 zZqkm@H(0s%3Radpb{{xidO-b&7g{FXm$n>iOJY20$y6aF$_U4z!X#65;Tk$xAgclki9EClBLF-)H%9XW zsT+m%ahD4bA~` zM@}SnqT&bQ}Rkh9hid?~TgMWzAMyTktNgM!mXX4uA{E<9=ATL^D4MTdHT6w*2ut zE!>f!rcqs!?Dnw!?0vk!9sBIa!uo<}*p2A8_!4Ea`_qQklJK2R5c~_MOeF4>s0HSV z{}y+^)mgk36FJ?F_~{RO(|y^G=L~1Yux=LTKRfh0OHB>Ikr~#> z&Dh$+tH4YMUhO(U3{csuoyyvs%z@XPpJWOE{m33NI*hP;!0ba2@HB>WE85RCo<~}% zNMcfc{720lQ-PZW`V_){WHTQ<>DgpjEj@siixfc$vqm@I4|3X*@PK=K1g3N-KtEN0 zh>`TqA8MH&tF9;1gjK-}mud0qd061x{PG4EGC|~`Nfb+so6r^IMzxzkA4#{#b$Jg( z{D|1y;5Ayy)8kzMItQG|_~p^^)4!RnFNDdU{pPOwi%<|{NTyKZ_1c#Lm)W1k!gB{m zpl>B*tp~6P`~5&-Muf{oTB?Z%uMYA)WvFTP20Z9CvY+mM%r;iJEF0fm9;AB^;sJAo z8nlDBst_OX+k9ZIZn=4d!_4nI+1K@4&u~1$!M7K_CI39v%!wWX=x`Kt<(Dq$DSa82 zR5?}&fPF9G5Zbc1S%;ED*Vl;P%!X>m>HC+kBhK3E;o#`ra_j@z&Frn-xOHIMa8l2g z?)DgU#4jOqHHS6&6|(yLinR#QHVa?a5GLYKy~Ipq8yqR?&dh^nfk;1gv~bY3D{L&| z>CQKzeh`04a*ksukSMb!>T$>$w8T3vcmL7xm5}vPiU;r1s${b6D z*A;so5XtLzU*q_IN8r%L;B|ydh*TtwMaQM0?QG5Rfk1VNx06bvLI$1I2FR>ya2G6O z`#2fz+wl1_3Zgxvi&a~_D>XLKDK+-@D6g1Px?`{3>pi+Yb^SQU?yQ$+wN1lA6YxTH z2$aFJ$N5GJHz-y`(l#Oa4L3-LI+}#V8SoRAf^Ozw{p#I+^wVGJwCImUKvpBxS#wcl zIY|p}NcF&2YOH+IS=aVS-ah;Q?{31GWOh*MV~W=2qzpBEfP@6Bmu0@@FU8g1al*~8 zH}-E0c7NJ;@Di+o<9m8vPL#+%-C7?EX(rQdA$99Q8`>y0QK=uP?67axIUj2c&b z9Q8j|u)V817;F95Q zt^bypy|(B^C+2rH)HE?Nf%57hmFG@nwE3?^GW4f#Squ)eE!*Bvsp}})KGj$b**~Q0 zFOWzmuzv1Ut6=?`q@am~h_-WJ9&y=fzyA;4Shp5&WV(kvEa_QYwF@6dtq!|(hdjw$ z)5Btc>)mXfVp+PnF8TrdMm2JXm@)}R#ind$F=Aib*60gHT)Rpip9@!=Wj**|cV}G3 zz*@`2FZah^{g)n!g*mRSj4c^8DRN}Gw|0g*ng_q)d1k6q!SbqAW)#;~u#^lsrI;ar zMr2v=Sn3#bzbO)Re>$B03ATq6Bj8ENMLtIu#IK7s=!vl3=)fjCO@ePPy5_s(xn;fO zpuqfeO}YuEPpVQeSXotL14g)^Y^ z`f^R}SzB0!WI9Jx65krSM2qN4+n1CVB>E zu&sN|8QY@62-C46#GSTQ=HG%6qbgm6eL!I4xaKubfi;cw7Jtb3#Q9lV-;M8NWw3kw zGnN>q{xPTz8V6}Du@wvG`h)dnX`>yaW1GA<6-AbDRB9^*Zcr;{F{}mP|1aPMMOB1w7^8;+C|aw(T0%00RUF?iSqLU4taZKyb+57Tn$4-H8ARGC0BA-CYC0-Sahj@B4e+ zUmV8((=%1wRbAEBS| zg3+v8U6Ei8OG4jSbiM3_XP_7nnJ$NBmL}@Tws;gYif6IA9?rYhjPJb;Xva1x3JHy@ zLRXKF(XkFk^?k;u?>V36uyp3M1jw#$9J)n5UD+r2P%8*8KucQTer&g*=CCc&m0Ai< zF$XNKq3I2XwoJwNep<>~Ad2!YTI?=GGqu{CMJyrtoAe8Sz{xaFPAbfm6hpYwqFx-# zA+U85iIfy`OZX|<7+Mr>gF*##6+FXXOyZm6^2 zj)3r567M>5cR-RWP{|78{8)FkV&#`A#D7`bOf z!=d2GGu~B6z@jgUv+wIwaM=|=L&jJv&9~qru<)R>mz0a<;iAMU+%pZ#w0dyV6=6B5 ze}CWk33TL+g}>RiibZ5tb-?J52>i7#&e<5TXEK-*g zhBjp54JP-!D*3>Di!5~{TREQcCS)NU85jrRYDv$au@69t%Vizht1%`F*u12EE>)noCZBK59a^cB%t{E+0D310xK-&*V07R32l$AkdWCmtV5tH?3edkZ>CaZN;m? zua|yhPy`b$TJU0lKJaGR1drEk60uv)G8b{E&Mv-rW4VJi7iZ`$DVXgOFfI5kV(+ob zNIGSh!jxi<#`se>k?2=7LIKp~&-Un)3hbuUxR^7-G#YOBtCBL2gJ-C@KYClbwqv(i zB7yu1ly&01&X~r8E=LI^Rk{iz)B>Q$F~ZI3H;$NVIKA0`PZi7}KQtm<6Kb2DNGYU6 z@u|VNvUQk8mB|9q52?oXiH3aTF%#id8#Vig}&Us_0#XkTBiykOinF?4Ax$)8p-8>_TIi_L+bA?`DVXX#$-&ah^GJre zmax((9dL)3hnLcg-R|A_O_T224DFcvN)HNb39G(i(Ca0`)oWU@NmMJk+#rdADgCHi zbxUAkf&q4FD&-*)o{-(tFsijb+fF$6M4^1^wTa_zp+ozL64+`)!aI-5L9_CNCPKoT z5*^O5xL{+C78t)?Ej)>Xe|5&1eOlqHwNb6-6ezS*DOD!Ds(9}vdF_y5P1X4z&Aen5 zMy61#dS6Zj!hluIyItI%1AUK)y0+nL)t>ZZj=bfnvs+nA4?iwIS)FO0dx2O?|QWZcPqKR9DN5X){;$g8@2v33QNHits9Ntm3Qdbp1J}F?66@v zCm<6)BT34F4`blhDL955==tER!~%D_Wo$=hgN-a4n3^xo6!xB!&%U;ZEpO_-pE8QAC4yTFma2_e z!Ph4s*TXT+;17vNYKm!2`{;6}X;(h~Fu=87sbj;Rqrjj3`8D(rLOu@uX2uH#Fbfv- z3{FRmSnKg9zCHy7afP)W4sB`0=5xmywWC$_)G}V9Pd;kJcwD^B$YEg)3zAZAto0Xl z7V+%C2Lp@`<4nq1Bk%Gw5jG_#fC4<{KlqFWiw{3Oz8$lam6R7hZc%OSnQAu^mOA9k z?rXfppdwT04e_H0mM@|+1}ZMb7n_DpGsjTt%GE;l&N`&{|v&TvPHSA$TZp{%(=N_5^_(yVQJ zY^u?GC(Y9lNxjk`ZM0|0lOOnJzf;v*1Y{yJs_ z=Y&tme#Ow|=l>WXD@-`&(i>zBZ9;ky(E-)b=I~U!>@Bz%?I9GfEC+Up1!g!)X7C3{ zpoPhvb$oinS)|h~ICScKh%X2FdxX(h^=wONUmGBYD5O^1bp@{;H6@?dB@(ny-bNC6 z$*0}s2Fuep_yA@{<%bC2B+U?zX2Y0A#TS9vk;Y#i8Qf9WdT(Pt0Mnz`yL$zTXi{43 z(k-W#~#H*Db%2fwK=@Ov`lh4Jhp+KQ1(HPsh&$J}#Y#%)hkL8EKesVr8Oj0cUyslXk{)Tp#uGYz!Qo(u)wk@AIprmaZ( z=$bJB<(!?=ZI6pLPLP}ig(ZNbueFGl@V&`VxsOvJPwyyfdqF3p0hJR}623*KXV?*> z2eGd^T*3|LG>^|qe;`=zJ?)X%dud`4NqZNZafCTI3t_kziAG-ew3FimhCCn>Td2C5 zDmW@ZJ*dFVHCtY%of;uoFt>;-KtJ@7J5#EET<&}jC)J5d=c4@it?6?Z2F01m*@vqp z6P}d$8iQ(s@v(&9^q=~Pfl7K%rd5x63TfZj`uBBAcphEq^AugQ4XtSy8Aq2XP_y{IY^lnSU8$Ua)4;aWPBUA{ce+r>B zn>Tr9U^Hxm?A6aN9XLRGgWio*H$b8X8M7qD^{Wo%jV9-nCaSZeFBzi8*C7S&=P9|h z1<_5TVzeO;*3%tXBHm2UdtQ1S^mO_b{7T4^{ZAURM^F^DB$j~WR!|6iB4WUEPjXcL z$4^0T_M0sAIoxk3sB}K+*m&@<|2;QgKVHbj8GsK!C~^@m>i7BWyNACEb0GPYVOkjo z+RpLlv8yW@!QB_60}def8~0}!wdThYV7M@aAt)M;NwXynV<5cgE;IjSva+svYlgb$ zv#TnpTP1r+hQJul&Tga511a5a%cj$Do2PNsS#c^>hS)>?au`;z za^$Kz_23NguumR*I(3joNepd7h_S8?>1n@rlzhJs0ZW2T?pO1*a>~pJMw*xdR*ds_ zomO0^J4prxN5MCqBbXGFse$x5iMd%0(~zS9WCATjwVWsnxywq!;*9S70!ZX!HIa4A zJB>6uY@`lPZf8+&(h$=H^emb7x+HNJCTS+L97_=V5WprvTcIkZM8sbO z#>M89(Se=3qrlJN^+L=Sa^O87+R7PwGxievLFv;X7tQe?+ISXmZD)+QVL^C5WMw*k z3u+oRNctVZcY?LUwQ=5x{ciCOt0Q+g0%=%yeCQ2^HH;~#E#C=KaH`5z4As%l%o~3- zNzmsuXLM6CCKT{nVp=#`k`v|$#rX2wh(n4X-#$)f!cwQzo5Kc5j)mfs5o~8_F?E{x zyh{OMF7Aj4xJfQ@(+^UP?Qb4|UB%d{>${%WQqvX5KZt}TE8!ph;8}YZ?C~VgO$gQ!qo{=ASz${kp7DunHb-BakK*lUvAO`UO_Iou!+k^V@kCmEFX2-l)y^mGBF8!o_hPQN z?RVDaYfJN2Qi==V>{{jd8D`F5uF3p;Hm*7?mH0-BpE_i+EJpxYO5O;royeK=m=QI) zf|+umhxzC_aMfDzK&SIgD9W^MF*##O!mdxfib0kWtH?LYfifXy$f^b=d(rY2!Am7{ zx~6=(ckExBim)%(_vu77mWD7);U6Aqe#LRqNY>A zPXkn^#GH`=*&T8p*|&_phrv|CY()j-!xnILz!#$2nN?A<@M9As4`5ZJ5Sqc(yKzc| zG6sdD$ee4zg>_f6=zhALW0ZYC)@bT-PMC_=&-|>>VjpcU_B7@-I=`_JsqM~}AvFH^4Aa!O zO8T|Qpb+YvF=uGHxVO#IL@I~xg13hP^rl0keqGhS?hVd~xyjbAA*qDzHHQv zZ39oGO9~)qDfSQk36V3uPou|$MG%)?(ZsHRJf+{oSguH=bOQ8Is%F4j#^BmxvU=6{ zsdJ9(4~~cbPoFm1)@wpv4L&{k)-TNG8#iicxcD}$rX(9d(Hw(>+v4RER zMqG+|PphBE7e6J(ghZ+s(#!=@+-G3WZzc0^C$6h@E%r5c?D8i1Gb)nx+o}rB_hb;v zeiT|WSM;L3BA;bVc5py=%zO%Gnw5(WI9DEb9Fo?orv;Wyu{502TJLct+~<0L#RMf4!2nvVwysN0zl;M1S&5H zh1n8ue`8LC=w`g8wj2ZC3R^nZMfivkpTqvs<{b}ZL*R}u(hA%uj2__+(vie~t&XCM zVvFLiP#o4XfE(ELa=na?SBnTOA@*9POfRP#fs9fPL#irfXZ{((qv0Rp7K*z!vyu)y zr3bNEbhb0zOzM`SqF#_MGW9ZoX}AqqgyQYJi{6YK3$-2f;!et!??F!RvtIQho_s3r zd>E5WIkU%7mZW31-^l8-z{P1t5=;D+62q~!)JQY?(z!;k9VswrZ&%%RRe2LrX=JkK zO>F(*_ZQNOF#6*18pAw@{<`iuJOjxzXPe|}1q-~=<9E;gTw-(1mExL%pRUP$hiCIv z>q0noU9w1>**pRn-OsU-gpV2Ra0X9w`qJTT1bsI(dc8i0)$A1H8;#b`q&c>Ky38Z+ zkUsN|dYwfwi@vJ|^b+MIPn554=K?abHiZ4xYnZcb!Z9u=GNR(|4GA{`2Cwkfn{_0f zDIv2&IIrU5X9{=*RX%X%KyIr#IuaxQvSn`PFA`T6Oti*L``xPJ1`+ypcpl45MnVgF ziliXYZ@s}2q3c0fKn9!CBD=ZiY8SNkIHxBkBow!$pcBFPY5dTR7!DCN2&PEDC9CWX zlO_HLr8!EPI`BF~X7ot;Xhs(T1H^vVa>G6r`A!Gqh;2v9WP-FHu9Ar4vUXqzTxlWo zu^J_&_g~{P4%5ruFc|E5x*6O~7SeWl_iSS*m{ph9W#JQPy$B;W5WQdeI`e9homD#0=f;;p_2Ru06*dMHS)i--P56wCri2+`Z0m<0}V_>XMi5~)~cRF9KB-8vNA4X#}sR5qz zrVr-|`G&GmVj-j?oaePtQd$<4A}_DNFdsyRkf6NT#^|vw%_ZA+dmJ~_1e$q@%3P?$ zkaf~Azv><;iHXkjWW5z%le={t7J`ZnyQd`SqhY!)wyZG^y>l@{kA~u$e-AH8DF>aJIJ&Ydv@UBwYa(W9b}ln?-wKO(Y`xFQPbBZ6swDRcl>+$(2|h0CpNpHkYM|! z$6!p_FC;lCbuKCG3%*ot<^1yCpy+F1*18xnGUqVHF?W(6j&qG}%11PcuYnZN8gVMh zaHFtG)X3g}Ao#qlc~vIFY^>J;&^?G%yU?OUr1Vhao=5MSMcRIiQgkpcJ~6M#>{UqB zX!k(ys8G_u^CuHI&B)#q83N;IO;KW@Kck&UZ(^8TOuQ@Kh^JDbPpFFbExv;gdk~}x z>4;Mb>XbRaqX7eX?dZg$GdpJX!fj2!856pNa>@X8m_i;h+0{e%rzYU$8x4WGzrlf$ zc{QG&J1UwUYW)r64v;19CZ285+PKcsNTx3!aQIfa8ZjCPo9YI+O9+;u6FYMtAeB)M zV!TELvDRDTTyS@zB4QG&mWSC5A((|%S^IQ)#Hp={9~Z48N6fxKM5W2NdOi2*99c}h z?P{Y}67poAe(x{~AM?{iC6e2LnQo$R-yeR9z}u4g5A8)@Z8FZfySHR>=M1gP45SQ%gJ*(yvc^gRmti>L-`1>N92bPc5y*4d2|6&` zBD+X!4SR?3OusERITCw~YqP#V=u5*sDY!k7R$|jLIC++hPCXmdrT!Vom$&l43_S>U zgdrz!rIRX1iU&7o*n zsE~n9viH=aNr-HGY$0h#ydQi(Omz{n@JZ~*{_bbx=rV;KbQd1@MEE^swkCRL%&^{Q1nyLpWYFx!tCmjA{FWLexKcmbtYkGA4h6Ntj3US z&}Vnm#f69w%X@9+-N7D?qt#fp9|R#HcVcA7t}`)MIA}|IjUd4yBBWP3%05EV>N>C; zFrZamCxQcMpTYy9FW94ncsYw@?z&{*mA^K-cu6U#8g|Ugzlld?)q}#?S_(fQQ}()m zdXn-yIDj4m>=Ef+`FgGb)SKz1dx%CLQsP#IR0UQr*wsJ%)tiQWs`Q)r+D-b%eUZcn z*fmzyB2bZ%8@qstnkI7^PLc7MLaoFx+-2v%;P};_qAn@ zMv!Y{`c%0W?%L6;W z*8N$6x9WoVD*zBEu01iZZxGs~k7^iq_Qk!b;n^u}t`yqd z>G|9pHD;IA1lUEAj*kWgu1xEdVH{ku3+li0EFF{T@eQQ`#kVW0zZBnU{Uo&K-4);# zP#$F#e;X-YO5q=h@drbTZ_@zzWwU3wk=+!TlxxmPX#xp+l-u)0BXl-xJkXAh=RqV> z;!%%dshQ7om}53NP79=g5JAmC=gjSX`*jmDEO9VV%lFeo+-__m8fRz^LK2TPnW=vj z=!i~^*n6#)gBA-q(7-9qK0zV1sbiS&Q&)2WD%soeI95aC46;5zKw?-7*MX^$GL5Cf z!QjGYRX&8IQ<~qV6#jx1l-cOW4^p!A3pD7d)X#`+7NLJb)I66xL(;vTGT8Ow9W6-Z zmFF?TKH^8nQ(@UAlN|1l4QFcU3VqXshrMR#KphC*ozfL*xAR{3NsjQ+O{;b0*caFa zz0Yv?{TZfMQ`3i(Oln&o)3u9&)D%A2zIJIHQS{=t_Wz=3m*I626g z1kXPZuVSq|RR6S=IOX|~GUZ))l3J>=t8!(6_Z-fkJ~<#w2!=6(KktUiNm8(mT#w3R zK|purpwop`Xw?h^@tQ|XIUN0_vZGU~lXzNc?Xlua*I~T~l`P|VPc)`RlNU@Y0 z@Q!2Ah*{gHcY}HMwY9`42!T5N2s7w`dBS&S#qT`7-4s zT{1S5W{Saq*eo#JTu0^CKY+5Vu3KGcr|FaY_0DH;^7}|29gujXqMApf1`PBM)zTD1Um3rkx0ObcIvipa$d)}MLz}VWrmA>e9>}E-ZhN~8HMU*j z`Vb^r+OUN2VF`A}4I{e%^7S?}fskP^7aIby3b`4`4Q?B&3Rc zlP+8jh}MycVt`V3Pi(4eWhv;f-xP^-e+Up5Cxs`_i1Hv)DZ@J$*2Vebb}+LyjaA)y zhkIcD^8>vYrbJ;0O(Zfxf(vnA96qrdY&fYRJ+T$m4q^8!T3D7tki?(pYaAQ}Vh2)a z{htjJpo+m}>lo4Ua>~G4ospc}gnJNVp47Xe1ae&8CPPvqQ$|&t-YDa@ePmFxCCWcwQ`ZhRK+upY2+m`V}_{S2-%5c5#!v z{MYV_sYrvv;5BbQHT}d>mC-#GrhIqo-uaDnjLEN4vd}o#VQbTWtub%NxTSDkyooaV znCWXxk;++W1TjkS%E^Z9G7iP#dXEJ~?pJ}^`%NUpWH|4Xr>5BwJj)&t{~W|2LOY03N@DLpouFyfY`@`kbh<*d`U0aYIj-bHySWZB0(5>s4;PwMyd?%SJ`3sh;y{Ag-rr}jYEL6j5|9Nt2 zMA#l25mzvW_%>mY!(v=~p~g8Z+xbcbm4~N3UQ66Wb4WMbG|hdNnI zd`wW9>Q$*hx*vPjS0FSb5Qfegb7wOzoV>tL_kM_Ek7(}KWWM>f(81GoNMrU5kzxBX zg}z;T0nJT8+48uZt*Hei2*vW_4uU7yMNgl)0u%k=Df+gZEgT3C9A@~#5VJ5N#CPR) z&E9r|O=asSyq`KiW>HCEMR8b15R+K$t?mj;$l|WppWFju$xsl%1;o#OT&f=!b}ZVN zzF-}#7ENbIJ?Z}D;pz>{5_A;p8xs2Pw|lK(LJ3VL%S|#CaepNQbA19x_V}CWsg}RO zecSz9_D>5sG$d$_FmP3yiU1%NBel$*j4TjJF!UZVIbIm(Zv&zmn14SZhszl}wX{OD zcNM`%E+uXo@mqqMr<&KSt~9ZREuAs+!RiygVb7?(j+rCF1rtz(3v9&w`=+G7ewe?7 z(|y6MHW`K_m{qU8XrMU06p>}RC-PWL%bTlb)>FlEBZS-c?dz2zRAoDjeusjpMW(7{sEh;#96b#Zyt3xymI) z>e_dl#IXFXW3R9$(X#y)kT>7+>Y#5KHwW^u!Pg(oodpcByw zDN-B$IvRp^zi(M0g3 z9{;LNjoTW;bTz3GJ~ha~x!hj(PdQOH#!K<|{L}TsL7Q(6C*!()k?wc>5Qsv}qk)38 z zL$`vv#8~gfjewKe6<=9{YkM~V-ijy7p-ube1?VM-$LZKp^V5>Ag%|(i-Z8d+Gm?p4 zli!{PyW^LQn{jADYh3cIuiXXa)6z#e?e;StElb-R1?#D^si!#ZI={wWJ-e1u!Otpd zjZ;;pXK|OuYgnX$pD(!v>(|uD))v}qi5mgeT4 zCz1=y(;D#rxLvnrJZ7EoXfM&4yrs3ffg52dq8s;j^>tQ0lkl()KZ2jPMYeM!q6UR} zD)^86ymz1bc#48sO>%FTx>ir<0X#KPRpjsX4ffb)MKEsQyO-HHP@JOJWniqvEYF$m z0WfIE+9J4};m~7NujigJS8dRn!3GW?^al>+{IV;=Rn%YJjzG**NDLvU-jG?ojXq(F zx>T+(53C^ya`7X8tD zEGYKzHH0XzrVYq;+-*G^R|!~Q_6LH{XjXnXI>w!pzqRXoHJ|YFiFmku;MvwsGWck( zj%``2BTaB&%;xWcO2O0qbM|wgy)9vZB~T7784SF5@0lV4J{ZiFT54H!6M9w{a;IhS zXxxMSi9t8EaCsb~0}-2VQ$XK9Uny_o^O^3j8*B%ysol^`*3FbU#-Xm#9t++m;$|Yd zd{RzmYi>Q}fI~VKm=$rG7lmPZP+b^lU3qh~+&C4l<#5Af*f#erQpk?yOYYjx33cv1 zaLN3~zy^rR|M@*8nhe|^C;-NUFU8pVx!>mCwq(etEU}J?$(z0|xQ1Er9Kl&BH0r?* zZUST$D_y~MccK+vKoxjdZCEP8kwK!Wcud6(V6CYA_|6<~(VNp7#kL54%8XX5)MZ|N zCMV8#FLooFSk=QH=uj!KNl(LYNxzm5ds2?H^h_gG_RZD0>gdEs%J0-rqDc*Un$KO<50kBY#~AinPc|&FHmy=?SPupZ zc_3S*^X2a4r{=7N3$l5)F32yUVtYCh*8VpbHfRHvT!@ z;t69vTPmnFo^jgu*di4uQCP&3p(uJ$h^ViWq>RwM{J%s<%OGt!z|;nOMS0}EL|sC4NP6j&!gDbv~Ne!cxe_bu=pxDoi< z`|+v)e|}8r`!;|h1?qqRqzW_+j{cW|5#OcA&zv3JXR5F~e#z22-nX{>_Rp^b$O1Tm zkQ5gpQ?|EVztBx<0eo=B7c3??MhObg z@r8Jx6lX(^7iy(i-H#CWy*o-YD(s%J!}9C?W8NujK>!~^uhH~~I@uugCHSB?b2fPW zrB*4KBHn3oFaXDnVc%(^M58t~aW?s~@L&HVU`cxqh&<@$7xE-vnYe;~%bt^2F@g0X7UTMjMHd)wAf0UM@(1n`>m z1tB+nX?3D6ALL@GK+JIDq7Mz+kQvoXH$jp4z*=sg$=QLwoe2O0GUPzhPyKucm5ua& z<#Azd>8YswO}#C_o*RI}Xh}SobsEBxne|pL8e__|1?!id=;+^KH`p_{SGzM5i4?qIAgBV6yR+u^U%_1$4?e1TuKc!)YF{gp z-|qQ@c|$!9SF1j{p3JAZ=*|8}UBe_#e1Sf_@6dy1%-3>Ps!fMV%Q-%78Qm}0Yy8l_ z8%W|K!OD_*hC?j*91@v(RBIcN9G2I5C8EY%zy`G6eV_s^BU}JgJm+MSNr&)4on_E# zwhv%co9S+64j>e_$x-O5i-sm6xX?@|^QF`lkP|3X;gm#w<9-jE)l5+q@3^#wbLYQS zy=KxCWFGl0b73B}rL9-&j{0q?!DHE@{PVel;N@?^RAk@gsorRITT53fZAQaJuui6~ zm@gYB6sYkV03crg$UHt;GTQ`9m{?(I01rERF}~Qsh--G07?QZwh0PsT3WwRXMNrvzQ9G6t4O!r29_fE48V@LKh)7-pkN{j> z0l?+Rt@fh!&bk(VC(Xp9eEG%&k0K$x;S*?U3&72Ks`Egpl9 zv(SwTtyoeTV*O;M8#i=vr!@aYkJtXk+Owz)ti*>(;w;%BKP}lXWu&ty1DB$eu@ctF_gsn`DMh(Cq4yVZa zQs&cNp3IM`X?IO~<-TSmH``O!?hxFBZL!502(456v4Vp42QiT=)aW813>*y1Z7 zxh9@bv-DQshvkcg0tP`t7JNj5Ue)-*OJ{D?R1(#G6*XB#vsEV9yR-UXBryxR`!a`YyEM&)$WX^k2Oa`J^bYE2O-6n)8@H7&R)v3&A7 za^Y67rUGxhxuDYgUo8N{XGr#H&N2yOqa57aS|oru_xlI9Wxd~GN*&I9q&^IbH1TdK zZd-jsfcsAgUhH-2t;Y>v&~P&(mspUM-S{M%D~=_TtBZj;UFlajoNj{FV&$BNef@yB{H-!1b?Sg)B;Ys7dfyNw?qlM_8^CfLDSnCq=r-JkYo%XS ze!vH1ZqK%gdtFBdM!fQpp{S>9-?veBtyZ9fMO3FMMaf< zH2KG4Lk5iM7FfsN?^N-4z%1qB{XZ!84MMnX^O``kjQ5E&;NYS9ye2ViViFc+Ku1;dv6-#0Dw@? zB;tlpkP3wwCS+&haPp-wQnw|Tt6s(^9XE&-$o@aw_isCj-rf{ppD4ali2APso%rGY z-p{oaTg`l*{PNDEUUWw~9e*^_&bw3SrEqaXb21a;eP2lxkAtA02yU!@sL{^-FqxV7 zV@esolqu?|P64BX5}?oA0ie^d3Q%#&3gAY;tilJ9+@i%56_{!Xg|;;<$Ez!ne`>Jo z4(`J@5(g|>!I9n#AZvWHuzeBG9FxHi&foJ`&-MeV$r4~)$XM~T_V?NCn{G|1zViqV zBMUv>C&1#vchg!Y@)28Jz*1!{)cV&X`O6zU-Gl3L zHD4wGEYVU-cmZv9ij!0mhuGSLOLn$*hbb%a{GJ5p7)f;wkBrGy!AWGVM(8}-R*Nq}jGqoLv&ML1< z*eGH;1KqvG&Odr52b>C}rayzH85xp_3>gBy$7PB?U5A${AtL})$ZucbR$ic{7f$zu zJTBL%l2lB2OAFwM5*lUhK=ze9ppe`Kq;<+xt(gmdLGA#ok@G^}Opez~-San61WfybEL?5exdLVapS~j6*GsU~SfHHm;l{ zh0(T+x?~=TFP}(?2PUvmC1&MR@_jvN_PzvwBwtOm)LYLTLxKb-E(YlHP__?&x-{NJ z8SYHLqWa>#^}Gl0(5Cm#*Y$0LiQoz_Pll*Z6Xkc{l*+B5Tk*MB0U8{~auNEC5t%dk zR2eYeigbiB*ey4xe}Dgt3YShf9w5CZN!A(F^4mG~KaFNHf(n4(E_tA3RkCLQR-TXm zu3UGx#&?WC<+AvjBK=FnxRWr=dN* z&~Sh+?c~LRvD5JP(FOIFo+p(N5L$USX=4MVvz*A;00`;|tpeirVx!4K79lEY?pqiy zxm3kK3Y9EZ#tOyi z!$uB}RxtX00|JbF-{(_y#EIU21tLugBtuLmZ~n}^10Z2*Xa7iyj2WUL51*YB?O+HY zF1>1WCX&WW`t%?`a+yNMfGgt{<<&F*g8rCncC%*$prh%g-ED-I2ixG7EJ3iV{YXn* z9h2o%P-3Y%Lf}7|qU&37vyEZPNkBRhWcvZ8WP`0Qa3CQ zKI@)1Az(9L&W@yikMSjnT7*1mAYpg{r^>y`;bgw5D;;B^DL7MhW&HFNQQ>&c40@~1 z!B$^O1aA~#whY6=`&6JSazOg_y*T zfSdIAf^3T#03pkIjJ6@q_B>0&+x&nXK^r~#hbIiaWr`Q{^o|Qm1T6(78Jb(XgFxu$3IRtX;QjNPp2{rbwS`3q@38h2<8?w0+OtagG9XBha zbo_0VgQ;(K8>Z9kwC1~vkXKGmfH;6CX8fbu3hkF1S8%H7oW0LuIv?f5H8&4B6OGAa zu|nzU3%Cij@z{ouvEvRp!?VeDxL@6!R?{SOVV%Rh=ET40BVSPh$&|=^|$w`rNZed-S!XDL+7kPh^#s1!n?V1EaEXSt{6+%h20E&XQ z;I_W7YDbMIc=d>l*xJj<*^{=SvGJz%Xg^YXP{F#1S9rqHQ7|JURHjfO2*7?P^<;s?|v%pmAXtNzqs)A z@rpIC^=(r%cI4}Laz5BcQ_7C`4fkLNhiSYR7T+=*-0|l^^Bo6*;5uOcqZctiP^w%m zmc){~$i{$Wf8;Gj*89aylFnTM51{8td>*dlunZFTh|Rcvwp>Vas71Vp2dg$pzTpK> zyxc6o3__45v`iA^iaG-$cR^0!mExOk+u?%drHF2SY^32IdFa&w?Lu;3l+Z0UdQ_@b zD2-agA=!msSz^P@mTlKt3wuGct8@@KJ8$b5gQQSMrzVe#&K4D@$A9Ux6~jjahauWH zfe`7{zPcim15d+K=pyywo{TfB7w?8h`6gbom;VIkxd8Nm8J$FY(^J#SD%Wug3030; z2n8kndqH5}4%912ngdqj^R%|d9v!j<+qYyLQ~`SE&(LHJuWOqc$KqBLtx$5m$BAjw zjVA4KYLGs0=FmGL{b*1>2i!#O4w8-4+z(rQgmyF*R&{=gj<;2mfa8z1g}astgaFJw zWxbXoO-!e8QbnC`1Coxw$Tmourf+!FT4aN+%cCAC|zx|KMA#CW}V@dhuRbB_ERN5Y^tYkADy` zgb=3TP^*Ru0cnblGQ#t{SvKKMcxU7XxIe(XlL2vj3GnX7jwt~;l5gv6mn`%V$Co8Z z&RA6519BL8`_{Wsfsr^QJZq)5_I-t|IvS@7=2DHGS5{L9%K?>Im3K-mcM&G3hkI^- zFE}LIcQ#08KvwHQ6QP;_kOK0o#%nJuL8sGVLvhY`u90akUr|EX;R^+Vl}$2DCn%a= zqDn+UNRB*)edM+1(zN7X>o(e~)FIaEk7^PlxbtgY^65EU@2Z$*t+y}vUYQ4dm64t0^RH4*# zipvP$Oc4WEntWfv&zPhhB4lSs(dZX1ZriAIGe{=h8mo!{vmljK1iwcN-TwEoADquV zpbzyPuO){V&D!WDfPNrp*)$piH1I0vl*$>w2OYJYKAT{bd{~TaeVtb)RP}PkF{e&= z{UPz&U+J)pZxWNs^i=?HsKoLSV4UOoe4h_&E4|#Rw|VZl;4U}1)RQqAo_4Ya2BCA*^&ClM}v74yVbCm~R)Gl`AU z94%q`H&kvy1}idPpD`W{!8i9Z={1Y)+k$aNlEJNbri;4&^v;a56?wnT%iovHi7$Q@ za_Z#aLl2Wt6?^(D@Ta^c5fgr!AW6*FmtQ4j{Vj~gZZOZz|5h@$a^gG{&sCGjk>YAE z)5#AV_A&mhG`C^yM%{5&NpOV9feX1ub!7)uGJjkHgM+7FSrlU8htl07VT4)ckIXLt z8R+({Onpt$G*~Pn3fS^2aMFg9b*#p>|7f2@K)_v$N*tYqA4@p-fUU@^9M^+&F^{|) z!eMQn_UaAa-nv2V=kmf?1?+yFmzCt)=UQIwpqCr%2(JDO!cCg*-Jvk0UaW)^CNRh` z0D>%!QV!-eJna!GySYM31h#C=xPWC}O(Q(iU8WuWU%6!uz{Umvm8Z*U=0E9U#Q1zP z{#*2-04oHffa=r&lZ$u`=p<%9x6>AJyVj)-uIlCW~yTMr=T3ZJa2uz{gv%`EaS9%*0-nl3OW%f zF8DIw<#UENvgHzV-X@^TTY#!!jrz;vyC0qCmlm z0F`FaH0ZJ5;8#4y(cykV*8S5g>@@Qci;fLpG#f!!+P`o{DoR3Aew`fdb;U9o%{nYx zLxa1~iD9Ddk3i(|0#q9DmtVlstcw6YSM_kg(r~~_G$6WwF68Ib>C4ObE?Wk0mp%+H zeEE8*RbN2VGm^kABWMv4I})!8dc1Ns1`j$5&yt6Ob8^3%z) zt5iJ)Mkwwb96zQU7@C~?o>8-^`iSQGxk@RPOn{kIDJ3B(67Qxg$%k9%dGV^bxU^Kk zGV2vypOdrMOd(=m)%WRgQ?JWb>pygNJ{Ph(G2gtd1?pVa6W`bUjMFTei?7BjyPXNZ z0CvF>r=i^6rl5`YKWoeH&2!D}b~OsDTo|<*GuQsO2ae6Ul+mz=bj|fGBmx!bjobIT z)r-cg>BzgdHmpoO&aiQjUuK{q2UUAFN7c4ZL_N?^-PT5(Lw}WYw)s5$rtH^@;Ay{) z-X~9Ot`D=cEFTrMze0vSkHy*s3Q&>+5{zwLh#b0qgkh1XVTJgwmo3~XfAf`v zZxh}144_%@SW9=EpOkJC_cUtDCyH z%Y^d}=jZ~Dzwf+%UmRSWix$ky?nZqYt;aPxnw0sjx+lta7oky{ka^qTKpRVx?VQVP zxzalpyO7j3)U>0NtaCVf;wnZK_Pol5yXvJhQesh5>ZJO>3LGW(tcW>}tE-RugP_6O zJ5@$KR>PbkT{*LsIOJ!&B46sfy)Vs%Q0KfXAFurPt%BihPxnE_iCMVr ztX%Z5DHu#?-+U%2)^dCU&)Y=}$xr^a#R-1mO|u|yIjz|uFhqh!(F>m$oqJev1VZ-+ zg&sf5{7|eAbn?9^d%C~9`@>OvHn($dVifsg!wUL^D@IcA{J!i=ce3!~p1+R~>xzAo z5@%#~^3T!dw(EWxLvmn)(t>41O1a$pIeDO!oaN$g+q;L=w>|GfX$@0=UPAnnmzBga zGy3(XO%?v5+I)*=3C{X_-|UUPs%u@jfw19%dadh6ffD8CS~))%hHMD`!b%l|Bq7bJHCArGY)`ZA*9Go$?PWbsdh94*v* z8Js$x+nEVXQ8M4{4kV}m8T#F}2!?2C*!(gx`u|G%@_4AjukFFe49ZxtFJl)WDO+T0 z5uqr`zEwnIjZoIIFCnsp6lLG{ea)IR`;sVI29ZKNXR6=(JkR@i|9kt)ADa2jcfId( zpL1Pju4_f$n^(rI!w_D<^KWlHv43cRuy7hw<@Qn()nAd6*H27+6g{gWoGLcLZ}(8I z`L*sw(!o=ch3<_K{UdMOFv;tlyF05STvQfR@KdaMopPOr1sp$p(tPgIn5O;y>h{W% z14C;Y|0{#nfTg1T{j>3}>xNbx?K@Au(mwF5$CwG#I^qSJYpjL$p3ZLXmuEjPc!_^# z9)F$~PyX48Y`4_ncasKtMAq?j$%0?kLiUiX$nvr|@59Mvj}@|uub9j1+U7VWE4p^W zSBI%+P=>a?DJ6V|rlooXla~(#ik^*xdS|#^GaIM|fvD%QTWmWs4lZ9w2eU^S4u75s z-4n8J=-(Jd$mh2=Y**i5_~KpTGJ58QjI%)_$A!HsfgB;rOiVg26)a~XOGh8N+3lnp zIViuEPbZSh)hqJ#%l8)4QS4wO>-p?jJieXm!E6TA>SyhYI%!7sC~KjvA3VfF!UN3e zT|(}0qx-Gwvev%#$}G*VYqiH3lWqyOKRNj{Z$YU%v(3`~=gV2Ii*sxNr;5)VF_5vX z-e~#7Ke9s_Zz3G$-O;*4ym`iLPw4!{r+J@LZugH8xYD1s!ouf%hU$e;^>eE)4y~%a z+4?2f7|#6(XWDGN`pHH!;An?*6z()l<89^g4e`xSgE#MHMHYscrRq7O)YtiXy%c4q z3ph|Zs2$y|XZrjUzVh0-nI4l`TLrqO56@F{Pb{3;1QZH_nlJuj{DEsuh{EOqO1llLe5qp-=B#saC9 z19sMC%G=^i4-z)WGdM%0)%TxWt9l%ECr9%(**N?4v{85RWl4TSG7Xrm7pwSjPxTZZkNr|g?{0ySXXqJX z_FQ9)MymNBKSuiWp@XR#*gBbrwB@w&kNr$d9LqT5EzfXm4-h*a`OEFim4fKxyR_}Z zRMJ0jRR`ssFwMP(9z5S_Q`>oPNMAox@M!;C%!AAF%dM|F}m4$koIc=4;XsVZIYu3~mPrV>IIeR6jDt$$ot7^U=s zZ`nCTL*D&MeSLjyBklRcWiMi5>7)Vu8arfWLnb}CbLZ`+rKM_SAv(P!BG4zyJgt%z zFd5&+8ZIMaq%?0Hs6X~yZEm3>@`-H4<>zJ`=E7ob*=@BFTHXok!yb|2J6V%`M*ZR8 z?Fsf1jN5}{y}j&b#072?XRggQ%%V#k$O#K;IypI&u1u`YoT>K;bvRCDo z;UeaxrO;DjnOq~aLIS4woHmpE^hs`Hd@IUOQXy!dzy9 zXj^7wnCjN;!n01>^^NQbrds>TA7;W?B)f*+=)Q8_{3w%f;|YxDF33<oSnu8GQt?o|u{WL?@(GO}ejF5?b}Er@J0znu zsXl0-&a;1X=1cCC?2M7G;+%}8l50&&FGArQ^-=vP=k#v@JRK*bKRPavs|303O=5!# zR}fQOIkE^yc!u4vn!ghrOXPsbHYgKR$&q~Krx)eJg&XJ!|4(#~fO%Xctk!6VELBOvuoD1D#;YfGuB$cLBEQ(|OoY5owIXcqK`k_1 zLH=2rIGWciXmtN;jrP~dg@{hKz8N(vF>D!*PK3l(^dTbo#!}3OZViHf6ozwVq|H-hmcgQX#EzmD8)lSYYp*aF zOu?Mq@y2(uIMh;O$O6_uG;$H1O8np}jSjYQ&?fEdc`m*PJ|l79!Xw%Liy)Zm`oWl= zjEX(BwDgQ`<<0}7#e)UxkXJuD0DA07-$Adqew zGr}McSq^|c?O=t2>7;>bBzs&*pNz(@U;7R=AM#Ubp(oL?qXcjQ1a5f69o!9#m+K#R^duIYj!zW&v%NNmE58(1kjo-X%J3vT=PeVkv< z?_SB-Kbh%f#d%uee ztZGDasl@W1J$v@r?)oG@hyunvFkq`UYXC0f#EoJrqn>w|yp4w6^$;BRMC@Kizf*x@ zR*fc=?7(&FZ4^)o4`bigdwag??Y)+9_DZOuBU&tnpf8*(<*3NJ_yi$(B_kk=`K&tc zYGnLr&@Se!ln2hN5>MGdp+CVSO&rAXLgFqn#{#o-=2|eanF}V;=Az#k5nvjI*Zm1g zqrXqI3>v-SNGq58G%k)8e*oi09W5vtceDH1n*?KS`|m0DXQJVD>$TP#?U>NFiF8*@`{OZ?FP#k>$wlY$ZwU73k24*hr!S` ze-FfmyMg{2iTMUU*nh2Km|lNnZux=$S#8TEPkCJ_zqN)7`YK46-s(wE7+^N;SxZ5d z64o&gl+F>YI?5tpeZMD!2O~s`u>&Hd6udtM^vp<0Nc_kpKTw~3pLvmXdA6YeXP2H} zDI6|l;hv9~B!+kf&>2O25`&-)7uK~r53l~Nn z6DPMXpld%*7W7JFfow~s%t#nJ&t#4S=Sf&fb?`$c-$>f^TLib`a1nVA$QpO1Dfq{#7MnIa^x&JD{r7Lu; zE?n|o;A(SQ>19I&@F5u-s5~I&-a$+)Xf+0s_?p*kH@EVT{xb{#M7RKjgd5@vILeQm zY(;Z;2{13$IxQ|v;L!)GU2WNPw?~>@YBhl7a&3cxSxacBs9p_mqzFnabpwJsi!noYa`*J?eWqBl<#aK`m#UzHpssJZNcF)4kOvz4{Ej z8iPB7em}&lS-qBooT7bCpI3?S6P2Z>!P5{ejIpa8R-yu5?gN{jt)VEz-qDr;X~mm8 z&4ue6saIGpDy=E@aL&-Ms|Lvjou*T=W-=#hzan27jd_Df!>fOEpB4xjXr->ba*vKm zn@2hQN>9gvy>y0ytQvy!BUP$lknU8MWI)A07U#1R3zI7ximYq*PEe@+bR%`l#y|b2 z$XAxo6@>3uvsS!PkQQ1#siO(ppM7{Rv5+X- z+(mrl5v6Ht;}6oz@=JKfsq|Q&;DoF%L8_G|53ktV5~A9mIF?9(6pI+0H=k;F)IgIK zlzx_>)tPGn(VDpF!e4tV^2~zhwl>0cdcFSVTAcnfkF~< z>PpJMy(?2os$n8pN@136vTx}*QJ57>QYSGc+lO>!7U=xG?qsvP&`<-^BcJ=sV$~PK z6e;jB*Kx8*(#WLvXgP#U7uM^>|4O(1&$K8IR8DqenN2vhmD{Z0Cv~;eu$kLt>g$sy zbml~O8ZP7GPbU|oSQw&vNaM5SJXpa&;HP+ikciRzY-KJoa-G0Wg8;eyj0$Vuf?J*A zTDSzp5g(8-$H=;4E-n%|Z#}IkrbvgsD*EY)idZD6gLtb@*XBY;97@#`m#OX{+i zNXfh+gNVj)!KG4O3y=@F7GzMh3MN89feilCJf zA^FM-E|#Z3MZ#b12V;rI0~Gd=U;wW&>qn_x(l>9Tj*(Yvu$;Z~DTKY1S494K%pr%g zld{}pB4QRlX2;44O{6CdSW>S~ZK<9&aMz7SBbM``rZ^n4gYK%N>KVluMxL$2h9Nkanw+{HTarvZ#brXubRmRipVPOK09sS3?kW;{AhGJ4s7EiB)(bEKx0fMkus9q}eoKW!(-Eq$Uo7GPs8QIgqLylj> z@!bho z=9N38TVnZB;(rhEP8mUkX!2J~ki$OLOL5*g4K+wztxRe7pWUT3qVQt*q>occVtj-l z53{HISDY4dHsTTX6f}5x0L4Q1SLbdlL-nxvzX~2m;MC2a&Fe*;CrTy9?rhWm9d?%9ICl9!^LGq{Wvd9!jPZYZiCUaWmz6GX67vuo@H5*KR*_P zFi8p!k=(h z7oOAMO{jD%k$5cEG{bKn5Ic0>w_byDt2vatm)KAypY?N8dU;fGHz27Wo8@g)-u6ZR zzPAfpfY3`bx8<$E)eo{9s|oh!U%D`H$hu#q7cmle{`|R?VO#+evHzdI27Ml^Byr%R zPU<#(q)H(0LJ+57vPoL^)e9Xm4EZh=bR~n@9%OZ?fQXWzssq|T*(_UP1&8n7R z&2@EIvSioKs`sEQRbiR#c6M`i3E6c0NRwUHXVg4SvgB=c_*;fU^;S*FlJ$DO%x%ea zk`dPx?yITkg<|c4OhaAmGE`X}%U&i-uDRY-Wumc%OKy~7ZznIrAN|>y+H$+Tug!3J zGi7FfJ~!OebZx9i>F4(iQ3$6WJUok!0m>9h$j-s&d zW~!Mo7BSm>HT~Su|G=ivCbem_n{jeEBPhoB7K@9h#`Okkzp|kpTc?~Ior{RQE_1Zm zh%%mBw{vA4THe9gritHAk!jlX9hb-#g0OT&R?BUP<$x>Y`CrPO^M z{s8Sap8&4VXNbN5@q;`SR?EBZ(|qk_YOCgiUz7er7ceBm(A`-b#weyZQEEf$KOlvK z5JU?RfnO1pTSDZ)o`9*!w^-~v$j%3~6%{zv<4f%)O5e5UrrZ2yH_{O3qAlO0s$ppe zT%`rz9~ku1n*ZNDm_W#C?^Yk^v*Lu!6Hdj_K&h?Ujb|>k5gLjF;a8KGPalmM9@gz28v~RM%LQ9= z`$eZj;aXAF!FuinoA-#8Y{D7uyL}=e#smO*fG_#9*})ONK3UOyZlm@kdl2>NRtuGU zC-khPJqDbC_eDGHD(Rd%51xt;NJ;;OPIc{^3i|NT0BwYJl?Rx9SV0K}9ieqzY+SlW zb`PLkg+jUX7>mTE)JMNOZVvqeFb~irWDtlyz)2Z%TawTO2}028N*K+~CpssJAnupl z4yy%7X5|rssh8tE8Ao=~59m*R=CU$;!r?(xRh6Jsn#cCi7BoIr;9h%A-mQ4o8ch4j zsLJUybVm{w`TE223WDW_;lGz3%`g;W#&O3SNPv4;T%pr;u+UtoYO71=W@i+qSTW!4 zQ{Z$O5B3&X2Bp@V;9{xbJJzTGxIDmVWP~gT;PG;PF^OO3lUdEJ z6^lQ4g9|!|6G0WNxNH8QnENL z85kJU7eU1)4Bp9l=5+AIr>SzDT~IeM(~C>+5s6Z#WsPX$C>W~Y0y5%iU_xNeAZA9P zV_7|r{P-3lmS>Itwm{B$S)_8#ueRX@Ko{UjB?m4T$u!Q#h4ij+(ZyG-S!h9f_1o4B zXaIj6DLQyv4h(M8YwgF2RgN5E6(DpGXQ+g#Z_Lz@rV|m$_#RkVUu&hjjo^n~CqAgD zuf{iHZvmRabg%dQ?4(13Frj-ou>(5S7on%}S~Jr+=Yx&Pg=4(R>mdU(KMh`92#-yW z+Zom!(U{u?)TX=0vSaI7nUh9WZ`(zFN|;muH`KLw6kvM(S$w~uu&?NJG@$eP61p26 zzzL$qhWp^Sr9acMwb-4b6}|Sme*bF>nwC$X$e`|l>!Pa>xCW5(o)Xb~E?l`YYIyCI zABAY`mvW4K6lUutxVO#9^-F^q_EB|Xx3EFE#pG!NxrYTVCC^Ks! zh91~lnlgN9h8Gx_+__ZaSB@W)uo+bLxFJRsGzYdb>Tq+0TgXo_^f39=0XF`lT5PN3 zmX#Gs29t*tT3$P)^Oo!pVx4^MpnNYGHE>JyCzzXtkcL_m0C8 zH;g!%l8RrMuNAx2+?ET|TuAh8Fb(ggSY53vuAC1Y(0F-fI8zXe)tSxy3|Vg!~Y>QN<8I4(?M zq+CEFQs%i@fV9&w9*j02`f-S0v^CTXQ&315V#$f78o!qwbSRv=CbYcfM~sJ`zB_Sd zky^#qEb!i0a^xalL!ZCjUvNcfxN8UjvmtrRq-B0gJL(3#%3UOr`Nrp5zeR@Lz+`qhAw&gh z3%`(9?7;87pL%|+QXThqHyk6W3A12bWszuMk$rgJeq6$bxInbEdVaoa;;5)2;9l2^ zPOka82i9RaV8yyRPqg$6#Npzk+K@olCC*XwEVr={BKQ-E*6HfOIV=*}gMClg|Efx` zJ`-!y5y6)8>!6uJG}|a2Z~f7a&O*k~2sMxP4O;O0MoJWXi3n!mRZgPpPz=)OQZc=| zj$`XX@MOzjG(hRGzT@UQ{+tqfb@RTF7oi6jytI_ZLy~@Ax&SuoT-^#2?~9s!xUX5} z|AdaA4*yWaNXSBmvwrg>t>fz;jXc}-fT0(AE z7eB=$ZnCA30u|h=11nGL+bnJUYD8;6l}Q-??jHZ>rMR?Al1hQIq!5)$ibEBeANC zGY0PJ)D{R|3W?ETQ1i5zt}ZKPxQA z@wvIA?3$UWitPw1`o;ly3w6iwE&=@3M>1|jy1DhX25L8-q{B`L!~i8x@HgX5Ycr9~ zRdVyA^W@PXWCB>a=96}hejnbC8%LN}_E4o02aNgRv(BdW z*;B6N+p2hM5H)n1lO*V3AY)j(U*Qq=v}iq{_ezve8^@d3mzyy8_aLqbMxI8>iFk8< zBj&0EdFL)q!1*@`JawvmWH~<<;hq>>>pNjZ41C1ZifzZ9ehY1cO~u^t3u^wxO)3(Z zJ&InU6a=a&WYpb6ZXz{^5I#gLcs~w0Yw=)Yh};dRS;9h1@ao)l#BUm+{J`SH(Qb%Y|Qc_@T`WzJ*e&mIcybM7LYPQVj>`2m0@uYK@N(Dnb>c zX!lUKf{Ic9Q9}KVK)VOPe^u%IZbdc9BaMRfWcOv0{caa7P{+^5-rFxM?{J=t7MRuy zE91~uqE#F?MyoPD=j;YkbL|$}+@O;>tp@wN@<+mwc>nU$WL>FJVO?9ML zG-0|ZQCEOgw`JO6uFH)l>zF&;DckN5@9h=fi9(99(vFq)ZcK4kvw4anWTd_VVdHV#8H| zgCg&%$x6<}I!@J!hPhJQ)LzM_Xg{@5ouVyZyW%F2?sbH4vfnR{wysZ2_f6($LT`Qa zm6sPbqgy$>S4ybS%Bchv{Gf2{PoKxXd+me#2Gen+#6t7GS#Yc`F%$p>xH;*Qf1d82 zyC3C4;Dx;Pa{qQ8{-t3r<6x{%pk$x${!hLfV(i=gkh6b#J^mhtoWME~`F<|^H^}~c z{U>~R=SC6V|2PPa2nLcc7SHC9e2oAvqm*6@$L4$j6cPF?8cXx-6clX<~ z=eJX5&YbQ)o}R9*s;BO)+hNLzU(iuVPyhe`x{S1xDgXdi_V#5)LVP>ZTbKR)?FZgT zQbrx=?c;@H8v1q&bW;5y2`C>U+Xn!s05Vb%>OTyQGQchPy$i3D2zk<{;NEIT&?Be+D3tR1SIQsC^4AdfJdr-o&b3zefXvp&duKqPktGr&4b2hk*pEP=o zEr@LYbALLMI9bWa@HThd;cG9{SN$a!#MTo&1O0zYoWObw2UWM`hqKLGDdPXMT0|Dh zI^5209sk3q4tXFF*0Y$g$JzhST2O>CR}5|R|7oVJZ>x+xP*;=Jl2rar%bpnnmi#ZH zM4v7*P$*VsVQ9XgOlSpTeihOA|JN~91`*VnE8pMz)dWfKC>Kj1Tg~jD2>iH$+5Br{ z*t5N9;wSlSSQ0#4sw$(H@uHqo@yfq5l&ZlzINFVPn8o(BUge)oWzPXu2#>u^RgUUL z_3+kRk&@#btIb>)B1-*#|L)?PO}{wrtUr32(eO_MnTQX~@M;dk8FNj$$V=z`>PSbx z{_gj#oXhtG`FXPX(-k(M>8wh4sLOG7TT|mL!G}aTYrYE)vPy*>1}bw-?e_RZZo!gt<6 zb%`HX(+(*_d9D=@K1Xfu+y13V9s(IQ8vIMI5!bX`jN5g?A5Khs$yglxi_2g()Bn|U zb^V>rQ^C4(Sv6cj;duJYNXpk@jZ&(}gW1Ur(<0;1v8-2?aXNN(Eyfr%1;2!hM~s2# z6ep8KqJ@e=?lP?}uTK@Yg#&|1io1;kUi*`dhrg*+OD#EgDAHycSkQKRU#4WMaz61` z-UxM|9n8uwB{G*e+mF?}9;fjpNvsGS%+j}V$^AJBH?s+GKBfH>j+dw)kS@tyjgC9xqG{; zQoI6R!KQ8CHM04-0B6ftsny%)WW#t92BmGQT+{PmQ`2^e2aD!g$~erVGBg*KIIB{< zlu1W2jTU1&GYH`9=6(ZKx}St|tLJG>ggwGdo=ZuSCHmGp zh2z6_a|OdjbJVj7eP2lV2Cv+I8ZYiG7B@QEPU+p0bkAQkqHc$lWJTyannzAA--yK| zGO6f|jyrx69v^P|xUehxxA`OK{%ljwllc?sAX-*y|66iVp>kshS{^S~7YUAP#>;S- zTXY_pxe;owS!fE*T4c)v`U}VbVy@2V;Dr+9u%5wOe&AW4P43xlrxuGpv(z zPieh+r(_=WsYP#p*leyXpxWlSFM<)ZQb)B4_GQ}q5YgYcSn;}e@}upDq1SoPh;9oF zA~ab={>nBtMCRN$c`#|ES!6fU$;9{Jdf#zN+rYJ{0Z!+mr)!dumoWI$E@spLV3g}*1-YpuyA#HoHS_{I)oX;)-=YtFvN40LooeGCL zlZ79@K3^8q?DPS?&X0RmP?q_&TkU>#-(Hz_$u5M`j$pX3L#SSEa)ukr`1XBFzm2JY zk_X?u{1*n1XF}Hg_iJw{YC`S97I3e6rqk^_cD3uU>%F*l^ydlCgE+l>8nq_|S-88@ zxNF(fxa)5o$YZ8ANBb_RonFNs(NI>MW`i-`8}|_&@>CwpRc(ibf|FZaIm=v^%?DM@ zGVp1M-H2^#qh918>${Ml?E@kGDx=&M5wTef;}NLAP4bJ-? z{oi$}>1TDJ8bu8cn*3*htd%>FhtoshAo=-I^Q9V+_benx=(TWUh;FAW8q7(_J>uTE0MBfk+=Z_NV}{hyS@ zqu-m4Z($tm?zP!eXXgBB@UUy=#lDKGz3M)yq54anxc7xT&f*^odkXPrB)dH0YCOyL zP=6f#^07W*s(rP|vqCqE`Vlw%wAh#V&A%01{$!S|D_jXP{ zO|k(KnW5rY4xT!eL~~Qy>f7`fil8Zy+JX$+Y`V#xLie zr`{!Skp}V>?=c7L-vPd|2#01_kGwZ4d#}<0qwvJY{@&=YCvN1EA>gL@!m;mi9KMOS zgRv?Yaaus$TM6MXk zq%mFyWEhQ{tK5$6Njk*7_YVVsY`ek2Uj%f|Q)}pG1DY zJXfsB{>uaNqgBCm?><+qN1!dADY`u@wb?7bP|Sui`e3#oh)mQ~m>Vlyp0fIxVwQ}B znd~mPsJr3o2llp)c$;5UBZp;qM623{ysXK>T}!-oW^Q*)ADNe4{@ciCv;8K-OWf%h zAo67f<^}+3+}blP zhxNy2+@~qO*Oe5r&bfb@3?0wsR2fGy4;(0b72zYs?U4Y#K6No)6b&Dts!cVifCTb* zi^@E2`dX~vOibBW0VI|y4SvSDY$_@TX($~_cu`t=OI2m1YCBI-`VuH1uGP1!3numf zjH-E|E#(8)%$gug5W*MGuYg%~jR3}mf&5Qf4Jf7dV66$)ikq^$qzllq)ICKTueHI* zCK6nu)txwFvA@jD`=lP`P!O&LF21tU!PL|c{IzZbCQ+Lb)WRP|P^x!0NJSzxVuLOy z?Lv0+{NFYHuPx;Hm4eC^^3wh12`72=f5C0Hz_p`nJQCEpb&&@^NGi~f5svkbAOCM_ z!T(d7u<{ADQExIp>sqYMR+@(vKmqJM?T_-uzl% zZCZ!IBCm}z!DjrevbMk*yxQnq8daTZuFj5QNzh3$_5{oLA~E{56QsQ$ghv5Eb`G^5C$CsIh)sa#2|4FC@A z>m9M6*~qB&Md?uD;DgH6#t%ozIoSEO&yEDvujm~ECy~wXCvN@%)v9NDK6aU>Pp$5D zJGjs0q8EIpo#PEzp7-5#dk2fw73h{AeV)q0;l7Doy zw8(({JR4&=f+CXZzO}Xz{ zfvV=`+XB{e<%tCfX$O%(FPD7Tr9RIO4?Z=-Cz@d=KzDPs<$Aj;M0l2?+U~yZ+PE*H zLQ`LEPxt5kwR)QMMa&ETzSZMX)hzxr&kXdO*hf&dnJrC0%zi4;RM2347=N8&5P#>f z+Tva_%OM6@KI8g_4sqV-L4H;Q!0l3k2pakTD&<^)oDZBH&QW3eVuBLjvG#rNC0tBr z-w5R*Q{lx1oE}i*De83>bG$+&H~2;1Hr4v>HIkHX2wzLj0ej%W2XW#e^Gh_vj7isc zy7&Sh0|dqxn9ToYrZy@B(4NGuz3mr!Q31X7{v+AxTNZlbo+)+gR(LrIFRnKL#Vk5T3zsT%PGY=eQLwG5|?$yH2S5x-~T?UZ<^3wCa zy!`k3z&%Tgbh3xI=E8Dwly7yK6hxZu^lOWzJG(LkForh4U0}jjxxTtoZHxSpC3Ty>KWe?N+a^v{MQ)(?jK=i(seh}kv3&&yPo~}Kn&pSwj{ZU zJLeo>@P=-e>OV@(kk+UCZKS?^8=uM!gJ&nj{N%!J ze)NarBcPB7*4sZ&3>8!acoQJpM^T*x)y3#GR@A_m#-YYD{(yWa-} zMvW%QiQgb|Q4YhQ)f6o^i`KDzv;LwJdnen;hJUi_vN3DD+a*i*E<5H)$JdZ9!NFbZQ|jq8&htkSYvxk z=yYWMZtEbR+3mD^bO^Ebg5q|SU$gNai&nl|_h7|W1N;s9WNDX!pWT0Z!f;tF6&!I| zUmgy1eK-4~m8uau)7}8IIIlI8^TfezweRzxVV(PR^Xl_=-otmykFK{XZq^WP3K;-8z2r=vR{MiS z<9aYDjgT^J@yP1a4xeg)Jn>@&T`|9l2-@N6qwg!5p;k0)Dux$o+xCA~W3@ytt!g1u zOy!o*9;cUw#h9Yr@V=1%em1k>i{i{}#;~^UjoV2!vtKlC&}VIy8yqCrzZOrHTYXF{ ztaGAh7o11dgYPofd%Y?YL#9FzoA+np`}ZT)Yn$0Hwxqm?=|U^-gXgNEt=U7%r#1ms zhw~1x6c#v5oGF0Mpx9j}rm%NEt~KL*$zbLAyh(J>MH$2D&*fIG_PPin024*|s;>Q9 z-ZHt!l2eJ_6VHGCc)M3U5}t3ge5+ngFRj&DTYmw7t)|2BDKsnz6-D3xnb@@qB+|up zM(^Qw>Or)^kA35NU7GJx26I`#lA| z6-OV;$@M9D%iT~49Jn)vz^>}NjGW6{9;1YrOTYd3 zW+~rdJd-38Yw#pNs2?pkQpk0%w72u3wu`gYc3He&+|a9vc*Lp!ag7G6Acid#{l{!+ zOA2k5*XM$zuB_`r!`CJ~_wB@3w|tchUCz(>36H~a6%R=c&+V^|Vi}wVeqf5w7BPfl zV8r$tX+_FtS*BbbK_=kZrRDPca6Q#oJO-)sFW7y*3Z4j8Dlr@?8DmY8X;(aEv5a)Y zvRTpuVSjr|fyFmqyioovSB-Lo5w_xSdy?V0Dt5tv1C!kG*Gr^)z3ZQBbh5agt#89O z`Np7h_y#0`CNl?7?hSo!n^%#GDsZr!<$%DP^7}My!>u9VA7|NKZvjWh`T6NAL@dGm za))lxMp0kL(iLGa!TlPYonpQohXw0^L9 zu5zX7jpsW1E54U~-R59odc0#>EN}47^lL*B%9V`1behVvCc~WW{GrCsn#w2`Vv(`a3$e{mD-O>Z)I2Q4VsW zMRCFzlqdW?b}ctLxs1sXwbRKZZOz$y_Q4bvaNbjv{f=#l-jSD1X-U4)o=j5su^M9b z?;Q297kT5?9w-FyzZ$V>y7R}0<#4W;dJf}&`8DI z@(wm|N+(0F1VJ0zm8ooV+?MU+prjNV`CPOmtDs(GWbpbHR=Qf?ceX@{QC&%HtKM3L z4=G#>uRXWVkGF(R@r;7(PCN4Mug|wU@3&VKe+?0nA}!GT7Eg+Vb5fv2onJEz3LqNM z_PHeCixL524wF)P!H#m_RzlLiAzV3YWwZsrWqWP0^z1s=)_iR-P+ zgI$T%TWczIJ4razTQBI$YSP8eqjis2zAx_jefZ4LiOW-f4}w@U+UD3SZrYUd?JJ-B zs`rnVpT`Q?@N3%wF?64qxUqqlKcNCVHfKoUU6^QGJR_7lmQUPbPwcwTnDRk!E5(05 z#Tmto=iw~PVv*oNWxjqEGk8m)2F7aX=D=u{ki@dD^}#FK%8LOSCK4_C1!-~L?e->q zkx=ac2Qyolzna%EIy70#)Y{JCRwQF1wD1Dd!Tuqy0*WoV(S4zIt5*iV9v*j z8W!2qYl$wbUwc zQGu!z+61b2M6sq33lkF1kGr9KL<^tPJLA`JEpq>3@tmPC#qb98$B!zRRaH1b+ zDC(!JBzkXp;vzciA-~2g@O#kG4`O6e5vp2=$78#Awb5q8;t5ZW14%90IC0B)KAQLy z5Hp-9DHfxy`M;|6H+efKk)pB@3WJ0fr;#qujeq0Pp%*0Q6>}F>-9cyK+QEW00fKV< zJZOZz+pKb0X&fNL6f!SWtW~v~P z+h$%__6=JR5?mSPenxjcY24**_Sp#Zt*u>c4lFWMC3b+oNpoo`37-clr{Yh1!%)4- zRV!3nJWUlR!_YaLs~FdsfzDDs?|l(mT*`=ISxv)jf#PIq3?;`$E+CE1WI| z>HblZ&!^;Jxcmfd`m!z{qKr$Np01GgOS-bjp}lp(B#(d34nR-m%2 z>cE+e0Dk*5@f?%X)9bsk>V*#V>2m$AV6ai9IUK+gdlIA2 z3_%01?qK;lhj#U`Y~aavVv62DGP8_y`{l_H?6=|nIBb4yh2%96-734IApdjRVT6am z>59GFZF*ggAV4*}Y*wnxh6&a&o2VJs3YFkCMt)JrKf|$bjMg;3r2}*Exa?Caw4adT zx>hac%Jl`6BXC)P#_Y3wWD!0(v|s<&Fupa`bC-ye#Z)284`-{d&#NRySap>7XzJz% z1zOW8j1>iUqQMu5Blx#Z5!HqW`L=D>H^)ndJXC63ZlUhe1&H$B;m<6#Cyx4SlT=R> z>Z8bL;>|}cMqSdE3Lbj%Bx&GZ%C@+r z+mqx^B?0%cuC^you2}OuTYUr>lbZQhEc%ioAG+~IYM3t=?6rJA<@-JewKF~ffiuwu zTX@tjpmmPDL|g1mphx^qxK=yvK64LB9`ZR&`@>Adm5&)+WOiK+rxArHg*8UOXQAxG zPXhXW0;6es$*V6n_0{(4lE={>w+kJ&hpc!b!z458wE3XmM&3c5p>YnmGi;NW9Sf*7 zL${T9T6{ho7FzHeG@G4)yp+lvEVKH_H^Xt4M{BU$8@xT**jb{e0)bS7oASX~_Htu$ zC$pYL`?88pC;_ekaxm$@PYh_!aD9M6sN0C9bToy?)_^6u zpf4x1qr-_vMm>TQM74Rg&gPP8DI`%|q1RTLpaM>2ZGM_c!xm|^S*V7&_PzqLdMU0BxYy5ekp$8>jrb(69iB!EiAEYX!@E1pJ2hX2iS%RT`S?l1;O zrRip6XEia-8}jJhH8fOWR28xpI%IWaj2$~742No9z#$DYnEE@l=jYHEzuX+6KB7JH zfAGx<3WNawn~3It&nP*)jbkPnW|-L(JG%|+l9p>HpLxFAxI=5zE)Lz4Gh)w?l0Qfj zvLijFaTyAx#B>nk#RlfN@1$55tGdDcXn#JovnIsAAj4%)lqVIUxDx4Z`Ji4f!-8Z` zs7()y_q&pm@InY^qa9%iKv@DeIHiW1yCD2@6#rq@Q z8@^r}F3Q(`n_+sUjtNGr{K-fXkL)kT!k`NOClWdM@#8$4X9qZBy!>&KoGUx|=wHQ! zZ@KJ;SB5pRKMC<=kKI?Em{(H4h#2rbl8ZP#m;mTHH!)ashHX4}r7t-FA#8U|Eu8tw z8+CUzPXrlnfyfhi>VcMxVcI8tt-YtI9EwtqZS4f3;?_)~#T@vi&3zQZ;~1m92Ch}@MR4=Al!rmJx}*pOE>R-s)b396YX(b`>j14~k?Z=RAR+*}vL z$O-Q0xKi}J?*rtPE|lJ{!TE#;5p@vqi2-OHX_^2H0hl=ZZZUuR9Z|Hm8=;Cf)E1Sb z`$W{1cOo9}Ya60l$`t^@Da$xZu7=|#lP_i2NoOsLySG-8Q`-mXN<34E>v-NGUJQg zfc0s`D^W^}G?Gqz_CJ-qcde8344g!KKAC7=lUF_CF!3S5Y990EIO1ZT5awweej(B9 z#US`|Q~JPZdp(`^U+46E!Q8|6*v`UUS?UFAKv*+u`Mx6f9NVQ_wU%;Gm7e4N0hQb- z@Ls~S)kt4pLcPL3zozC%j8Zro_83q-#*RYfe}_AMy!}GjKU959x*d?;$;k~*46d-& z9$B!Y@I0zAO?zK^tI`tS(lJ^awKt_-sVICddtesD$f;8Mo3nEac3fo9X2+|!lb6`T z(@{U1isorX=Z?PiuUB;77g>iiFAhsmC^fD9XxDAlqPyX(VW?@V)y*=XX{3Twi z_ty0`KL@P_Xylm)>BRt?^6T(@VWHWSifo?&a_KPb9zgxXX?m9egkY|d9fu=KAdvP2 zYAB8Y>8D-lw+O-v!wf=34DFrn%wqt6{U&z-n-lo71JXPK$Z#h|V7-=^7csfO2;R47C3se%c2xrF@Fw z{@Zk8x=iI$ru(yh5FI|F$`fbfRh-;5Ze5rsa)=r%N8J%zIN7e(o_tCXV=7_I|4t?X z?5?_C;!p^8XVe8w*a#1VCB#>z2dj5hBl5#1;AjEddqma%7`F{k5@_pDfWg2e3Tr|M zh_-xWUBq*0Yw&3o5@QwQ{eluit#O=rhVD=ZEUt$eNz^ggo^j&+l*U7bnDR_n87Xc6 zDcZDXP8#qdSFWaInPSeasrhG zrkz`Z{X6fy?3s$G21IrvBQBymJ$zB!jzzw)T{` zXi)91InkMJ&m@m);|m$D?7TalC97_2D4v#I>RrxfR}^L_bE|E!FJ+^(UGiIo?o=V?;CE+^O=tBlP`gyW&&-VZ;wu4RmXq zu~tUieNy4g0f{}_fR7R=Jbac4rHRw!ePm&$sqy5pWxZW4d~J!^DgXoo8Gh6555@@L zl4rvVAQba&ED^9=pzRYibQZptBq_cX(~WZ(eCJz=*TW2;Qotg#sh_Hct%9l{IANoJ z7!Ct3yQ7blMZ(Fv^171c>&<~J4k&qW5>s0UA(6eT07Rl!B^LbB;TY_rsV6k^co954 zgn7sS2@>}J8tz@MAHK5OYn3RRw!3eKpgcQ(&$9iw56Lyf0*iY@2$1fMv6d=;YRN&CvJa zQRL^l6QuO-xuQK+HgmEVWCA378kj%vM+8XI-+b9YGftoK27u@gDBJvp;%Iqk!VDt^ zN%~m-{X#DRr+}ieQ0h5NHd@hrz&=sz-{46=ie0Y0RCLrwqG(K1gGl3B3+y=nQFuzZ zd1)W;9(=@w(2d)qLTasTWx&{#pY~T^*qu=vE~#sB_D6BT5T5QIT`ZHC0zd3odjO>$ z=HT87z+fmkUNrz!0MB=;9#(*`4%o=EM5ClYe+IAxZy>;GUAkJj)YCXZAN;heDyEjSy-2!04Qg=1V*zieNYT&MfGZ|gm>@|eC&l^yQ-U$!rd&Zz&HdV?N z(WCk6z^jFYDtc*BAx~uR0f2R8cH?(>ob> zVUnY3n%PL-Dyp`-D%>yipzh}YdedjC5o#w3oe%hC&P@zz=1qz@>C@Ghu9{y@s@|FI zz65X{2ViR6y5imY=XzAwSP?qWl;Sj|aM7`AN}=PL8q+zTR~q5IC#i@y1o0U% zqiR(oHx744mPxnNcb)=5L5Li`YBWvyf`0{wuVbR+$L2OKZT1z501YF_! z;qC#QpY6iWYvSAZd#HC?9S87bP$x0h6{x26oK59LzV%B!daYy5dLBYr?65pD=;JhH z+E+ndf)QN)E>Hw}Sp(m+P`@6X(9Lo3{v`oIDi`{?2RLAHx7@{sJ zviF?H!+&wzbqFqnSyaf>jgm@f%Yj53^I~q;1Qv3p7ur?pCMk8aZpO?5R3OyoG(Z=b z-vE^-$`K73`AbWS?|f%RShRoZJ2dplV6FoCwb7LVnFZuwGV{*`><<)Xq`&+%zvbSl zn@O&oLHzlR04;#Byo3QWj(lh&4}_9#szatWOOdt3$n=tMic*53?K0N^pkBC*qm6D3z~4?knp8{Lfl!H-0wlH`xL zYxF1560F96Ih+2yqHWei$FKeKP1`W|`hdwdgPV?CHq|SMJ^oI2OVCnb7fY2jP-c+c zJm)E+AX{n$wCvrFCzGwk+X&86YcCQ-oj_R%A1Aa4O~!h<>Ch@quHRuzNF?Ped>ClB zO)F+pL9mfpyhr1UqGZp;zZqi8XJcc$H4tJ-n9L$i<%{*x7aYhkRBmJ*@0oRG*bB_Y zoLtnF(F2Y6dQk{S5zzYCf+BDR$dt|)gYx@vkQyaW7?>N2fSjyYPLfX%S@to0zokP; zjQ?12s81~BNQg8RySd$OI>j4b)W(e`L^G0#Ge1*Nb4oBTe6Y#MYofsN4DS4eS!SS6@e=`OWwjXg}=Rc1t^wp zlEn32lHHX4@M{nzRhF~IjopXd{%EX?p9yGX6Ct5$2ruO}b)f?JCvU|u>uc+x;@3_x z78{eFzt@miM4FeJ6zSp04Zb$^Ij%%ny9_jBwGyq?mp7#?5`v7|Ph#kP=NV{DNuY!! zb7ovH&GjKZZ)gH7gUVcIBU}%Cew==9LbIHJHd2}Fx}ZCeI;l2cnA#NFm28^yo6F>} zdQcV5uzBFSQi=&b)#;$7OJMBb0y+@C5Ajx4IVlII*e6*jYJTy##cl}}!ocqNPCS|W zlL_ryWvfwFrUWzn4~hzv^ZHbyf2L);PR&4`#x&T!sbL^{<*hycUInZ@z->8NS0yoL+OsA# zvH>?7Zv|wJ(+om`Q$c;1fXC>3UjCVx%6tJd0`yCUzuHKuw6Rg)pkTFmEnq3sZe(yv z(M)e2_t{y~H$rmt&*&Y=8Wy3(Uy44$dbu6XKRvm5CZc)hwQ+dKK|}>J311ZYQJb=i zisdT>HpG&S;U4`w0i+0PI5Aii7pgv|0jOVO>VC88c>0n562wz{Tma}g+1gA{ej*+? z95lE3roGFDIQY`0u!$)6<*@LZ+7&MJ9r)uid=8#`=G{4*_8V_naygyKWIUqtGKx6V zVwSt(A^(Tn9X`IpHTD!6w;(wylW}Hvm3B=r1SdjKD}BJ2{-8l7yk=LVU> zNlC!89Sk839i$ym?E(M}1}B+2%?ZBEppLGp@0&Q#C2e75rJPe_B4hctA)~ZoqrX|s zDaFn;Sp-!oKU%+BXVMXuK%j(TGV_qgJBK7a4`o3cK9FxVT5z#uqASV1XN8J(amnuPlg_RBXo1;xp+K*IV%6#4^5 z9ov?o?p2$3TgyHAq9mPn_oGg$RmtfcND~-x#UR@$?|#~P`_0fmzIrTzKzL3)d0l8T zdngBGkDBloke`f1h65pBt1ZhP-E>#F4)&Qwup=Lc7<(>HIN*32ZI^CQqxqQ;{s7>L z6mF*Ayn7#*((?%_oCqLtng`5tw(sQ@2`B+bfz*n?AKhJ?efyB-(V7&yBerv-FqLP| z0l)5k(|_SxbAR9W_m$X6Q?~uWe)oAV0JMr@;wL0C4`(u5A5s_CZJ{pz%dp)+hbttq za+NjX7(08|3!Y8URak^PnYm-HWBO2Ys^=7V`f9K}lM(g~-oO7Q zjcWmzjya+{ZSpKs{H8TJ0G!_oHd~9G-loIlt<|QZ$v$T1^nH6TtqH!f`J7gLL4u>| z*hZH_w3eeYRUFy)9ixcodttKDDK5!FgF-H|dOGbhS?+-d0g-(7WVr{Jt2iHkw8FQb zA7sJ&RL1`1>%l25h{5c;+PLfvjUe>j4Iol$9NRC~6l1RE2tDav2K(9L!WgD3^n@l5 zSS%B|%!iEp9IF%wF?P9#N#W2Pb~_>i4h6*1bdLaPFa-?h6NQDX80T4q=nHQgU|D@6 z2@^P)B6-eyTk+u2G9Z+upAMKLRQv<2FBM{_`o3xxR;AcKpJGvIaF*G))<&qrR_eyS zUTWsEN_1pY3-s|!Oz)p#j6Ma|(CD=mo|cNb%2SDQh*R;<6^;HRIGr(R|1r%H9WM*nrC zn{~0#C-(<)tmVn267MKXH>xc0*|L=I*@X>`tUt~3J9MYtn{gtUICLsaB%nm>;&cLk z%Cf>^cg#b+)5i27nJCHfRRrCF)I4{_sPZQ&uYq^?lqxHe*{FJ>kmo4% z+WLX_SSFGjG=Acq(wVa+w=&gvUoS7 zegoB`AaxGACz+6)E;qzy!axaVa!E+}nLIqGlyjZmU5_42Gt`^ zJmeFp6J-Pii=y%lV!YGz2f`B{6W!ozH^Q^ECgx_h1gGNPA6veeO0+$rY!3}&_=`Z@$2Fht$e0EKKrt#LVdrWl63jAD=ZWj^31bK7>6+|~DG13O*Z`^{j5NGLnfNKp2_u@Tq7PmD zKMliWNV|F;)Op>`VQlOl;N-t)V=L;XFL%Yg5xo1inEK5)n@#I$?NM1Fs!j-%qkGviwM)F*T+KJyfn!ZdMHPLA**sN5B#ut8rfc&zVuixP=&}3;JES;Ruzk!Lcp#Y}|KRd-W$;{5dOo9EU%zM{6a#BPeojrtjA+Y4g-%=p_Z4a(L6zN}Q zMrcbal$oZz%3g{Q;BetsEzsaJ5_L4EX3LbtEH*HW3BphGy)ep(Ya{cLj>Y4#G&?r- zb^@!!;-IwFoIrAV@KJuv0|7~+{L6v{i~Ziq=_s9*hu4`CRt+L&$qKhWt>5D+Yf^dT!0~Fy8NB!ef^QlF?K( zIA(8=60t*|2De7J_Y~;@>H?MVi~vgYa*nq1CsKd{OJo(?1pVads0VfWU-}8+S2I(?TGB-YGvxEh1 zHKx-7p*FJe2J`UmJ?W`%aoC4xh6DXp;0GKZy8H3t$tkmc9sJr@Y11=m1KCy~K{VGA z`shJO9Thw*eky&1!EVtccra1IgsOFK_SX(gyTw`=t_L4~ox6dmJ?|bEDOuk!Zd?6;}y6MH?@bW-#Psw{i#uywIiu(gARwAW}*&I>W#g zWY~*gn*xjvI=Uxy!|uxf@uq!9;sJ?Abg?gd)-Q^LNbmUIsa(fmcmIqYw$0lx6(_W z#mF|Kosb-QsM7&@4EB8U(7K-E)9CF`yAiz5HRWh#oThBU&-{Dm1^~-G_`?sTP8VlqU$kizck|#odQTGv`|@^4L=`PPn7lq6i*%^s{7Or%YvHlS)v~j z-`9cE{MifyM-C#u@)#cA7S(Iy4!??aLtT+s1&jvRJ0Noe>Ri`v4pI6!&eK8N-c)3{ zHup<&@3Uw@<~PObXLN#bS$lM%Lz*NRH*rR=8UWXt%o9r-tDfgZ3g$7g}dx@4zQ%NfRxf@{4z#kQym8zKK3XM%VN}K*X=e_NI{?Pve)sAo>}~ zj>yx2hL`o5kfIECMM^+ej7E&))f`k|Uj1L92t^5&nJTcprxswKLrBHY0u@=seR#)@ z-EnO2QGOkr9a&QW!~SY+KMIIJ{S*1L7YIiPDs8>;a{$gkg<2fza;+<6r!`a8YM4@) z-+EjfB900!Bo=2ClmZzTimCv%%^CqOydu9mji@9{Ly_A{YRhU1-pbOKz@DCf67V-7 z{Xjd@`FZ$1oP!F;JD61U>lbO3~x4+=$Rjrfj zhyx&dQJ?6UiuB9Ev96yg2B$ty@V8_J$^2~0lKrsy`yaJ*v(!tMu7%|M`+0GJ_Z}R? z`+K+%xSCnc(AoF@LKFyP>M4J@6LxStq5}GqzG)V*82*0Eah(a1Y*(oZL&bPR(Zq6V z;#r1P#%z$R)wz)pOiB$2JtBdIe-R{6#8~@lL=vYxqwh=(7Q^XMg8+TsjVg8w#NQXV z)PzV7@$26~7^@D5X0Zuy&d~2n#zQ7@(6yC9-|HDc%v0L?GO+X^;nIg|9_5 zzVvL&9g`&yybyw$!~pzN{?h^A#Nc#l4wKhw>G~DIA42xX#KimKt3(&kEbsIH2L4}E za&J1;!gusMlv2~#Jh4C%xXVt*oC};cajU3GA=kwr7o!P()de+sCr1r`%51R9w;^gX zSJ8vbce~$j%dLZl$DZFL2?D6s74{+!i7pFPa;g@pNc2;GPh@dazS#Fuk+rsy%AYFT zlG+v3&FA@vksvGrdPXO8aWKUB1nsMHU#HYV9BaC|5-0N7f}5M7RrDC0Mn^Nf36JMQ zylAWxeiQQpOcrt0wGCh{QjD`XCVO^b>m+k%>UFdY9z0Z4bPj2R>1ef|(zn#t0wt=W zp&PNQDF78hVk9`q*Pj_u7rF~a{2HAoX}1kN2L#OGvaZOfD4qQ0ycE#ON@0iY#5@dS^q*dzi5Hrs~Jg*=En&^>qC4sLD!F<)j1^662a~pMcxg zVSJnjx(njK8JO4^C0wl_$mgW-d!CJYzR0RR(MU*@MYCr0?i%$%%ccJ?d?7>+lm9yZ zU62;dX8N&7cQfGT{M1x$!bDxQT@#(S^uqJSWYXG!@{QDbHp{JibEtGcNaeyOot>Ja z?fflVvpC@jRm;Y=v02TON*@o$@mAl=n?#w0|Cw|}q#dB!uAJ?n`MpIw)k7wUtb?K> zQtb1YLNIv`IsB~v1I#4DZ@nik$_0)9j}IG4FQElBWD$EpO9l|x14=pp!Rx&u9Sz(m z; z7#Id>+Rt@5n&ftwe1IuS9BOIkX5}C9dL*U5*LLk;KW)h`XU*1M{~(Hoe`RU!058M; zv02E`N9UxzOJA>s-Ur0f|AdC^<%@;+Yu*ZB@plWEzq1^@sgg*JKyHNBsoYGVo#Juh zhj1j_`TeISw}IUK-sIg%EUa!pIT0@Qk5t7kB`5uJ9H%3v*~5+SMkUJdR(TYA4_`m( zkODQ1czjfIW$7BFp6eewI`w>4lpitq5eBf|qh>o2JVU+V=doXbs9_y?8{P6$^ldq0 zwSdICpqdv5cF%U7={&VRg`tXDnAOM%do8^P9xdP*I@WE1fL#c8smUE+E7+Ohpn7arXSwRJEOPA*Q>Tm7Xs zDiaLzIdh(X6Sc#h{KPr~TsOEImQTy^@{LaQh9&2hF8;5|3||O%2$(FNUsyLyU%ptI zj#X=CX(+NPuWw;HO`W7ngMGNrxL@8IgpH>J-sRYL4F;~oD00)86VNjuBgazyA1#2l zGkulPv`EJ@Mg*z^YVGk=*;5G(fIdIDaJ+dfXA_SX!uy$* z?LQ4y0h%hUY{{36)}aichhRuqf z0%Cgj&obN2tU;9_!GCq+X!J-^OZzJA9D`PGqMyL2-yzf}Z zBojF|q#77%5NnsB8YpA8y)C7fH6YT@7>)aN`tPuT;Mx}0vTrU3Gi9%X{jzeMqT~N# z>MY}`dZRCY=?>{m$x9<3(gG^o-O}CNARsB-C0&F#bxLAtwf&i&2&XU12&lh1QF z=h=I&wZ6OAL3)DMjcsKx^djiZwqmzbmU5^543Kmr{#_UO>^q}6Ig@2H;VTL*Dzmv# zz`P>Qw~7ov@)JEGF}=&Z7qp$HtJ3 z6T>jOk0s2tH*2g-yB~F?!_(N)+KxpaeMx1@KyHLgHjkj5zF3W>hjaFkoGQV(!C@@~ zB}0}m^`M>R9xa7;tCO`7hGT}~Ij!364RX{Ie6psGH(D?-Vcimp8b)L|wt@e={9!58 z>w@zu_x3+6#h&Xbo?QF^>u3m}q^G>4aJgX}TV7yecQi7Xd& zMdmN9A^g-KdY|-ld*$)ElJM_l$y*A+3VVe5t^4t26H>VB{Z`X0FH9qjKh+Q=b(){o z<`1=n>_AoKr9t#z6>jK#9EwJ=?7qmDIUvS_ob-!KKvk`ao^cd+_WvDVRe%G`t@rw| z*6;MBj?qRG`SoDW)!yD^33zetw-T^wOHedFd`N3|31QJ}xuvlvv>}tqPs)7~WRe)!>^~hJD&5!HZ!B3+d0`Zg*Y}XsmT00B!H5b^tl!ss z;6_PpwI}0MT(J4g4CaL|r;!K^yHk~41c(y4@DL8jG65B#tUy{PYI__FF#dli6p$)x z(zrRLhX%`wi`sTp&`T{0(U=krZ--@fmP2;d0qM{LnR*}UAEc_{&CLmJ&WR#l`W(Cf zB*o+I;f~3nv0LJK(URN-j_GZ8j5O2% zN+&~*V%z$H={^#wDYD8mv~Pj-KhzC*2*!eep*syj*@5NuIWB99-w zBWgrtuLl;YovOO`#IBw<+o{0)QvyG&L6MrTOcApok#CJHG^kVnWRn9ILL00{cn;y8 zerV{Y7&Cmubx1f)LFU78H!ovz^-?7{RawnVlDMT8Aytr0v~;~=)4AFUE$`pg=61~{ z<*_P&sYpo#`?jc7=_)PQuf5UxtU4-D8{fQ=_&(~|h=0L@)3ustzB5c!!;=U~{7^BU zi1vh=8Bs!wcN(^v8u|GLm;~=^RCSU!McH9D=n6Fdz+-ny6BIbfN*#rPs9N{14zb?z zB-ns0hIgrahj*>-?IM^`ih@5I>*k1w@&Rr$4Bx9j*P0uD4(K@_M}r4i}*c6kx2oU(m5XmohtuNgax+LCuC96CM7h&1}J+eh_6-+0vZU z3SiLZFqqxRtt7u02$oId6~85WpIA%`8-A*efIg8W!eHHWd|lBdDZ&ii^ww8nblS*? z?A?Qh{M{&+%Sf=4yU9YIO}E`~Rq?HIS;Mj@BvDVGm#dEqNdZxCqWs%HOQ1a=NTVyE z5HFSBeFA7CGR4VqZ14_po+|R$AF}SemFW*}$J2+xRdR+Jg}m8+MM?Y~eoI;f*eT~K z_0^8N#&?%+8p!8w3LE{oCgtrB68RF2Irwdo*alq@IDKMES7}h&Obg{22w; z*_k4EwJ}rC-Kn0nercB^KL_&H9?5TSVZ{tuy}rL*06Z4&Wc&~#mV6>z%mDojWug}b z#!&m(2v}1P1k!5UDOGj?qpMJ||Jo^+Nitw;{F@3J4U8?Om^R`(+N9U+<=S%k>*y=Y zj(@Gc;wGqZNyboH%Gd3F$x%U3u*^Wg_dE5@8u-i?dsYI9LGaE{f80x0Pb(Z5-$iI_ z*7Etx*)b&V%Hi=k?r!{hGgdv{i4G%XBfIHKwAOkr4&SETMd@!OWg$>%7?ukD9sxw3 zq4RP43<$yfJ*tk@#xMy(oI%vi;I%FD)xKzotmS1h%eP8m9x>k&0gxeATn!~;$=i)e zz1N?frw8P$^7Zk!aS8~nbekH@Z1r=5CKCb=S8LPGD*%#?cRHF;iD3nue)b{2oiT)mU;BjNwUS!9tIF5fwZMuU7t>xM*s8@UJ@1SFp5WH zAgSZC!!&!h7=+AEa-=R)KjPGr_pWvb`Nyr^y-*&CZZJC2Bb}tQPe4IAJ{UmV@>RHh zqXfun|LK$*Vy%_pYtKu*6abfw^7bIVN7y}HD6di#gY7r@Q`W#`JsgorfqphGr_I~; zaUxTo{MlzCRzbC|Lj}~9+I9bciBGh}08&#XZol7(^rDsN7XsC-+vbOk*4av-I({DxU!{1Meq z+>zL=T~4#H)Tn(bLdp@cHv3f`EmZif3 zzJ`eU2=-X_Y`xue&QtZ{J09V0Me%8i&SmNlX5iahizJ>SX0cIU1F)!+GQ)WH3J+i* zshcuoLDc#k*+3SX5R;PjQ`C1WX8e6185^`it4~D$L{BdNQT$6sfFO8rEv0~Cp-dkf zatzuq?zR*~-GD?5g8E&N9~^_2`!o6}#BH~~j;;dK-5mp;?8(5R3-)sz0mI*6AR@09 zKTLs~R<_*gdzS#W5D)V|Uk!>}b76a?0;CCRyJ4Evr0SHfNU zA*@p6LAL2748@ICB0cl5q3mc*&hM(i7!BW~IQ}@nVHNBRkHC?xr}UXSF2I-1fy#Ae z(=JO=t92(ILq|0^f}M8$$=$A4SNL#m7*-TSx;q3=BuoXVeHyIhO}6^NIdhYSyaooq z{mNX<^crW>-}i5o#FI#S-6qdMD#-A`>UhtI?LeuW;H8NWP{a&3-=wFZ#nx7q0i(@? zBCEy?^os#ou<*0};8IzFP@Kc5*kP*GzKyYUBLI^S0KJ(naLlf97a%%ECGNcL;0vCq zIz5?#Y4wAn2Mv>o2%4fsAzAR7ehC7BIwWk@Xm3%$&Ls~8YanAMc)uBZ8ENqRF_}ec z%acjWyjVWxR+b0Pg=LwMWFAte5~qZ+ABFnth$@;Om_D!iE0dhre%re4>-Z*It6MB4 zvm`FlWOn)op#eHr`iBYY%9-#L!YZx3Gy-JbZeH5^t`^+al=ikn-R1m*+v&IOCk`;h zq zWjXYPXJ|lr;^qJkliOX-xuLB<*SZZ;HGDr@RN;BKy_O23&F`Z)KPIypm>4eD#G#93 zQCPNo*Kyb0bN=g=9DpEYLC>n!%XQlD4*(7FV1D!I?5^`)yZoRrT?gW)vif(X(n)jp z&Wuc!qF_1)PMCxcY8K0tM#%G_MrVA^%dvT_$Hi84I&18SA}rwszqy}`D7b>GMX4R9 zC;$7ADqUfoWW>moeSZ-Ws)|x`jNrfLE6&^o0Dm=8H&?Z`r z@->soS$?G31hk;7R_?Kz22H3mpkbH7tn~=-VUU&({kF_j%X8BEXLL3Xa zcxLqY?+wAg5-_#;-KvK0{_(`#|EPti*X|E4zwdevtX>1d{&gUyM9ycm20~HrbRP$@ zDlRSIUfrZHX?>|rRj{QmkgIZmoQ9wg?s~VkQ&k}vx-gP1w|P2m%*1i@4Yi^re<~C1 z!W^E5Sn~7pbiOn)PnT(aV4sqd>1ov%CB$S@=knYQ&UFON2joD{|Dm+md2fP*%;=M=40pq(?pkr! zv-KtE&-8hWlt=J@$8%z3~I z7Ua2Xw*N)`$iCyDC{x{zLqC_Ng#foR5|#x(qlD~z(0aU#pQ$nyND8$NbgFw0ycj^+ zCzng?ye;u-|C>|QM&Idm-SokpOG~H%+Uwv6Vie%l$7`c-m+5Gip{n<)VNX!zWSFF> zr#KCbM|guCNVC%5ZA4am1?3#P$@*{`aSslPLx%VRJBKgjhNQ^AqUhfkCB#^?~Y_n!-THFdH4V3JVoQDi=i*2gaE*o}ZuJwRSIp)t?JCTF)0)5XAG&*y{r^RnW`>+GpeRoKYM<|su2x9X_umQmcRg_0pK58LP-t)lPFP#WW>SV zzWEPgscuWHAP`9T>^OzugsZJD%cqd6Bjc{Rt;}R6#eYhQNE4=p@)1w6K}p zv2#d0!grH6BJgawX#u@B^%G3{3BDr>XYY;-Qh3Xzp!^{GE}6YhhR;0Ish^en|8?jV zxjZ68c)I~kKlOznK*vrXlv)45Hsjrh3S(E=Zp3B0xtf%gE<)6*|11wPNDQA)vrTY= zkJ>O$uz2E~0-i6`Jse>mzw=ja5!F&n{iF)=LmgGBjWB{-G|)>3m~F9CAhJ3dxZxq+1nNGk1S<0M&|8_1JL z-*ZI#^&9Os*Z_vjOlOZs&b7WOh<3>Zh@LUEn#Q7KcKAQ7Y}~5pHSw|*cojx;q}eG? zx3n)pt3_>$Z?M`@=nC=P(y|{CY6M!>JN^Bs1KUltUy$bBZu;Bw$PmJ@W~x=6c0Ad& z6Th!R(lylPV=8i$QRWUAhhGFS4+9BXfg+4Ci>4ToyfWl*mTOtCB*753fa5?#q}O9N zmLHW)lN~;hqsY|nIz8)Ui0rhEYIiUrf(90mXOp++jWqt>a@x?hnZ|gAa6~ZmHY<&C zx5q70|KjOnP{YVY(c^vx5P~p4-wZi)H5r>h?>VW$bGqRZ-sf1u@FFI{Sb3;BCXEuD z|Gj3|AqG{A;%!g<3E0RGb}&HbPlfS22lIBKEb7k&3{DCeHjmKC zqAcYz5fD*jz|$Xgw!Nn-Do<^io&``i*DyTz)EV#_d|inZ$aK<)v67Jl2b}^g`?-M( zXQQd-?r}7d?*dFJhBeTT5oFV!#{rbj-1hkWJVZw$#n;S-l+UhWFx$}>-O~Kw5-rSP zAj}3iz`)1V@+ufhcxr)m7yF2~bKCwAxmr$giqb0*Nn6EoW8E6cPSS!tkYPQ~Js#S> z(OA1r^toaDUHt1o>i=LUfl=<9vRY228CZ4#D6k32ZmQF2(**BUoqvv#Xl8A^oVusm zX7M|lS)35`g%VMgF}L#`$!r+FX%9w|G8hj;UHF{XuX1Sf+O05g3rF!{RZ?28Rx$Ih z@$8m;TXK>{az9#->zu4H9(b^y)*=53TW zQ1w<-AuK5tC3?d=f#@GGs1V*y6NE9ywt=W>W2Sfm5OXEGL7A0$t%ueg1R&zjNsgf5 ziFPKHA`7Y$1Z|iW_i~<7K*KYcFZzr5y~qGB!$P+yM(|?fh*Ph>Em|1)*tt`|Rm~$m zdZgv)*5{0d>U6*&%u%z`uU%M_!w#N_IzS1I<$-ToPWz+Fcwi4Qh@=|Ddeq4DU;q zXwKzQ@%sM#(pE0KAxtU=4~8j?+|+0=e9voR>>akL7A^ic0-ak`{0wG@3`NrtsPyO#QKX9E&>q)j5Xb)*XT z13$<4$tPGI#?UD?pnd;1v5_#3)T`x54g!#<&Nh>P8ci5;F7?)*l1sU>YBP|PIRUHxF875MRn@U}3L|BUa ziZ}=y2rS2vSn64tS#~*ym8wPZKmSBlXQ_;xg!BuM113`D>8v9|yPsaf z`7OOj7m6WV7ivi#drS^@kx@GB%M$4=?D@A6~F1g*kz*{3Q#Ea169J48Tpyn zy$`XE-7}0pWTDlC)7<3;nS!vohML)%WvUP#L1cvOmm}au1HV(4hldk}N5QHiViA`g z?5(6-e}pBZcK&%AIpuzS^Bj>qMY=(>J^a`o2qJePazq_t5HVrVT@M&(8q zCcVeypaoHtUVRgu*g9xaOwRfB8={_mlD-|$i~-X*ny2IASaXCd;ZrZ-u_T=-@ow zM-hGc@sve>CgC#Jz~1>>ds>cCDRceGQEC3HX~6jQYpRWT>yESm+n~H3@n5{NG$?|h zE73mlW~@4mV{O2H$y0>hn}xkOh>A=d)C!Wh?ty`K7$&N|t)aN|CUWc0!K9CZsbJgS z5!utapY}5SxEYHzin%SX6Gb~YxW^MmRd0=S7xz^%;(%+IW4>Ne9qa#7RH_vLE?Ex4 z?C(lTTKuFJt&VPq14DnJuR(ZivPRFC>VcBPw_zcf2wBmYAzY}pVbU`6Da_%=%d5rm zS?P1Kef63(x|ZW#h>U0-dnsRYeYM+RYj8YcbNJ)Oak{oEoADd@xkTL9P@UiACI!Pk zxV-pi<4*rvY)HIr_q}!yvTMEdKlrfKk?a{sDn*o=#E)db#fI;L6+k440&)SUY@R-B zX-{Og9E5OhFN`JG5x>KJG5i$mjl6*tsP~Ma2(x<53KNRH5A$s@N5nwmy%X9UNY_ya zG{)8FlM$c}Qt|t^8vwRa*RUhiVb_10kzqgRFvqFq@~d$EYw~HY6gd~4KtRpFz?_oE zd>~aE{a7Fjr?;6D4Yku;mdGH0>E92Ypd$yut`O8uNsguyAiL-;HfKetw`+^B6j`nT zZ%yNeDZ0eK*$UPG)3;Fhq4uM`#($^VQV1=k^ER1&?Dy9rs%iaNqTDt=;0>v1zTKY| z2S)jYe6oNGMT^0EXn>Udi5oyXVdM?xqlyOo$>Kd3eGZzV6>+#uB@>AAr|M0GX)lmv zQqw!SIUrQSj5Yj;)GVL#x-&VBklJWnwps0})3hfb>$m$w6yC4pG*R0qgEqLX*2oQ9g0|vG<8vM?yw2^ko!5DZWlEc0alms3_Y>oK$9dDp+9zq zkgm&p@_8VlioPW{&lQ2n~! z(@8q9oTO|39#XI@iYNiWLKJQoF{TJetIm#uo*etgRaC0r?0%O!^r99i79r0pNtzk^ zG+H9PaZwv+icA8bqta3W7hp_T2(LZc|5}~vmDYny6Tsi48zD8yT3Rcje-#Mg9jk#~ zisg!uTSj5)bnIo+YW2)$>ty^V2!U&@U!*bw7;%J@2mrO^Yw|TLq`FRZ=CQZ#;c5CY zjTYuD2TQe~JR+Tq^IKAVK{qxv=eOt>Nbu$(v|L}IY=YmJq&%}9Tz3VtK8z|D{#veY zPgP&ihNa(53UqBmgBx%cZK#qBmr6j;lmzVkF^F9x8&XTcn6aQ-i6D<(<+(-rmAUj0 zZe7>$uxuk-l@|lB8%_z}1!C-^F(QX0*IhHYqUh>VBaGhVlaBxK0&K>f-RfbM`_5tt z1JWS;%j0maT~>kmyfl}e)iJfu@$1qpR2J!(hu-n@l`Un_uctj|2a0XqksYC2*KiD$%+27z@p^CNHHd@dMgbNtmipfLK|$QYK8}3^9k~ zhr))8CPY|>zSo|wp%zqu@jQYwePuf+Un*H(z7+g&{<&y84wUY3Oh!e8@BEjqlClt$ z+eYKcXIWAR0R~c#Db3Sl9&1leVL@KN{ByocTWg?`z$Sly5}#^6h5&2kM|IU7fj)y7 z%lR)i#P^}`A4jw-wjcI#7Q04%SYlX{gOnaGG->a5mBB|>P_;=9TM;#L1>#irr>lNJL^tz=0%NWfMZD7AIBUg9W};%UVcBr6Bn=s-ceHw zF^78+H{dMY&PT!hCWWIyNAF-9DiiwBVmqhE@APaUn?w-7g>8gkh|nCbJ&=};dKVBp z7{h=O0fNkxGY}mCyw50NRGK1iG8jyG)~wi1pKTHh+yw$D75tY_ZBxv9Tkl0+|l$Fqn zlI~Id=PUg)P@T80vy&`?Wu*i?8GlOpolkAN+%eYl*uC`|-A&n-gyYt@TkDjO$zLWX zArT^@fHPz>mQ7-!g0gyr4FARDdp?I@ zSRinCNwRF?KD#Cr-vFREwcJ0uCUYeB6sunh58GDZ7~xjh{DeFo)|Sf5^|89xu_<>X zXj|aidC}Ml1i7Nvn5tG!MS!7JqIV@}AIhS=Ph&6Z33A z*V;;>lsGw~*X}WYO)g-}sq&>R4-_OpMyN-eK3H?#fFx9T2dbx**m~cN=r~_JI{#W> zjXK5>P6uhg7Jg@e;@#L6V6pPC!UnImzHAY8PVw78IirIC3xRq9U*4$kb65~B%IiqX|mTuW_3Ufe#@+4Rucn$S$;1}WNh(w?_?_eecJ6%<-1qOwql0F3wr;MScqDf`G z{P2GkFK(Cq#KEpi<2G8!PHekm?ekzEu>4##(Sg@^0Zf`Xd*ZQ^>Mbj9Zos?;fU~;e zhhb%`5GVx)>N?^hzGMe3*{vqb*~hw^7uh|NMjQh;9@WFLDs)N~sK&O)ld8VjuvOSr z`=J4tH4f=Pbs!v!NRe_vi++V8+@#9=XY-uBN_yHuepxWx$I?)QNYJ)4=BUXx(Yywo z#)G%3pA0|ecB?ZWE#e%d;smy?>ZUg}bz{ z3LZaU+Guyn)U$(B^TVns7m7AY^VDDXorl+6hHW_X44ho$N1JQOd+%hWOw6n-v*HJ=J2(h*$I)bf$h154?D5hD%|t3A7_F#F<+flEV7XV>6pf|c0U(%XSuKbP6f*FbkaphR=R(Y zZywkAS5;ik0HX4BeF>&A zX7yWoR?2Nr5qY1>Qi@)^Cu218M5wu>R8c?0axH&=QzVdeP>4$Z7L>XG#u!jG<VBA97)ZFFX`J`vL(a|1T#l!puehm;7)}9R*UoAH ze4ln60IBN$6U4u6it4yU_yj3q@OFXYADo^O$F!0&DQy$IWZYMv^Wv|i8oMyCK&l<)-%uQ_5a5M5 zg(<^Xj>1YADjxA6F5Hy<2%5|l3;s%BywtDvgjLdai?2!@nP=6}o+np^p!S7zK383i zDUWDv(R_09D*dk%LaG2lr`=`xW8gwHP<EOkSp zQc?c>7Xnsg)j}nm%>(T?N{fE-NLZw9(IYJc?Y;i%UKH&`+vPuLi0EATDv|WBxoVKX zUT@d=tGF^h{eDZvmfyAA_>T{hC6}|_SpDw!0Eur4Z8Q-dI;ROL4pbC9a<`)Zv_$`k z_{ysDd2A-#p(kY8q>8SJu1qp@G~riYyV6qWt9iw-KXysNqi3qwz(<5_;*(Vk-DI(M z{ay>zC8sTq^@1#%nrt$($waI&suc}T z|6Lf5?vM0ltWypDDKMs;=w$lE8^ue|{WVjtP@3-7G8IS_*lfe2Q}4HeX+Y2V#bCxW zns64?BIKdy9D$`-hoi|rpri_L-OysIB#u1wjm}E92G~VNfOOqUg5|MynUh}s{%*gI zR9RR;s}D^pzDbS~H@SNiKcuRA|4DM=-|Jn7&mb`0sjkp%;hH=vwQ5vvG2!qFk<_#Y zGj!D}Gw#&aqH9fQYnpxco$M(B4hdYU$>Caq{e+Ssuq!j8--6&gKb^pEH7~R~jx%!H zU@?!VVDQU_6!`#lte6L^F+=)2B^=9bGm>3+(bGK3l;(v3>q=~Dcww#PHSjG-m~YE= zjDU;DJ+K6zz`81o?ybsT3jWjw%XoiD?yI){6I7h}=VL#uY^om>?SNP^uiBOT#k~st za2`M5W&Vx03n^u#E-fWXw5cPocZHSgqkNX|wx`FY{)hvG`h3@x22HFKi&^U5M5OuLl`odtn}$4^#n+WdRCH8WtOqSr5FxIhlm`y|H+Pz8 z{g0qrs=`1FfT72BI7C6Y##So!`8bkiYOy`TG= z@#ts;$)aBmF5!8x z*tr66rX1R8%NF0){}Kbg>BI8b@#?3jNVbFMjNG*rqpZZ!!JZ`u zkkV30e?y-k`_>a)g{gGyqwZ7sL-I&GF(Y7|$FMUlF?n9a0DeW-vg2+5O|?x&(PLta6WXR8U%8kVs}n6dqhEuWkB-J>ZLB4}C}v$zz3z z%CEnh9VDplK^v8*4%pb+_(rzbQeN+#xq6wmN%~t~)*$dVP9WxlI?Vffq_1F$Y? zzqy>P>+Q+ux4mE3;~~9Hk@KZeyxzY^xa_V)d+ihx1xI<(nZ5w74tL)6h?7XDW(R^+ zckw+41ifhWi2LS0+rPEN`2+m_zeO2#@dvZTNA*VX-KvytVFUtIno1Jo{zHv2&j!D7 zB2iWaoEd;zCSeHY^dsl7U@AtejgX=1eCnt83`B?T1dTYv@U_kRc>W>tgVPLX1R(C--7)G|~ac*eySm<&c7d#mN19$z$_)pKhDP(p!N7oxM z7k?D#)WYv$Bf&yLXWKivMg7U!MXTH?D1bc)kL_)3u|yu=co8)(aHJjz+xIJr;NRK( z6I_2*p}~u=2keh|_&qOfGPA;cCGkwCR{CSz_fGGG;{5q)a?l0c-*`rET!UW#trhCe zY&>2q*VBvwY5ySO&wFXePhY7Ha*rXVuJY#)vBP=cwf(*C)aGZZE5oGz;=J?rIH{zQ zBl<+H7qLvV#F-O6?#sRcHs0&DQqY2jncr#vQK!hihsj#Q?x3D`EI-@8rB5;B0!7@F z_rVLdGxdH#52KM)p_j5N-=PoU@m(yJ1)Z2n=fsIxZsdqK@!;YmfIf`_WK;=t9!6hg zw0~0W<*+bkC4W~;NF8JzE_Y0UohKiL%zM6}INi)^?6v$I_zBqly!?0CvEmPx=u&j^ ze6@zBr90G{K-%W4T5M<<5Sg-$R-P-jv-+hrCP#&?#6Ret5As4)JF5IF!c{A%Obt%VN3=(^nZ3t6A`huTMiOtGisv@J4;~39S2MpLL0mH6yS1K9+AZgjz{Aa z=!!yQ4LGJ?b(}8-+_^uVb>@kFXwW`Sf2K?VVx_|ve5=@}q<=lE&2YWFUuh;Ys|pJ8 zNln+%=NT37kanr&2thbDab z0u})0(UBlT!mqVZZ#I;xS;zcg{GO0TgOcCZXy@tXsF+x-X_ccO=W&{j)9hkMAej~` zfT{QkeD2NppSCoih;n8x=(>r|rQU@tXpa%q6@NW%;UMr=al#k_KI?7l36H&vDQsHI zidJ2@zD(a2g@7$4k6mJi9RF`lu+Z6YZ6#|MtfD8;yHKgO5~RLJ_LaNMc8;Sx+;gXe zRjal@HjPUXDJ(UhqPo~faEj!%&Z(t+CM896-ff~pyeB09`%{?7?)^t#YN6RKO#XYs z7?=LAS2A%XPZAB-AvWi`d%+Sv>;LoB+r4{+u{EyFRwcg4{cQcWKUoS^acb{Q6c*v| zLIH^Y7*4AX}@>l7wR??roFwPRxm_AP(;Ir0Zgi~a^$idm9w zW7`C%k==4ebR;*)4^gWB{LjE;e&V%$T@(C2Rx19YE__Kk^ z0qU=t?u3nF={z!DMxvhrp@6yFFA!&DCeIoHyq^~H_ozIbS4Hg7$4uRop_U<>l!6`( zC6?1cLPB>{JtApyrWH#12!f0xwTgjq?hlI`8=2<4w_6k(<`XGu|4O(%i>`Z^PNOn6 zzix6VH(05?2xsuwciihIsqS=riYAe|*y?X6Gz69+Jf2JH?*nTkhWK}`&{o=<_vBxk z3+kC+dxe@=PL^uKd2JtY+O{9n>dfR`SSz&Z=oQ#3vlU)fuJ$HJZ%@kdQkVw<6M?-? zWoqU0syn@T^}yfex3ZTwwfqp~i(k5G#_xi_`1o)&0h<3~%>m{MN@&y7YGta^ETJmj zx5$>8iUoO0wF@%DVuj7Nd29r^%_rtOwPC&}NtDdKCMXCq0mWEnof3l98pFW1@zm(- zYmGF#C4EeQ{{(|o3Iw+^%U!a|s;O{_tg*YqA>1GQCTTg2v9;~%hhkq9#^j7KTT zlip$o_V0`>){?TW-nSHxr1GS}=AMy$$HK>PrkpYny%(GlI&^`{ur0}1s)_k5^rg3f z>^?&`NaGuoBgs?5$B#2T*NBB5Bn4kyC2Mqo^j1Bu|l$stf zM(Rt=$@gJBH1#1%hCADmVHAH+y<{B#~@58fij9_*umXli-Z?D_G#9?pG}@6Sf6tbkKj)u+#xCm*|MJY_3vMo{i5AH+vHE)VQt7p;J`}9xpI4OmyrExaCtzcZ(V` z%0N44KOtzRYaM!7i|&Oe1PsXE)|QYyofx#q`qehTY$kY_yHzb-P8=fojpgz$r52P}b z-@bbzS@r|u4^ydF@yvGCy1?_|>dzT6N5hE^k#fuX%@U;soqlfC*@mBo^uB%pSPJl+ z>Z_%Ka5Xr2Xx}KG&!cy|HlM;n5(p8QPdtm~f($QdU=Ez&Q*gtoKT6m1cuAkGw%G2X zyIHq|q!6&|>tgK(p2v5S&|vFUVpY`dOKkky%odU{>)z*dzNkeL7uRMgm*ph&@8Nd^ zr(kJDb5N%q@ka#EVC%tu{iH3WKe^)izK{)f#i>jA-aGay9qOXfrhVy!C7q?u(E`M` z!ZX@RJ#ICWLy471*m0FZ_+`hP-{qa%u*w%OpLgSeV909aJ?THoXU^c^lQfdWz1OF+ zCIT_!6{zj6!5)0j2sq(M8Jq*}46)yQ0rxQ^hIMAl#L7MfOip`20kX&wmb zVGm`4YQ8yqfFu>_zvji-_UtYG;=l&_>)A z!p29=xgMTice z1@Q~TzdvD=$2TM!m7f!S&ll?Npk6kj#QgWi`8Py#semViDJ-n;ouZWB<=%xMgR9C% zx*ArbK#BsC8ZwiSSp5+a{|3qOg~t%nzVB}uzvAoU{f)oI8zI^qPwTyh|AC1NCO~X* z5z=&G`V%2iP@KrBE>USSEzv>DEA4iMcD$W}vp9&06@g~BMl5{M`J8r4R(+~T-ZGF+ zcmM8`%f#s4Pg=jQt`E{2dV3RDdQDBFst^+udWdExQ*L@&rcqL`h3MCF&u^-thE!EC zHxmcnYaY5&-f*EA^-~hypedCBi{93XLc6@oc)PqJ)bO2-r7Vzt7l^PlVN-m;`#VZ4 zgZalOthZ+0v1422z&=QRq%<)9-zC#rz!S!60ruiI8x17*`FADCjfub;{K=1qbE1L2 zU;Od*1Z<*%l2XrWw+bveM#5W6SQbMG*?T|H*OFsoI=CfoP(i!BeRY`pLPO+34bgNS zhX13mbr)H&xuFZHn$Z)XxA^tF_P&7O9^6A?>E98Q8 z0;n^oqr_qq6sVC{`q6}W55|IqXVd?CG9&)G!*O~Y|vYjQ$MR}{FxYZg@3KR2teiG%WP8aVZ7qM*&rRI#qLEhi$ zkKDeG{W{(Id&G@%!}(dWrkejR*2f^zxp4Kc0_>%J`|qfK5uMDd1v z`wp%|iq-0H)_kV=y3ViOJ~?ize|dX+=Zg}|a(g&G8t=z<7r~2hwCtiGaN9TjhXh;p z2Vy~GnPyqD&;6|8;w*9=tpUry35}R`&DXG_qoY#BqcIZaabw@T!oHej0T?|pb2&|e z?@a#NuVMm2Tz-w3s#+SA#6u9;W9;+1txrzD-Dzui0Dlh6v{w!K2zIEkc`a=hO9JuO zQx$}tc>HEiskcH2F)ih6Mq&7t@Be!_=E{}D*vfUl>wm9;k+711OYL`}k)|OHtMOn= z1AfgaONb@`76m`aTr88LuOLHA1NV<*t<;)*5y}tGRMfhHscQ>}c`7|^bH2hJ9*RVv zv&dW^OS;E3NZzcR-tW;+$jaX;tt(heILksT24m4K+#rk1``3>ine|dJ+1S9nc`vpU zO0P{08-?{2KK+PNhEgJx)uf{PdK($o5|sTd{+;s38^#d=A(Ic7THML&NM3h|QqF{_ zWaa-L{@AlIv)|g<@s7`%xSbw$QdSH{fqiA$A0=5PnDh!_(aD5_3;tw+n9f?h%}J$3 zQ`ffH2psi|qO*(m7?4?)8B6WG9^MAwM4+zrR<8>K75vZ4B3pdm=+dZwqwCk;N^!(W zeUr;8RFK3fTtS>2l;n05ljVrh_|%K3oS2#n*Vwb=9b0=tT((1%aY4%Zl_hn$XssTx=5y@8zyr=3l1WsmTL z+bb|fwdtbx+oiJ_L3>Y{ctrG7Oi|`*cmh3IZG>USwg7UVs}IA2yrE+VDCB4`k{#>^ zfj4e>BP31oBZo(0mqj4Q4NMaBgMGo98To^$u6Kj2QP?As#Edpz?tI^(mH*Se+V@g9 zC`l+@i+FY9@Ny9QM*>+~n5r=ljof zZCs|W?fp&_H4womDdbrw|GCWsTO&qQRDf^5J^AdZ`mW`U#7?kVi#%?MG)@BK-gB1@K4ar_u~3tn0&rwFH(InQ^;RBap^y zT8UC6CZup@cEpdiG^0;3w(oe-wC8 z%y-+JEDWorXOM^0W0Jj}LVT9wPWY_cFL9#`uM7vvNekKVxr%PkH%z<4!;z?3`?bd4 zUP5}$wC1!4U`e*Z8Egz;7X)LD8 zN+_L4)^pZuv%1=LXoArCoS98`3^DgWygIC2&l_dpH=2arBAgx3k((( zhYpXR?%WLR32s-Fcdi$w8Dr=+ww=IOO4w5sHxFr1qS-GGg_!U6p5gia(qH8?E4O_? zxb0?>?d~6x@ntlEo~q$)8U* z*UoOUz~8|_ejkOa8rHypqtn9_cmAHK%8!IwpVxMS*t})PUPfAY$eIx}n2~ zaI6{807Dql)_9*XO$nhL<%G+K%L;oR!cK%nhgU)6QWM9;A;)K`gGB-CqlxS+)BaGo z%f+#)Lek*4#5Q66TGOPWhVp)(TX( zbsV2$_6nBl*E5%Q1}08+?mCNyMlc-p7?Hd3dWhdVPt!nnMp8Jp?c$C7q}3C${sN06 zYx|NuVlw}v4)6vYEOkxgoO7*L#KbR5#m+B8h|Y*o+02aeUhmi7R!SWS6%Q>iDRtVJ z>LwuKh36wMRSgCHa04Omsk`|)wnz&{BEcPpL%XMhi)LQ7>CZSSVq+Y@ng zLLpjzjhA5H;)N~d6dtT^^O@Cj2GiAkc`VVN47}o=GdVA{i3wu?U)!Rk%|sD+PsNcxBrW*w+g80`?`jeJc39_ z2uMn&fOL0L(wO3_v#oFR}9JUnm+?kag#=#qis~qJ8d4v82cySzI)yrha5@3 z%zJrwcGIChTb=Nh%S)_aL}!BsiTUHad{@R*^NSQEEWYnUKG%t_2MTf^G;p-&epS-+ zreasbTyLw^(DM=&W2`%i?}MM^IS0HD3uFGvt5#J+Ble}U@q!XdQ@QEcq)fXLjsXH| zsv(rmOy{OfnnY}xb=*=0fxkLkE-SkcCoQ9h#^rXz;%0OFJBuGKC!)-Q$7}+#N?p~5 zGOc;Ln_o#Zi9N^`z~DeWVI!&z>C7MhbLh1SlV0nxT_Cqieod`EvEQkHERD0#eQ; zyMzv*7K#~%Q|!2twP_6lv?7rx_0c?~4!+aJuVl~vSi*}7VM-Ce;?00`Bz2LJIX4OC z<%RaRdv@cU3C> zDjYbzhK)6;^>ok#mBO)sHTFFtR%(WF&D~>P1!?7aIoiRPQB8!?j#Q`B{mn z%-qpLl0~ie=^E%kEn%rfLmwR8>)1|a+^^>)kEnpl{JI!Og_WNthku*Z7m`XtT4`&7GkS%y$Jxv$w3mwf*=)Z3Da)$s&GXOla#;klKdDCb+`93mcOb)) zOYJQSzDx$4-Axv9SNQJ=$zikS^C#w9BTZt8TYlPaK9`9!Q zIcQ(#tV@Oy#-x_M&{<|5PE26f(*7s7rZ}6J)uG3Wf)fo&0F>|&51VZDsCgH4WaU(@ zg{~~f{=aNFOs!*@hc#OC>7&(hE>qd9pr3ywFlbF~-Q`a%1YPWXJLUyCPmr| zy?QgbvnAtS&k;t}UWhi+`N%#fSuep}nj%N3cCg(kpG02Dal7@huac`&>xhxpl~5z7 zSHK&4B=t`RjTzh3n~>^8MYl})1*u10*+=D%6SNMpq`3KB0gSE>KlC`0@5U#pjNpu# zIe4Jt(F>R%_!bACv}Fw(8bO~WmN0IUwFQ^*jWdH_9TEndCkWr|zg&*FU}P*;QrRWvlmHc|;1}KNSm<{QiKeG{pVd@Pp^z zX_2io-iMXvE=cxg$51NylsVF(9*S~o_^xRRWsBjQ`ooh8)E&l;MPJD}<_|7pvWgqI z@-BYGte^JBpCxqi^4M^z+xy5HeigpZ=~Ww@;X8c@ zsdm6>=Z#2z`L0R72{Xy?JY1YGly+4xBPp-m{_l?l>oY)!eCy&DqG<@#G+s>%n_jvT zkMqQ@P&jEu#^(IiVv~D&dST}~clYNm>M~9%3@ZB+<4ZO3<%=%Z86jAHNwMm5JmM`> zU$TOk-0|6xg;Kl=Y`HO;mi^VfmeVLNR;eXm2O?_%dt!tq>D@|Clo=^3QmKtj!?lP1d{zbh%axQPTp)3C0 zKWj$1mzMuk{s0;2=%8Z+-SC&+$tjkxjM{N>V}$=X|kr@rvM z$&`12V!0|JIFlapriq9>OxkEPnX*)&dzGC6C9^7Z=ZgD2^X%jr4qkcn+Re(74WHm| ztdHNzdZf;l(zf%~#iV9JO7S*mWsc3@QLbHIcB!le~ZVYWJGZ`^lE_KWp{sB5nf+fAwg7ti18lzxAJH zq^z?7vc3!XNL-79-(}hRyl!*TMhB~j)QZG=6+dNnL0?W4xH6V>_{SSi5^GFWUu)f> zeSWw33lk5{u+!)8Q(XS1@VziCIqIwcSQ^*{J4h>S|NQ7EUvtIIT%D4^n1G>)=dluJ=_IvLFD2M9D9780Z@?~}V_f0*j41bLMdlvma=J-tja*dIJkjRUY zupr{W>Ty^Rk{5w?uE8;?S{8tj!dfdSMD99|C>v$+%Ap@+4g8|X~tw874Jheku9O@W7cR$_~k zpO`b-kmjy-P$bQ!8(BH%`eo05gH>BQ)w93fcJY&RHdM<`qOICVM+d=VE63C))od6l z4=H%}4iN`IO+*w#YDf`=t^|CZ)DP1?k9@XfJ9$6I*VTiOiowH1dJwv~@l9H_-NgCc zou<03LbLiuLHx%TXwSX0D_eHyEP#CNGd0qD3LR_S_rHGSSOjqKk8PV!9qS5p&g@XE zj!ECqG(zqE7uFB+=3CjV?zKMSSYHjml-;)t5S*0JF2AHY-cNrFSQ{-(`R`r#?Vb+YDpw zfEbg?g*RV+DV{ICg98!WP;AmLEs>O>V1r(h>n1 zR2GwYF)z(Lao4u)T^=v_`phBf(gLuYy*!F`TldR^_~jenn6abReUlN#shRI2BL^H* zc#>Cw(MdWCC(6{zQ%195lJXL6r^D< zWJ2bBzs~0KFVQJ&{CX7qV5(5jH=8JvY;0SB_x9N=s9n!rtgeiuyw6~JrD@K-nVEi8 zMX~51%H}0O)s^3VLUPi3K*+lRKox1C0SSAk33?a%Gpo{6jOn&+ zP2@IN4UY!rn%7?3Cf^jH&ufqwbeoj)y)ULAmgzh#yHkZxhBj!kD8w(d`IK~0YZ@}| zPg_^&3kcMACiBY$DbQUZ&(K|nckhE}geb1l)}zs+5c-LRGeill4=~8a0=l?*`X&<3 z+6G@y1fBrz0-HgM4S$lyAVUnYs8{!?E9deh)CfcXSEq45+p516QNP~r@`H!w@$}e$ zmc+4a<_f&XU%1?kvncmo39qr8o9b>Q@q4=5arOYkQLb{9&~sh^8@?AzJ;9C@-)Vh8 zCw9cxtr2AJ>s0P6<`yAbEe($kpl3k^86fbJKYS^xfr^WU8z%HmB+a^ zamyNK=N7-BTkgC!Q$LG};Ab_YC2Nk>Jy0D|tv@nYtyv=wnJ{+d;oKoPlI+CK=$V1b zzil@bIQO;kjQ`@w`)^CYGxyLl?=L=;I*nr$t<;xe+Pr&RDQp>q&XZ)?_byUzxT*>= z1P!~qkxMh1N%~UP*|J?_hWgFk?{yEG=JhlyR*j9JXR_d#A0$_v{k#gjIJ*yb@hWuh zJ{IV|S!|}ZCuYV5HQgvDJxs$eE5yA+UBQhFmyXgh9Dy^07VcRHJ`&B5*vntEGdo}ooesA0vjU{+h>JwCkkKh-r|32? zUIt6K#o_{Ngj3wsjPL7xjD$I17$KW+D<=ImTYqfN&sxy2`FUbcD%U|;aG5ch1MkE< z`PpKQ@t9$^=(kih^hF?$pDU5Ibp)lf_pscS$5&ctX^~*{X_Jri&FuVwsGU@xvCZF= z)ll}H>L1*BJ>BUXe1@l+?|ct$@X&oklwr^nz^bnNS#K<9kUIha9Nt5`gU zz!;kmPl1sIN7SntnaPD8D-cb=hldpLz?*lbEMnZjJa#qMOii)XHd)ZDS&}3|WPA8L zQvbogLwA{kOU#T>KO?DRcMhZwrH9kW)Qn8C85ZhNr_mbOa^biC zXP;Hz!Pf^_oUCszTdWeNKj?XL^%-q8SB;I^VYlw(ou{Rg=;C5N=&fDP3#?|yoQooI zL%VGFd89X$DL0m9A2en{OW+oo!Di7!4hkoX03WJjoz4(ocTS7T;nMk(;YTzErOkA| z{o`(H=YHEa(Kl6sI^hh5^Y)3ktn>b$`5*)bPnPaLO_>_b^{QnO`XfRuW9IjF$9=P< z>Ye;pL05&F+s2P%XxbfOALrYTzFJ*IM)OSeu?T-X-N@v>$>O^>nXOR6FwXh*3UHD2kgxIcA^I{qty(uQwdxPTgm>0yl;0XDYm zuXpd&72+~ab3WkBpJrc_s>hoFgL6-Kq+#jT7d z6gDY!Aca=I=kjP9=aa#vqe)b)G!e|?@vXLK94?d}v(}|KRV(-8sZRN#io<*c^3GD;duHfPl*M?lm^AGR ze(5n1C7=qG++X$;nz3Dm?w-h?Ju`HW1o-|A&r(`}i4%vD-djFL)!I-uvUouag&ikx zog14U*iM3rZ;u^s?suLBziFL~ob6VAwW;@mMZ|c1A<;9ey(q(eKP9cdSd$Lg*cNDw zjDE?iu4_@VCm;BGisWp~8Mn<8TTUe(-gw?#)4st~gyrKTin z>*iw#<*nY0Kdm$vsFPXEqJgw`a3+1wv$f6XEJ%5o!ob&ewbF5IgSJyPnq8JEPHHjU zFIHrBY7Ps9m#RF9EkLE2A4KK8@q{fMrE)ZiR*49M+MSma%6_ zXR!QA1rbH!U~`MFv$)L95YJM6n@C0t4-B$-osWEW+@5*w z{(UMX9E*O&?!)Yya3%-B9ySNFy`ZWEE;z&=Lg3^>mv2&0c~$(^TG;%R=6<8DAQ+9yE}5`d0frWS@%!x$Xa?A(=e*b zvrn%JQ>@(M6jMw8G(_hho~9<|25eCdYDCFUQL0{?=F7Rn*Q!VT?2qiSVvxO;m71pt#YfH+5L4Wq0m1pA`>-JNt~|3T9` z#!+u`n`B(hoO<>TiP*ICNXte06=R4zAMc27bl$Q`e6gEWwRPLA&zeyrghk=!7$Fdg z_6kvYZjhW!xF8WiVfM2joz?iSa^?;;W3(bzB8H6)+vS?3wujq$*}QNc zSA)U@N;z$u+x?7$bHBo?mG#M`9*CZk-SF#hCNfY3AMlB)_u)@sS@?b1Wb27TP9{;3(tLqCpfNLoZ=+zyX~jQ#OF2!ibNb$PMt5&)l~H$iew1mDJ!8kh_wNvo$=>UJt7ZNVe2%*&RjHDunkx}@VhU!b5U zbbCt7eBa~!?NAxf>A4l5IB6(E>|33S#qu2AGu9S?m$^lrs;y%Q0m0@kQauxfX#3mf zR`WOm5qUmv+X0o$B>t#w-H2o+2&!c3L5X8?H@?`3f9CeY14Zlz>8wvttx78_vH3Pd zok436<9HHU7s-y!ZzpJIyIUVV{f4!9BHEmj-potrlOK)cfSiYD);8l+{Vx`uLNhcQ zJmbP~mvZu-KT!d?lCaD~_EC@GfX@hGPn5u*JAkobUE_A)!EK3R<0f0%(uZO*6l1$$ zBenO|0Pl71zhr{XK@cYArIwENJDiyW(}$UZ)8S0tyKu~ZrZKNc{o3*vb?f^QAg8fv zoph8U4{K^e?8Ve496`fFZ8 z^QxuakrvkI7#|41>|30SDB!TCMvls{vV8bv8=}JXk{={niHd>>D zAo^v!MgorCMils~8=XNsu!0oqsyC!U4pF?GE-}c<_cX%K^;ncX1}h;be}EH?nb{gm zm5m@^H#u6qc3Md1xDovR4V^-4qmad&3I2tJos=TBl)nw$N>fHZIY0V2x(lFkrpJXb zkz>jmzHnI{yFMp;nNf$13okirxV>G6E`DWr?y$%Fn;U^G@=wXP8ncY;V2_OLx35_n zzf~j@j%8QWa_T>xzuNSGXas+&sQt5mTs5;GDm+q8eTmPfP&8m1x46+sggI36SqD5_$TQe82nQfZFSogGCJpl9XQsWE zPGw74EcBz8bD@^Ux;>{twpMGcFDlCros43Y{IQp&q%zgn&}SO(UDy)w*1lCaPA92NwAK(KAUP~Z8L z9q{FFab6NR6z!hJHnzBgoqOVZ$`8lycL?~_zngY>%>VbT-7rHy)owOBzs_1o(bnx2 zNBkq~9s`u+ zC_F2R*^TQkYv;nb*k&(@5u@eL|QnO|No7;~Wd7MRn* zVTzM#ROl)L6+m{-ZJosw`9h<)IY5Wv{@8WuA)ym9fRaJj0@p${dGsP?697x|fTj>k z`}3X2A-r)uig(nb(Za^m6j#NikD)@b;-oZ_x4`0Ps29(G0oE@tHa&z6dWt!a$eejx z`(7aF0+c;T(?|f7#Q^r*PzdI`4FDoW4ZT??CXdF# zfPls|K6b5jiMSV5gU(T%@mK|wPT=cNz*Zn|7#tT+0&?y!Qb0x*{hJ9c|8VYOrX206F5*;pE_cqn#^hQ7P_<>3-x0=LMm z@56sxgUSH60od$I~-moU1k4`N=V_r&(gJiUCQe%jps2)HRi9#f{U+ z@MWXpu_z1`vXlgq)Up#UcJ-c2DT@Cxsm|t)I`DTUV{Si>eaq`2r|)$lE_?fUvrPg6 z9AmS#9@Xg7%aZP|*P|M`f!U-9Fzq}AhH5&e-at}SG?xGAXOMD-m-}D_e``FGp0?#| z#R1PU@blXk<-GVrINkeeEDjA0!RT+xRJl%LmNS!1TL_<C;GuQksHPtH;;CtX# z5-|Wowffr|1wHVEunGJaN&ffG@LOVtRYh|jmQj_-V;COut1VTVTnL2@f^El*S?ixE zFwW>Lr9wyd=9{5cr#o3IrogA1EWI=Wmht)^#MkZO#O7fX0c%n(;JZ814>MIfo+t+p zF2@?Nk>}P3zUNzmiMylD6`x4(NMeBUWAdH30tu{(L^NARFNtbLk;^tjkzi-XLfXL) zL!!XXv5`Y6NH5OG+zh zo_~(~U1{+216Kh58IQ~UXLMm}-`gGPJs04bGQm}X>D4K{afl1J-eNEPKL+<0Hl@zG#v+^H|Ck% zRIjPzs&o#*d(G2%oKa*r8znTw@ln_Iqh})sITzv`BLy@=5*c;O2Ac}A2*1Vr^Y!vP zYThRHblab+KJ6p4)3whJQRLQTAU*S|d5-}J{`1_}8(7)n5)yA*U;7bl;K?#EV<_@p z#8dtN^P^e}hyMMH)$xxgT>1-8AHc5(B zWDr>GelAbV1j3fIM|!mq6X^rc!4g(ls)8JaldQHIz|xFmoKys z>;;dhO>DY`_N5D|KMS7pyvD_oqQ$j7HyfGN_Z-y@>VD(*+lc+DZnB2MX=~&K9tXbx zX2=V;ztO-){4!9|Wcif+bU7-(IHwW-V0lPjrWXXMDM&bd`}T0;`{YEK@L2Fy6JdVH zrIad=gcct{s*J%T!`3Gmnto~R%L`Q+uO^~5&NB?uT=$isV_+!I^q=3|wqvE@QqGk? z+hg@(#}9uiEIHQu^vc&@fZ3-kTBFgBS&AzU=gGhq<K3gU4B>27rx)_!W?AgfmCb zp&^7%pfYlm4Rz+e&(zNvJ#X#@R%s4|0vTa$dNm*Q>E@eMBUC>`(122 zSX*eo;!}G)&GGqH7nU1b8|lHn?_7D)$*=b|uTj|qOu($Px&>s7IT8R5a+6|IdQXrjJ$+>R1+LvRc_8uY%Wi_GxGX0 zEQ+2&TO3pB6@+Vr?2zmQPFcAP;Y=d0fsclQI8Cpfi1Wl5P>p>BCr*4-D6Rb~gd?F8 zQgK@mG5#6ZJf&=r8FE>BOcQ$$V9m53H;a=hXx>AR90#)2<922^y<_&UpB8{jE;xdz zqcrk@qhsv&Dz6A`1J~*p?4!F=Y4HXM9U8CJjE8Wk+_hGGpS%fQ1_~VxI)nw{lcQ(5 zBAiCjcPAS7SUecLXn>P_M04MKTQ+4YP``}g_u5U^hisK_qe z;o<&jYbP5&>T+-P`goiEj>l*Hav#6(-e&qErqm<^L0r39K^Wo&DWQR@7J0TN9jWA> zJBJ(m?G%3_Qa3w8m>+|D5q|E{1)-E=TrL}Yawnx_`Z!iEvImAb@ zzob%ccJZ=)UaCwp|C*kCokvwCmmUl$1Yu&Plty9XI=doXB>WTP-oYhz!uSZ zxOViFLvL_G&%Guy5y>o&!RQP#>V#BdF#N<&RW@};*1%Nl#ie>~0-nbIP}89O;WHVu z$>134s~tl!iWKvfbdp2yvv*PqGa9UjU-6)-46PVbEN3xm&=1_%&Bh`EcX@)yqm3{jp>?srn3JK1GGKb4L4*+IB|r%KV!COrgoKal zcE`GEa&1|0w2UsJWMC#n|WF`ER*(U3{?q+_jvb>H=&qzkWC<4WBZ~N+cbZ%p-jPft!cgB>FzI)zROXlB= z7!ZHR2xycw<#mxKg?3c|4~kpW<lKD z@T^_!*%gf&u(@1dH@(FH78 zZXKR~S&~24WqS#@HIc&-H8OJWQ?ahPW^xRA1Sw~BvynGifD^q4-gz~FI{13n&jW-$ zFqA*@)azHD%+Y6T-mXXAIR3cAKM^L62|)xYM|M^|NEF|^`&Df$Ip6GLo<^t1qAnb) z0(*OaKHm(e_?*OTdVQlw^nww@nRM0D()4gIK*nq(5;Jx7zvNe$0S+Wc34k0W*~`9t zsIMV&B670{YMipw*E>DnGr{zH|%l1I}(#Nz5$vkUDG-if1bBegzSVA3{y*>mBzIJB69dGn+*5!oJV>PB3?-3#q@BWLkWL{jQV$iv z5(N)~rGugNKfHqU1T&-|KLNkvVwK48av$IQ9}(k0$~Aoj0XS{JqHjVbMHjd>bWDod zeM5%eXg*HmiB24@1)SBEOwh#gw9e{eG7? zTBos|CrY(Sgc?jF|kF&;P+6Mo~g_OYmv<-nSd@H5PXY?mNSe)tPyb zVAo*-tAVN(F)X14@oWpaOr$*=-AOf=GOA=t7oR+Av$t-GAn00gGXmnY@jUosPk z%kHLam>ahrOt=0vJeJAMuLX{>yQl+cxx8cT4(s}xE9pJ6 zbdfWI9)|;mjrVz}r5@y|Y`Y$=cGGe^92PXL?Wd9YvL7XNkfp|8^JT0Q@6%E(fz^^c z;NQL6nH)}$*D)Em9u#<2XZ2gC1j=YC_+&OmBPzEpuum2SqpA}dbod0k%;Z`sjDmsM zp_D*m?kUpo9$~L%P{m=vgiXDlu(ht%Viy#Yd zowGJeR64G=SoUM%G3;U1>vdfYRTJox|lYxcn&U&UX!WSrM`KGAv-zr+m@AiH*vb07FN6tH!t}~3pa=i&VWJl za#dJ)U&}#xg zJKg^d0PN??2vY9T4K_ME6SU#< z%3W@q)MCU>t`sQr1{O(x^O_K@x}naWSzr@ge?{dsb+V!s_YO(6pn?6@4ISJvENrZA z654IGhXh%C>}+TgJl4n*D*hcDG^Y7~zy2<)-F=;=G&q8{cuSNM$t79GyL{u>Ea=rh_%&{%;P zK$P;I@m}ym?GrqB=+QF!P8-0g>RAHk6yl`$u+ulc!aC`Uy!|7n-aTv;zAW%OO%+i9 z3^zvbF9Fz;6e|4)?E=jwHskyeQHKD8XtLfHQDYoz*CD@PJ`gPo1Rv&iT$YYTz&3l@ z2k9>ibpq%L0fYjYpU~X)^jT16;UdD$H?r?{9e^I@!9AxXpz1fRhP!ll)Bv1hYY>vTWr;UM6gVY%B|n?r3GJ2w;&+iL1EL=3cWLd^-xW-p zt`^K!9VgjakMhE^@d}h);7n>UgiLqP(=7K%+v4m#u1iQ)J)oz{MyAfInM>J)p7UUA%%dz>@wH@Q9EaoovIlqrx)X0YHd zrZiJIo{sk_kYKL{d)YvLfRCbpOliRhx&1I>qZGh(^1++_?*DssT!1`oYm75tvyWov znx}|78XEu$yhlssJ67CMFvo|40Y1^J=I}=!o%H_YyI24#xCoCDT4qcv^-#Y zBk}|~{6M!eef77-ugb6Ev6-PlJfCO*N?DP{>pG?_R-GeqN|tKt&kp5yWs#3IGdr0t ztK+!a^jfu4eN_9C1MOUgcPloX>VONU&B6!nL$x)w=tvJ;%n&3vv=a5$0%yx6^|8=C zw*~WaOer~8`r5r;8(7UPOPh{M>&)W5H83z<4g&=49Tzh?&<~4%%Q$GF9i#R-_#TD_ zz6`}SG$r;A=Pfnu4Ny)bOEwthL0DxWij5j=ikeIeE&^of+b7aQ3#Om zYFrJ3Q}@-b=dB0mA6?-pNz1S6$5J_&Bl`fh4+SK_c@l;OO?5mbT^da@i}7vE&j4I1 z5Z3)(H^XDCi@<6=V#rV~4*W*hQRGpCNvoyl-@kGLb#&WnO?)Nz4-kf>QkxHU>!r9;U+RuaZzrCZWihJ+^Wv?NdE?O`!L-cO5j)x zaRNPE4B^9x-8W+1C$e}Hs?ZC}(Fp=(aXrOUb=sQQ#{xP0J>Ma7&D3hBLORbh-OJ=k z?fMeAln;X)5K^#)69IfSkiu?Nme61_7&}wL18hwOlUQcH9((I0n}JEi@B<7=XYPb9Qm4W3>qvn6{|?mhy*Di@jcptWV^$O%#GjT z%6%tw{4k-)16IY#`6ie9^UyT%>k=dPe0ji~qi7%0{(6DWnnJI^RIF87;LLtZRT!W=4`X*87hVuaNKQo*4A9tqLG{9$?)eIlS-!usoDh4^VX- zw2f)+0Xoj0)q2qI$9jQE64WoqfpGI{+x_VL@4Y}G2psnR5peE{ZxxX_-&^ZF|(%-k1BD#ucT%Z2b*)D0r>~Gw6iwj|`|M12F zehD}5J?NZFyk(=>5f4$P*U%m!6l^zmO2I~uIpOr{!3vT1n$X!*ri9$>i)&PNqb(|~ z@P{76!lVeXC>D(I%u#KNm6d!?^H(*t!#76o_4Lp)u5)vIz zH4*2Toc3ObVk8v2M7`LZx&$vJ`VB-#+W|hzS)8G~!&Q>wW2#{TbdIGo%I;X$6)uud+{9p8%XcohpL?O7lG;#{85h8L4lC zC2ZH~V0zSxsh&(6R0jXyXH0O|)W;*z1UkRIRd8+4=)Cs&Y` zGc6}KsZHw2RIE{-qf|$(Sh4RIBb>5S;=A;~yhHsr|Nn6TRy&SX$*iQBuP)G4&b9w- zU_XaNBf`3<%pKP`qf@)h4@YTzI)}i<#P&f?+E`qhfuS55jnwm5G9nPBmmOpGME~C) z@Zm7RYq!US4A{1**hba#I1%O;fAV)RLdjA>Fm;{1`)4ML)Yak$`69?l^5DNU+zx$w z-PPj0ZR>tGb(B*adsz;l!2fSK^=rp%*`t3R zba2IR;L&`b_=0M5JTWETZSWb2#5!AFxQmk&D@=MVtgi2-OUC!yHQ`5pe})GKS675B zzN|c^7^++;g9x&eCI-D$GTM?tp8rbU7&r)6VRc)h38ERz7f9Tuke!Al&pflhn#XPP zmsOIZ4>!>5B7aU>y!0OAb+29iK=9odfT~3%8GA;oB&1@GWlBya z9aP%1x&RyTZF-~P{|e2~*x>z5?vAwE&Aw9Zl%b3}yCom|{F2z#f2s>OUT*{y>dT@; z_m;x*#;$l@r88oS3b9JObS({@QM5NwNSAhB`?Hec6d{c5dGo zO%|Q8`@{75iTmjCt16S82+xP+-;Zd?di4{H@w@C)H2G2;Z9(A~P}f`ZOZ+nHYI4W_ zIC{lrc!PC_vR(`4mVZP-aR%%fhF%SucSas_>z5h&SZL;k_B!70yVrQG_;J~Qtd{j*>}-&#?oulTbSW-^9Z8%{xX|7f1P2X_RWA z@o}jrqTG_Y9vERL=1pL9KM`+XrXmnhln3S5+^t z=UhpBWcLaVc=hg>%uxt8#?w_UNq87!XUeWDRO*BTQfo0LZ?E=mYMfRcxolYT6sd{O znyI+2PMrx&7e}}SygwAFO9MXaCqWXUP@1y&w&}uA{@E|}6pzvFf3MFIKMC{?C(_UX zC8xC@35!JwgURT<-@kh}LkBt#%Z`;fGI$vF-8DJ`l-@@D zZ3x9WDTs+%F;Zi)6duyf&!-f15}SjGJq8L9C5Vm0Gu*e5Q4u}Jxn1&Z{p%tLITZvR z=Nfsm^7?-Htbsa1sXke#(6j$QAFXi2+xWrUR_`nQ%$fNSmXctyFpWyKLu^U!1q`i> zKhZNwcdv#FYQ1uYt>T&AmCJKW06x-sgq4IYc@*M(Bysw|2@WC0U{z<~ZTLiG0jRmczu)`Hsp}4Bk^D114j3s>aN=c4G-{aP*5$D8m*J7U7gXsrWNHX! z@lM4nmg{=AxtQs3WO3O%(qdp3#`m}m^;Eb521@9$-j;YkBDq~RKV_!-CvIbXXahl~ z0B83VbKJa-H?keLx-TRfP!to&>s~?foTy$vSxcy>j z>||>DfimPNiEpZH@w#RBUn0W|S+uGY{eVNd_whge?J0eCVfV}ZWP}*?ig{3HlLx^z zDX2E(0&;+8Me`QH-r?o(PjpGIZc-264e1)O;s#t-Z5q-Id~SN75{e~o7N(5}ZMz#9 zp;n{h0CO|~ZHy-rP~qWTP5iM5$w;Ma$eNd7FkWOLojnULh3{!?BQ>Ul*^k?N4B+3B2mf4c2U8Jb?bt5*EkJ3EF%B0T0G zXwd`Z5Eqt@ll=8(b*!mWV?&e z#VehbLmzX=PL?Px~l5{c!01`UNaUaB;={4#wS2TyzVg=#8 zC!7wEI3{uyF><=@7=FCYnsnK0k8S zE3Ez&S4oaH~Mab`qOufk9^O7rK;bNG@6 z5Z_bKnPkD58wAodBr5eMfE*JC5-VAlsUPVis3Z{u>w>Px$^$Qt`$>E?hZ#2#=OVT< zJQZZ(X~;5tZi|;9x(qG@@$@18;Dn-ad)+0%-+XfQuIkwuN{~HlI~)6IlA?(X;l%gg z%LlN(i~a}^zrfu-+kDGK8}FMP`jd6aCW0S6pd73f_P(Q3Q?(N?hEVnXM%@8hmO)@e zY6AFlA5WgpT!>VRTeGD0K;^`?`gFS27m0LYy*5M)vgWY-J>c`ookEJ>(<_XA9_QTwBG*O0G7}M$;^MhD zT)Gp9_XWA$Ms+`N9L%|BHy*}TLyHc2$?E}S(p$h%gK&ua`p|>Vih3o?xz+Eb?@swi zpr?2}_4Se#lDPJY=Mn#2UPM3xSW&15q|Y_6CzBh`)Cf855VW%4iyN6ZblC6YvY@b% z24KyJk= zdjw%0X66(tRw9WNANWM`@ab=$eGZ$tfg7ZG449$Xc-v3F@BM#ty;VS!UATp-xC9g_ zK|&e{Y3c5e25A;0-61L6-Q6J4E!`o~9nvY?-FfEv_ul7RojWf8*EiSvX1wnh&!8v6 zXBtxBvjqnM^#N00aHC`FX7y&f$7|^c!?n|uHDHCcplaZcmfM!!E`wceK0&|7coJQl z9)c%TDY**kLVUBC{_=uY0BsmxW9C$1H)*3luE|Z>*j4{!%s`ImN#fg3z7)J=NzEu= zE+W|jxPYB(`!OMfkJf~E;gLiIbp|Z+Ba{6JSY~c(e|8e&5{L^myWwmH&nxCdE{n;C zAc#}_2BZb*I(2S;3@knZVN>bRAw%(t$GX`nBPKyWX!_ZpqO1T9ClO!mbI4qG6@5w` z@_?7*AbX4Yq$nnnj>~e4VoGjCWS+~PwfX^qNxH2Sf=}863MEnyl2kOFP7)WGa^qnM zcB#9x>!t8ZsN7mwRa2=*((9vDF8cd2lp1mhW;&LFk)T2a3U^Mt51*O|$x0NcXbQPj`Tfhdh^aO80I3 zOS&X4VctnHiGtxHAgkE>d|8bBNzC)%OY;x4N4MIgCXFuoUIRRg=uEbQE+)G%TVXEu z>^~Bs$^%MioO*~`*c8|$PRDOeYswz$;#R9)hRPhrSjTO%9?&O}ilMHzJa6llD8~=H z*4CcS%FU69Rmo$}q*mO#p&0LWQE1Y0W`3lC8J75P5fR_-f^rGow>FmvmE@}P`^)rv zrBCR0YWXBnz;Q#l#HUiSY*AO)lKVXij)L8aPq;6eZn#FykkaEaUBQYW9MAWE zYSk{5X*?aW{29-6t#ENouH-YdYdNEz_#Un8}YZ`i|`VV4Bf29%2{;s3u@iJdCwxwcYiEA|7KjL#l@lF z?y%{g4R$M(;@O$dC=dv~d+xsaxj%s)1R*#6y{%X+59MwLPJZ2K$ZAmTJN9SYH{i5n zk!bL-T{Y3tgIea4^AK6h>Kki2CAN=LTgFQ`800<6rX7Z&DQ!YLYxkV4f|6sYoX&DV z2&7mZzO_nPz;23oX%2DU(TKMzrcJ zmg(>(tV}hNqO556evMvtjd24KuWH)`Zi0C7Qskilk(5xwos{qddl#fG%3US;t<35a zbNI^dy*bz#dQ52bxukXq*18AD)}*(K3g%-0m|q`hOM~4HcCLd11!(C?!_AcA0Vv0R zJ@Gv~6OiL!mSn|YQGV(x92IXXRxPhx57)1M83m72OzvY%O_pF5rS_2|PL25+dVA#g zaobBZXq}a1AAv~xkB>e6?WxbW&%BOfUc8G5l6r;(MJ$e$4GDo>kLi(URp|ML5pYjg zohZU%!G(6=U_<rL*>%Gm*vX$WdWmRE!aYQ&ZC=h|r z@VcA_HHwWaIJT4y_JrOg3P0M&sA40N6KhAY*8(M5{WCQ5$S2AiG?I7k&@Zk-SA8W7 zKmWY#BW_0`@!3cybsDzwqjU2~=@k=*4- z8czV0UFlJcrsUH~JRfD=pT&LqRh`^08AD{L+Eh{MYehAePj0*gLOpxb@atl_-|7JQ z_bhmW%LW36lKcP;c$QI6fEh0x=vZoLy=ls>(4NchOVS+|zb-~|dQODgIW9$>f{59d zIjuHHT~9F>xmiC~M~Wr^>7CqFStpLsH_@pOCQeA0x*}|yuP@lIZU|<^na0yh*1oN5 z)0RWmv>G=75b?gZdYS~pO<6gwgyYYR0ud_1isAg;`yi{U1QP&-fPP?2L=NmMfcgC1 z&H3bZ^Xg04yLN@`YQ^(vJyGb%mfPKLZi9%Ez&z?D(Y%yh(Jg6075y9T@7D!x?6xI? zYAYIuWTL+1v5Js;u)`=bAph4x=n(OueKDPCTjrVkgVFQ3g)T}~eh-efTC|E=Gu0T^ z@^$4j`{N3>Uo~YweFn34UK~0hqjTdM$3g*YeKmUyQDUHYA5SSb-dm{<@}eWbzX2Ln z++q@kG^K!No$)4zvH5NTTX{?$6*}!fWu(C>qv=d+w$eOOi3L|+!LMI6U#1#6%-&m_=2Rpg|qY|RNC%DG*3_7g(T3DD>jwGea^mifs$%^Jb7(rXjv&q z%37iR%S|AQ*^YFo{pRwua*R(H@sBglOl#rHd-uzI&OVc2$~pX>qVG8n@!##xvssRk z40XA|)3D_14{~yseH&&`P93hR@qC(xr*;}vLzzfoJTOjR8Yjv@4_$TE>#N`Vbu)k8 z)4Ri*U&@E5&x`}?fjOKbEF-aUTQfI&H|y8Iitvf{0kn^wNeMI=K&{=)V@{;Q*LxzM zLEB){u{%m+J+9&h_lBZeCadL_LE(sWmY#{OhyCUV73Q@)xA8LX{EUpo@qn0;-@VQw z&nKqtza3;Vz}tn?et{@JU;>CC!YI-yE(uv5ziSyYPh)B?;R&ia+&tKDeaRM*Uf%l*55bp0W_mto<_S)@?1GrD(tA*0feD5AP|wG(79L z*`tPP>3U|juzr(^Og6Ez7j~0Iw6#nr(@)ZKDqcjIkJ`<>++EG?nR!#EbMD8%3^F(ggJgPdK93AUUbg^31F5zkv^}0I)?L|xNxxW$U=Hh)#E2#L zGnMYP1%JSs=8ULybYf4&4P7~$pWO+cS}T<_xKEBoOwW$=157d)Rb&F+P~1q6e|V`M zpZ`wkihYFFb}57al@Fz&`+d`V^RI|&*T%xpx?W6DPIRmypt-N;YzA3dwSGG!Yl)>X zpCIrk_$J|`z*At|!6n{p{N?NOwb2ieJbGsbVp4I{Vo2%->>nYoH;3rbQ?yB!QSk64 z{pR8@$o`!JCVzO%rjmT4=?76_62xC!n#FpYiYj(8O65C#+j(1%NP!Z#iqY*oW1@sN z-R}RInSJZh>axy!8ZCz4Zwwbi)Ejgak1>Mt4Jq_D3@PI~;4m?Wf49Z{SUzCsPf%c4 z0T<24-fM5J;EV6x=fOuDeg~=6tre4v#7~cqt5hH@?+3&b#ketV0)evJgFLcJ;GiI4 zHLr@9vME#GW$z>PB9F0nZZY}G@Hh5rBHp3~KN>aev-Q3Yd7lDHA%A4jJX-4ZzJ30v zTogy%$L+ZPD;GUlU<-lku(VB4F7+#O37L{{*6JHnqT1q_A~*y|Y*G+Cfr1Uk%TEY7 zraG7|E|$({5-_3-IaEoe7XdC)a?^*$uAUNxiVqP;&z`!w^zQc?fTB4BTV zHE35`>GCwrz8f`dCKPn?=HFJK2^3j7w~8O%z;4~e?sS^>_`tzQnGXT!1_2~m7#8Q45KP%AiRbifs5`9J*SfdN;t=0pn zh_w}@Cz8l1{kcJs*+;Y$(0Ef9dP9|CJ%Wd1y%={hU%k^T+If;m0zvLj-6g zVAW_dpN(;s!5$?`E?W_g_qoDFV)tNV+pzV{%`xWVAH<3c^``Tl|r~{)NpObE@^XQZ(xcmbk6g3q0V) zVN`Bt)rucTrpLN*52`lmOugZdjsZqQN+CRPnw;3PP|%Y1fBmkK-JLdL`?m%&9D0C& zE&bYuGz3Pz%ss}(vlj$Cdi|+4prS%+>K`Wjl|b+b=niH|$u$v(OYwVlk;E)`htfEi zH?(lLz?$WQ_-k@DPX@1P15buZz5WM}ohy-gg>ID_hfNSZp9^iupV`(1%C9Z1YvJq$ zgGr3fd(1(hWN~aXGjF#)P{qR{q{H|B`2B{=f^IO-u%LY)@<@aYUg=7xQ)JK0R7oewng-iBv zyojp&EnH~^1|5VrGpYvWqcNvoM+~B#-^63Lii7EMiz!6nOEG(QfUAo(x%0MniX$g} zO--sovvLToFoy_H*R8cYYW9rEWf-c^>xjZ1CgUlS%2tD=r3pV8?^yqm1hK!g}F>uuD7$Ev(aOe6Q6H$#;2XYw40UJzvr9ab42%c|9U9ChO4NoHX2U) zZ6M3}jYLb8_IT|P;iS0_Q`W}q;30f~cMb63s-}bvotp1gDOL~}&eh(5`j6RBAJ8vc zolKIg^(o5n8jcWg+UDGY`f4SRolldj;h{3Q9@I?tg9JEJ3Bm;FbC>O`zA4MIv$`nxpeN3^8Qf&y+TaA%BbdSRda6TH5<@;Gyt;dJ~KtsR~BIY z3k}0z?0Bm`m6k4WY*#6=B8)`H^Mro`vJ;I@Y{e<9On`;0a=~F*>k>E6i^k4+vMAoY z;;a+<>SY+mSnp3zuNf`cJ4qrIXq{?|r|FIK3_~*G(R@K{oB{XBzgJL+B-%});dkXE z+_&|CkW4D)^%NFUy}Di!do}us5?jTUfL9~|e{ZBHMO}kFOiA^Ae9YeVkqtxT48XaY zfB(v!PviRJVnilN8d2^0HwQ0!VHM}^_>3MlQO4cI!%;T&=VU`X0`(^*W~o2uSuNuv z(SzQZ%DnjwwzQA1+{cCQYvE-g{fhY@s`d90#_Vmk>RVxN{VzELJC!qK-JjZ}Sgy!| zXs`tRv8w}6&mIn158rFX#Gq7ZgxVKWyg8T1WnN96%qqgt|QCqSSB_s@seHx z!RwPAB1>*@iuJfN;&7f9NeBkW#f&1cH@fHTx6)|nR~~bpu;=Woa~aM9yj)_WXj3fi zg!x)t{tWHPNEh@=Z-rqZhlg>dtlp5X^dI88=$87Oe`DBs9F~Hc8UQ%986w2Wwk?cX ztJ%t~r6*_l9}MOq6ahd2qs}|}TgA~ClAef=}|n@?$0qhy4BYO@%pjv6i8bXzL~T-CJ}bR0W89KH(^A63?6P<6UJ^m zYf=)i#K#w8;6`;U_-uR*2+Yg{rA<4qn5I~QB;6hl2A{w%)%m^A>n@{7P^YvR2tE$1 z7nCLmyJpgJ?o$0@xOz#HtP;C5lXF@BES}`eJ&YT&#Tb!)RJq0=rPEC8g)|+I+69~$Ev{F!hpaq_ zAE>~kfNt%*L~jj)C*pa-&+tL5MoCy44U_l++Al&q_po?@6p}VX_Aev%lr8I=!x2pVvhs|T(U$<0!_Zf%;j>eZinjxvwpCEWNo!j#!Ok@wxI2T zADx*v0T$mJ`a&NYCpT}}8L;oFvyz3gYv7kfJg+q3Y_i#+Lp*>jkUPZO1|4ju&#BW97sHpE8s8iD7 zEgELjUKu}X|4$1r{QH*|eUz|u;&abwssstz;wTA3#;I{&>{6$phey3VH5TlG4oJQ5 zLlfGQQ)8y>RZAiH6CwJp;|?57kr-&vWyg^Y|cjWr~O+O)W@ z>VAuRCx`uLvF?a(v94)ry()9RmECEb-OkvaF-y}|Nb-831p!_V3f&;!YKPS6b2wc40jQ0-(CS9E% zbjcu*h9?u9zWV3TTKD(m>8?Yn5Z-Ha3L=(pzsL@r2&1W^U2B%sk5WNWA*RbTCPu%# zUqG|oL-W)9e^ohV5nRSRin}BBiQFOmbMnabFda)0q8N+duHtj=s;Ym3W{bWWhK1>b z%=RowvwEvu+>7X@%Ed&d~dmTxno}XlEfwGwGXNnFKt(_zt zJCJ}9gAnRZuoStiHMx{liMhlN#iwIFXlM(ryBasY-@Nm zb6v?~k&38f;zujQFVCqI3Vz}9xQTl_oreNaQsF153dD84>#S>T7t{>B(?HBsjbM1R zm=I4sJ351~k+B$3&;_naQF3Eoe87l@_=H4$%rnezsxubk7;6=>g*j0Bs6Fz~>V9l6 zZe^p3{0UwzQ6=udFA^FE)S;bIKK;D+`pX(Ix(H?|!<@MEYSJ*Q$q>r?>Mx${mgc*A z&5vo_>m zMaPMDj%UWZ-MX#v;jAfUY^sGp9Jx8H33ZwiMsMJn+d0meNjR(S(>U#z@;spEqR${9 zsq+<3Rx9GF#F8j|7k8Vo_n12rr7wp_b+RQz3l;dJploKulQgPv@T|p1({Ok+m1*~f zIhd@iK@eG{#Ksh&vxXb?p0Luu&s~H|h(n}vtSAQpJT@9a+=#)yF~e1uSSp_xptUK8 zQ?6r>zF-ubzuwb%ntQ7Ma9i_Oep)} zoEz`oPmCXyega(HexPALyy}~P5rbUlMDi{eQJ~4jZmmayJ}|dE>4j{G^LkfgD30$Y z?y3uL7ORyqt*6$Gsb)bQ4^F^bsb5qDsId|nyjR+6ciBz$t}1m09B&pC8Iq#Z zdsaJ=h`T8Y3cFXP~f@rrKNT>yNAOUg|_u>^bl3*z*p>;YSNu5x(BJ2D^=gl8e-oE*=WO~q57K$b|`u@0h%-H_Rl?p8iqJ^s2MUzIi@n2?4Oy<}uKi;?LEsD)H?hU@csSZB*vUL7X zq2J@)hHBpI5tWZF9++2Sv7>N0lDSOY6Fya0uyxt8@69W!ceT$={B+fMR%w3pq$kib zM}ki#YW_;_TmGJYpD)H0noh4d+3zcKTkM^7RoV?hA*h@BH%9SE*4*UL?(e%^d00cd zD)QCU*JpV`!2SlOJj84SDQmNdQetVkXHBi`&Bw^^xBSBpH@56XGcZWUh}gO5qn)oe z=+5C0L#y6GUlK+Ge-)n+Pt&Kp#(zG@P2}&cQ!d8ZP_4socSD&M=1#Rs|B;k7GJ-Be@(9Ipe~ZDLr8{ch=G5*k2nqQ)wblIT6!x;;#&Z&azooGc_Xi9; zeY@fRIxiEXhS_s!;w)wwWwe>EA_M!W#^(m3rj9oDcB+v3P;}}?SJCR-N=Zr;-;$NW zj2os%m6W9(opnKs#u?MuRhU#3y?T(2KCvu^wOjPQGhF8q<{XD_9Hs~J4e2L0=Cq$9 ziDI`td%CzNuGy?XC(Vb6zDk$+8!T16W9p7Nm&aXdtFz%oKV8?z{sWlUv*WfyQO_%% zMg^tPw&+kJZNKCSIh(2#yVRzpB|D#` zl4zw;wcpSe_d-<{X3J2n^u<9e&RyRTgZV>V!O&@Y+<<3+;iJU1ENyEw)1WvU5{*?++C4dq3mN z*T)i!-#4G<*+J`~xar$^Rd&6C(={6nUNxLJp?0}@dtH{3MkS&lia;Cs z-^kEh?EojM^E+?vEqj*GUiC`bKY0@;x-FLE@*b=hof&(W?3VM%s=A|&q5@uORhoRi z414I8G2OXqV&97mK!11IJxr$_-D&e=t!xrP6hxui$!a54n(l?1O04tvMW>O*H=%gt zakrbVr&l-oCoVK<`xzcjEDoQ`ngfsxnzulXvO839=0%D_H*x!cTurfZ!s6X!vb@H! z-{b(E@5GV9vm<1MXt-O9^$aPL+JiY7b9U>#q}r{kkiSJxb+gpWKc6G|Y3(M|3s?ZL z=hMT7Oqmp;2UOu))xar*$#wF+^g4rblpk8n8LH|= zA2$22-K+=fUMiPs3QE3XAW?n82Xfogb?KqWN!45?Vj%)nF#3|!A#bTG6rH%!^OZ+zlM|hk%zwI zMN@7OH21abMbsmf4@lVS?c_x2SoyIGWw$c0{_C=N5ZUpGMqj#mVWI1y)kF1c)5xvn z@DY(raU$gMVZ`ZaRI{N`$K&zJ7}FL^${-9N9{vWGA4vswLMlJFz^Gj&T^M9!R2I^O zImG(QBY$+nN?s1$>Bu6~(|u4?w~k$zDwBK~g}|gOurr)7<+uEfUawu`Q_R*hAD($x z=%R<%+n`nDt&6JZj0li+mv;-E#i4o#?{5MIWos-$n9;XPl5lM*L&WQ^c3PG-A@7FX z{R(v}k0F@KZxY}_CE_)c$<2Z^nM8NkPQS}X>7do9lNIyir7EHO0DqpqHCgnY$Ejb6 zPxUAU0b3c9T5VLDyvZTI&6$7c@$c3t1zaC#=|f|6qWKVODN#h~zH6!7l8Br}E?{kd z2QB=qY^Myd1-9W7mHbj(=hK|Asj@fR>(5OCwzIUBs@?NTmg+f6c)v)PpXiOZnIp_P zt^8ojFTZRV$5aj86~lPnM=O{0_uX=9y4ZkoZ_<%6rnfyYfL*&hSx(RUDxpTYXtAYU ziNjW&|IEL7*EPd*3NBEtp+{gNK*MSO-_(c zP&1g!{26elQYkega-O?6_eiJEBcKor$65}ehKGnw%;i|o-Lw&D8(Wn@={#KyOStMjXklb_#+%HFk6qiqzC^U%U8s6 zeteKKydQMNoq1atLmK4-WFaX|w+b3Da1eUDnfdOGv{oC_*S6ENFldk>dOPpecCY8Q zAe7`rCA#-L>Y`mJ+T6jGr{|m|bp^j->Q9j4clrjj< za&>SNFR#5+3l&5`02*zsRAR#GchtQR1l;TG-iiozFj*nY(G)@vumf@w4FNj7Quhx$ zr`c+JH#JClj)nzVfLo>^2m`Lv>k6@`5}228udJ-JSS%O-1NLX|BKkD^(yjVPm_`-g zt6-j-I4VW4%cErmP;!j{wcc0%>TM`FjOage*l$P4_>m)fO1vmIg-jQ z2dGMV#ln1`GZF&;AMC3L^gCrX ztgdvCktv@1^_s3y~T4b z8j-@d1$x*nH>=gys|riXH%k%M5n!_=PGJ^Fjf9SBG- zo%=Ow%;M>gWT-L)-GJzl4s^V#AbKG*kuIl;< z8ctL@ibG21Hi&*PQ*XOM`hA_2&8$4QiBZE{g#RS(fYXyLj3>zXtPv}j9Zdj94MY>o z)_+?wJq^})MuyelkA+^vmgmG0h*s^eNv#lslcFSEsG7oVZPkaHbCzZ|Tw#FyHb@0? zX!mfjiEcJKOf(crT?lE+w?xPhU7Q?}XwNg?gy<{)y&)VAG{Qa&6T=Coq;T2|5gA~g zI~!~LtRJ%137~qk6ej8>^$^KQ&CEii0C-pE)cwgw z>C-UC-i*(cs59RYK;`_}NRpFQ$BOhe14Z;614V?qNa{g(jRp#>&N89s^KG_4^*TP` z-q07Kal;D>6b_;+?NS z_M9G3&Ea59nL;}0D?3~=wWge_X`A-@Vpc`&j{+_DrVr~I#<@}ho2N%k ze+h`6S)_=di&MeK9?y1|R--;Flj06c%c%VUMrOvFj@ zP0Ys}g*u7dfhy`3g$*KJiUdnBnv6K!oP@Z>)!|~P^;V_ffSynCJ#mBy14%=igcfK8 zi2pPlqF*){@s)DC5neFmey{DOMzRs5T>bm{K`4WYNC8><@0e8gtK^pr0VT#oHkJ1g z1N3onL*e35(`l#dDt%gr3oZkwxvGEOJL=z_dGdU4z1%r4YA8misdYw&t=ZO{{h?ar zmXh#rNtKKh!u6vnwgo}g*}<<W7f+R)o-`jIF6)w1M{{ZKkC28kcUjg#78OZV-jOx(qSpul=h|j3HxS zShR>XAtU*9AKAdmEhzkkQ*6}6W#~W<_LZK7UAi}Z8V8%S8d|->wfv5~BeQzdRZ#WO zq$+*$afce=bTw>>2|?hZRai=Ud!rlIq;+*nrf>t=H++X{C~oRnaj*-F(!OsUqh+Oz z)72xdn0Zk#C)Y{mQZL)DWp7ZyjiG(iD9X7%8OF;M&+0fG=y{_1LrmK_v|dcy+vP_VE3qy>y3Op|XD#OO64>iT&S_VFX>d9IwROz-M_l8$=suhFW$#BH2VH%MI%! zz8#!5p{0f-w!VkQ>Cn}Nml#HGFg+qo?Dn&|$a-hvuF7^9b_kd5kYGREFY2VqGgr&35ti}T6-ZSM`YB*CNFw7}lQ+k-s z(LQQdi{qfLpON|_Nu--8zXS||o1#zr(0g-)jEO$97Pv}4j?X56V!)e}UzS=HWMELr z^%kJ=Cu+HlG!qoNC6C*#iEhnq8PP&Xb>uQJ5)h!Eo<-Apg0b9}zbyNznC8M{A}7n; zY9m0V(y*uO7Y}g=TK5MEtNlUIf7nF8_boriW@<2xPlqagMr-F_RDj7my@&Kjs%{0U;xzJZb2iIYdx_@5dko4nDxba+Bv3BlA8;2Gr5-sY$?KcsD>Gp{zrD#Q zrjPC_p6<)cbS0N3SDtu}NFf6bvG2g%YU;0nG$4bh^gkDukKD*4-qj`SISw(Xrk3(m zjrJyEGbX39$$!T_1xVg)hHtE7eF(U=V$M4})`$s7D%Jq!5Bt4gn;}E14%+g`_?h&Y zBBfgPz#*Lq>Jn!H4VL&Ng1MQIWn6Aq6-)Uu&%E&GY+;LY8Fbd}k2P+5&PFS{RHn#p z;wh9M<1mm@wP5MX4K~QAnQi`p6+;w)j=C5q&^Lo@e66Vr2rh1~pbl~li zK^laLTZw)ZkECa^o|T;a<=|>%=`+P0h;E`%9`S9yfc_4ZfGu#i;~~hd-o?4{d)e34 zqs9S)o5t|dKx6H&;_&Ng6rckSKqVraKD&(qR|qm9FphmaN_I;BgFfmdfdpI}(r;bt zk{(46SfgObhBjdpnTF$Wxyz%A23~6r~6*7p&ZXs>WE8HNkU`cvW)M&<@OCZ0c1zEvyX9O!3$fiwck0%P;w$)nf7_>>!Ma&8g}s2r z)8*1oz1qx@R9)0vMZ#Puh{c;U$`NdSQ-MStGchWY)p;$R)dK$w;3+TMyQ+S0#(a=> zB;p|Eci%U?Icz#ohzJINKjD&>AQA|6MJ&o=HPXC*)udo!PDVW1pv>HGFpjj5id(h8 zPZTC06!E)qMXUr|4`G;NAKo8@FmlKSY;JLOLScYxFj4|MhzoX;+nts8-Fg zWD#?k_J7~51Z+uD`1g14f8jE#f-7UuPU3y5q8of`C^jpj|G=N$WsaKq?TfIt0SA00 zV6MFt2H*1Jz{|HU)H7B7XXYJ${^2oXc6v8&9W@)8IFQZIlFaz2FppKgQHbUzVwxE2 z7ot?Tz`pU{7{`RSA3tx|xX;kq*s0@-0!14N?mNFz#qkt0x7%L;9t|!#c@UNV<`it8 zxgmttV=@Y0bqq)O<@)3u_CiX+yxSpIMI0TCyp#*^fB)=wfWStH?dfPsUEiq#-g@Ln zYh10ZKApIPc}b9|izx90?EB*FhWh-^_vIzHvJhdpfq;z?qsn)q&@G*kF_vWWVd{sV zufg^4KU^)j(lpYjOxPQl>7p@T^xt=kLUKHSS02;9F);9Ar1c}WPI{c>Bz2rKv$L#$f4?}k3Z{`EP%R7M## zip1%N_Exjfhs~>c&PT_IaD;}y`HKs@z_BQWM*sU#*i65}mI%Ze zTF>`%m8{*LiQjwnWjtlCQJN+V6;`^uu=RHP^tL+qznKHxz8+7LWu0GK4||BqhviB;T#?k~~-Q6SsY8}Yj)-^4|u`m0}5<9Wvi?ESg$N%Q8)oqq(yiQSrN`8elxxywHq(D*8 z$}Gzs~6j)8CQ{`1a88>m6=cc)24vpxGw2^xQ;blx~%X-5VUxJpA zY=pAX#CsaO6m4{IUN|bi_?u+VMO1&Hs3i~QG!DSi@|w8 z*sYDU8sR|-TTE;E{QQW{gMEp`f+NKat!6q(o-63_RjF3gn@9}rOc6s~Yx6z5(^mBGSbL+hiF%-&?e>wx_uM)pZs%?1kE$e6BBiGhHNH+e7juUt{_-$=a} zV=%mR$}}BVLS$b8wY$E*!V+$~Iu3M#uuTVb*|ivxEoI1+@KJU5bui-=mXXK%@zN?D z%gryFKh#A3zn2rN|1hZ+IVDJblr9i+C{m6_e{tJ8km*K}T6ZMb(WUqE%pAhfw-Ng9Ki zzy52K5)=FM{z8*#hUe47ucN)m0*b`TJ%C571YM{Bvp( z`dTLpR<#}0!B5x>&=sb2UaHj3Z$3Z4)?LnA{E_kIaB0@#@o?s(6>86NVY2_h5@M!Y zO1o8UMFLE@Eft7^m*FIwphZfhRheWl+n@pHj(94lx2>O>RE*Xf1UBilta?2-f~{u@ zGG=q)iuDsywy7w1j^V!2N#1dwb`@n7#({oOEx`FpK}g$Q|rX;q127 zex*VXmJ>jlmaTrq}j8BRE!+qvBgTuS}%^i)H8(=`yJw}IC71sp#SaMO6Kzsy|K3>g)f z7jGuedhqH;Fqjf7w8YlD79lNt*B>AMT#Fm$r;bW1Tc^|GsSVw2X`=SmAnRA^Ri>fM z7hUYS7sqC2%Q$B>_}t$XZhfs6YS--N2Eu9Hc({OB3XZyOC|_ww2W1f+KaG@0* zYq%TV>EQ6fMOT!GLIvh2!gF*I6;=Ez6pi~!$Or!Hx=g=I#BoaL$kVy(Mat$!x@$d~ z9m>g{mArUy6cV94r_{_NZZ z(`{<7uJbS4ovFNB5I!%YeRC}}Tk9&P_I{cHFYIESRbTW~ykvLCM7}Vdd2-Sxy9^7a z)Cl>8A5QF4+SR{i!z`kAkP`jemrJw>OegCz(l}1i!;*Oxr`@-~K8Q>xIs`vt5f=86 zOo=+BLX=mYSURN%K)`3QDhNSCw?c$TiTIl_d%=gE!oY8JuibUpA4G_*V?A zXg+7bV>!l|+rz)vld?`8I!Z3np#x-Nrrg0hy`S*c4f@faeN!ekW==4e<}FTT(>QQd zra>E8Ji5c*um+dN1MkyPL!N_qpTybHuzF+1v>^@c1P&kY9llUY0XR(zI8*Y{>cVCc z;*)Fa+*hb{V(7g%kbtWrOD)Q!`}@?SUC69&r)yssyRU&6bnGV)$9Ikrj|GP10$CYh zEV+IQVHXn0tnoaF7gEr=eU?rm_xeodlb@nF4r}oFn(`{87mM3Mzoc+}e%6?M<0lz^ zsy_b95m|U#7DumY{O{U#wfFt)J{6YJggV79oL6l1CH6{grXDEca~weMQeK*KYmx%$ zanh&xC}ScS7najB>2XP3iV-a`bN0YBkI>m46@6=AUOH|nb7Osef4HpJjGh<~YA^k+ z(@trpTl5N(EfIGTH@~VD*jtP#x!}ExY`&bG$;rg1-^oig0L~wmaC7OZND38*La4wT zFn6V9H_*U2BRpSt-+FiGs#9vQWSUzmg5E0)QJP3ee)w6_zYN>kmmkVYN4`QhavV>a zVjGw~xx)V`QdWe(!Kw>r(kbHT;xwS9vX>pnXC?#I?32g|C?}mX><|h&C-uI9)qEkl zg$z}a@zj+ddEqa14tWj)wnM8UR49zY{oerzkU0dsa8~e7Q;sm^xe?VQp}s%jn#TVE zKLIRH!ue(+aRUhAN3`On=b#Xfip=>6I+(^Wg~rKs`@d%=1^;JX&<VrEz^{|Hs zMcI;+0#I8FpvH5EpYp`#0i$FsFSio~JBuMG(8KKh6i|`t--GtgzW0$Q_QKLLVCa1w z!1~_#s4yVT1e-CC<1K@;0@M!QE6N6~l=S~SC-aG|G-kcnz{BXUI@r9H{(U1e0R=q( zJi33t&z@LP0%R2~HJVO~4iW@{K;m3BY2W(vcqcK$Zej%E{bRDDOC5rCP7cQD4~J3v zV3H`6aTnc8yBv!`1x^o22fe8O?J5#D3~g^bSn&(*#PtxsAwh( z2fa_hx8Db(mkg9L_a^bZh?>qD@wR)Vb^V}}zX1}Shd&m8uavoH1Bxq3{0F^WcjoJ? zSy}kQ%og?1n{t=d0z!1<1yp2|heh|zhX@wgg`=gd<`Ek~h(X6)+p_Tu+&;dE0r-3% zvOS!f?C$d5zZ{vVQjJ8kegKk>y}j6z0$vGPPCp2sw$Ha>0}XZ-i^a^SnSIOAvzL5l zgUpv-m8f$;G{z}-q<-MHV9@UgSa!iK-3QD=DG;n+aR(kdj!nignaPmW3i&-t6hJgW zD@X97P#RWzkp4>;0m%mW+4b#)>n`KFb@HFa>@-3#xMuHu9`nYO4WlmLJ<0U0tOv3k z|2g{G21xA2Zeph$n>MLZf3AY0wtoF{os))IFS(6GQ~`_0C1)URCJ{S30^=)x`g)F0 zY$}EIH*Sk|fNxO4ZOqSUyWYEVFVw~ldLTPTn#=W%Sv;zqw*z;=bNW3IvzLus3v{Q4 z)^mcc&C9OA&)S-VpMU+meCX-n0;AAf`O&Rn-&`28pgmPypnBj`V-%?oV9$y zp6NRA-827)9rW3hi&bil8^3LI&4r_~BRKbjUOBZHYo!bIm0sChrMogTuPwI-yKQyT z?BEXEA9Pn=Szk5WWgab{W}fh!us@x#9}%?)yS0a2r4jMz^R3*OJh?94i1e5;WsdCS z)Br%$X{6`fl1CMct5IRp zSCFl;ro&2e-`IJpCK)VxO%v9l5g_Q^8R1-b`7MpjG6m)wig-uKBgcpDHE(S-e+MSz zdLLzG_1Z`7e+^)k-rW|S4!@=Hs(A7xx^HjIx6)esinTsB>Ael-`LL(s-@2?{Rsf>k zf8HNDwZ#IkWjejbc#g#BS?1Gy*sd3eM9D;}SYba8O#zQHF>>v6Z z8DEJ&cSI=2;4O;`LHdrd{aZdZ+2(aS@LDJUGR)n(%!%kje_f}*4-FWP^r~eGrmMT; zHE$r+xX~F7&ID{ut$}ZuDZbSuMboo{7qjo+R~U3`;XXQL`qxg-vE|r}G>+i^JCCu$ zLinskKz}cX%d^%0Ej0Io?h=pq$j>!I-#Xc^%9RFv6J(=J=wHWHxp&`FkF~y#Q>`1- zx&~Ktxx}5J>D)C}3L3I=b-rv1cG>&!<1jo_ZTx0u&SoK2y{rQRxJ?7IO21;!NJ4I_ za$*^gBw7$Xq##A;gGR#cDAeQcBz@9!#Y?Kw7B2Bo;>-%iIp8t-sbzf_ouO{_*h)!! zEvlOv`{hnPh)|IPt<{e1 z5~sn2<(4yO4&&i?Wp8%!EApBMH$~OYz}?&Tb8|_R|LurzGe7?5H)jO|hHqPTZbZMQ zn|6>1XtF|H1jg>^CoUyhE*ixkvxf5MvoFR>OVE5jr4I*&ms(f$Jj&E$(hKQ&>v=vvG9xvk`hzBLflQUR3%&X+!RYIAc))y=sc2M-~arVgA#Qo|NIYZo;wo0 zKwT0<?sc7+W<3H#uuLNKgd5LjToh!muVtWxeqT_=Yr+U(ds1)#PZXF zTpMEm;F3YBqiD+NNej!Z04%ADqg2{uzvS7BY47Nzpb2r#8;}2oske@bGFtz)>F$&s zy1PMOXpmBn?vkOT1f;t=q$LNCk{Y_Zk&y0Ik(RFa;hgh**KaNUV8JYA*iY>J-21++ z4-;=`COrDnz9^G?sr#-IlPF5cY$}gPyH(1`$SkL7s^Zf}UMrh}rxMCe&pi?BJo@;D zBM&M6EV0ts3p?3%1Bq&#DNde`LEGXdHs7yhXIqq|1gZ>)9)=k%U1PL?6G(-|cFV>3 zK4}oL5!M-La^73Nx$Ar#@5_C5MW0cy;d61BOd8SQdG^WOWA9etkWt`g0(vB=J0Rjv z_LELYTKeIC#s7P*B7MzWoKqkAOg8ku^YoQzB5va?c0=E!BlM>R2U*7#;d5t(1>5Sc zg2VO_u3h|2{K6M~zCUog>Til1|14CSzE?A3vC}VBQQpJQulqD{*9_kQtn4^OMsaDY zK|$mA8Pl|J5JJ(Kez7PWe1x4;oyzP){#0Z<{yWV0ZiT;qKcQ*gpM%050o{r-+$ubp zK7CvZuj)UxhLMM`4ff#qOJEUK$K(csrV0by2DcMV{+3+4SwCev*J1wBq5%_6;Xc(Rho?Tu1e7L`{n9|O& z;BJ(#qM{1<+5JPl?WO(eP)v($fs_{!Dr1RnIQZ9%dC2kj6Xb}t!MOEPtz0^yF@#xm zgdIw3f!KpdJj}&_UBO}?gT#5v9dJ7~D+dH1JH#*(bvoIC zJOZxD^jXSLIFz99;CtwhBYN;%Q`h5!L51G)bgInHsqP*AL*hRnBV_6D<5#gsKuXzs z*7I3$C`hIfFH)!me_wsn{ETo*50B%p9 z!vRfwa6W>=Tm?_DiC6JwlPm|T1kzVI7=eBj1kaPNj-VE9G`m<%~jLy)<1k9Vp=(%j7U=gy846OMzKy)Wrs3nGADtB8_y2C}gn=SB!?Z=iPhOG@Do=PfGGhQ|l zY$;w&W~K-2hz}|SoR}Wlm10L_q=*O9X8?1zqK5MLn-RK+vV|fmL=Fo&3qFkW zjEbO=?+@`zS#fyF^B0ri8j%Sx_eymibyX;A_b?XPs@vrxZ#|-cvfZHPlX-f`UG`Tb zL{V;ZIZDBH6v0VgQD4rfI;GmFnpT^|TQ3_Db`2DEUC+Bpjd$d6un|(kVglHqvEF&DZ63_;P5K%X&W+1rf0Ub{=~@yHsUyfqTz8^%#ZiI3Te#P6jh={ z0^URd^{<;Ci`!lawq%~cDLhvZj1ARD;-}Kr2^!pT_>NMyU?`PKSgdqv4{k8}R-fE4 zaiowNw`64{?rwsPNTdjjra<{ks?2+Q9H}6F3eoi_$meONU3jK~U#}Q^5 z14a=raxE$<(g3O)S(goL6D`Z*eDFuc$@9tc(~s{FCenx#2jBC8VNz`Zw)9o+=_(v- zmpX*&G9#pikHhiEu}0e&{=zMZ)~#rc7^2k_?H3=wtoZt_S0%S)GTR)ARdZ7GHXWI$ z1mGdE|GjgTE_a}s&lo!i7(2+-=6}nP32cc^R8G`5L801KFa;*#LbMNFu#C!s_!_W+ zs6dzwk(MYIT4jt$P)*BgU`%zmbfgJY{H7uY$pc8vV=)6UPms?_I$&!_w&!y97)$QK z7I2(A_HYcsI_YUsLNW-n@n+E_ggx8cx9IA(;>su{wc8Y|5^}F5*bICkr9vePn(Oq& zaO4a`2L`#A+Ne}2k?)Ib%m=J`G}PDBa$-Gh_If_XQGN5QDK4*s-10@$>{uR@CyO8e zD0CAOk&|jizZ>z6x?9w^QM(b-xY!;GO*PL|hUzpWAe#kld8!SR$>#N62z8bB-PP=0 z@4!8OrV|%AGJNd?y(2>-e9CQRcg9S6vn~T{4XNo4vwP@@c&;iA{((Btj>zFAW553cbEe~TdoMn) zQz9xKKKgnthPo3E;?7I9$&{Fmgv~xVvi{0dbXxKuvYRB&oCNVpKfaku-|sG`jm{{W zv|!3p*&Va6R#YgQ(FC70+Gaw825p3rNL0>8Wm4OLQi6K^LkA|zt)dLs=IA*eFEG=B z{$bkn%f8HPvF(6MwlU>XrHF}5baOVp^OT3Mo0YEcfkuc%>cxVKw72o!#vD6}_*KZd z2;;Bq)2?u-IBC;JaEFJ)2lukI1TXD2Gt_ z1pd8)32peE;oW-Q8R^$P{Vd4;%wP=tl7D%_y^Z+hAEiKOrV>UOsef*PZpL6pm1GfG ze+<|_+1`sV*lMA37`0YpVi;+_R&*7KPaaK7wFC54)oR+~5f(y9;TGMd7KW&oQ!{2O zrTIq|4`PJ02(oJJkM>iCMWiGl$uLhEGhsl9n-bp}zTvAq@~TqzcT+L3FS5rylNNpG zMR!n#p?)E7nBt;fGF8uHtxs3z@?+8L{7qLCim|~C8pz$rP!2RZ{p-@Whk-?ZHH^q$I$JtXt z6P@F%Tv4|Vqv}gQnP8O~ye%Neje**^s_k||To6askJO(skSJ?jFu8ghj)rjF%036d zEhXVC0ISOS>55JaLwEgn(Q&2oEi4A`i%1SUEONuvSCfpZw?EQ zB6?5bqiV_O-b9;hjmJ8oQRu3g=y4i_?|5dj*L4}9n^xrsqMu5j`^UfL>vYsmVIthi zSRoB)TXjh4kZ%wjqUnz*!|dSKd62A6NjgMu51$Vl|4f#|iq+6Eon!6J`KV|W9$iRk z=u?{Xa`v1=&sn7rXOW(8AIf`3b~NL-Dq}oN6zKMa?+>*h(_++h7S|b<4O7JT8boOR zFh)wGSf*GG(93-nSOCT1JIUp3qNw}lC*Yj2HERISZno3;-+g(l75cY9F*m4uJz5{? zkP#FUO>v4vdLDX@2=G|Z*gK>Cex&`d`YBW>>?_D+AEeZu7IMRz2`1?XO-ocv{21K4 zBR+cc>exU7fp^DZQ;9N$jcPEo-(sLp=B>5o2LB~c)>-~-)`>~NA!3ZH>p89jW#*zp zt;qP?9EHd)xUgB*eUV&bEvqLWDnA)am1^c<%6G)Hz7EtwAx>-;G4i9ms>To+Yr-1x z!Z)$9%cC-H$c4cjo+=?;9(u_MeYx#ZGN)LCw?Jv|NR0_%>D&blHp?Eb4P(c2#EiC0 zth4Piv&_usghV-PG%yd-GI`dEEJPYul%ANbHg7 zrFMx4c`p>FTEax(glYc#Xb&UF+T2+`D4HNd$No+vId0JXx>sTSiDSJwsjYQL z&*#Wb>+r(-`)87VcY2=iB)-R?8fp1!HXYX37IB*rN~Pf5$OClN1cqZxgagS8=Q=QAqYOI`ym(ABB+sVB?M!lzgpB1mn&t6Fx6;P9rjb!^E;pu?J#wu%D< zVv85aCeC~O`oq?a6Rbd_PYV@nb+!X#z{HUDi=tQY74uxIT^{@1%<;R%}G52!gPkND=JQ=Br5(U%6)T(b2h0Z-=DEu4xH>`Sl zVigW{sxb;I%@2G~gfPjt#W49pzaW1HTJ0N+kJIA*-VNe=Ih$*Sy$;3UVbYegfiIQd z$k~kYAW`EB%DSbV5OP-#c_kO{`xiLt|9SzOi%^!o{jIS&b6srf!8Hf>DH}IOkjubH zO4nfXkyt9rN=eI2c`&L(XP$jJASNAKw5_+A-`479G6{n5N%G%1|3_)Nigca|=zcb9!Q8LHlhj7jN)dV;|@{NZX|x%)E5HHWuOT*BIl& zzlg#GtB?;$y?eKaR&=z#783e4Z8oy5U|-^u@W&j#laNWy8?B4nmI*EjR|_NAj7-I( zzxz=+pb+UHUN_vwUZX5RVFspb7$5g}2tm(%U;BWFMWtL@#n;=fXCd;zYNT%J-v-!O zI-!;(-~u=@i?vAYLt+*Eq#27ND@wiuz=tc%Vo3dYGw2(a$L5Gn>THsCa*!H?no<=B zk;wQInL!w~Q2o3q#j^Ozb0{U)EbSfi%U1?W940)HWh=~uK8tV##6PN_c%(BaMB16h zZip^#PZ74f9>Y|fSPBXz&b}xbHz95ekz9IM6gtLs6gO+9Cx?Hc2onW~05ilbGn9u` z2G2#$?-RXV`+=j7m;c{@1&!sb1eFI+D_N}v%t0Ot_)-vajL@!cB~sB zPNC0675F?t@Li(wB06TbK5CZE#D@~b!6bagl!9xqWzgHd*B~$@=}Auj|Pqb zJ)6X}UHy_WUixs1M*pMc_kig}F=NMltQT$!UNl;#Vv96~i*Ec_gc{Dy0>0+c&;W7@ zi~ElLAoj%^kk($QK)8CF{agz&OH*C=c(`_HgfwY#Wk>-HZktF%f=O1o~(J|4Tt`aIqxT!%KKc!u)6 zdJptidsfJmJM~-enn}xuXGCYXbLc>nfrj?489bmYJP{NGIE(0i{IkvrJo~;6o1mfx zY;<|?SwN>!F%d{4a)k0Eobh`&eI#iBNb{v)#N^7e+#Zw&M8=7u$K>f0L31}Nlyw_{ zBAHv&(sS++kP=m4xDR2&ZM^nm=9jEZ?EyPC3Gm()eUV-nfet~**$2&rxM*Zz$5mFR_{q~u{?c}G^y9f1A<8hKHA;ZTZAP`v`wQ+)BCHFAV>cr|SkGZ_eV_wVmfg)ah1Ex}M81p7!{E{#M&fw1pS2#E{4p`@$8bz%Z@Jtv-$t#p2L{S1Blhj7)Q@JGrXUaCn?0a&b*+6f*FAJ) z;w)!$NPuQ!E!3kv*Q}~Yoki#^bv_8)JI@c2_fB{iH@ov~-sz`*)$Ac2HM}G0D}!wl z%Mk>qF)9r38aNHoA1}6hxHvK@e}C*8<2;J{88DuwSG^@Psm->$h$&|P%;w}(biN7u zK~a=(7%|#)1GU~LQru$XN+i@uETO5S8OAYrX$!WPXKEpOb;Ep_yuZ!K!?C<4vOXdB zS3xje>GkIh8pkKNGnze>`X=v31n@xl!YoD5_EeJC0`^hRX@~;5EAS}T}OMm z0hW&5EoDzFY7+e6kn8-UmCrKd05L>TFZt^iY4ABfry0PDs8>eGh5cZA?o_9F$&pdOu2)8kYr0FP{t( zPgiKPIUL;h`FZ-Im>T&j(jgZN>|v_0Lnjhm*C`LlW7Lh-{~Wrt zxR8>JKSMkItcRda@jwK3woCSdzx{;etqd-%_k~Q9Y?l{jguit`LpV}Vs_T6E=RZV8 zneXLiqjb2kwI22|ou(K{D>|nC5FgzuJ)%YgiuZ5_x4Kyo*~-U6padJ+u;Eyox$cPf zBf;BRZg;n%W?Ee1koA@honYw0if;>-uf3=m%p8HunukqzsURNhgZs1>i`r?k_0P@R zTo&CW%pp8{(CrdktO?vdjJm*hU?(SWdKRAJCc@L^MK^y{$}e&GfqpoA(W#!IjO%}$ zY-2msUF?eS)G=+NBUiR@?~{~-)eCzRrKP*J=@bG6E3_}!vpwTn#ulR(@C^5{_dSOh zk4+{yV+EtUG6WKt_sxVpng}Bb9hza6(^4uX^yeJBS0U<03uhI$=`en_C z$p}A2Kd-Tn%ABs38^evrKzX}>k44`%rv@TRy=Knk!2-!UZLy#;KRuJ-{be-#eM)Qb zYwbFA=x!i75Jb-uBJ`Ftl075`8I==Wj*d7Rk4L&*;T8`oKd=Sx8(*{7>NS5;uzSuzl`cv#?Uj_m1z#XA9dfvo9aW!iOzXWl!2`? zj;(V-prR^=#-9yJed93fTwvL`;}uEz(Xkn_**jfE>s&+`!cuRN|8J`@LVPvH z_z5QkGX1F=UIqSUM&S;B0mVk&oy!fPw#AtErvLB>{9OO;phE$4r-uOw)gwv*9U*Jf z4BGwS61I3^5F>axJLV~?U+(7rMQ?LtEun}HCwYp~OeUA--G{pP;9N4mT4`}4#bKpa z++i+Qe;5Kwnx_cIPU95!9AhR_zZJbhkHOE9_SMncqV6v2#Y{toevuDf0}%#M)ch6F z^CjE-+uh!aFoG1g-*4;m>Qlyn7yRn>NVj>gO|r{YL$c_!{Adg*=FDLKUg$`0dUkrR z24Z%(_dv8`;br%~9(a&Pq3U2JlO8;eTOHZ~s>}V80G+(1(mSyWsGI=)9RPC<72W@ z?GA9i&vWArc?;APeef77^C6n=%E2|iC{Ezn4vKym^@zldEunb&BOpW+hO1GBVpUPe zy*gr)BNS#AVs((rY|;}3@w3=}ixD>^EPFP(1^n+pe5mI!)*)V5N<S8MTUIjwSQe;Enq zbiFokMU%QL?ivokeoaAhqw@L@)d^f6<0ZX6087&O$fE!8IEY%9zK&23O56=MAI6Qr z*Mg+h_YuC{n8{c+!Yjd;otytDGf5Teri+&c)LIZ6KF1kfyFN`t)CMfAq6#i|<<*$q z0nI{h9YPv8HN`w~C_T22)k~c8ZtJYA7S{cubbhGwP?E?Q=H@XNKju-DaF}t7kBdvo zj2G7h@Y&{~%>eLc3_lWxWQLsK1Y`@SHfY%)4IrExOf+phq%!;0wmD7>8}Rx{3~7Ax zyKglW^!2babXR+-S3N-x7IVF^DEnBEU<9(@)YiqJc$iH7H{5Juqbs~h&zt0; zGsZs(9@`Hqzs0M6Q!EI~GoFWm3zsb8T<6KpOK^@?6+Eo-*FtOR_v^|6RV}GKBOc#2 z*W!RjY40L;lPs@OJMGAJ2|v(5W`K1<|2h1BqIZTd?WWfHNi{~u+Jt?p{L5DU+-d$HAOT1(e+c$wK1jEIXF9(n+1t5xc~0QU9<{< zJzJIzkwWcYn|sr;^yV*d9Cgd!h;Er*(>#`2!Lfy@z4B-Pi@Xr_-PN47=gXD!WNogP zTGOoLws7o+w149}Hyhh2G9sSWLs#>hV!osM_R>d{-@VCze?Y+x*VK9@0o;-$n|rX z%Ht1nqJf3_v+ zYfWo_huhm$U>zD+Bp4crKZ&y~Zy?}1=^7b^5&V0b|3cIcN3>5k+lICkf^_yJj8dku zj!+;X)cPNWdk<_flVq5wKg)HC98U+0jDhON9H^b&%Fh<8CE5?SwISoG(r!7l*W}JH zabeMpBBO$*ueRynqC5^jk!iu(h;HJS(z0<1l|W)n?xy*QwpXWS`L8h zE*XhTxWTSz@oWbYLRHNd%ZT1T-$3$%KaeIlY#|3>&6558cOBbA^*40MrPW?fi)xU5 z-FyG~;Iq^e>>Q|-KQ zkH9xP^-}j@^`A8DOU)wb#Aw`y=$3u#KhymO2N=_yEO(HY`v$lmzZ!vdS7R3g(afRa z5QW`=6^`x98y<;MSNtq?V&>DGvJ^=-CWJ(7i_1cI5QAO`dI~6oEv5NC8<%EDiidp& zRG7A$n$3yMMXN!w5rlSjCJQhGoKVzR@u$pn`!GTTuI|1>W~bL%a0v_&=;pLhZ{W7V zeYZW2AB5}K$GNj`pcJGePL)?sU6C*{g1x{vg}2t!AJOsrPw8NK&?&zqZ8B3+fgzy2 zQ1eMRK*9clLXwUL&bMFaEt@~Lr^)j-*bzkI0Cio?!}KdCU%q?$k<~$r3f2h_`}DH6 zN;uHAcUgg{c@5ZwQs3zB?d~NI&Q9*5&S2zbgp2+S)!}PX;SDycwj~Mzq2+r;Z0^j) zdWfb`ECH2>hgZ(HXygxb)iW=h^i7qT1Y?y7%`fwu}p>H%JN0LF&!Iw2`4cM5rwG^-@5qVm7}D4~GI5#Bx=%t|CY3`(B=blsd*iYBKB z;)Du%3#u1`ViDTxf)AP4KfRr*6Z}et$Bp2)46Eh6Xn_ZhRNrUHLWy-Xy+%`arHZ8lG-8 zJD)yoaCo2c2dY#U6QLTgajJxaKqha1KB;nph-2yE7W$vFbF*9=Cl>FuIGGGAzK&64 z`1lc(U^0Hd^Vd|tmEwQy{&+)46fw7gCwyLmzKdth zaVULMuDv@oOCr8l->YW11RG=1{%Xy!ud_u9s>{>&NHbK8dU z&L3&9Ybtl3_PBcT{psiIz5cJ0>F`jW+)wN6Q-ERK?V9k8%$?2=BI*Czn2f7KWoPt! zUp5aUJ)4}aLUAXx5hU2ubW?nmhPw}Sb1$ZT;Ay8 zYqay@Lxex^*`@__|ACCM%nDKfw-?r~}BO}r` zMP_yx)j390BNHhUEhx<|o_<`v9@@s*a_Jx5J5kC^=kP`^O-J(fiEnK?F(Q-pPV=7K z2lXP+uvRtso^P9&pB8=nt`=_;VPZRk5`;YHck*ZZ{8OHmF3=T&ruFLpNE9SKrt#Qb zMpxi6UEUd{``zr6DJCwBDNBu`d%lYoF=h!^Ry4mGwaikWe*e3ZYtxjJuX>k$6^x2m zzEYV;8bI%RLZXoikGqWMvHRn39O#l#Pvm-IpOyWwb)J|5ubY-lb4!8MLk|N^rn?n!Pihh8?s)5ShPai#w~lPLvDX88G-9OQ2YpHx&_m0J zCZCfWy8QQLnloJi&)^07)-%teTf{iS3CUY$qpNAV!j8~421T?`VA}Zoau>Nw?v%iO z$3a)^e{Owem_f_v9aW#sp-6{cKrWw!U*7Nu${~O&X)|Nf>Engn8b9>@ zLRGNc!0s-YcaRBB=D=SGk#<}B>A7udEzWlOK2 zgeS*LFyaavG|G3L2EM{L#{TQqy~SrA%Vm`Petk%VsUOnV!Zmv$^ZgN0^v{-2+@+fK zI4QjT>f%+)YN>V5@bB}8L|6TE$b&bhg8J;SWJqE#>yfh#Lv?tr*hPyjp~mCQYDEL? z+;POm@RUc_pJgTk4lD_yKn^p(s92XVS0bL?3pC7xGy@=Pm#~x_A5*{Vk`K1L(coi+ zK#{7w(bQxhbn)Og9CAb)WE34}XW(W#WZQ5d@PF`)AnB?(bwVo3hw(Fo7?0gwtfuc@ z5`c%PUzC5T2HI>R^(TIXZ-GE)FwP5*jS60%BMxGDq34V=qDEq~mEXSryq9P>8}$|M zIdpZNE_!UrxK&kNaB?1i;`x&g+@o;;T0e7v*??XiT%P(P*bT~l8?7|@! zjq+Lzf1DG+3}ojDaX<{6%)Me;GCZpV)ffeboW? zz;7-?kH4v`7ex_zN>7X(YxQI|PcZjuU{n5z6AtxE)-L=l0_yY=0} zK1YWN3s76gf%c#c??<*>SBgnT?@a^P#}*uiL-6cU{)Y$gAqQdlc%~dNDI7vuFbT_( z?F2!&d|AF*@ z1mN)YR)FiV;A+TdLAM7l#PfOlQ5F4sqcr~G5HT9;FSl7v`)Jh@J;&#{H2SdU>sU{h zxbwnOopDWJuppSfj5~R$wqiV8q6w0}@1=8QC!|a@Ly)@z+1?hwoy`CzXE~xY{_tyH z=s%d`LE?zuTL3C1Q^Y2S!?<3OhrIX=Q96g)ud|w#XFnjFz4OQ1H=}6-H2}BUzn75w z1#}9Jz3{r!xs@hmg)J$afuaQ+D)HHE2eJcmJ5xzTb#6b_(JsGPeOw|0Y!Yn&649h7 zm37v;H7!H_Lm!`C7tR$qlqG8pK3FZJ*?nPCDhNilKAbdm{rmZ|;hQY))KcmtGlLFS zWLCZWe24W;S@oO;u1X261b{vnn>TLrTRB`NU`+t|QGCva^n!tZ9UCcyNfStk1dl4& z?}!N&YwCzDIToUD7&Od#(mBn2>+GQR*cuhAyYB9(5s0%}NCg1(k@ZJZ>z>g$^Nn;C z9aRItavRbuATxZJI)&>!`FuI8Hk;K*XGnzA)48_G!8Cx|-T$>AEDhTW+V}`y!H$MZ zVBx+EA|KAr|-8nxC z9WlqW%1ma22BhO?etQd_S^ue+d&|X(Qpn5q{D?@@WqX&*oz+H3<9YJPQQ`xK5fi(x z14aeAW0f5b@(FKBNrWFRezUhy!2Rt_CSU^zKAqzKS+AB7{vy7){qgIE!}I6jR9Z}7 zBLTT+5-z$6)vmZqqIkgGUj+rA(-LfEz&+iCMz2(i9o4p;D0QCEV3q0eE|XYip=V8O zWC{Dw(DmP6ADRebL8Jc@^-^Zs$L*=yU8dd%mS=ZLaA>rPidACWJ&yJ~{yi{N%Vy*! z<;GOuZx7%uGwjIvEA9-=^*<=8IkDHRpi9U8WhwP+G5TqxtH5<2zf*J8=rQ`?an2J9 zT^x`<4o))qX*5`G=iGLpYQKnuTcRp*)GkiHE!0;H!NOFmR%1n%=67m!*D)w8C;rUg ze|(VnY+5pINR&2Yjp(BSEQ5{?61uLwQ;K@*6HmQ(Y{pP??Yr{$0+Ol~?n+{Q2qU$> z?{9noum7o--ar0j9NSab=_O+OuOCulUQc50IoeZ$_H9aVMn>i_En;L_}KAfcNJLE~J=tVaYAYm!GUNQRs0`wq7Tf1B_R z=AMyR5|4dJvY(_dyNGMXIY^*NS0$cCiZxF?$L^2Y{>?Y5`MC9?mBpt;Dq+dKst2M3^b|%*@0k?HFQp`uI>6H-Dcxar1Fmm-)U6lCld1Kj<+qoQ!V>X zm!oM@uOF{a%{LaxOym{*Ni`$}NP4waKj#^Ky2^f?8_l1pa5rY7^%nq5K54@)UhvFT-L<9MOQ;Qe4r&ivram(L1Tov?-%ZMMjTMut^okL zK2Pr%iw-mrX1hEE$-{WH-9D*%h}u$a8TqQ;?yk4EQ?||TVo=5e(6L_54cF?M@x!0x zS}R55%_m%uuo~&7SiRY(`HX=g3cwVdY|bz2s!(2 zZKyka$11tdm0LF=7BJ|MFERBz!N#Q}m7_QisKOWYF1MAiL_?Z}$@pUuiLe7U6Z|R{ zSm)kXr;W-e+8pEw@wO4Wc-dlUPJVUv)N~02=}qAc5+SPw<5`8$bG@c%U3SVNKlJnC z5M5(_&wBjK78YN`q40*{caZ#8JsS=L{|j3W=og_>9v_ma8v|4CZ=ZoH(?OL<8$CJtLG*H^09P0$~XV-bYTw&q%~_D^y8+pl8KWPgv(NF-weV!PlZ+Z5W`D?xx6Rtpz>qw1xpM~H1S$1INj(%yrBt-WT9H#tK z_Tk~tgeSuBKhw4tf_w~78UR19AVMIq|M}4)8sMdQ%&?D&1`8l*svGDBs$^>&CH2nB zRpk3uqwNYKWi3?GA6)*j!=(vV&>nWugZK~!<-F*z)M=~t*btKNl|*f|Pl108B!q;9 z9BvqA8d<#PI`b2lo`6TdHwHWM>Umm7nlGm3pXL>!>CrQ|Ni`l^k&@{ zSIQT5-BEx+O-?bV9xZk{@aVm4efE9q2sHo_4`^@xnahJ1Unb$G(Du6#_jJW}b_qt# zng1Th;T^P9|NEmluZs^}CmsEf`X-@K>?VirtJ!FL`FRWW0i6k&q@NzX68eiTV|B&v zKGGZz6V141mAx#4bdmi3714|UKM2%PDLEG1WU*pu0+DZ-4YxYYoq~q z@F+DcC66D-cFprKUCAv&gXX|K*!4A-WF~<91%qA`5PTb};g^^HL^C&(4f^=;UI{=F z|NWU$@jr_(g%V`~0l*q*oQ6y^zNgY}#zuZ*${L{JQge_Re|qO1F1_*{csd0RFMqi> zjL!t=yaN5-pt-Eo%xYNO=Su@BycR5YB^=MWmn@SevtZ-QQ?)v6jVU7)1v_Y;X6rYK;{1bXq#zTnLNeogn;NvnKeV+1Uv z=|I{Tde*enC;-x^+yXIPFM#66xX#5n=mi%W4TMKT5@!6*sut^I8P@f5S?xNnZ!_}Z z#U*Q)v}sUEAK_)G{9T@q1rE82EOA3i1@h#9m_p1&8XR|WP^ix)mdv-EDZbBKSfMa`4Y)Zv&5VR?_Xk6 zcan2OTzZ>ofs?b*U=lE`<~==470B|r?kb6TodetZR@T<&a`ga1Tj&4it@1>|ZQ?MS z%57@$z4Okl%(Sah;w$b_KT^Pr^X|%*@2!8>4u_&WzSLz2+B4~)vq-%krcrYM=;vYp zF0QkiV*^m-Xb!!a%}+BR+oy*EsWCtZM+*QkNd$~;1{=Fs-4DCT4q| z$Z6Q9^pa;kZ|Fq)P@4b#S8O$o9ZYXB;|(pNo(I0G0byQ%-J z_4|CwwbyRaEU9oA2S0K}w-2NPi}rxFdM;e7hXJRjpCMro zzXux7gG{RD$Y^=@l27XYRWY8jb_17;ub;XysB+tN6RAsAAT{H1y0@@FUW+0j|8ei} zY3;<{W~5d(lC3+Z+kNr7`tkh>{>lfGH)k&tJZxW5(<|KfADt+_N_n z{Txskpn5m$*xLAi21-@_zpNcCKfatN#5|*EY^*-G4;tdhD{#^8O-reQh&mt6$Lav0 zpXUgL9Q3f9>;0!}cFD+fgi*)7KX@6a538^}=HlA9GFT2D05qjNIw*#ioRs7Mz`f_v zw2Bn4D+;!q(MnWEJ_RT5pbA^`quu@pc%ld5v_~85gXftey=E!y6T`k>!;v%nc{~Yt zHr)S_=X97%qm~b-eG^d{%Ez>vY#-EwL9~TR(z+-#N;bc0ik94O}up zey{^$lch{bYGOD8)-lu(QI!+Uk@B8lMDxXQKWfZq~SlY(!0X%}Q83l`sJ;R>pp^ zz1redB?vz=5ybNct3bXe8WX|&<7`PBaY=jYziZ_4M zP1R24Bs2^$$#jdf$S0rx=3L7@6)m7>1_l;k2rNZpa)wbKLXeZga0r{|t06MZ#G7Vl z+c>uQXFc4U%NO76fZ-7R2`@Sr@Z+$gCg9n>f;Tu{#(GHidx6I z*)O~Okg!4Ld@8?zxptJ%JH`44DLI6KXm4_#fje62(MligulJRD)5&8miH5CI{q%Ya zpHDv1uol_QmU!$a`QcY$y%@dSWopVCp)Zv55+`rQCU+xg*keSYgxD<1NwiR)cgPiKX1OaMpe>^)N}hjA z*+yo2bI9{zLfBBMU1=*+#_;PmbfO6YYw157G7>%b0pJItIi#!+EyevgY~fd`r#Ztm zA>oyVO_O%IXJ<^Va3>%x@z59xS>P1({00cjb@)dQqA;MTA?83JU;`I z8dEyfsjG7Bie;vJmk)$-g7kBH%+dOFdEE9w0jO~e3b+=G6#5ey_`~`yOPSBICVLLE znxKyv@5 zVT(yyOIXegs*E0OEypqB^-@M?tFW95&pSdEREuxI9}EO!@lYc!je&JG-8_r)Gs^;UYh=o$6OOIF6`9Tr0H!bpl{$XW zLj4wi?X>>8Sc~5vmw|Rx>I1~FI>stRmM^>>?cq_UMHP%%)@!C zT}4oyU!O$T3kH?gf)4sDYCh&??hUd?=?3|tDd*aqPmtm!#jSXZFmI?wwHX7?BjM^a z?~ydaffe>4V60_0Z2Fi|tEFL!b&<8n*CUO&ityCcaS@nYxOjJi>=DH!ofx}|MSwh# zEZ2kdE&mm`zcNy?e&}?(aC;~7f}ajWP97{R|F&D>Eto;kT-p_fV)HPdqx$;r>+j6( z$C*np%w)q}{R2|I>u1Y@$VrW+|0V_y|C zin#ERx41O3!T~NDsi;-a9FxXnf&{Nk63AZpwQ^~LvAq*9fuosTltD?R=H4O=5Rpju~(9*V;pJfaBCSuRa*8gaUmLp zoKrK{%)tOg0KV>!UfIss3}i991=1_n3@GNlv!cdY-Hbby`K@6Te#NV5J{~;w+C9s1 z*bSmfAYsK2k)S&2K{z8%dF)RBuaVE~R(_}2YtZO=vz(fBGi{;4kf?_c3ESrA2C^v$ z#PNKX;R&Xg65mdjJIW{P_7~8WCV&J=v-KG|&iq zBwhkDsGvfigE|5_D4)^5rH=C5>(^UR161%1Ydgp9R$m1k+UO~P2!c==?9g1#)}NPe z$*!SF2rutUR28*1wyxZb3C}q_%3j@`|L8<<;kExcIPUhd=1E5_BYGkndLmdFFCW5* zHcAhQyY}%`ATX_wp}|e1**?2PFh_`j;Xyc;MAk__YY=L?ZtkU<_Xq z5wmFgU-MT)JzGf!%&KpAfBfb`ze$0UuaG(j( z;O;s@0uVfK9rV)kR0hy2HF$QZKH7FN)3X>zm|M~lD6zZ@9^h_N>01`G8Yy>2cMtrE zngZ9@clI-Db=5Mt#V?|Y@C#dNiYDWmSEjG;cL5gM-2DxaM*1kTPU32g(a0*kzpT7L zZ6RQBqwmoJq;!pI-qreh3}wbu(Uc>j$;biUVGW28(CE_AvDR_UaBQ_41l=o4N1%y3Tc-bKd9N?>Ft z?5EZ3O|$Yq*+7F)Hf}oak_7s|h^oANs(9fjI=O?T=bvK?LZmR>*10E78ayI4OK<6L zXK)L$|%uHsIZok^ivXXme;X1qD<&SClaJK)c`B72e^ef8FaMK9VjKU}MC$2tu~ z(iUjh=0$q?eJx^e?WI@qVh>{BDjomQhvKrh^S`IPfbO;No+TX^Iw(vb#p zr-6z(tD;{^^VTP=<4++UIXN5tY}R;(6KyfrX%!|hTRB@`!iAL5gOWg4uVDQyrhnS4 z>!h#LtlZqh;NE+4B+6Xi?=RCuY2*!wwh66uO9{o>yru7X4C-`~%BOFP$zZ-A4yu{A0g+~(ULl%!pzP*7X{9`xWWc7?J6`!K_yF^JWNfHepW@&T;c!cQOSOHk z9)A0;f{2S#iwd(|-D&iV5q7QG2cKYwKudFeMgSE*#3+CE`4o=%5ns9C@0Q;u$wvIw!8 zZenlYXAAGuxq{DubN)58O2Bo1-^_cCY0R28jk93e>o{sdV9c*d`%YPGLwoH*K1p85 zT>ifefShH06!lp?rY9{+otPqFNwBAD=hdLLH;+-Z){FB`clx4lZ5k?uE~`czpja;M zri4ssZUqTAAI!bdZb+mP=~>+NC0RH3Gm{tmOp+jSTa|GAO70(La}y08(+Y#;44Q$F zjVsNK_WMqYR_9eFIq7$6EVFXFjxAON4q)-$h8oNbt!>Y&aE5Ex)srRhNrFm-Uq%FO;IZIeOP8_W7@yG0+Ug!_3byZ^xq6>Ads0!-;*nqrde zB3Wh00&MAs;v0Es?cTK|ARsziovq(AC6H}c_>iU)S*>%wC~o(s1!BQ2_qk)2;!4$f zQ=nh+zBKpgu`x8HU{3>?%%-7VJ zJiDTNmAg5u`eia{;lOqC?`8TdtFAVN2Y*Nl1~l4748DCG4II>+Cos)6J==Nwgi&>U zOgPBIm=|*mW%;$lb17V_##1Oz-t7xNbmH32<7D7htq?Sih?=u^Wiz@IiVvSz$m&61 zRB~uxEg(I}JjAVoejHt~8<>~k=^kc`sHxv=E;oGl z!E^R}aA?WQyLF&4l5q@H+B;^S&`~@VGTIhX+39K{M_HOkEEP(;^6tm!D<4z%D;i$n z_0L@Mrs+o>6J&RDoGhs_YE1~2pd=F{ z9zpRq+AqoKzDDC1RR+3LJ^8Gh^7Aa1&(VL%j zahmlmU#yJS7d|%^@0!I3tTs%3Iw|izuJ?1lDdg^#z^Tvm46vgH)(_?SykvRyN~PfM zzH*9{tPA-#RZht{_v7;)w9RZb_RR7p3{pWcR;t;tN-frN$UV~$fEit$`S$S(8SZrNqkiH z*JotHPV;TYrVB_{^A14WNKuj!U&?Aj%Pl>LTDF*ixmgVtPo2pum#S?4ZZ&H91}Z%H zK_>lSn|6V=B1`=@)0Yi=hBY$H0+~=sgIL4yW)Bt?0mm8Sbsluob+p|R^^d_3q&8mP zLZ}hXKF}V&!oW-MVlr6bu))O+!OBK#%JH2^X^ZS?IKPm+J39q`wLOwyQC z$oq{r=rdMn%uN<)VGxc17pm|8_}*@j!hMb-;Cln5Lid5=#roa>@OI&P!grK3JvJOL z@(6yMV%`}U_BnPV;NM^PLC;kEaz|%>KU&v{|Ify3=JUocgPLw>zg!{O7pMoUbinUF zPt!bk^e=9K34*sNWS_2(BkzM(wJa8)mmiQ}2bZ-^oAMqab6XojN$nE|8{YHD|SFiG)R6MJ2OB;WXdST+V)6NwqxVxro z84d8l0{iz!-TAg3^k0h|Os35k%)W~r-{`+s_!^^(g3F@EG85}ad>hnUr}fwCDlqiJ zs&w%!WiOX+*#CNYasD?Bh05ue>OUQ^&yY7bwf7qFaCk~T@!_}rhx^q7wc@T21Iy?> zakW0z2kPmaf?@|--wkaUK9U2gnaAD_0DP5yFZWvjvOT97gxql$6ARW6i%LPwKR{7#s2qyM-nGocUGN@nDu|Z0f&Hl z07!Kr0RByY!rDgI6Z8yo#tf@qOCKkGw@tc`<}9c6EGP4<=Z)T?GKTDLpN&vVa%=as zd@@K#%fi6t(7r* zlCISEMO!&f^`G1Jo#?6cf(+LOyZUC5ltm58jnS5pU8^tbH#YWqBuu>ZH^=p7#rsPB zu8hP8n_`aY%|h#s(j5)h>wg1QRMoouA!Q0@0{z#2KiwjXZN0!cIR!-Q1EYBT_WhbO*X6PG zU%44An4`5%_(b37$X!nD0GfH7RsbO&DCnwL2`&sQZeTE=hQx)Ls76c{biGnppX$o=4`nQH!Ga<6vdRGaLBEb562{5QghWolF`>PB5 z>(<2o@*@ZcxLZr~E44ja0S^MjJ=_L19CF7;z!U@|TZy&Cz&q?Fauqicefu-dQ0Q|w zSfeVHil&#=F)s%euRX^k8R3^;a0&}gX`?5V6qlhpgv`%M*0U8ExzbWJ&v18khVBGzw~;0~ZkrOlBnQp28lD0Qtj=saHfjPUvM=UqTa zZxPT6CJstnNSt5!C{K<=L0C%f;y!;xjugZuCknRdMV0r#S?|iOua~#*fqpuYuvous z?3Xrh=E!ie|0NfKKj+y7}E9s`!%B|!3;tY_kp|FLhbmKBBq zqeg=dMh&DkEz5ypvC=&-(bc^8#bI@+L_pi7ZsL6~ny{M|eKiy$D~`+INd;GNUSdv0 z9;@&E#4W10y~0LFN#GCIVta!KDS}pU@B-2T-I@H-*U4Dqy1+zApkIJN@^{A?oCK1} zVPk`z40_A=%xQEJl+iMfTizJU&mqK1xe=%3Le07oFf@%S>7tlFheNF+EUgN*YyD!9ha%X)34C&%i7;T-`k>AE7U<-8 z0k{RrYb%GqH8TW&GA+;o-}upV-*Lrp2!OMP|EPG&Th3E0eZls$v|5;z1Ox{a+}x_u zUB~pBTjV}CEp+Zp*_LxQv>eSxwD#i>tNCDEjMUftJ5R7%wvZ`W7}p<2KlbD)#yuo^_67CTvK*$WDFbfTGpFZy6dW=%VdpfZOgrXak*V_dII*aj2? zPkz(@Ex_(x{uUm9FH7P1{4)~`^vO#(EAnn+yPZ_9&jm2=-ak;N%@#9 zsoEPrRdBCQaF7GXXJ<}^R`5k6k7={Soh?u!Fd*DAw69}>p?xrD?0hDb>gu2| z?fY8W8O3oQ?mvO`y(2M|36Dtl|z zsyGvLf zxhb}RRiLEe)_u=iv~%$d7bj{k5GW#c0m@>#yIA==zPd&7A|SEHV}MpLetGbf(RXol zbEd9RV)qLLmpDCZ#b%+9j3K%5-060UUM}G6E)8QqHpK(bgzTUB=6A#;UJGl*mQh8% zyTp@QxZ!fA>ch0LB!?1vT`YURDf9q7NiLWn$C#1wtLyZO?bJ`;EwIcd(??Y5bc*Sp>d=5 zUyA_reZJU*TAN)i@@|OVTIO_@7$sDH{Sd1U>IEuq&MV)T+4h-`nvT3wP}bZ6jtQSH z6XK|JfVS%yTOWY!MiFRIE-uEa>lSXAJ;CJqdY`q43Ue+~Y85j7V2!U)P{4^?N}dS_t9$6k@n=8wJ5bO3_*SgPpICSTO6tWG zWU9d{!LeWc#VCgv5!D`~1yZwyMfOy(wjatNC)*-mRr{ooO)Z2&5OYNQjoG;|M}tKv zp>G}AZ@tc_29>=qF}uL4|LH?DYC(m5R1ag%nMs-@o--Eq$8?-<% z)nX86t}YGS-_{PGicyoLLx?%W<9-p{@aK?~L?o2z`7_56F>>jZ@jMD8(MgYeMAUZC zN$0@9=m_aMYlAShk)R$UoXPxU@6p0(=Wors19tQtBc#rbD5!_xX+EJQ-vP0!Zc9JG zrlKnrp=!p(-MV;L^Zhnx2gvla=?ArRbYt6r5>f!pn+=p#pFK!`Xkq}?s6|)`0RN)* z-0%ow+{2Ol!opBVDiUi5^5esl;2%biyU20C(^{Szg%y=;dh>@%^AFg^tR`(rp+Cid zjBTTo%+p6V9^IRwLbxzLtYC;)|M)PXyH8>cPbU0)qX)p}Nd?-d%mK zzsBHvY&EW^HRv;_c9<>OyMhXgcqR~{E>pMLdXQHklTFx{Dx_@8UkJRfmAthCAv6g1 z;|_`n7^>}%nTYTx46-MKO16wN44_#$i?w>Im_H{(`;5r*iogbMWuN9Y% zBunl&w!Pe)?+7nE2o3g7eS0vV&u=sl0wtIALyaL&7A>rEQQ$6QS;3QUo`1GBUs6`X z{h?%cYBnoIV*)jh$hkXY&Po-MCV+0A)3_cz6({_TP1HXo9qY-s$ilspjacw@LmSjJ z`$DNwtnrt1rE*cogol1`b_z22N~YH%o^iJfcaeyPl&Kx{l3Ub-&Z@giIFv}KJbtE= zh{wk}-3BTZ8wtO|h24FnK-bNh26grR=C!>S_gz-9?HO8y3}3Wa;*tcky{7MbIKWF% zON$2L<&No+V9o>_NLyt@f8WWV zz{lp#ieN$l^7<6R~>9yz|=tJSWVTO{7tpSS@(sgwLw^!sAKR;=b43TP9ej)3PRF89M$cpE4KD; z-VwvIVJ-!+9aQQcJ*LpsT!mw*cOO$avOu;pWht?A#;}jSRl>7!~f3 zLX2O3@@Ko8 zm;+euySIDJ6_|vaa=(v5@~=*~2bQx*^gfLEO{rHV|E5CkWb zc?g#KvX=&056I&=HHmVp^qBm}HjQc>&1U*!SZ`?B8SzsaI6l2@E<^tt;WiUn`3_3< zRP7Qr-vR0MD2u2ti+?t(^$|t=>+Q1K3S=`Mh^xNWgyYlA-TZ){B+!+J%m!u3wN6|_ zlGDUBIHU;5!wQ3fdd{9(1XCa7OBE`tts2H04Vio+DJ?L-<$X;6#K7SV3}2%exZQO{iT+D^ z@^C?(^nY%JO03j5>Zndr{6;#ujZWv`2P3x_+$#1N zyDzM~#iI(%E9s<&*8W~egHLXCu=Be$7#E9)iNz%)Q9IFw9{#%bI)`C(%KUIWBtCxA zO>K4Rogt}tkU*Hlrs2!zG4=P}_8X%XUf*5EyFoDzghh{knMb>V=^$4D`IxZHhyqA? zbg%)NQJ>TApSglhK|+vMSh%k3T0+4;J#P_zoWBTq^j(Cxxs}6d__tOXjPWX8@+`bF z6%n3@a@}9i`1S zz$Djqetxz9W!VmOH)Dr^D^%g6YKl>z{1jrHwdLyWSk{U#~Y0 z9g7eSQOg=Tw0E9urL40Q)uvf}YPrK&o-DZ$8+d#vE)^ri zkTA*K96x!@-jZQb^Co7}Y3TS~#L~Cy@z1(y>oB*k&QH6_yz^S>-qJMG*KeCMWR<=` zo`|oj)Xch%y;>{Q%2yIFYli{>5aa;)a|UeD2b)qV$YlW?3;G9MqPb#f-3RUrrcc%I z19HQN3-7u-(U(ebeUSHvR8ur8$4WTm@IFJI;?3(Nf*G!U;`WmsZ{G|jeXB^nq3?~<9=HCxx)b@OwaB5t zHF%IF} z#E-GbDYg?0t6x*myg8W(@JSM=QP>zDsOd0MaFh85ElT5_vqLI8XTAS)gBF{=4m`Z9 z{*+kQ6E|Lk<`NN^0ePY8U?i^s6AFq(a91nD-uecRLc~;i^Zy`||62y71Y3j6G5|XK zibF0pB^|I07xbtM4`zd^F>#LyM(w|q%_fa8$gUN;K`08~FjvGEkPhrXGrbS>^;>+J zA{nKc=kR|af$fB2kptXIyhT=ReSdX0A3QC1{wWh+2;}6gRjRW-r=|6}C7{1ZafR6! z?*9~fqD~1+&j>RX9T`p)Ckn`m$2=pb!#7rpMwPISo{pA*eqc)c94lQX&}}? z|M_C7ZJDNU#;XCbPp`LsOfbA41-D%W99g|w=T+8N4Y2SM|DbQXkW6?m!)kXs>HdKj z|Am+Fg8|@4DK)UWvj8YqGM?lZO-RuhMN`{&?M&=~2*JY;p+#B{DWT zef{CcwQ8r4JQli z%?Fb~-_jER?wq=(%p`=9k}Gs?C>4cbeq5kJmPdfiZ-a4vVdNR9B)S$r2&C7Z8Vps) zb_7O1P4YTg2^R%kIls(f^~Z+%KrWY0WX3U&NBp zgAZtrSWj1%ZcJ4v>y|uW&hj}aI`KvC?GLLfgXXye2GC~h|G}W%#kxo%CjbBsVm8zJ z`!2MA53;A@0PYTMh>OP5tAf10%4SrndLT>6bTVrCdP%-Xlc#{q2!}O*20;gs8lZJA zDeE+6_J59r%y|SArQ(9YHukBH^{=BWB!C2?dsYMdR%11ww@z-@s#nGezq}Q3F!?bX zLCFcnDjuafb$=i=5Y(=I&QbXF_YDK0>;2NhIFA2k7N2aDS%9ITBl0V_y$ z+nnkKEvx@}p|KEH=9?`sHW&Ve4S~szW`WwJ20B077l_4t&T7dMPXBDjtZ<*ufv)aG z&|r>5ixfc?njq=`AV?ch%qd9eIGAnp`VMo-c}<&*fQD_egf5W1(Osp0)s2z&^pEC! z6d*i`1hMAe?V#m63E)5zOmT|{AeOAxiMVC z)7>w{Kv?7VDH~Q17UutYNWRkLVCu_x{DQ@`y zD+}P*1nsLj2~=bn6aG##{3bm5`uaV|w^dWSKo2Y@Ag=8ikMfY>Su<r*)p7tH`2 zvP#kmop=*MFZymAI1o7QUomx(y+KmJ%$^(!jq?YSD9{J@R=5p!>insi*Tp$w)SLoizib?ew|fev zn){7o6wNuYS>$^j=o-K`5RN483R@1PU~qj5i5fCa#j5gVn=1tMZd5 z6YR3O>f0x0zXwM_!%^&Y=*QDtfLqATyj8f$xO#;U8U`}CrO$W)_wv!BVbXcLj+G2> zBArq zU!FW{C*oHCcR$)f7S&!P>mWRFJC}{1_eNert3Dc*S z@@X6?HPn;6zkBZYv4e(Q2|%ejd3%LfK0Ohs1{GsK$&TS;`_BSwXY3jqfv#QgYXHQ_ znviMAmho=ImxAv8#)C0K0qY^wQIZ(<4qkj@F1)FYG7bn}RC^L1G7S;Ed77->_tJa# zg@pD`u)Y#EHtclpYS>)1X2kg0>FOzAY#|y~`STESnT8WYPL1FZ0*iMCCm$)FD7oD2 z2HW-RW9V>G>*XeU)!xL~krEg70%rAMamawmR0~!LE9U58?jVLBt$#5)Fi@ubcCrmL^(wZ!oP>K1->%ajwo7d;wkjd4=X5> z1f$Q9+4Q4Fwbg{0dITbrkKYF$hQ4%Lbjy{#4wrX8ga3B_kobmy2|r>b-iH{f(NSC~3lZwggchemb14(_k*@Kax#KjoRk zj{52K;g)P{+AtM~`H@11O&w(wnR)toy(=G|ZRW+R^(5Pd^Ex8idlI>OvwY8spud0v zPZ^B}>1wiLr)Q;&8%TNgCb(c{pw0Sk6s?JlLGp%cq^wtU`_%1oNJ?@m_;H(9ebbkD{qJ3j$P$=SG?>2TP=A+?|*aY9NSY=+4Dm>$yRPf2}wkX!)|94@-kyMI>!`$?8k znN+PQrON_0DLAy7-St3$$p@RmevOm7O!HXDfR|!TRjH4o{O@cXM#F@cUq}P~(zx}R z4mk$|8z6y-&>f2Z3azbr;Fz}%!@Uq_P;O$xWns?`YKM(I^#AVwU6$+o)Uo6B9By@$ z@Qe{hFZTer=tx5P%!=r*Qk_~m^sgmu58HP4_fr`~+Eeojci24Q+5A3Xt0ywzD?w_i2BvA!bGc3d|!P%T4Y!2MvfI4fsib!y9kx1(1sBN%2~V&(RxVo;gRxD%9G zONc6cYZhutNl#}^7|UHL`gLoB+emBN>KH!rPER|u7z6Q26Y$Vi^nkPF|H(kW^Eb($ z5YmNWk$)z@e*eDV(D1PN+ULzs?Ukp%N8xr)KJACcue)nzH<#cz?XJ;)f*$s7u6c(v(HarG7u`-=V_1nK7tM9FMHK(cV zu#L2W|0ta``BG!p@_kAh6ivX%uQMu^oU*lfvc^8eW`k|QAK&~pyO*VGq>^85BGDxr z@n1Rh4|Xb~WbeiPO9%d&irhro|4j-uWo-Tb_mAd$aVnqABoei%?m@smMOigO*~6y+ F{|`p*^y&Zr literal 0 HcmV?d00001 diff --git a/docs/security/architecture.md b/docs/security/architecture.md new file mode 100644 index 0000000000..828fcc0360 --- /dev/null +++ b/docs/security/architecture.md @@ -0,0 +1,81 @@ +--- +title: Security Architecture +icon: material/wallpaper +--- + +!!! warning + + This security architecture is still a work in progress. Comments and feedbacks are welcome. [Discuss it on Github](https://github.com/roddhjav/apparmor.d/discussions/1013) + +## Preliminaries + +

+ +**The best is the enemy of the good.** + +
+ +The architecture presented here can be seen as a general overview of what any modern Linux security construction may want to achieve. + +Example of current Linux distribution implementing something similar with various use case in mind are: + +
+ +- :material-package:   **[ClipOS](https://clip-os.org/en/)** +- :material-ubuntu:   **[Ubuntu Core](https://ubuntu.com/core)** +- :material-fedora:   **[Fedora Atomic Desktops](https://fedoraproject.org/atomic-desktops/)** +- :material-fedora:   **[Fedora Core OS](https://fedoraproject.org/coreos/)** +- :material-atom:   **[Particle OS](https://github.com/systemd/particleos)** +- :material-train-car-flatbed-car:   **[Flatcar OS](https://www.flatcar.org/)** +- :simple-opensuse:   **[openSUSE MicroOS](https://get.opensuse.org/microos/)** +- :simple-opensuse:   **[](https://)** + +
+ +A careful reader would have noticed that the common ground among these distributions is to be constituted of a fully immutable core system. If such a construction is probably the future of Linux, as of today it can raise some usability concerns (cf [rule :material-numeric-6-circle:](#user-freedom "User freedom.")). Therefore, the current project propose a pragmatic long term solution: + +1. We acknowledge the end goal need to be fully compatible with system that respect 100% of the security model presented here. +2. We stay compatible with a *"classic"* Linux construction (i.e. without immutable core), and try to implement as mush as we can on classic distribution. It is considered as a transitional state. + +## Security Architecture + +As attacker usually comes from the top (a high level application) and goes down to the core system, we present the security architecture similarly. + +1. **In application sandboxing:** separation of privilege, least privilege principle, within different process of the application itself. It can be implemented using tools such as: Landlock, bwrap, and Apparmor. +The purpose is to separate highly privileged code from the rest of the application. + +1. **Application sandboxing:** Isolate the application from the rest of the system with tools such as. In this context, "sandboxing" does not refer to a special technology, but to the general concept. It can be implemented in various ways: trough VM (Qemu/KVM, Firecracker, Cloudhypervisor, Kata Containers), or container (Docker, gVisor, Flatpak, Snap) with different level of isolation and integration with the rest of the system. + +1. **Confined user:** The user is confined in its own environment. Limiting what they can do **[:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)")**. + +1. **System confinement:** separation of privilege, the least privilege principle, within all part of the core system. For example, Gnome is constituted by about 50 small services running in the background. Each of them are confined independently with granular access to other part of the DE. + +
+ ![_security-implementation-architecture](arch1.png#only-light) + ![_security-implementation-architecture](arch2.png#only-dark) +
Overview of the security architecture
+
+ +## Security Levels + +As `apparmor.d` can be used in multiple security model, it provides different mode to fit into the following **proposed** security target. + +**`default`** + +This confinement level can be summarized as *the most we can do without requiring user configuration*. It provides a good level of security for most use cases while requiring minimal configuration from the user. It is suitable for general purpose use. The goal with this level is that the end user should not be aware of AppArmor and its configuration. + +- Principle of least privilege applied +- Strict Principle Of Least Astonishment (POLA) + +**`strict`** + +Stronger confinement for applications. Suitable for more sensitive use cases. This level includes a few sublevel depending on how the user want to configure it. + +**`fsp`** + +Full System Policy confinement for applications. Suitable for very high security use cases. + +**`extreme`** + +Maximum confinement for applications. Suitable for the most extreme security use cases. This level may break some applications and require significant user and application configuration as well as patching some applications to work properly. +The goal is to provide a kind of Multi Category Security (MCS) using apparmor on top of the FSP model. diff --git a/docs/security/ecosystem.md b/docs/security/ecosystem.md new file mode 100644 index 0000000000..1323c68215 --- /dev/null +++ b/docs/security/ecosystem.md @@ -0,0 +1,79 @@ +--- +title: Ecosystem +icon: simple/linux +--- + +## Use cases & users + +Linux's user can be anyone from novices that does not know they are running Linux and that have no idea that AppArmor exist to the most advanced power user that want full control over their devices. + +In opposition of other operating system such as Windows or macOS, Linux can be used in a wide variety of application and use case such as: an OS for embedded device, a mobile OS, a workstation, a gaming console, a server, a global fleet of servers. + +The ecosystem is so open that there is no compatibility requirements that define Linux in any way. Particularity in terms of: + +1. **Diversity:** They are a wide range of package managers, sandboxing & virtualization tools, init system, display server, Desktop environment. +3. **Users:** *everyone* +2. **Use case:** *everything* +4. **Location:** *everywhere* + +This diversity is a strength of Linux but also a challenge when trying to define a security model that can fit all these use cases while being easy to use and understand by everyone. + +## Ecosystem + +**Architecture** + +Despite its diversity, only two major system architecture exists in the Linux ecosystem: + +1. **Purposed built systems** such as embedded systems or servers that are designed to run a limited set of tasks and thus that can *easily* support strict and limited security policies. +2. **General purpose systems** such as desktops Linux that are designed to run anything, anyhow. + +We note there is trend in the Linux world toward purposed built systems even for desktop usage. + +**Security consideration** + +Due to the diversity of use case and users in the Linux ecosystem, no particular security requirements/ minimum standard can be assumed for applications or users. However, some general hypothesis can be made: + +- Open ecosystem, immense, enforced by package maintainer and distributions +- Any language present, secure or not, past and future +- No rules in software quality +- No rules in security requirements +- The packages are mostly installed from *"trusted source"* +- Distribution repository are well known trusted source +- Software usually do not want to spy on you. Still some do it. +- Continuously find new security vulnerabilities + +## Stakeholders + +In the Linux ecosystem, there are many stakeholders having some kind of power over the system. These stakeholders can be: + +- **The end user:** the person using the device. +- **The device owner:** the company/university/organization owning the device. In case of a personal device, the end user is also the device owner. +- **The Linux vendor:** The Linux distribution +- **The device manufacturer:** The hardware manufacturers providing firmware and drivers +- **Third party app developer/companies:** Other proprietary software company that may run on the device + +These stakeholders may have different requirements and objectives regarding the security of the system. For example, the end user may want to protect their privacy, while the device owner may want to ensure that the device is used for work purposes only. + +## Requirements + +From the above, we can derive the following requirements to apply on our security model. + +#### Rqr :material-numeric-1-circle: - User Freedom. + +: Explicitly supports extreme personalization[^1] + +[^1]: It does not mean the personalization has to be easy to do, just that it must be possible. + +#### Rqr :material-numeric-2-circle: - User Privacy + +: The system should be at the service of the end user in its goal to protect its privacy. The system should not be at the service of the developer, the distributor or a third party application. + +#### Rqr :material-numeric-3-circle: - Principle Of Least Astonishment (POLA) + +: A component of a system should behave in a way that most users will expect it to behave, and therefore not astonish or surprise users. + +#### Rqr :material-numeric-4-circle: - No strict compatibility + +: Whatever application you have, the system should find a way to run it. Native, containerized, virtualized, emulated, etc.[^2] + +[^2]: Some way may be explicitly blocked, but other way should be available. diff --git a/docs/security/hardening.md b/docs/security/hardening.md new file mode 100644 index 0000000000..6b09721aee --- /dev/null +++ b/docs/security/hardening.md @@ -0,0 +1,30 @@ +--- +title: Security Hardening +icon: material/bandage +--- + +A careful reader would have noticed that these sections do not mention anything about security hardening, whilst it is a common thing in modern secure system. + +
+ +**What is the problem with security hardening?** + +
+ +In one sentence, *It is the opposite of security by design.* Security hardening means retrofitting security controls onto an existing system, while *secure by design* means building security into the architecture from the beginning. + +Hardening a system usually means installing a set of security tools and configurations on top of an existing system because they look cool, secure or trendy. The problem is that when doing so, you usually do not have a clear idea of what you are trying to achieve, what are the threats you are trying to mitigate, and what are the trade-offs you are making. + +!!! tip "To sum up" + + Hardening is like adding additional reinforcement to a bridge because after finishing it, you realized it could be dangerous. It would have been way better to design the bridge with more structural support in mind from the start. + +**Example** + +- Instead of disabling some kernel modules, it is better to build the kernel without the module at all in such a way that even if an attacker manage to load the module, it would not be possible. + +- Instead of disabling USB storage devices because they could be used to exfiltrate data, it would be way better to design the system in such a way that even if a USB storage device is connected, it cannot be used to exfiltrate data. + +In other words, it is way more secure, and stable to design a system with security in mind from the start, rather than trying to patch it afterwards. + +This is why these sections focus on the complex question of *what do you want to achieve?* rather than the simpler question of *how to harden your system?*. diff --git a/docs/security/index.md b/docs/security/index.md new file mode 100644 index 0000000000..0babd4ea3c --- /dev/null +++ b/docs/security/index.md @@ -0,0 +1,64 @@ +--- +title: Security +--- + +There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises: + +
+ +**What to confine, how, and why?** + +
+ +The security model presented here help us to scope the security policies within the broader context of system security and privacy. + +This section presents the security model considered for the profiles in `apparmor.d`. Despite that this security model looks at Linux security in general, we are only focusing on the threats, model, and implementation within the scope of AppArmor. + +!!! warning + + This security model is still a work in progress. Comments and feedbacks are welcome. [Discuss it on Github](https://github.com/roddhjav/apparmor.d/discussions/1013) + +
+ +- :simple-linux:   **[:material-numeric-1-circle-outline: Ecosystem Review](ecosystem.md)** + + --- + + What are Linux based systems used for? By whom and how? + +- :material-bomb:   **[:material-numeric-2-circle-outline: Threat model](threat.md)** + + --- + + The list of threats the :material-numeric-1-circle-outline: Ecosystem is continuously facing. + +- :material-security:   **[:material-numeric-3-circle-outline: Security Model](model.md)** + + --- + + Given the :material-numeric-1-circle-outline: Ecosystem and the :material-numeric-2-circle-outline: Threat model, what are the rules that should be enforced? + +- :material-source-commit-local:   **[:material-numeric-4-circle-outline: Security Implementation](architectureimplementation.md)** + + --- + + How AppArmor is used to enforce part of the :material-numeric-3-circle-outline: Security Model? + +
+ + +!!! quote "Security Model" + + A computer security model is a scheme for specifying and enforcing security policies. A security model may be founded upon a formal model of access rights, a model of computation, a model of distributed computing, or no particular theoretical grounding at all. + + *Source: [Wikipedia](https://en.wikipedia.org/wiki/Computer_security_model)* + +!!! example "References" + + 1. [The Android Platform Security Model (2023)](https://arxiv.org/pdf/1904.05572v3.pdf) + 1. [ClipOS](https://docs.clip-os.org/) - A security OS made by the ANSSI (the French NIST) and used for sensitive French government related activities. + 1. [Spectrum](https://spectrum-os.org) - A step towards usable secure computing + 1. [QubesOS](https://www.qubes-os.org/) - A reasonably secure operating system + 1. [Whonix](https://www.whonix.org/) – An anonymous operating system + 1. [Kairos](https://kairos.io) + diff --git a/docs/security/model.md b/docs/security/model.md new file mode 100644 index 0000000000..88c5511dd9 --- /dev/null +++ b/docs/security/model.md @@ -0,0 +1,12 @@ +--- +title: Security Model +icon: material/security +--- + +Given the **[:material-numeric-1-circle-outline: Ecosystem](ecosystem.md)** context and the **[:material-numeric-2-circle-outline: Threat model](threat.md)** explained in the previous sections, this section presents the security model that should ideally be enforced. + +It covers the basic principles, rules and objectives to consider when building a secure system. It may be changed to fit into use case and threat model modification or specific needs. + +!!! warning "Work in progress" + + This security model is not yet properlly defined. Comments and feedbacks are welcome. [Discuss it on Github](https://github.com/roddhjav/apparmor.d/discussions/1013) diff --git a/docs/security/threat.md b/docs/security/threat.md new file mode 100644 index 0000000000..f3c8e30e3e --- /dev/null +++ b/docs/security/threat.md @@ -0,0 +1,37 @@ +--- +title: Threat model +icon: material/bomb +--- + +The importance of the threat depends on the use case & application. For example the fact that *adversaries can get physical access to device* is a bigger concern on mobile & embedded device than on a server or even on a VM. +However, these remain valid anyway. + +## Modularity + +Across the linux ecosystem, treats can varies. As such not all threats are relevant to all users and some threats only matter for some security models. As such the underlying implementation should be modular enough to allow selection of the relevant threats and to enforce a given security model even if it lead to a trade off in terms of usability. + +## Threats + +!!! warning "Work in progress" + + This threats are not yet properlly defined. Comments and feedbacks are welcome. [Discuss it on Github](https://github.com/roddhjav/apparmor.d/discussions/1013) + +### `PA` Physical access + +Adversaries can get physical access to the devices. + +### `C` Communication + +Network communication is untrusted + +### `P` Platform + +The Linux system can be targeted. + +### `UI` User interaction + +Many stakeholders in the ecosystem can act as supply chain attack vectors. + +## Out of scope + +Some threats are considered out of scope for various reasons. diff --git a/zensical.toml b/zensical.toml index f6f652dfc8..b835f361c8 100644 --- a/zensical.toml +++ b/zensical.toml @@ -44,6 +44,20 @@ nav = [ "recovery.md", ] }, ] }, + { "Security" = [ + { "Security" = [ + "security/index.md", + ] }, + { "Security Model" = [ + "security/ecosystem.md", + "security/threat.md", + "security/model.md", + ] }, + { "Implementation" = [ + "security/architecture.md", + "security/hardening.md", + ] }, + ] }, { "Development" = [ { "Development" = [ "development/index.md", From 2a2161f9e7519aaa340ac34187d50b6f452246f5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 01:11:54 +0100 Subject: [PATCH 1318/1736] docs: add the new abstraction section. --- .gitlab-ci.yml | 1 + docs/abstractions/.template/app.md | 7 +++++++ docs/abstractions/.template/attached.md | 14 ++++++++++++++ docs/abstractions/.template/common.md | 7 +++++++ docs/abstractions/.template/core.md | 7 +++++++ docs/abstractions/.template/dbus.md | 8 ++++++++ docs/abstractions/.template/dev.md | 7 +++++++ docs/abstractions/.template/flatpak.md | 9 +++++++++ docs/abstractions/.template/generic.md | 7 +++++++ docs/abstractions/.template/mapping.md | 9 +++++++++ docs/abstractions/.template/sys.md | 7 +++++++ docs/abstractions/.template/udev.md | 7 +++++++ zensical.toml | 22 ++++++++++++++++++++++ 13 files changed, 112 insertions(+) create mode 100644 docs/abstractions/.template/app.md create mode 100644 docs/abstractions/.template/attached.md create mode 100644 docs/abstractions/.template/common.md create mode 100644 docs/abstractions/.template/core.md create mode 100644 docs/abstractions/.template/dbus.md create mode 100644 docs/abstractions/.template/dev.md create mode 100644 docs/abstractions/.template/flatpak.md create mode 100644 docs/abstractions/.template/generic.md create mode 100644 docs/abstractions/.template/mapping.md create mode 100644 docs/abstractions/.template/sys.md create mode 100644 docs/abstractions/.template/udev.md diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5abf6128ea..4560767d41 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -191,6 +191,7 @@ pages: GIT_DEPTH: 0 script: - pip install -r requirements.txt + - bash dists/docstring.sh - zensical build --site-dir public artifacts: paths: diff --git a/docs/abstractions/.template/app.md b/docs/abstractions/.template/app.md new file mode 100644 index 0000000000..1bf125b422 --- /dev/null +++ b/docs/abstractions/.template/app.md @@ -0,0 +1,7 @@ +--- +title: App abstractions +tags: + - abstractions + - app + - layer 3 +--- diff --git a/docs/abstractions/.template/attached.md b/docs/abstractions/.template/attached.md new file mode 100644 index 0000000000..3f4adea181 --- /dev/null +++ b/docs/abstractions/.template/attached.md @@ -0,0 +1,14 @@ +--- +title: Attached abstractions +tags: + - abstractions + - attached + - special +--- + +These abstractions are used to manage special rule when re-attached paths are enabled. +When they are needed, they are **automatically** included in the profile as a drop-in replacement of the standard abstraction. See the [Re-attached path section](../development/internal.md#re-attached-path) for more details. + +!!! danger "Must not be used" + + The following abstractions must not be used manually. diff --git a/docs/abstractions/.template/common.md b/docs/abstractions/.template/common.md new file mode 100644 index 0000000000..cec62a18c6 --- /dev/null +++ b/docs/abstractions/.template/common.md @@ -0,0 +1,7 @@ +--- +title: Common abstractions +tags: + - abstractions + - common + - layer 2 +--- diff --git a/docs/abstractions/.template/core.md b/docs/abstractions/.template/core.md new file mode 100644 index 0000000000..d72bdf426b --- /dev/null +++ b/docs/abstractions/.template/core.md @@ -0,0 +1,7 @@ +--- +title: Core abstractions +tags: + - abstractions + - core + - layer 0 +--- diff --git a/docs/abstractions/.template/dbus.md b/docs/abstractions/.template/dbus.md new file mode 100644 index 0000000000..89f1bcaf31 --- /dev/null +++ b/docs/abstractions/.template/dbus.md @@ -0,0 +1,8 @@ +--- +title: Dbus abstractions +tags: + - abstractions + - dbus + - system +--- + diff --git a/docs/abstractions/.template/dev.md b/docs/abstractions/.template/dev.md new file mode 100644 index 0000000000..e83cdb167e --- /dev/null +++ b/docs/abstractions/.template/dev.md @@ -0,0 +1,7 @@ +--- +title: Dev abstractions +tags: + - abstractions + - dev + - system +--- diff --git a/docs/abstractions/.template/flatpak.md b/docs/abstractions/.template/flatpak.md new file mode 100644 index 0000000000..5bca9b91a2 --- /dev/null +++ b/docs/abstractions/.template/flatpak.md @@ -0,0 +1,9 @@ +--- +title: Flatpak abstractions +tags: + - abstractions + - flatpak + - system +--- + +These abstractions should only be used by the flatpak profiles. They provide the necessary rules to run Flatpak applications confined with AppArmor. They are designed to very closely match the [Flatpak Sandbox Permissions](https://docs.flatpak.org/en/latest/sandbox-permissions.html). Therefore, they are different to they host equivalents, as flatpak apps do not have access to the full host filesystem. diff --git a/docs/abstractions/.template/generic.md b/docs/abstractions/.template/generic.md new file mode 100644 index 0000000000..1d12b9ccb2 --- /dev/null +++ b/docs/abstractions/.template/generic.md @@ -0,0 +1,7 @@ +--- +title: Generic abstractions +tags: + - abstractions + - generic + - system +--- diff --git a/docs/abstractions/.template/mapping.md b/docs/abstractions/.template/mapping.md new file mode 100644 index 0000000000..844daf35c8 --- /dev/null +++ b/docs/abstractions/.template/mapping.md @@ -0,0 +1,9 @@ +--- +title: Mapping abstractions +tags: + - abstractions + - flatpak + - mapping +--- + +These abstractions should only be used in Full System Policy mode when a user is confined. See the [User Confinement section](../development/internal.md#user-confinement) for more details. diff --git a/docs/abstractions/.template/sys.md b/docs/abstractions/.template/sys.md new file mode 100644 index 0000000000..a81828ce71 --- /dev/null +++ b/docs/abstractions/.template/sys.md @@ -0,0 +1,7 @@ +--- +title: Sys abstractions +tags: + - abstractions + - sys + - system +--- diff --git a/docs/abstractions/.template/udev.md b/docs/abstractions/.template/udev.md new file mode 100644 index 0000000000..8b4a90ad32 --- /dev/null +++ b/docs/abstractions/.template/udev.md @@ -0,0 +1,7 @@ +--- +title: Udev abstractions +tags: + - abstractions + - udev + - system +--- diff --git a/zensical.toml b/zensical.toml index b835f361c8..9bfbd4e6cb 100644 --- a/zensical.toml +++ b/zensical.toml @@ -82,6 +82,28 @@ nav = [ "development/autopkgtest.md", ] }, ] }, + { "Abstractions" = [ + { "Abstractions" = [ + "abstractions/index.md", + ] }, + { "Layers" = [ + "abstractions/core.md", + "abstractions/generic.md", + "abstractions/common.md", + "abstractions/app.md", + ] }, + { "System" = [ + "abstractions/dbus.md", + "abstractions/sys.md", + "abstractions/udev.md", + "abstractions/dev.md", + ] }, + { "Specialized" = [ + "abstractions/flatpak.md", + "abstractions/attached.md", + "abstractions/mapping.md", + ] }, + ] }, ] # Navigation structure From 5c7ddc8876c09745aafbb71e4fb49e8b1edbe744 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 01:18:31 +0100 Subject: [PATCH 1319/1736] fix: linter fixes. --- apparmor.d/abstractions/devtools | 2 +- apparmor.d/abstractions/tests | 2 +- apparmor.d/groups/cups/cups-backend-ipp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/devtools b/apparmor.d/abstractions/devtools index 585614f04e..20dc59c693 100644 --- a/apparmor.d/abstractions/devtools +++ b/apparmor.d/abstractions/devtools @@ -38,7 +38,7 @@ owner @{user_state_dirs}/*@{devtools}*/** rwlk, /tmp/ r, - owner @{tmp}/ r, + owner @{tmp}/ r, owner @{tmp}/*@{devtools}* rw, owner @{tmp}/*@{devtools}*/ rw, owner @{tmp}/*@{devtools}*/** rwlk, diff --git a/apparmor.d/abstractions/tests b/apparmor.d/abstractions/tests index a8f0b2ec94..d31f154fb7 100644 --- a/apparmor.d/abstractions/tests +++ b/apparmor.d/abstractions/tests @@ -5,7 +5,7 @@ # Common temporary tests directories used by autopkgtest. # -# !!! warning +# !!! warning # # Do not use it manually, It is automatically included in the base abstraction # when the 'test' prebuild flag is set. diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index 7529ecb1a6..05eeb35f03 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -24,7 +24,7 @@ profile cups-backend-ipp @{exec_path} { # network (receive,send,setopt) inet stream peer=(port=631), signal receive set=term peer=cups-backend-implicitclass, - signal receive set=term peer=cupsd, + signal receive set=term peer=cupsd, unix type=stream peer=(label=cups-backend-implicitclass), From 5938689f572d989ea666ae1450d080402a8940c4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 01:19:47 +0100 Subject: [PATCH 1320/1736] feat(abs): add initial version of bus/session/org.openprinting.PrintBackend --- .../bus/session/org.openprinting.PrintBackend | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.openprinting.PrintBackend diff --git a/apparmor.d/abstractions/bus/session/org.openprinting.PrintBackend b/apparmor.d/abstractions/bus/session/org.openprinting.PrintBackend new file mode 100644 index 0000000000..a53b40acdf --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.openprinting.PrintBackend @@ -0,0 +1,50 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/ + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=GetAllOptions + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=GetAllPrinters + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=getChoiceTranslation + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=getDefaultPrinter + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=getGroupTranslation + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=getOptionTranslation + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=getPrinterState + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=isAcceptingJobs + peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ + interface=org.openprinting.PrintBackend + member=printSocket + peer=(name=@{busname}, label=print-backends-cups), + + include if exists + +# vim:syntax=apparmor From b3dadbd39a1dbccafa3cb45712ed9c6a06945e5f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 01:27:49 +0100 Subject: [PATCH 1321/1736] fix: zensical build command. --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4560767d41..0de81fcfe9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -192,7 +192,7 @@ pages: script: - pip install -r requirements.txt - bash dists/docstring.sh - - zensical build --site-dir public + - zensical build --strict artifacts: paths: - public From f914f22355f989e3ad061776bd250eee7cf54156 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 01:31:51 +0100 Subject: [PATCH 1322/1736] docs: improve abstraction docstring. --- apparmor.d/abstractions/base-strict | 2 +- apparmor.d/abstractions/bus/session/org.freedesktop.Secret | 2 ++ .../bus/system/org.freedesktop.Avahi.AddressResolver | 2 +- .../abstractions/bus/system/org.freedesktop.systemd1.Manager | 1 + apparmor.d/abstractions/common/systemd | 5 +++++ apparmor.d/abstractions/flatpak/devices/all | 2 +- apparmor.d/abstractions/fontconfig-cache | 2 +- 7 files changed, 12 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 1543c3d730..557edda0bd 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -14,7 +14,7 @@ # - owner only access to some files in `@{PROC}/@{pid}/` # - denied lttng # -# !!! warning +# !!! warning # # Do not use it manually, It automatically replaces the base abstraction in # profiles when the base-strict prebuild feature is enabled (default). diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret index 3ef8bb34e1..27b36f4ce7 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -4,6 +4,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Provide full access to the secret-service API: +# # - https://standards.freedesktop.org/secret-service/) # # The secret-service allows managing (add/delete/lock/etc) collections and @@ -16,6 +17,7 @@ # applications may query. Because AppArmor does not mediate member data, # typical and recommended usage of the API does not allow for application # isolation. For details, see: +# # - https://standards.freedesktop.org/secret-service/ch03.html # diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver index f6a1a251cd..283e33dde3 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver @@ -2,7 +2,7 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Address resolving +# Avahi Address resolving abi , diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1.Manager b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1.Manager index 5dd7cdbbd9..2b06c45a7d 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1.Manager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.systemd1.Manager @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # libnss-systemd (D-Bus portion from nameservice abstraction) +# # Also allow lookups for systemd-exec's DynamicUsers via D-Bus # https://www.freedesktop.org/software/systemd/man/systemd.exec.html diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index f4a10076ef..5695f13d97 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -5,6 +5,11 @@ abi , +# !!! warning +# +# This abstraction should only be used by profiles in the systemd software suite. +# + ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index 1e72b85dff..5138e2ea59 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Flatpack 'all' devices gives full access to the system. +# Flatpack `all` devices gives full access to the system. # To limit this, we explicitly list the devices allowed, using the abstractions # for common devices. # diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache index 92d90a49b7..bcd2e3a743 100644 --- a/apparmor.d/abstractions/fontconfig-cache +++ b/apparmor.d/abstractions/fontconfig-cache @@ -7,7 +7,7 @@ # # !!! quote "" # -# ``` +# ```sh # fc-cache -f -v # ``` # From 448fc5868e9b524e6be9c87927fb6600cf02c514 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 01:33:07 +0100 Subject: [PATCH 1323/1736] fix: issue in gitlab-ci --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0de81fcfe9..8dada16cba 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -192,7 +192,7 @@ pages: script: - pip install -r requirements.txt - bash dists/docstring.sh - - zensical build --strict + - zensical build --strict artifacts: paths: - public From 0c14cc42b249608695406b861f81c26fe1ccf3d9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 01:42:31 +0100 Subject: [PATCH 1324/1736] ci: move site to public. --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8dada16cba..acbaff94de 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -193,6 +193,7 @@ pages: - pip install -r requirements.txt - bash dists/docstring.sh - zensical build --strict + - mv site public artifacts: paths: - public From dd9710267c2a1ee03ab0808176733de2564800fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 02:00:57 +0100 Subject: [PATCH 1325/1736] docs: add some missing pages. --- docs/abstractions/index.md | 126 +++++++++++++++++++++++++++++++++++++ zensical.toml | 1 - 2 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 docs/abstractions/index.md diff --git a/docs/abstractions/index.md b/docs/abstractions/index.md new file mode 100644 index 0000000000..723fff009b --- /dev/null +++ b/docs/abstractions/index.md @@ -0,0 +1,126 @@ +--- +title: Abstractions +tags: + - abstractions +--- + +Abstractions enable resources from one profile to be shared with another and with the system. The table below lists currently supported interfaces, with links to further details for each interface. + +This project and the official apparmor-profiles project provide a large selection of abstractions to be included in profiles. They should always be used as they target wide compatibility across hardware and distributions while only allowing the bare minimum access. + +!!! example + + For instance, to allow download directory access instead of read and write permissions: + ```sh + owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, + ``` + + You should write: + ```sh + include + ``` + +!!! warning + + https://snapcraft.io/docs/supported-interfaces + +find apparmor.d/abstractions/ -maxdepth 1 -type f | wc -l + +## Architecture + +Abstraction are structured in layers as follows: + +
+ +- **[Layer 0](core.md)** + + --- + + For core atomic functionalities. + + --- + + *This resource uses* `mesa`, `openssl`, `bash-strict`, `gtk-strict`... + +- **[Layer 1](generic.md)** + + --- + + For generic access. + + --- + + *This program needs this resource.* `nameservice-strict`, `authentication`, ... + +- **[Layer 2](kind.md)** + + --- + + For common kind of program. + + --- + + *This program kind is* a game, an electron app + +- **[Layer 3](app.md)** + + --- + + For application + + --- + + *This program is* `sudo`, `firefox` + +
+ +## System abstractions + +In addition to the above layers, there are abstractions that provide access to system specific part of the system resources. + +To use the terminology detailed earlier, these abstractions are `layer -1` + +
+ +- **[Dbus](dbus.md)** + + --- + + Specific to a dbus interface + + --- + + *This interfaces needs* `bus/system/org.freedesktop.ModemManager1` ... + +- **[sys](sys.md)** + + --- + + sys filesystem access + + --- + + *This program needs/has this resource.* `sys/input`, `sys/hmon`, ... + +- **[udev](udev.md)** + + --- + + For udev device access + + --- + + *This program kind is* `udev/input` + +- **[dev](dev.md)** + + --- + + For device access + + --- + + *This program kind is* `/dev/input` + +
+ diff --git a/zensical.toml b/zensical.toml index 9bfbd4e6cb..a112ce2435 100644 --- a/zensical.toml +++ b/zensical.toml @@ -72,7 +72,6 @@ nav = [ "development/recommendations.md", ] }, { "Packages" = [ - "development/overview.md", "development/build.md", ] }, { "Tests" = [ From 1ea13b2931bd772d6360bcce80e255cbd66e057d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 17:49:05 +0100 Subject: [PATCH 1326/1736] fix: make some aa toolings happy. Fix #1004 --- apparmor.d/groups/gnome/yelp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 2388d7cb9d..467c715629 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -10,7 +10,7 @@ include profile yelp @{exec_path} flags=(attach_disconnected) { include include - include # FIXME: In namespace> + include # FIXME: In namespace include include From 617c06d1cd63cce508bc8c098139e7214f08f002 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 18:12:58 +0100 Subject: [PATCH 1327/1736] fix(profile): integration with uncommon software. fix #1011 --- apparmor.d/groups/cups/cupsd | 2 ++ apparmor.d/groups/virt/dockerd | 1 + apparmor.d/profiles-s-z/update-initramfs | 1 + 3 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 557ade6d00..350336e4bd 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -80,6 +80,8 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{lib}/cups/monitor/* rix, @{lib}/cups/notifier/* rPx, + /usr/share/brother/Printers/*/cupswrapper/lpdwrapper rPUx, + /usr/share/cups/{,**} r, /usr/share/poppler/{,**} r, /usr/share/ppd/{,**} r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index aa89239d22..002e7cedf7 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -87,6 +87,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { /{,**} rwl, #aa:only apt @{att}@{lib}/containerd/** rw, + @{att}/var/lib/containerd/** rw, @{att}/var/lib/docker/{,**} rwk, /etc/docker/{,**} r, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 50f11caea5..ef53dd7701 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -32,6 +32,7 @@ profile update-initramfs @{exec_path} { @{bin}/dpkg-trigger rPx, @{bin}/ischroot rPx, + @{bin}/limine-mkinitcpio rPUx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, From d400b7669a6d829c9c9cf7ee7636210ecf938bd1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 18:16:30 +0100 Subject: [PATCH 1328/1736] fix(profile): allow more modern Hyprland to start. fix #993 --- apparmor.d/groups/kde/sddm | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index ad5fc299e0..67c062bad6 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -97,6 +97,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/kwin_wayland rPx, @{bin}/labwc rPx, @{bin}/sddm-greeter{,-qt6} rPx, + @{bin}/start-hyprland rPUx, @{bin}/startlxqt rPx, @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, From acaeb70708341c8a7afe9d08c428017c9d7f005a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 21:29:13 +0100 Subject: [PATCH 1329/1736] feat(profile): chromium new tmp location. --- apparmor.d/abstractions/common/chromium | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index afa15c04b4..23ab71f135 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -37,14 +37,14 @@ owner @{user_share_dirs}/.@{domain}.@{rand6} rw, @{tmp}/ r, - owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/*.@{image_ext} rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, - owner @{tmp}/.@{domain}.scoped_dir.@{rand6}/ rw, - owner @{tmp}/.@{domain}.scoped_dir.@{rand6}/SingletonCookie rw, - owner @{tmp}/.@{domain}.scoped_dir.@{rand6}/SingletonSocket rw, + owner @{tmp}/{,.}@{domain}.@{rand6} rw, + owner @{tmp}/{,.}@{domain}.@{rand6}/ rw, + owner @{tmp}/{,.}@{domain}.@{rand6}/*.@{image_ext} rw, + owner @{tmp}/{,.}@{domain}.@{rand6}/SingletonCookie rw, + owner @{tmp}/{,.}@{domain}.@{rand6}/SingletonSocket rw, + owner @{tmp}/{,.}@{domain}.scoped_dir.@{rand6}/ rw, + owner @{tmp}/{,.}@{domain}.scoped_dir.@{rand6}/SingletonCookie rw, + owner @{tmp}/{,.}@{domain}.scoped_dir.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, From 7a7cbf3aea7280b4e3d70bf32000c105230254c4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 21:34:08 +0100 Subject: [PATCH 1330/1736] feat(abs): small abstraction upgrade. --- apparmor.d/abstractions/app/flatpak | 7 ++++++- apparmor.d/abstractions/bus/session/org.freedesktop.Secret | 5 +++++ .../bus/session/org.freedesktop.portal.Desktop | 5 +++++ .../bus/session/org.freedesktop.portal.Settings | 5 +++++ apparmor.d/abstractions/devtools | 3 +++ apparmor.d/abstractions/flatpak/devices/all | 3 +++ apparmor.d/abstractions/gvfs-metadata | 3 +++ apparmor.d/groups/apparmor/aa-notify | 7 ++++--- apparmor.d/groups/virt/dockerd | 1 + 9 files changed, 35 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index f94caa4cbb..e08d788d3b 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -87,6 +87,8 @@ capability dac_override, capability dac_read_search, + unix (bind listen) type=seqpacket addr=@@{hex}, + unix type=seqpacket peer=(label=dbus-session), unix type=seqpacket peer=(label=fbwrap), unix type=seqpacket peer=(label=flatpak-portal), @@ -195,6 +197,10 @@ # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, + # Allow reading file descriptor info + owner @{PROC}/@{pid}/fdinfo/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/ r, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/fd/ r, @@ -231,7 +237,6 @@ owner @{PROC}/@{pid}/comm rk, owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret index 27b36f4ce7..0694ca9479 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -41,6 +41,11 @@ # org.freedesktop.Secret + dbus send bus=session path=/org/freedesktop/secrets/collection/** + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop index 7b1cae94a2..97c4c2f3e6 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop @@ -78,6 +78,11 @@ member=Close peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop/** + interface=org.freedesktop.portal.Request + member=Response + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings index 01cf21c46a..f14872a7fa 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings @@ -14,6 +14,11 @@ member=ReadAll peer=(name=@{busname}, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=SettingChanged + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devtools b/apparmor.d/abstractions/devtools index 20dc59c693..def31f614d 100644 --- a/apparmor.d/abstractions/devtools +++ b/apparmor.d/abstractions/devtools @@ -12,6 +12,9 @@ abi , + /usr/share/*@{devtools}*/ r, + /usr/share/*@{devtools}*/** r, + owner @{HOME}/.*@{devtools}* rw, owner @{HOME}/.*@{devtools}*/ rw, owner @{HOME}/.*@{devtools}*/** rwlk, diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index 5138e2ea59..b5e3dc7576 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -30,6 +30,9 @@ @{sys}/devices/@{pci}/ r, @{sys}/devices/** k, + @{sys}/devices/system/cpu/cpufreq/ r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/uid_map r, diff --git a/apparmor.d/abstractions/gvfs-metadata b/apparmor.d/abstractions/gvfs-metadata index a27cf2dd45..d2fb4120c2 100644 --- a/apparmor.d/abstractions/gvfs-metadata +++ b/apparmor.d/abstractions/gvfs-metadata @@ -9,6 +9,9 @@ owner @{user_share_dirs}/gvfs-metadata/root r, owner @{user_share_dirs}/gvfs-metadata/root-@{hex8}.log r, + owner @{user_share_dirs}/gvfs-metadata/home r, + owner @{user_share_dirs}/gvfs-metadata/home-@{hex8}.log r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 617ef9aa73..7ac24d9af2 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -47,9 +47,10 @@ profile aa-notify @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{word8} rw, owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mounts r, profile open { include diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 002e7cedf7..bfda7af7b5 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -113,6 +113,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, @{sys}/fs/cgroup/system.slice/docker.service/cpu.max r, + @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, From d3c39806a39363310bf9e355dcf2993fc39c04bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 21:41:54 +0100 Subject: [PATCH 1331/1736] feat(profile): small profiles upgrade. --- apparmor.d/groups/gnome/gnome-music | 1 + apparmor.d/groups/gnome/gnome-shell | 2 ++ apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/kde/okular | 10 +++++----- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/systemsettings | 6 ++---- apparmor.d/groups/network/iwd | 2 ++ apparmor.d/groups/ubuntu/software-properties-dbus | 9 +++------ apparmor.d/groups/ubuntu/software-properties-gtk | 1 + apparmor.d/groups/virt/cockpit-bridge | 2 ++ apparmor.d/profiles-g-l/gtk-update-icon-cache | 1 + apparmor.d/profiles-g-l/libreoffice | 2 +- 12 files changed, 22 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index ccd52c22ce..c3023750e3 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -10,6 +10,7 @@ include profile gnome-music @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8f9d127dc8..d429e07b7e 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -365,6 +365,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, + @{run}/polkit/agent-helper.socket rw, + @{run}/udev/tags/seat/ r, @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 64a8236ec0..8424a09138 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -56,6 +56,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { profile gstreamer { include include + include include if exists } diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index e2074795e2..42f83483d0 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -56,21 +56,21 @@ profile okular @{exec_path} { owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, - owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/okularpartrc.@{rand6} rwl, owner @{user_config_dirs}/okularpartrc.lock rwk, owner @{user_config_dirs}/okularrc rw, - owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/okularrc.@{rand6} rwl, owner @{user_config_dirs}/okularrc.lock rwk, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, - owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, + owner @{user_share_dirs}/okular/** rwlk, owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/@{hex12}@{h} w, # when opening pdf files as attchments in Thunderbird @@ -81,7 +81,7 @@ profile okular @{exec_path} { owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int}, owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index bb643a1de3..3079d502f6 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -199,6 +199,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/wallpapers/{,**} rw, owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/kickerstaterc r, owner @{user_state_dirs}/plasma/* r, owner @{user_state_dirs}/plasmashellstaterc rw, owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 91a0f9d136..c66ac6824c 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -84,8 +84,7 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/kinfocenter/{,**} rwlk, owner @{user_cache_dirs}/ksvg-elements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, - owner @{user_cache_dirs}/plasma_theme_*.kcache rw, - owner @{user_cache_dirs}/plasma-svgelements r, + owner @{user_cache_dirs}/plasma* rw, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, @@ -93,8 +92,7 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/*rc r, owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/{P,p}lasma* r, - owner @{user_config_dirs}/plasma-workspace/env/ r, - owner @{user_config_dirs}/plasma-workspace/shutdown/ r, + owner @{user_config_dirs}/plasma*/{,**} r, owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/powerdevilrc.lock rwk, owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index c9aa299916..015791f5bb 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -26,6 +26,8 @@ profile iwd @{exec_path} { @{exec_path} mr, @{sbin}/resolvconf rPx, + /etc/udev/hwdb.bin r, + /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 72e016573a..8f3cce65c3 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -11,10 +11,11 @@ profile software-properties-dbus @{exec_path} { include include include + include include include - #aa:dbus own bus=system name=com.ubuntu.SoftwareProperties + #aa:dbus own bus=system name=com.ubuntu.SoftwareProperties path=/ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -25,11 +26,6 @@ profile software-properties-dbus @{exec_path} { member=Introspect peer=(name=@{busname}, label=software-properties-gtk), - dbus receive bus=system path=/ - interface=com.ubuntu.SoftwareProperties - member=Reload - peer=(name=@{busname}, label=software-properties-gtk), - @{exec_path} mr, @{python_path} rix, @@ -38,6 +34,7 @@ profile software-properties-dbus @{exec_path} { @{bin}/lsb_release rPx, /etc/apt/apt.conf.d/10periodic w, + /etc/apt/sources.list.d/{,*} rw, /etc/apt/sources.list{,.save} rw, /usr/share/python-apt/{,**} r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 96e83b2819..229e8d577b 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -20,6 +20,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 292558abf7..7841088c1e 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -55,6 +55,8 @@ profile cockpit-bridge @{exec_path} { @{bin}/test ix, @{bin}/file ix, + @{bin}/virt-xml-validate PUx, + @{bin}/chage Px, @{sbin}/dmidecode Px, @{bin}/findmnt Px, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index 74d684a252..a7eeaf92f7 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -11,6 +11,7 @@ include profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include + include capability fowner, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 06affc4d27..9e8840b017 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -113,7 +113,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/soffice.bin??????.{4,6}.kioworker.socket l -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/soffice.bin@{rand6}.@{d}.kioworker.socket l -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, From c2db52e75c549e6387105286898be25574cbae8c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 21:45:27 +0100 Subject: [PATCH 1332/1736] feat(abs): add the backlight abstraction. --- apparmor.d/abstractions/backlight | 42 +++++++++++++++++++ apparmor.d/groups/freedesktop/upowerd | 14 +------ apparmor.d/groups/freedesktop/xorg | 4 +- apparmor.d/groups/gnome/gsd-power | 18 +------- apparmor.d/groups/kde/kauth-backlighthelper | 12 +----- .../groups/lxqt/lxqt-config-powermanagement | 13 +----- apparmor.d/groups/systemd/systemd-backlight | 17 +------- .../groups/xfce/xfpm-power-backlight-helper | 12 +----- apparmor.d/profiles-g-l/light | 12 +----- 9 files changed, 52 insertions(+), 92 deletions(-) create mode 100644 apparmor.d/abstractions/backlight diff --git a/apparmor.d/abstractions/backlight b/apparmor.d/abstractions/backlight new file mode 100644 index 0000000000..b351bbfef4 --- /dev/null +++ b/apparmor.d/abstractions/backlight @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow adjusting brightness of backlight and LEDs + + abi , + + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) + + @{sys}/class/ r, + @{sys}/class/backlight/ r, + @{sys}/class/leds/ r, + + @{sys}/devices/**/backlight/**/actual_brightness rw, + @{sys}/devices/**/backlight/**/brightness rw, + @{sys}/devices/**/backlight/**/brightness_hw_changed r, + @{sys}/devices/**/backlight/**/enabled r, + @{sys}/devices/**/backlight/**/max_brightness rw, + @{sys}/devices/**/backlight/**/type r, + @{sys}/devices/**/backlight/**/uevent r, + + @{sys}/devices/@{pci}/drm/card@{int}/**/actual_brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness_hw_changed r, + @{sys}/devices/@{pci}/drm/card@{int}/**/enabled r, + @{sys}/devices/@{pci}/drm/card@{int}/**/max_brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/type r, + @{sys}/devices/@{pci}/drm/card@{int}/**/uevent r, + + @{sys}/devices/**/leds/**/actual_brightness rw, + @{sys}/devices/**/leds/**/brightness rw, + @{sys}/devices/**/leds/**/brightness_hw_changed r, + @{sys}/devices/**/leds/**/enabled r, + @{sys}/devices/**/leds/**/max_brightness rw, + @{sys}/devices/**/leds/**/type r, + @{sys}/devices/**/leds/**/uevent r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index fbac9dd9c2..d95f53b39d 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -11,10 +11,12 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include + include include include include include + include capability net_admin, capability sys_admin, @@ -39,35 +41,23 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+serio:* r, # for serial mice @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/hid/devices/ r, - @{sys}/class/input/ r, - @{sys}/class/leds/ r, @{sys}/class/power_supply/ r, @{sys}/class/sound/ r, @{sys}/devices/ r, - @{sys}/devices/**/capabilities/* r, - @{sys}/devices/**/leds/**/brightness rw, - @{sys}/devices/**/leds/**/brightness_hw_changed r, - @{sys}/devices/**/leds/**/max_brightness r, @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, - - /dev/input/event* r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index c75db9e0e3..a7e493c435 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -13,6 +13,7 @@ include @{exec_path} += @{lib}/xorg/Xorg{,.wrap} profile xorg @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -116,9 +117,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/class/{tty,input,drm}/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness r, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/resource@{int} rw, @{sys}/devices/**/{uevent,name,id,config} r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 57633c0c96..0ee2867410 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,6 +10,7 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -46,28 +47,13 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/backlight/ r, - - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, - @{sys}/devices/**/leds/**/{uevent,type,enabled} r, - @{sys}/devices/**/leds/**/brightness_hw_changed r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 84684fa522..6f56c332f7 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}backlighthelper profile kauth-backlighthelper @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -22,17 +23,6 @@ profile kauth-backlighthelper @{exec_path} flags=(attach_disconnected) { /usr/share/icu/@{int}.@{int}/*.dat r, - @{sys}/class/backlight/ r, - @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement index a3da6c9a91..891ba9899b 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement @@ -10,28 +10,17 @@ include @{exec_path} = @{bin}/lxqt-config-powermanagement profile lxqt-config-powermanagement @{exec_path} { include + include include include @{exec_path} mr, - /etc/machine-id r, - owner @{user_config_dirs}/lxqt/#@{int} rw, owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - owner /tmp/@{int} r, /dev/tty rw, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index c1d283c943..8e4b96f23a 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/systemd/systemd-backlight profile systemd-backlight @{exec_path} flags=(attach_disconnected) { include + include include ptrace read peer=@{p_systemd}, @@ -20,29 +21,13 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. - @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/backlight/ r, @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, - @{sys}/devices/**/leds/**/{uevent,type,enabled} r, - @{sys}/devices/**/leds/**/brightness_hw_changed r, include if exists } diff --git a/apparmor.d/groups/xfce/xfpm-power-backlight-helper b/apparmor.d/groups/xfce/xfpm-power-backlight-helper index 236028f2e8..bfc58840bb 100644 --- a/apparmor.d/groups/xfce/xfpm-power-backlight-helper +++ b/apparmor.d/groups/xfce/xfpm-power-backlight-helper @@ -9,21 +9,11 @@ include @{exec_path} = @{bin}/xfpm-power-backlight-helper profile xfpm-power-backlight-helper @{exec_path} { include + include include @{exec_path} mr, - @{sys}/class/backlight/ r, - @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - include if exists } diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index 89279f6ed0..2687894573 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/light profile light @{exec_path} { include + include @{exec_path} mr, @@ -21,17 +22,6 @@ profile light @{exec_path} { owner @{user_config_dirs}/light/ rw, owner @{user_config_dirs}/light/** rw, - @{sys}/class/backlight/ r, - @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, - @{sys}/devices/**/leds/**/{uevent,type,enabled} r, - @{sys}/devices/**/leds/**/brightness_hw_changed r, - # file_inherit owner /dev/tty@{u8} rw, owner @{HOME}/.xsession-errors w, From 33a4c5ab12fff78a1c1ddcef83988fab42fde98e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 21:47:19 +0100 Subject: [PATCH 1333/1736] build: cleanup the flags manifests --- dists/flags/debian.flags | 7 +++++++ dists/flags/main.flags | 12 ------------ dists/flags/ubuntu.flags | 29 ++++++++++++++++++++++++++++- dists/flags/whonix.flags | 39 ++++++++++++++++++++++++++++++++------- 4 files changed, 67 insertions(+), 20 deletions(-) diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags index 5e29c01538..47069fabaa 100644 --- a/dists/flags/debian.flags +++ b/dists/flags/debian.flags @@ -1,16 +1,23 @@ apt-helper complain +apt-methods-sqv complain +deb-systemd-helper complain +deb-systemd-invoke complain +debconf-escape complain dhclient complain dhclient-script complain dpkg complain dpkg-architecture complain dpkg-buildflags complain dpkg-checkbuilddeps complain +dpkg-db-backup complain dpkg-deb complain dpkg-divert complain dpkg-genbuildinfo complain dpkg-genchanges complain +dpkg-maintscript-helper complain dpkg-preconfigure complain dpkg-query complain +dpkg-scripts complain dpkg-split complain dpkg-status complain dpkg-trigger complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9c07f7a12c..1d8575e796 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -22,7 +22,6 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain -apt-methods-sqv complain at complain atd complain auditctl attach_disconnected,complain @@ -70,9 +69,6 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain -deb-systemd-helper complain -deb-systemd-invoke complain -debconf-escape complain decibels complain dino attach_disconnected,complain discord attach_disconnected,complain @@ -83,13 +79,6 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain -dpkg-db-backup complain -dpkg-maintscript-helper complain -dpkg-script-apparmor complain -dpkg-script-kmod complain -dpkg-script-linux complain -dpkg-script-systemd complain -dpkg-scripts complain dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain @@ -403,7 +392,6 @@ wechat-appimage attach_disconnected,complain wg-quick complain whoopsie complain whoopsie-preferences complain -wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal-kde complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 2374988d59..3ef91cb190 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1,28 +1,55 @@ apport attach_disconnected,complain apport-checkreports complain apport-gtk complain -apt_news attach_disconnected,complain apt-esm-hook complain apt-esm-json-hook complain apt-helper complain +apt-methods-sqv complain +apt_news attach_disconnected,complain check-new-release-gtk complain +debconf-escape complain +deb-systemd-helper complain +deb-systemd-invoke complain +dhclient complain +dhclient-script complain do-release-upgrade complain +dpkg-architecture complain +dpkg-buildflags complain +dpkg-checkbuilddeps complain +dpkg complain +dpkg-db-backup complain +dpkg-deb complain +dpkg-divert complain dpkg-genbuildinfo complain +dpkg-genchanges complain +dpkg-maintscript-helper complain +dpkg-preconfigure complain +dpkg-query complain +dpkg-scripts complain +dpkg-split complain +dpkg-status complain +dpkg-trigger complain +dpkg-vendor complain esm_cache complain fanctl attach_disconnected,complain hwe-support-status complain +ifup complain list-oem-metapackages complain livepatch-notification complain +macchanger complain notify-reboot-required complain package-data-downloader complain package-system-locked attach_disconnected,complain release-upgrade-motd complain +run-parts complain software-properties-gtk attach_disconnected,complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain ubuntu-fan-net attach_disconnected,complain ubuntu-report complain +unattended-upgrade attach_disconnected,complain +unattended-upgrade-shutdown attach_disconnected,complain update-manager attach_disconnected,complain update-motd-fsck-at-reboot complain update-motd-updates-available complain diff --git a/dists/flags/whonix.flags b/dists/flags/whonix.flags index dc984d6906..7b0ddf6e13 100644 --- a/dists/flags/whonix.flags +++ b/dists/flags/whonix.flags @@ -1,19 +1,44 @@ anondate complain apt-helper complain +apt-methods-sqv complain +debconf-escape complain +deb-systemd-helper complain +deb-systemd-invoke complain +dhclient complain +dhclient-script complain +dpkg-architecture complain +dpkg-buildflags complain +dpkg-checkbuilddeps complain +dpkg complain +dpkg-db-backup complain +dpkg-deb complain +dpkg-divert complain dpkg-genbuildinfo complain -msgcollector complain +dpkg-genchanges complain +dpkg-maintscript-helper complain +dpkg-preconfigure complain +dpkg-query complain +dpkg-scripts complain +dpkg-split complain +dpkg-status complain +dpkg-trigger complain +dpkg-vendor complain +ifup complain +macchanger complain msgcollector-br-add complain +msgcollector complain msgcollector-generic-gui-message complain msgcollector-striphtml complain -msgdispatcher complain msgdispatcher-autostart complain +msgdispatcher complain msgdispatcher-delete complain msgdispatcher-dispatch complain open-link-confirmation complain -pam_faillock_not_if_x complain pam-abort-on-locked-password complain +pam_faillock_not_if_x complain pam-info complain rads complain +run-parts complain sdwdate attach_disconnected,complain sdwdate-clock-jump complain sdwdate-gui complain @@ -23,17 +48,17 @@ sensible-browser complain systemcheck-canary complain timesanitycheck complain tor-bootstrap-check complain -tor-consensus-valid-after complain torbrowser attach_disconnected,complain torbrowser-glxtest complain torbrowser-plugin-container complain torbrowser-start complain torbrowser-updater complain torbrowser-updater-permission-fix complain -torbrowser-updater-permission-fix complain torbrowser-vaapitest complain torbrowser-wrapper complain -torbrowser-wrapper complain +tor-consensus-valid-after complain +unattended-upgrade attach_disconnected,complain +unattended-upgrade-shutdown attach_disconnected,complain +whonix-firewalld complain whonix-firewall-edit complain whonix-firewall-restarter complain -whonix-firewalld complain From 1996f9660756682297b9745acbd60edebe105de7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 22:21:04 +0100 Subject: [PATCH 1334/1736] doc: minor cleanup. --- apparmor.d/abstractions/app/chromium | 3 +- apparmor.d/tunables/multiarch.d/programs | 15 ++++++-- docs/development/abstractions.md | 2 +- docs/development/guidelines.md | 45 ++++++++++++------------ docs/development/workflow.md | 3 -- 5 files changed, 38 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index b2e13643bf..6bc5eeb6a6 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -8,9 +8,10 @@ # NEEDS-VARIABLE: config_dirs # NEEDS-VARIABLE: cache_dirs + # A full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the -# header of the calling profile. Example: AAA +# header of the calling profile. # # !!! quote "[apparmor.d/groups/browsers/chromium](https://github.com/roddhjav/apparmor.d/blob/e979fe05b06f525e5a65c767b4eabe5600147355/apparmor.d/groups/browsers/chromium#L10-L14)" # diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 4a912a7134..9dc79230f0 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -4,10 +4,10 @@ # Define some some commonly used programs. This is not an exhaustive list. # It is meant to label programs to easily provide access in profiles. - +# # All variables that refer to a program name should have the `_name` suffix. # variables that refer to a list of progran should have the `_names` suffix. -# @{sh}, @{shells}, and @{coreutils} are the only exceptions. +# `@{sh}`, `@{shells}`, and `@{coreutils}` are the only exceptions. # Default distribution shells @{sh} = sh bash dash @@ -28,7 +28,16 @@ @{coreutils} += which{,.debianutils} # Various development tools -@{devtools} = ansible cargo gem go{,-*} just node npm pip pyright python ruby +# +# It is mostly used to easily define folder access in development tools profiles, +# not to allow execution. +# +# !!! warning +# +# Sensitive tools like git/ssh/gpg should not be included in `@{devtools}`. +# This should only contains core development tools like compilers, analysis tools, linters, debuggers etc. +# +@{devtools} = ansible cargo dlv gem go{,-*} just node npm pip pyright python ruby @{devtools} += rust typescript yarn # Python interpreters diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index cd82f5d219..3121e742b3 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -243,7 +243,7 @@ A minimal set of rules for all electron based UI applications. It works as a *fu ### **`common/game`** -Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction. +Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction. This abstraction uses the following tunables: diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index 98948dc36e..76e0e0aee9 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -4,9 +4,9 @@ title: Guidelines ## Common structure -AppArmor profiles can be written without any specific guidelines. However, when you work with over 1500 profiles, you need a common structure among all the profiles. +AppArmor profiles can be written without any specific guidelines. However, when you work with over 1500 profiles, you need a common structure among all the profiles. -The logic behind it is that if a rule is present in a profile, it should only be in one place, making it easier to review profiles. +The logic behind it is that if a rule is present in a profile, it should only be in one place, making it easier to review profiles. For example, if a program needs to run executable binaries then the rules allowing it can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It is therefore easy to ensure some profile features such as: @@ -15,16 +15,15 @@ For example, if a program needs to run executable binaries then the rules allowi It also improves compatibility and makes personalization easier thanks to the use of more variables. -## Guidelines +!!! danger "Why does it matter?" -!!! note + The structure presented below is more important than it looks. Without this it would be easy to miss some rules when reviewing profiles, making the whole system more opaque and less secure. - This profile guideline is still evolving, feel free to propose improvements - as long as they do not vary too much from the existing rules. +## Guidelines In order to ensure a common structure across the profiles, all new profile **must** follow the guidelines presented here. -The rules in the profile should be sorted in the rule ***block*** as follows: +The rules in the profile should be written in *blocks* of same rule type. Each *block* should be sorted in the profile as follows: | Order | Name | Example | |:-----:|:----:|:-------:| @@ -53,29 +52,30 @@ This rule order is taken from AppArmor with minor changes as we tend to: - Divide the file block into multiple subcategories - Put the block with the longer rules (`files`, `dbus`) after the other blocks -### The file block +### File sub-blocks -The file block should be sorted as follows: +The file block is usually the longest block in a profile. It should be written in sub-blocks of identical file types. +The file sub blocks **must** be sorted as follows. | Order | Description | Example | Link | |:-----:|:-----------:|:-------:|:------:| | **1** | The entry point of the profile | `@{exec_path} mr,` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/gnome/gdm#L67) | -| **2** | The binaries and library required | `@{bin}/`, `@{lib}/`, `/opt/`. It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules. | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/gnome/gdm#L69-L76) | -| **3** | The shared resources | `/usr/share` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/network/NetworkManager#L111-L120) | -| **4** | The system configuration | `/etc` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/network/NetworkManager#L111-L120) | -| **5** | The system data | `/`, `/var`, `/boot` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/gnome/tracker-extract#L83-L93) | -| **6** | The user data | `owner @{HOME}/` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/gnome/tracker-extract#L96-L98) | -| **7** | The user configuration, cache and dotfiles | `@{user_cache_dirs}`, `@{user_config_dirs}`, `@{user_share_dirs}` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/browsers/firefox#L179-L202) | -| **8** | Temporary and runtime data | `/tmp/`, `@{run}/`, `/dev/shm/` | [:octicons-link-external-24:]() | -| **9** | Sys files | `@{sys}/` | [:octicons-link-external-24:]() | -| **10** | Proc files | `@{PROC}/` | [:octicons-link-external-24:]() | -| **11** | Dev files | `/dev/` | [:octicons-link-external-24:]() | -| **12** | Deny rules | `deny` | [:octicons-link-external-24:]() | +| **2** | The binaries and library required | `@{bin}/`, `@{lib}/`, `/opt/`. It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules. | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/gnome/gdm#L69-L76) | +| **3** | The shared resources | `/usr/share` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/network/NetworkManager#L111-L120) | +| **4** | The system configuration | `/etc` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/network/NetworkManager#L111-L120) | +| **5** | The system data | `/`, `/var`, `/boot` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/gnome/tracker-extract#L83-L93) | +| **6** | The user data | `owner @{HOME}/` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/gnome/tracker-extract#L96-L98) | +| **7** | The user configuration, cache and dotfiles | `@{user_cache_dirs}`, `@{user_config_dirs}`, `@{user_share_dirs}` | [:octicons-link-external-24:](https://github.com/roddhjav/apparmor.d/blob/2e4788c51ef73798c0ac94993af3cd769723e8e4/apparmor.d/groups/browsers/firefox#L179-L202) | +| **8** | Temporary and runtime data | `/tmp/`, `@{run}/`, `/dev/shm/` | [:octicons-link-external-24:]() | +| **9** | Sys files | `@{sys}/` | [:octicons-link-external-24:]() | +| **10** | Proc files | `@{PROC}/` | [:octicons-link-external-24:]() | +| **11** | Dev files | `/dev/` | [:octicons-link-external-24:]() | +| **12** | Deny rules | `deny` | [:octicons-link-external-24:]() | -### The dbus block +### Dbus block -The dbus block should be sorted as follows: +Dbus rules must be written in a dedicated block just before the file block. The dbus block **must** be sorted as follows: - The system bus should be sorted *before* the session bus - The bind rules should be sorted *after* send & receive rules @@ -87,6 +87,7 @@ dbus send bus=session path=/org/freedesktop/DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), ``` + If there is no predictable label it can be omitted. ### Profile rules diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 7cc7c5616b..adabbe9c9b 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -119,9 +119,6 @@ just dev - Install the profile to `/etc/apparmor.d/` - Load the profile by restarting the AppArmor service. - -More advanced development, like editing the abstractions or working over multiple profiles at the same time requires installing the full development package. - For this individual profile installation to work, the full package needs to be installed, regardless of the installation method ([dev](#development-package) or [stable](../install.md)). ## Program Profiling From d7b40a917121931348f17f25615ddc9e662fc4e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 22:32:09 +0100 Subject: [PATCH 1335/1736] test(vm): update image definitions. --- tests/cloud-init/archlinux.yml | 5 +++++ tests/cloud-init/debian.yml | 10 ++++++++++ tests/cloud-init/debian13-gnome.user-data.yml | 2 ++ tests/cloud-init/debian13-kde.user-data.yml | 2 ++ .../cloud-init/debian13-server.user-data.yml | 4 ++++ tests/cloud-init/debian13-test.user-data.yml | 1 + .../cloud-init/ubuntu25.10-test.user-data.yml | 20 ------------------- 7 files changed, 24 insertions(+), 20 deletions(-) delete mode 100644 tests/cloud-init/ubuntu25.10-test.user-data.yml diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index d7fe78afc2..8662fc2ea9 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -26,6 +26,7 @@ gnome-packages: &gnome-packages - git - htop - just + - linux-firmware - man - pass - python-notify2 @@ -61,6 +62,7 @@ kde-packages: &kde-packages - git - htop - just + - linux-firmware - man - pass - python-notify2 @@ -97,6 +99,7 @@ lxqt-packages: &lxqt-packages - git - htop - just + - linux-firmware - man - pass - python-notify2 @@ -130,6 +133,7 @@ xfce-packages: &xfce-packages - git - htop - just + - linux-firmware - man - pass - python-notify2 @@ -165,6 +169,7 @@ cosmic-packages: &cosmic-packages - git - htop - just + - linux-firmware - man - pass - python-notify2 diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index ec9729df6b..c035f86ea6 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -84,3 +84,13 @@ kde-packages: &kde-packages - task-kde-desktop - plasma-workspace-wayland - terminator + +desktop-runcmd: &desktop-runcmd + # Enable auditd systemd socket + - systemctl enable systemd-journald-audit.socket + + # Install the default kernel and remove the cloud one + - apt install linux-image-amd64 linux-headers-amd64 + - apt remove --purge linux-image-$(uname -r) + - apt autoremove --purge + - update-grub diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml index 6b2080c466..2533afee84 100644 --- a/tests/cloud-init/debian13-gnome.user-data.yml +++ b/tests/cloud-init/debian13-gnome.user-data.yml @@ -2,6 +2,8 @@ packages: *gnome-packages +runcmd: *desktop-runcmd + write_files: - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml index cf2d6a9893..2540ad46c4 100644 --- a/tests/cloud-init/debian13-kde.user-data.yml +++ b/tests/cloud-init/debian13-kde.user-data.yml @@ -2,6 +2,8 @@ packages: *kde-packages +runcmd: *desktop-runcmd + write_files: - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml index bf95ccd18f..9e40454a66 100644 --- a/tests/cloud-init/debian13-server.user-data.yml +++ b/tests/cloud-init/debian13-server.user-data.yml @@ -2,6 +2,10 @@ packages: *core-packages +runcmd: + # Enable auditd systemd socket + - systemctl enable systemd-journald-audit.socket + write_files: - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-test.user-data.yml b/tests/cloud-init/debian13-test.user-data.yml index d3e088b072..57dba4089d 100644 --- a/tests/cloud-init/debian13-test.user-data.yml +++ b/tests/cloud-init/debian13-test.user-data.yml @@ -10,6 +10,7 @@ packages: - vim runcmd: + - systemctl enable systemd-journald-audit.socket - /usr/bin/setup-testbed - apt-get update diff --git a/tests/cloud-init/ubuntu25.10-test.user-data.yml b/tests/cloud-init/ubuntu25.10-test.user-data.yml deleted file mode 100644 index 1d20baf79b..0000000000 --- a/tests/cloud-init/ubuntu25.10-test.user-data.yml +++ /dev/null @@ -1,20 +0,0 @@ -#cloud-config - -packages: - - apparmor-profiles - - apparmor-utils - - auditd - - debian-keyring - - htop - - libpam-apparmor - - qemu-guest-agent - - vim - -runcmd: - - /usr/bin/setup-testbed - - apt-get update - -write_files: - - *systemd-netword # Network configuration for server - - *disable-printk-ratelimit # Disable printk rate limiting - - *setup-testbed # Autopkgtest setup-testbed script From 9313161aa970cb3de1954248cc2a1e8fa1845a9f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 22:56:15 +0100 Subject: [PATCH 1336/1736] test(packer): update imgae gen scripts to last changes. --- Justfile | 6 +++++- dists/docker.sh | 1 + tests/packer/builds.pkr.hcl | 4 ++-- tests/packer/init.sh | 7 ++++++- tests/packer/variables.pkr.hcl | 4 ++++ 5 files changed, 18 insertions(+), 4 deletions(-) diff --git a/Justfile b/Justfile index 49c6b431f0..6dac571e64 100644 --- a/Justfile +++ b/Justfile @@ -229,7 +229,11 @@ build-dpkg: (_ensure_pkgdest) if dpkg-vendor --is Ubuntu; then suffix="ubuntu1~$(lsb_release -sr)" elif dpkg-vendor --is Debian; then - suffix="1+deb$(lsb_release -sr)" + if [[ "$(lsb_release -sc)" == "forky" ]]; then + suffix="1+deb14" + else + suffix="1+deb$(lsb_release -sr)" + fi fi dch --urgency=medium --newversion="$version-$suffix" --distribution=`lsb_release -sc` --controlmaint "Release $version-$suffix" dpkg-buildpackage -b -d {{ if sign == "true" { "--sign-key=" + gpgkey } else { "--no-sign" } }} diff --git a/dists/docker.sh b/dists/docker.sh index 580fcf4549..595bf0de89 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -74,6 +74,7 @@ build_in_docker_makepkg() { build_in_docker_dpkg() { local img dist="$1" target="$1" release="$2" + [[ "$release" == 14 ]] && release="forky" if [[ "$dist" == whonix ]]; then dist=debian fi diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 1e34c6416b..ed71819ad7 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only locals { - name = "${var.prefix}${var.dist}${var.release}-${var.flavor}" + name = "${var.prefix}${var.dist}${var.release}-${var.flavor}" osinfo = "${var.dist}${var.release}" } @@ -60,7 +60,7 @@ build { "${path.cwd}/tests/packer/src/", "${path.cwd}/tests/packer/init.sh", "${path.cwd}/tests/packer/clean.sh", - "${path.cwd}/.pkg/${var.dist}/${var.release}/", + "${path.cwd}/.pkg/", ] } diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 225b1c2410..d6a04ebc60 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -32,7 +32,12 @@ main() { sudo -u "$SUDO_USER" pipx install rust-just sudo -u "$SUDO_USER" pipx ensurepath fi - dpkg -i $SRC/*.deb || true + if dpkg-vendor --is Ubuntu; then + suffix="ubuntu1~$(lsb_release -sr)" + elif dpkg-vendor --is Debian; then + suffix="1+deb$(lsb_release -sr)" + fi + dpkg -i $SRC/*-"${suffix}"*.deb || true ;; opensuse*) diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 7c96c2c7d8..b56b5406cb 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -103,6 +103,10 @@ variable "DM" { img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" } + "debian14" : { + img_url = "https://cdimage.debian.org/images/cloud/forky/daily/latest/debian-14-genericcloud-amd64-daily.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/forky/daily/latest/SHA512SUMS" + } "ubuntu24.04" : { img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" From 40d8ed766d0f5e4a5fa5902d1be8cb79242bf1f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 4 Feb 2026 23:37:23 +0100 Subject: [PATCH 1337/1736] feat(profile): internally handle xdg-settings in electron based profiles Also cleanup some on these profiles. --- apparmor.d/groups/network/mullvad-gui | 2 -- apparmor.d/profiles-a-f/cider | 18 ------------------ apparmor.d/profiles-a-f/discord | 4 +--- apparmor.d/profiles-a-f/element-desktop | 5 +---- apparmor.d/profiles-a-f/freetube | 4 ---- apparmor.d/profiles-g-l/linuxqq | 3 +-- apparmor.d/profiles-m-r/protonmail | 13 +++---------- apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/signal-desktop | 6 ------ apparmor.d/profiles-s-z/spotify | 1 - apparmor.d/profiles-s-z/superproductivity | 4 +--- apparmor.d/profiles-s-z/vesktop | 3 --- apparmor.d/profiles-s-z/wechat-appimage | 5 ----- apparmor.d/profiles-s-z/wechat-universal | 2 -- 14 files changed, 8 insertions(+), 64 deletions(-) diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index f5c165bdad..b4967031cd 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -26,9 +26,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, - @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 88411ceed7..a6e5dd9dbf 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -29,28 +29,10 @@ profile cider @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/ r, - @{lib_dirs}/** r, - @{lib_dirs}/libffmpeg.so mr, @{lib_dirs}/chrome-sandbox rPx, - @{bin}/xdg-settings rPx, - - owner @{user_config_dirs}/sh.cider.genten/ rw, - owner @{user_config_dirs}/sh.cider.genten/** rwk, owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/statm r, - include if exists } diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 2663bf64a7..a2505d449f 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -17,11 +17,11 @@ include profile discord @{exec_path} flags=(attach_disconnected) { include include + include include include include include - include network inet dgram, network inet6 dgram, @@ -35,7 +35,6 @@ profile discord @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/chrome-sandbox rix, @{bin}/lsb_release rPx, - @{bin}/xdg-mime rPx, @{open_path} rPx -> child-open-strict, /etc/ r, @@ -53,7 +52,6 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/discord-ipc-@{int} rw, owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/task/@{tid}/comm r, deny ptrace read, diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 036d78ad25..c449be3fb2 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -17,7 +17,6 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,9 +30,7 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, - @{open_path} Px -> child-open-strict, + @{open_path} rPx -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 6a3cf69448..81bc40a6ea 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -36,12 +36,8 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> freetube//&xdg-settings, @{open_path} rPx -> child-open-strict, - deny @{sys}/devices/@{pci}/usb@{int}/** r, - include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 5a204d219b..a3b236ea71 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -31,9 +31,8 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{sh_path} r, @{bin}/{,e}grep rix, @{lib_dirs}/resources/app/{,**} m, - @{open_path} rPx -> child-open-strict, - /etc/machine-id r, + @{open_path} rPx -> child-open-strict, @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index a36c8b5e65..dd74ae0e3b 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -24,19 +24,12 @@ profile protonmail @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace read peer=protonmail//&xdg-settings, + # I need a proof for this, it is not common for such a program + # io_uring sqpoll, @{exec_path} mrix, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> protonmail//&xdg-settings, - @{open_path} Px -> child-open, - - owner @{user_config_dirs}/ibus/bus/ r, - - @{sys}/devices/@{pci}/boot_vga r, - - owner @{tmp}/gtkprint_ppd_@{rand6} rw, + @{open_path} rPx -> child-open-strict, include if exists } diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 9e55d72045..266ac00be0 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -29,7 +29,7 @@ profile session-desktop @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr, - @{open_path} rPx -> child-open-strict, + @{open_path} rPx -> child-open-strict, deny / r, deny @{HOME}/ r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index a2e572cf76..eef6cca852 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -33,14 +33,8 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - ptrace read peer=signal-desktop//&xdg-settings, - @{exec_path} mrix, - @{lib_dirs}/chrome-sandbox rPx, - - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, @{open_path} rPx -> child-open-strict, @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index dda33df12f..8ad6c86353 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -48,7 +48,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} mr, - @{bin}/{,e}grep rix, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f37d3801a3..2293cc6f58 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -35,10 +35,8 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { @{bin}/gdbus rix, @{bin}/speech-dispatcher rPx, @{bin}/which{,.debianutils} rix, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> superproductivity//&xdg-settings, + @{open_path} rPx -> child-open-strict, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index 5232ffde78..eaced30326 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -43,9 +43,6 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/usb@{int}/**/interface r, - @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner /dev/ r, deny /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 335860d075..5f437fc18a 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -37,10 +37,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dirname rix, @{bin}/fusermount{,3} Cx -> fusermount, - @{bin}/{m,g,}awk rix, @{bin}/lsblk Px, - @{bin}/mkdir rix, - @{bin}/readlink rix, @{bin}/xdg-user-dir rix, @{bin}/ip rix, @{lib_dirs}/wechat-appimage.AppImage ix, @@ -54,8 +51,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, @{tmp}/.mount_wechat@{word6}/AppRun ix, - /etc/machine-id r, - @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index d9750c7b22..29d845bc37 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -33,14 +33,12 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rix, @{bin}/ln ix, @{bin}/lsblk Px, - @{bin}/mkdir ix, @{bin}/sed ix, @{bin}/xdg-user-dir rix, @{lib}/wechat-appimage.AppImage ix, @{open_path} Px -> child-open-strict, /etc/lsb-release r, - /etc/machine-id r, owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk, From 23256ac54e155897c00f8578a40449d6faf22f5d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Feb 2026 00:05:54 +0100 Subject: [PATCH 1338/1736] feat(profile): add common/xdg - Less deduplication in core xdg toolings - Simplify electron abs, ix due to nnp flag. --- apparmor.d/abstractions/common/electron | 10 ++++ apparmor.d/abstractions/common/xdg | 60 ++++++++++++++++++++++ apparmor.d/groups/freedesktop/xdg-email | 22 +------- apparmor.d/groups/freedesktop/xdg-mime | 41 ++------------- apparmor.d/groups/freedesktop/xdg-open | 17 +----- apparmor.d/groups/freedesktop/xdg-settings | 35 +------------ apparmor.d/groups/network/mullvad-gui | 2 - apparmor.d/profiles-g-l/linuxqq | 1 - apparmor.d/profiles-s-z/signal-desktop | 2 - apparmor.d/profiles-s-z/superproductivity | 2 - apparmor.d/profiles-s-z/wechat-universal | 1 - 11 files changed, 78 insertions(+), 115 deletions(-) create mode 100644 apparmor.d/abstractions/common/xdg diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 55444a0889..c3d26083ba 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -25,6 +25,7 @@ abi , include + include include include include @@ -32,6 +33,9 @@ include include + @{bin}/xdg-mime rix, + @{bin}/xdg-settings rix, + @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @@ -53,6 +57,11 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk, + # For direct integration with xdg-mime and xdg-settings + owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw, + owner @{user_share_dirs}/applications/{,**} rw, + owner @{user_config_dirs}/electron-flags.conf r, owner @{tmp}/.@{domain}.chrome_*.@{rand6}/{,**} rw, @@ -67,6 +76,7 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.high r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, # This is an information leak owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/abstractions/common/xdg b/apparmor.d/abstractions/common/xdg new file mode 100644 index 0000000000..99087cb84e --- /dev/null +++ b/apparmor.d/abstractions/common/xdg @@ -0,0 +1,60 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for XDG utilities like xdg-mime, xdg-settings, etc. + + abi , + + include + include + + #aa:only apparmor>=4.1 + priority=-1 @{sh_path} mrix, + + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/cut rix, + @{bin}/env rix, + @{bin}/file rix, + @{bin}/head rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/realpath rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sleep rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/tr rix, + @{bin}/umask rix, + @{bin}/uname rix, + @{bin}/wc rix, + + # To set/get DE information + @{bin}/gconftool{,-2} ix, + @{bin}/gio ix, + @{bin}/gnomevfs-info ix, + @{bin}/gvfs-info ix, + @{bin}/kde{,4}-config ix, + @{bin}/kfile ix, + @{bin}/kmimetypefinder{,5} ix, + @{bin}/ktraderclient{,5} ix, + @{bin}/kwriteconfig{,5,6} ix, + @{bin}/qtpaths ix, + @{bin}/qtxdg-mat ix, + + / r, + + @{PROC}/version r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index 30db08f329..f95c73bd91 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -10,34 +10,16 @@ include @{exec_path} = @{bin}/xdg-email profile xdg-email @{exec_path} flags=(attach_disconnected) { include - include - include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cut ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/sed ix, - @{bin}/tail ix, - @{bin}/tr ix, - @{bin}/uname ix, - - # To get DE information - @{bin}/kde{,4}-config ix, - @{bin}/gconftool{,-2} ix, - @{bin}/qtxdg-mat ix, - @{bin}/dbus-send Cx -> bus, @{bin}/gdbus Cx -> bus, @{bin}/kreadconfig{,5} Px, @{bin}/xdg-mime Px, @{bin}/xprop Px, + @{open_path} Px -> child-open-email, @{thunderbird_path} Px, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 0db78f7e8d..921dc99e8a 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -10,62 +10,27 @@ include @{exec_path} = @{bin}/xdg-mime profile xdg-mime @{exec_path} flags=(attach_disconnected) { include - include - include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cut ix, - @{bin}/file ix, - @{bin}/head ix, - @{bin}/mkdir ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/umask ix, - @{bin}/uname ix, - - # To query DE information - @{bin}/gio ix, - @{bin}/gnomevfs-info ix, - @{bin}/gvfs-info ix, - @{bin}/kde{,4}-config ix, - @{bin}/kfile ix, - @{bin}/kmimetypefinder{,5} ix, - @{bin}/ktraderclient{,5} ix, - @{bin}/qtpaths ix, - @{bin}/qtxdg-mat ix, - @{bin}/dbus-send Cx -> bus, @{bin}/kbuildsycoca{,5} Px, @{bin}/mimetype Px, @{bin}/vendor_perl/mimetype Px, @{bin}/xprop Px, - owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list{,.new} rw, owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, - @{PROC}/version r, - - /dev/tty rw, - # file_inherit deny /opt/*/** r, deny owner @{user_config_dirs}/*/** rw, deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - profile bus flags=(complain) { + profile bus flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index d737fd2672..e906a96827 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -13,26 +13,11 @@ include profile xdg-open @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include @{exec_path} r, - # xdg-open internal commands - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cut ix, - @{bin}/env ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/sed ix, - @{bin}/tr ix, - @{bin}/uname ix, - - # To get DE information - @{bin}/kde{,4}-config ix, - @{bin}/dbus-send Cx -> bus, @{bin}/gdbus Cx -> bus, @{bin}/xprop Px, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index fbd12945fc..2fb7db155c 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -10,37 +10,10 @@ include @{exec_path} = @{bin}/xdg-settings profile xdg-settings @{exec_path} flags=(attach_disconnected) { include - include - include + include @{exec_path} r, - @{sh_path} mr, - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat ix, - @{bin}/cut rix, - @{bin}/head ix, - @{bin}/mkdir ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath rix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/sleep ix, - @{bin}/sort ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/uname ix, - @{bin}/wc ix, - - # To set/get DE information - @{bin}/gconftool{,-2} ix, - @{bin}/kde{,4}-config ix, - @{bin}/kwriteconfig{,5,6} ix, - @{bin}/qtxdg-mat ix, - @{bin}/dbus-send Cx -> bus, @{bin}/kreadconfig{,5} Px, @{bin}/xdg-mime Px, @@ -49,11 +22,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw, owner @{user_share_dirs}/applications/{,**} rw, - @{PROC}/version r, - - owner /dev/pts/@{u16} rw, - - profile bus flags=(complain) { + profile bus flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index b4967031cd..ad90ed3664 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -29,8 +29,6 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-browsers, - @{att}@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/mullvad-vpn rw, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index a3b236ea71..caafdd40cc 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -34,7 +34,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, - @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index eef6cca852..5de577f143 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -37,8 +37,6 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, - @{att}@{run}/systemd/inhibit/@{int}.ref rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 2293cc6f58..959dffc163 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -38,8 +38,6 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - owner @{run}/user/@{uid}/speech-dispatcher/speechd.sock rw, include if exists diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 29d845bc37..dacbc6e41e 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -44,7 +44,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, - @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, @{PROC}/@{pid}/net/route r, From 7eefa7d56f35ee5a669f35908e93f8eac2bf6828 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Feb 2026 00:19:20 +0100 Subject: [PATCH 1339/1736] Release version 0.4903 --- PKGBUILD | 15 ++++++++++++++- debian/changelog | 6 ++++++ dists/apparmor.d.spec | 2 +- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 5d55b12c26..920421a0eb 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -9,7 +9,7 @@ pkgname=( # apparmor.d-base # apparmor.d-tools ) -pkgver=0.4902 +pkgver=0.4903 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') @@ -35,6 +35,19 @@ build() { } package_apparmor.d() { + # depends+=('apparmor.d-base' 'apparmor.d-tools') cd "$srcdir/$pkgbase" just destdir="$pkgdir" install } + +# package_apparmor.d-base() { +# pkgdesc="$pkgdesc (base abstractions, tunables, and booleans)" +# cd "$srcdir/$pkgbase" +# just destdir="$pkgdir" install-base +# } + +# package_apparmor.d-tools() { +# pkgdesc="$pkgdesc (userland toolings)" +# cd "$srcdir/$pkgbase" +# just destdir="$pkgdir" install-tools +# } diff --git a/debian/changelog b/debian/changelog index 1aba877a87..2177159806 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apparmor.d (0.4903-1) stable; urgency=medium + + * Release apparmor.d v0.4903 + + -- Alexandre Pujol Thu, 05 Feb 2026 00:19:20 +0100 + apparmor.d (0.4902-1) stable; urgency=medium * Release apparmor.d v0.4902 diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index a25d0c560f..ae7fa9dfb2 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -7,7 +7,7 @@ # Warning: for development only, use https://build.opensuse.org/package/show/home:cboltz/apparmor.d for production use. Name: apparmor.d -Version: 0.4902 +Version: 0.4903 Release: 1%{?dist} Summary: Set of over 1500 AppArmor profiles License: GPL-2.0-only From dcbafc3277802c4760098203635ca5b37734e06d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Feb 2026 13:25:32 +0100 Subject: [PATCH 1340/1736] feat(profile): restrict gvfsd profiles a bit. Replace deprecated freedesktop abs by more modern alternative. --- apparmor.d/groups/gvfs/gvfsd-archive | 1 - apparmor.d/groups/gvfs/gvfsd-dav | 1 - apparmor.d/groups/gvfs/gvfsd-mtp | 1 - apparmor.d/groups/gvfs/gvfsd-recent | 2 +- apparmor.d/groups/gvfs/gvfsd-sftp | 4 ++-- apparmor.d/groups/gvfs/gvfsd-smb | 1 - apparmor.d/groups/gvfs/gvfsd-trash | 2 +- 7 files changed, 4 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 5d72f2aaa2..a1f0e8c172 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -12,7 +12,6 @@ profile gvfsd-archive @{exec_path} { include include include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index bf1144a0bc..705db09ad0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -13,7 +13,6 @@ profile gvfsd-dav @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index a280071053..2b8206f472 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -15,7 +15,6 @@ profile gvfsd-mtp @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 85822b6f44..b0d1972ef0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -12,8 +12,8 @@ profile gvfsd-recent @{exec_path} { include include include - include include + include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 8c91c29136..ae5358014f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -11,9 +11,9 @@ include profile gvfsd-sftp @{exec_path} { include include - include include - include + include + include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 906bef2c8b..34c098192e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -13,7 +13,6 @@ profile gvfsd-smb @{exec_path} { include include include - include network netlink raw, network inet stream, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index ac47b5cd8e..96955bed35 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -12,7 +12,7 @@ profile gvfsd-trash @{exec_path} { include include include - include + include include include From 091824339d69931f343f14c625b6b4dae917d55b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Feb 2026 13:27:10 +0100 Subject: [PATCH 1341/1736] fix(profile): ensure dbus-session can handle path in sbin. --- apparmor.d/groups/bus/dbus-session | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 29e97fd0b3..8d7419c190 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -54,6 +54,7 @@ profile dbus-session flags=(attach_disconnected) { @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx -> dbus-accessibility, @{bin}/** PUx, + @{sbin}/** PUx, @{lib}/** PUx, @{user_share_dirs}/*/** PUx, /usr/share/*/** PUx, From cc00f379da3856ebc6f6da1cd43af38d9a5d0ada Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Feb 2026 13:54:04 +0100 Subject: [PATCH 1342/1736] feat(profile): add initial version of vscode profile. --- apparmor.d/abstractions/app/code-extension | 27 +++ apparmor.d/groups/code/code | 194 +++++++++++++++++++++ apparmor.d/groups/code/code-extension-ltex | 54 ++++++ apparmor.d/groups/code/code-extensions | 82 +++++++++ apparmor.d/groups/code/code-shells | 73 ++++++++ dists/ignore/main.ignore | 3 +- 6 files changed, 432 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/abstractions/app/code-extension create mode 100644 apparmor.d/groups/code/code create mode 100644 apparmor.d/groups/code/code-extension-ltex create mode 100644 apparmor.d/groups/code/code-extensions create mode 100644 apparmor.d/groups/code/code-shells diff --git a/apparmor.d/abstractions/app/code-extension b/apparmor.d/abstractions/app/code-extension new file mode 100644 index 0000000000..cd28aff4ca --- /dev/null +++ b/apparmor.d/abstractions/app/code-extension @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs + + abi , + + network netlink raw, + + signal receive peer=code, + + unix (send receive) type=stream peer=(label=code), + + @{lib_dirs}/** mr, + + # Allow writting logs to vscode + owner @{config_dirs}/logs/{,**} w, + + # file_inherit + deny /usr/share/code/*.bin r, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code new file mode 100644 index 0000000000..bca1844eb0 --- /dev/null +++ b/apparmor.d/groups/code/code @@ -0,0 +1,194 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# !!! warning +# +# This profile is **not** installed by default as it breaks the POLA principle +# in the way to **will** cause some extension to not work: all extension +# that require privilege access to the system, like docker, kubernetes, +# remote ssh, VM, etc... will not work with this profile. +# +# **Architecture** +# +# The `code` profile stack define a "world" with generic rules of what should be +# allowed in an IDE and what is not: +# +# - **Allowed:** compilation, running code, debugging, git, ssh, network access, etc... +# in `@{user_projects_dirs}` +# - **Not allowed:** access to hardware, access to other users data, etc... +# +# We also ensure vscode can start a shell and we **confine** this shell to limit +# it to the same development related tasks. **Therefore, tasks such as installing +# system dependencies will not work.** +# + +abi , + +include + +@{name} = code{,-oss} vscode{,-oss} +@{config} = Code Code?-?OSS Code?-?Insiders +@{domain} = org.chromium.Chromium +@{lib_dirs} = @{lib}/@{name} /usr/share/@{name} +@{config_dirs} = @{HOME}/.@{name} @{user_config_dirs}/@{config} +@{ext_dirs} = @{config_dirs}/extensions +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} +profile code @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace read, + + signal send peer=claude, + signal send peer=code-extension-*, + signal send peer=code-extensions, + signal send peer=code-shells, + signal send peer=git, + signal send peer=gitstatusd, + + @{exec_path} mrix, + + @{bin}/rg rix, + @{bin}/env mr, + @{ldd_path} mrix, + @{lib_dirs}/** mr, + @{sh_path} r, + + # Extensions + priority=-10 /** Px -> code-extensions, + # # TODO: owner /** Px + + @{bin}/git Px, + @{open_path} Cx -> open, + + @{lib_dirs}/{,resources/}app/node_modules/** ix, + priority=1 @{lib_dirs}/{,resources/}app/node_modules/**/vsce-sign rCx -> sign, + + owner @{ext_dirs}/*/** mr, + owner @{ext_dirs}/anthropic.claude-code-*/** Px -> claude, + owner @{ext_dirs}/valentjn.vscode-ltex-*/** Px -> code-extension-ltex, + + # Terminal + # Some extension may need to run shells command directly. These command would also + # run trhough this shell profile, and may be limited by it. It is a feature. + @{shells_path} Px -> code-shells, + + /opt/ r, + + /etc/shells r, + /etc/lsb-release r, + + owner @{HOME}/ r, + owner @{HOME}/.claude/{,**} rw, + owner @{HOME}/@{XDG_SSH_DIR}/config r, + + owner @{user_config_dirs}/git/config r, + owner @{user_config_dirs}/git/ignore r, + + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl, + + owner @{user_cache_dirs}/Microsoft/ rw, + owner @{user_cache_dirs}/Microsoft/** rwlk, + owner @{user_cache_dirs}/typescript/ rw, + owner @{user_cache_dirs}/typescript/** rwlk, + + owner @{run}/user/@{uid}/@{name}-*.sock w, + owner @{run}/user/@{uid}/git-graph-askpass-@{rand32}.sock w, + + /var/tmp/ r, + + owner @{tmp}/@{name}-*/ rw, + owner @{tmp}/@{name}-*/** rwlk, + owner @{tmp}/@{user}-code-*/{,**} rw, + owner @{tmp}/exthost-@{hex6}.cpuprofile w, + owner @{tmp}/mcp-@{rand6}/{,**} rw, + owner @{tmp}/node-compile-cache/{,**} rw, + owner @{tmp}/ovsx-@{rand6}/{,**} rw, + owner @{tmp}/tmp-@{int}-@{rand12}/ w, + + @{PROC}/loadavg r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/comm w, + + /dev/ptmx rw, + + deny dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(label=bluetoothd), + + profile sign { + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + unix type=stream peer=(label=code), + + @{lib_dirs}/** mr, + + owner @{HOME}/.dotnet/corefx/cryptography/{,**} rw, + + owner @{config_dirs}/CachedExtensionVSIXs/* rk, + + owner @{tmp}/.@{domain}.@{rand6} rw, + owner @{tmp}/cdotnet-diagnostic-*-socket rw, + owner @{tmp}/clr-debug-pipe-* rw, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists + } + + profile open { + include + include + include + + @{browsers_path} Px, + @{file_explorers_path} Px, + @{bin}/snap Px, + @{bin}/flatpak Px, + + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + + owner @{user_projects_dirs}/** rw, + + include + owner @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/code/code-extension-ltex b/apparmor.d/groups/code/code-extension-ltex new file mode 100644 index 0000000000..06616e3dc0 --- /dev/null +++ b/apparmor.d/groups/code/code-extension-ltex @@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = code{,-oss} vscode{,-oss} +@{config} = Code Code?-?OSS Code?-?Insiders +@{config_dirs} = @{HOME}/.@{name} @{user_config_dirs}/@{config} +@{ext_dirs} = @{config_dirs}/extensions +@{lib_dirs} = @{ext_dirs}/valentjn.vscode-ltex-*/ + +@{exec_path} = @{lib_dirs}/** +profile code-extension-ltex @{exec_path} flags=(attach_disconnected) { + include + include + include + + network inet stream, + network inet6 stream, + + @{exec_path} mix, + + @{sh_path} ix, + @{bin}/dirname ix, + @{bin}/env r, + @{bin}/uname ix, + + owner @{HOME}/ r, + owner @{HOME}/.languagetool/{,**} r, + + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/**/ r, + + /tmp/ r, + owner @{tmp}/hsperfdata_@{user}/ rw, + owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{tmp}/jansi-*-libjansi.so rwm, + owner @{tmp}/jansi-*-libjansi.so.lck rw, + + @{PROC}/cgroups r, + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/net/ipv6_route r, + owner @{PROC}/@{pid}/coredump_filter rw, + owner @{PROC}/@{pid}/mountinfo r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/code/code-extensions b/apparmor.d/groups/code/code-extensions new file mode 100644 index 0000000000..4a5a8cdec8 --- /dev/null +++ b/apparmor.d/groups/code/code-extensions @@ -0,0 +1,82 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{devtools} += rust-analyzer harper-ls proc-macro-srv + +@{name} = code{,-oss} vscode{,-oss} +@{config} = Code Code?-?OSS Code?-?Insiders +@{config_dirs} = @{HOME}/.@{name} @{user_config_dirs}/@{config} +@{ext_dirs} = @{config_dirs}/extensions +@{lib_dirs} = @{ext_dirs}/ + +@{exec_path} = @{lib_dirs}/** +profile code-extensions @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + + ptrace trace peer=code-extensions, + + unix type=stream peer=(label=code-shells), + unix type=stream peer=(label=git), + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label=unconfined), + + @{exec_path} mrix, + @{sh_path} rix, + + @{bin}/* r, + + @{bin}/aa-log Px, + @{bin}/git Px, + @{bin}/htop Px, + @{bin}/journalctl Px, + @{bin}/lscpu Px, + @{bin}/ps Px, + + owner @{lib_dirs}/{,**/}__pycache__/ w, + owner @{lib_dirs}/{,**/}__pycache__/**.pyc{,*} w, + + owner @{user_config_dirs}/git/* r, + + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, + + @{sys}/devices/system/node/ r, + + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/net/ipv6_route r, + @{PROC}/@{pid}/net/tcp r, + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/coredump_filter rw, + owner @{PROC}/@{pid}/statm r, + + /tmp/ r, + owner @{tmp}/hsperfdata_@{user}/ rw, + owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{tmp}/jansi-*-libjansi.so rwm, + owner @{tmp}/jansi-*-libjansi.so.lck rw, + owner @{tmp}/proc-macro-*/ w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/code/code-shells b/apparmor.d/groups/code/code-shells new file mode 100644 index 0000000000..0bf4ef2a1a --- /dev/null +++ b/apparmor.d/groups/code/code-shells @@ -0,0 +1,73 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{devtools} += rust-analyzer harper-ls proc-macro-srv + +@{name} = code{,-oss} vscode{,-oss} +@{config} = Code Code?-?OSS Code?-?Insiders +@{config_dirs} = @{HOME}/.@{name} @{user_config_dirs}/@{config} +@{ext_dirs} = @{config_dirs}/extensions +@{lib_dirs} = @{ext_dirs}/ + +profile code-shells flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal send set=term peer=gitstatusd, + + ptrace read peer=git, + ptrace read peer=child-pager, + + @{shells_path} mrix, + + # TODO: Work in progress. This will be restricted later. + file, + + # Handle shell prompts, out of scope, thus unconfined + @{bin}/starship Cx -> helper, + + # Give glycin higher priority than `@{bin}/bwrap ix` got in the development abs + priority=10 @{bin}/bwrap Px -> :glycin:bwrap, + + # Well known programs used in shells, when we also have specific profiles for them + @{bin}/claude Px, + @{bin}/git Px, + @{bin}/htop Px, + @{bin}/ps Px, + @{bin}/aa-log Px, + /opt/claude-code/bin/claude Px, + + # Well known shells tools + priority=1 @{user_cache_dirs}/gitstatus/gitstatusd{,-*} Px, + priority=1 /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} Px, + + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, + + profile helper { + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index de1049f9ca..2b40a82580 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -9,7 +9,8 @@ apparmor.d/groups/_full man # Work in progress profiles -apparmor.d/groups/steam +apparmor.d/groups/code apparmor.d/groups/cosmic +apparmor.d/groups/steam dunst plasma-discover From ff2e9c0bfd75bc28d04a48603eb4eefd277ba4b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Feb 2026 14:12:16 +0100 Subject: [PATCH 1343/1736] feat(profile): initial profile for claude code. --- apparmor.d/profiles-a-f/claude | 241 +++++++++++++++++++++++++++++++++ dists/ignore/main.ignore | 1 + 2 files changed, 242 insertions(+) create mode 100644 apparmor.d/profiles-a-f/claude diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude new file mode 100644 index 0000000000..66db73bb31 --- /dev/null +++ b/apparmor.d/profiles-a-f/claude @@ -0,0 +1,241 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# !!! warning +# +# This profile is **not** installed by default as it breaks the POLA principle +# in the way it **will** break some cappabilities of claude. +# +# **Architecture** +# +# Similar to `code` and `code-extensions`, the `claude` profile stack define a "world" +# with generic rules of what should be allowed for an AI assistant and what is not. + +abi , + +include + +@{code_name} = code{,-oss} vscode{,-oss} +@{code_config} = Code Code?-?OSS Code?-?Insiders +@{code_config_dirs} = @{HOME}/.@{code_name} @{user_config_dirs}/@{code_config} +@{code_ext_dirs} = @{code_config_dirs}/extensions + +@{exec_path} = @{bin}/claude /opt/claude-code/bin/claude +@{exec_path} += @{user_share_dirs}/claude/versions/@{version} +@{exec_path} += @{code_ext_dirs}/anthropic.claude-code-*/resources/native-binary/claude +profile claude @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal send set=term peer=git, + signal receive set=term peer=code, + + unix (send receive) type=stream peer=(label=code), + unix (send receive) type=stream peer=(label=git), + + @{exec_path} mrix, + + @{bin}/git Px, + @{open_path} Px -> child-open-strict, + @{shells_path} Cx -> shell, + + @{bin}/env m, + @{bin}/rg ix, + @{bin}/uname ix, + @{bin}/which{,.debianutils} rix, + + # Nodes + @{bin}/node rix, + @{lib}/node_modules/npm/bin/npm-cli.js rix, + @{lib}/node_modules/npm/bin/npx-cli.js rix, + /usr/share/nodejs/npm/bin/npm-cli.js rix, + + # TODO: should transition to a dev/plugin profile, not the shell one + priority=-1 /** Cx -> shell, + + owner @{HOME}/ r, + owner @{HOME}/.claude.* rw, + owner @{HOME}/.claude.*/{,**} rw, + owner @{HOME}/.claude/ rw, + owner @{HOME}/.claude/** rwkl -> @{HOME}/.claude/**, + owner @{HOME}/.npm/_cacache/{,**} rw, + owner @{HOME}/.npm/_logs/{,**} rw, + owner @{HOME}/.npm/_npx/{,**} rw, + + # TODO: deny this as self update is an abberation + owner @{user_bin_dirs}/claude w, + owner @{user_bin_dirs}/claude.tmp.* rw, + + owner @{user_lib_dirs}/node_modules/{,**} r, + + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, + + owner @{user_cache_dirs}/claude/{,**} rw, + owner @{user_cache_dirs}/claude-cli-nodejs/ rw, + owner @{user_cache_dirs}/claude-cli-nodejs/** rwkl, + + owner @{user_state_dirs}/claude/{,**} rw, + + owner @{user_config_dirs}/git/ignore r, + owner @{user_config_dirs}/git/config r, + + owner @{user_share_dirs}/claude/{,**} rw, + + /tmp/ r, + owner @{tmp}/.@{hex16}-@{int8}.node mrw, + owner @{tmp}/claude{,-*} rw, + owner @{tmp}/claude{,-*}/{,**} rw, + owner @{tmp}/node-compile-cache/** rwlk, + owner @{tmp}/playwright-artifacts-@{rand6}/{,**} rw, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/memory.high r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/statm r, + + # Safety mechanisms + deny @{bin}/ssh x, + deny /etc/machine-id r, + deny / r, + deny /home/ r, + + # file_inherit + deny owner @{code_config_dirs}/logs/{,**} w, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + profile shell flags=(attach_disconnected) { + include + include + include + include + include + include + + capability sys_ptrace, + + # network inet6 stream port=1024-66666, # failed af match, MPC only + + network netlink raw, + + ptrace read, + + unix (send receive) type=stream peer=(label=claude), + + signal receive set=int peer=claude, + + priority=1 @{bin}/dpkg-query Px, + priority=1 @{bin}/flatpak Px -> claude//flatpak, + priority=1 @{bin}/git Px, + priority=1 @{bin}/journalctl Px, + priority=1 @{ldd_path} Px -> claude//ldd, + + owner @{HOME}/.claude/projects/*/@{uuid}.jsonl r, + owner @{HOME}/.claude/shell-snapshots/* rw, + + owner @{code_config_dirs}/logs/{,**} w, + + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwk, + + owner @{tmp}/claude-* w, + owner @{tmp}/claude-shell/ rw, + owner @{tmp}/claude-shell/** mix, + owner @{tmp}/claude-shell/** rwlk -> @{tmp}/claude/**, + owner @{tmp}/claude{,-code}/ r, + owner @{tmp}/claude{,-code}/** mix, + owner @{tmp}/claude{,-code}/** rwlk -> @{tmp}/claude/**, + + @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/tty/drivers r, + owner @{PROC}/@{pid}/environ r, # This raise the sys_ptrace capability requirement, only allowed on user processes + owner @{PROC}/@{pid}/loginuid r, + + # Safety mechanisms + deny @{bin}/poweroff x, + deny @{bin}/reboot x, + deny @{bin}/rm x, + deny @{bin}/rmdir x, + deny @{bin}/shutdown x, + deny @{bin}/ssh x, + deny /home/ r, + deny owner @{HOME}/ r, + + # file_inherit + deny /etc/debuginfod/ r, + deny owner @{code_config_dirs}/logs/{,**} w, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + include if exists + } + + profile flatpak { + include + + unix (send receive) type=stream peer=(label=claude), + + # Only runs: `flatpak --installations` + @{bin}/flatpak mr, + + # file_inherit + deny network netlink raw, + deny owner @{HOME}/.claude/** r, + deny owner @{code_config_dirs}/logs/** w, + deny owner @{user_projects_dirs}/** r, + deny owner @{user_config_dirs}/** r, + deny owner @{code_config_dirs}/logs/{,**} w, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + include if exists + } + + profile ldd { + include + include + include + + unix (send receive) type=stream peer=(label=claude), + + @{ldd_path} mrix, + + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/** mr, + + # file_inherit + deny network netlink raw, + deny owner @{HOME}/.claude/** r, + deny owner @{code_config_dirs}/logs/** w, + deny owner @{user_projects_dirs}/** r, + deny owner @{user_config_dirs}/** r, + deny owner @{code_config_dirs}/logs/{,**} w, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 2b40a82580..27a272325c 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -12,5 +12,6 @@ man apparmor.d/groups/code apparmor.d/groups/cosmic apparmor.d/groups/steam +claude dunst plasma-discover From 94a1ce42313f7aa6e36db1013a63c4ed8837f6e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Feb 2026 16:55:11 +0100 Subject: [PATCH 1344/1736] ci: minor tweak to gitlab-ci. --- .gitlab-ci.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index acbaff94de..78a8f2df83 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -179,7 +179,7 @@ preprocess-opensuse: - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -# Deploy the documentation +# Deploy the documentation # ------------------------ pages: @@ -193,9 +193,8 @@ pages: - pip install -r requirements.txt - bash dists/docstring.sh - zensical build --strict - - mv site public artifacts: paths: - - public + - site rules: - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH From b7f5395eb32e092d8ead2866c86044d48802bba3 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 5 Feb 2026 20:34:48 +0000 Subject: [PATCH 1345/1736] Remove trailing whitespace in start-hyprland --- apparmor.d/profiles-s-z/start-hyprland | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-s-z/start-hyprland diff --git a/apparmor.d/profiles-s-z/start-hyprland b/apparmor.d/profiles-s-z/start-hyprland new file mode 100644 index 0000000000..04df715a38 --- /dev/null +++ b/apparmor.d/profiles-s-z/start-hyprland @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 You +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/start-hyprland +profile start-hyprland @{exec_path} { + include + + signal receive set=term peer=sddm, + signal send set=term peer=hyprland, + + @{bin}/Hyprland rPx, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 0770e60de3e1a3ac5d8ec1d840935a573e2910fc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 7 Feb 2026 15:26:44 +0100 Subject: [PATCH 1346/1736] feat(profile): stop putting gstreamer plugin in subprofiles Plugins or not need the same kind of access. Thus the separation is useless. --- apparmor.d/abstractions/app/firefox | 11 +--- apparmor.d/groups/children/gstreamer | 56 ------------------- apparmor.d/groups/freedesktop/pulseaudio | 11 +--- apparmor.d/groups/gnome/decibels | 10 +--- apparmor.d/groups/gnome/gjs | 53 +----------------- apparmor.d/groups/gnome/gnome-boxes | 10 +--- apparmor.d/groups/gnome/gnome-clocks | 10 +--- apparmor.d/groups/gnome/gnome-contacts | 15 +---- apparmor.d/groups/gnome/gnome-control-center | 10 +--- apparmor.d/groups/gnome/localsearch | 27 +-------- .../groups/gnome/org.gnome.NautilusPreviewer | 11 +--- apparmor.d/groups/gnome/showtime | 10 +--- 12 files changed, 13 insertions(+), 221 deletions(-) delete mode 100644 apparmor.d/groups/children/gstreamer diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 4c9d77038e..7aa5ce1102 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -36,7 +36,7 @@ include include include - include + include include include include @@ -78,8 +78,6 @@ @{lib_dirs}/pingsender rPx, @{lib_dirs}/plugin-container rPx, - @{gstreamer_path} rCx -> gstreamer, - # Desktop integration @{bin}/lsb_release rPx, @@ -186,13 +184,6 @@ deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{PROC}/pressure/* r, - profile gstreamer { - include - include - - include if exists - } - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/gstreamer b/apparmor.d/groups/children/gstreamer deleted file mode 100644 index 5e473ed19d..0000000000 --- a/apparmor.d/groups/children/gstreamer +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Confine gstreamer related processes. - -# Note: This profile does not specify an attachment path because it is -# intended to be used only via "Px -> gstreamer" exec transitions from other profiles. - -abi , - -include - -profile gstreamer flags=(attach_disconnected,complain) { - include - include - include - include - include - include - include - include - include - include - include - include - - network (bind create getattr setopt getopt) netlink raw, - - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - @{gstreamer_path} mr, - - /usr/share/ladspa/rdf/{,**} r, - - owner @{DESKTOP_HOME}/.nv/ w, - owner @{DESKTOP_HOME}/.nv/ComputeCache/ w, - owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, - owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, - - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/devices/**/uevent r, - - @{PROC}/devices r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 295f59a5b8..74bb5d628f 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -24,7 +24,7 @@ profile pulseaudio @{exec_path} { include include include - include + include include include include @@ -60,8 +60,6 @@ profile pulseaudio @{exec_path} { @{lib}/@{multiarch}/pulse/gconf-helper rix, @{lib}/pulse-*/modules/*.so mr, - @{gstreamer_path} Cx -> gstreamer, - /usr/share/ladspa/rdf/{,*} r, /usr/share/pulseaudio/{,**} r, @@ -99,13 +97,6 @@ profile pulseaudio @{exec_path} { # file_inherit owner /dev/tty@{u8} rw, - profile gstreamer { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels index 2b966f8f86..2bb38dfd59 100644 --- a/apparmor.d/groups/gnome/decibels +++ b/apparmor.d/groups/gnome/decibels @@ -11,7 +11,7 @@ profile decibels @{exec_path} { include include include - include + include include @{exec_path} mr, @@ -19,7 +19,6 @@ profile decibels @{exec_path} { @{bin}/gjs-console rix, @{open_path} rPx -> child-open-help, - @{gstreamer_path} Cx -> gstreamer, /usr/share/org.gnome.Decibels/{,**} r, @@ -31,13 +30,6 @@ profile decibels @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - profile gstreamer { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 331e6ab764..9fe3731543 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -10,6 +10,7 @@ # to run it as executable with a specific script. # # This currently concerns: +# # - gnome-extension-ding (used to not be started as a module) # - org.gnome.ScreenSaver (simple dbus service) # - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) @@ -41,7 +42,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include include include - include + include unix type=stream peer=(label=gnome-shell), @@ -77,8 +78,6 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-control-center Px, @{bin}/nautilus Px, - @{gstreamer_path} Cx -> gstreamer, - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} Px, @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} Px, @@ -122,54 +121,6 @@ profile gjs @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - profile gstreamer { - include - include - include - include - include - include - include - include - include - include - include - include - include - - network (bind create getattr setopt getopt) netlink raw, - network receive netlink raw, - - unix (bind listen) type=seqpacket addr=@@{hex}, - - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - /usr/share/ladspa/rdf/{,**} r, - /usr/share/poppler/{,**} r, - - owner @{DESKTOP_HOME}/.nv/ w, - owner @{DESKTOP_HOME}/.nv/ComputeCache/ w, - owner @{DESKTOP_HOME}/.nv/ComputeCache/** rwk, - owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, - owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, - - owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, - owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, - - /tmp/ r, - /var/tmp/ r, - - @{sys}/devices/**/uevent r, - - @{PROC}/devices r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 9c46527989..f3523d510b 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -15,7 +15,7 @@ profile gnome-boxes @{exec_path} { include include include - include + include include include include @@ -35,7 +35,6 @@ profile gnome-boxes @{exec_path} { @{bin}/qemu-img rix, @{bin}/virsh rCx -> virsh, @{bin}/virtqemud rPUx, - @{gstreamer_path} Cx -> gstreamer, /usr/share/ladspa/rdf/{,*} r, /usr/share/osinfo/{,**} r, @@ -98,13 +97,6 @@ profile gnome-boxes @{exec_path} { include if exists } - profile gstreamer { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 3a7df96f01..6aad86f762 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -11,7 +11,7 @@ profile gnome-clocks @{exec_path} flags=(attach_disconnected) { include include include - include + include include include @@ -22,14 +22,6 @@ profile gnome-clocks @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{open_path} rPx -> child-open-help, - @{gstreamer_path} Cx -> gstreamer, - - profile gstreamer { - include - include - - include if exists - } include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index 90ed07096b..0c3d7db0e8 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -10,7 +10,7 @@ include profile gnome-contacts @{exec_path} { include include - include + include include include @@ -23,23 +23,12 @@ profile gnome-contacts @{exec_path} { #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon @{exec_path} mr, + @{open_path} Px -> child-open-help, - @{gstreamer_path} Cx -> gstreamer, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_share_dirs}/folks/relationships.ini r, - profile gstreamer { - include - include - - network netlink raw, - - @{sys}/class/ r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b4f37f4b92..8d6cc771b1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -16,7 +16,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -100,7 +100,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language2locale rix, /usr/share/language-tools/language-options rPUx, - @{gstreamer_path} Cx -> gstreamer, @{open_path} rPx -> child-open-any, /snap/*/@{int}/**.@{icon_ext} r, @@ -226,13 +225,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include if exists } - profile gstreamer { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index dddefa3fbc..b8fb5a0732 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -17,7 +17,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -38,8 +38,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{gstreamer_path} Cx -> gstreamer, - @{lib}/localsearch-extractor-3 ix, # nnp /usr/share/localsearch3/{,**} r, @@ -74,29 +72,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - profile gstreamer { - include - include - include - include - include - include - include - include - - network (bind create getattr setopt getopt) netlink raw, - network receive netlink raw, - - /usr/share/ladspa/rdf/{,**} r, - /usr/share/poppler/{,**} r, - - # No access to camera and microphone devices - deny /dev/video@{int} rw, - deny /dev/media@{int} rw, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 8424a09138..01b9454dbf 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -15,7 +15,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -26,7 +26,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{bin}/gjs-console r, @{open_path} rPx -> child-open-any, - @{gstreamer_path} Cx -> gstreamer, /usr/share/ladspa/rdf/{,**} r, /usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r, @@ -53,14 +52,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { /dev/ r, - profile gstreamer { - include - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/showtime b/apparmor.d/groups/gnome/showtime index 74995108c9..bca2a451ad 100644 --- a/apparmor.d/groups/gnome/showtime +++ b/apparmor.d/groups/gnome/showtime @@ -22,14 +22,13 @@ profile showtime @{exec_path} flags=(attach_disconnected) { include include include - include + include include include @{exec_path} mr, @{open_path} Px -> child-open-help, - @{gstreamer_path} Cx -> gstreamer, /usr/share/xml/iso-codes/{,**} r, @@ -40,13 +39,6 @@ profile showtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, - profile gstreamer { - include - include - - include if exists - } - include if exists } From b170cd1260c5938c415a2c1b2efa0bc1efd1cf53 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 7 Feb 2026 15:32:24 +0100 Subject: [PATCH 1347/1736] feat(profile): improve some inline documentation. --- apparmor.d/abstractions/app/chromium | 5 +-- apparmor.d/abstractions/common/electron | 16 ++++++---- apparmor.d/groups/_full/sd | 22 +++++++------ apparmor.d/groups/_full/sd-mount | 16 +++++----- apparmor.d/groups/_full/sd-umount | 16 +++++----- apparmor.d/groups/_full/sdu | 22 +++++++------ apparmor.d/groups/_full/systemd | 41 ++++++++++++++++--------- apparmor.d/groups/_full/systemd-user | 17 ++++++---- 8 files changed, 90 insertions(+), 65 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 6bc5eeb6a6..c20c73dbb2 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -8,7 +8,6 @@ # NEEDS-VARIABLE: config_dirs # NEEDS-VARIABLE: cache_dirs - # A full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the # header of the calling profile. @@ -167,6 +166,9 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, + # Allow reading of smaps_rollup, which is a summary of the memory use of a process + owner @{PROC}/@{pid}/smaps_rollup r, + # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_adj r, owner @{PROC}/@{pid}/oom_score_adj r, @@ -196,7 +198,6 @@ owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index c3d26083ba..6f70dd7704 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -81,6 +81,16 @@ # This is an information leak owner @{PROC}/@{pid}/mountinfo r, + # Provide statistical information about our own and other processes/threads + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + # Allow listing file descriptors for resource monitoring + owner @{PROC}/@{pid}/fd/ r, + # Allow reading of smaps_rollup, which is a summary of the memory use of a process owner @{PROC}/@{pid}/smaps_rollup r, @@ -93,18 +103,12 @@ owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/version r, @{PROC}/version_signature r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, # gvfs-metadata contains user-specific data that should not be readable by apps deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index bd64fdf525..9645a8f717 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -4,16 +4,18 @@ #aa:lint ignore=too-wide -# Part of the systemd (as PID 1) profile. - -# sd is a profile for SystemD-executor run as root, it is used to run all services -# files and to encapsulate stacked services profiles (hence the short name). -# It aims at reducing the size of the systemd profile. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/sd.d directory +# *Part of the `systemd` (as PID 1) profile.* +# +# `sd` is a profile for **S**ystem**D**-executor run as root, it is used to run +# all services files and to encapsulate stacked services profiles (hence the +# short name). +# +# It aims at reducing the size of the `systemd` profile. +# +# !!! info +# +# Distributions and other programs can add rules in the `usr/sd.d` directory +# abi , diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount index 1572a8f6de..a0b962b3de 100644 --- a/apparmor.d/groups/_full/sd-mount +++ b/apparmor.d/groups/_full/sd-mount @@ -2,14 +2,14 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Part of the systemd (as PID 1) profile. - -# sd-mount is a subprofile of sd responsible to handle mounting operation. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/sd-mount.d directory +# *Part of the `systemd` (as PID 1) profile.* +# +# `sd-mount` is a subprofile of `sd` responsible to handle mounting operation. +# +# !!! info +# +# Distributions and other programs can add rules in the `usr/sd-mount.d` directory +# abi , diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount index e5d67f0a95..c0518d1d35 100644 --- a/apparmor.d/groups/_full/sd-umount +++ b/apparmor.d/groups/_full/sd-umount @@ -2,14 +2,14 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Part of the systemd (as PID 1) profile. - -# sd-umount is a subprofile of sd responsible to handle unmounting operation. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/sd-umount.d directory +# *Part of the `systemd` (as PID 1) profile.* +# +# `sd-umount` is a subprofile of `sd` responsible to handle unmounting operation. +# +# !!! info +# +# Distributions and other programs can add rules in the `usr/sd-umount.d` directory +# abi , diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 51b2325ea6..65921a3ba2 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -2,16 +2,18 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Part of the systemd-user profile. - -# sdu is a profile for SystemD-executor run as User, it is used to run all services -# files and to encapsulate stacked services profiles (hence the short name). -# It aims at reducing the size of the systemd-user profile. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/sdu.d directory +# *Part of the `systemd-user` profile.* +# +# `sdu` is a profile for **S**ystem**D**-executor run as **U**ser, it is used to +# run all services files and to encapsulate stacked services profiles (hence the +# short name). +# +# It aims at reducing the size of the `systemd-user` profile. +# +# !!! info +# +# Distributions and other programs can add rules in the `usr/sdu.d` directory +# abi , diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index e3b654cdb5..a770b75d6c 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -5,13 +5,19 @@ # Profile for systemd (PID 1), it does not specify an attachment path because # it is directly loaded by systemd. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/systemd.d directory - +# +# !!! danger +# +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. +# +# !!! info +# +# Distributions and other programs can add rules in the `usr/systemd.d` directory +# # Overall architecture of the systemd profiles: +# +# ``` # systemd # PID 1, entrypoint, requires "Early policy" # ├── systemd # To restart itself # ├── systemd-generators-* # Systemd system and environment generators @@ -29,21 +35,26 @@ # ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) # ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) # └── sdu//systemctl # Internal user systemctl - +# ``` +# # Advantages: +# # - Differentiate systemd (PID 1) and `system --user` # - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. # - Allow the executor profiles to handle stacked profiles. # - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. # - Dedicated `sd-mount` profile for most mount from the unit services. - - -# TODO: rework this to get a controlled environment: -# - No global allow anymore: in high security environments, we must manage the list -# of program/service that can be started by systemd and ensure that they are all -# listed and confined. Programs not listed will not be able to start. -# - Outside common systemd service, the list may have to be automatically -# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` +# +# !!! warning "Work in Progress" +# +# This profile stack can be changed to provide a more controlled environment: +# +# - No global allow anymore: in high security environments, we must manage the list +# of program/service that can be started by systemd and ensure that they are all +# listed and confined. Programs not listed will not be able to start. +# - Outside common systemd service, the list may have to be automatically +# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` +# abi , diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 1164c05889..057076e5f0 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -6,12 +6,17 @@ # Profile for 'systemd --user', not PID 1 but the user manager for any UID. # It does not specify an attachment path because it is intended to be used only -# via "px -> systemd-user" exec transitions from the `systemd` profile. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/systemd-user.d directory +# via `px -> systemd-user` exec transitions from the `systemd` profile. +# +# !!! danger +# +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. +# +# !!! info +# +# Distributions and other programs can add rules in the `usr/systemd-user.d` directory +# abi , From 9b6d527a5b410ba3225536140dd05c90b1fa9630 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 7 Feb 2026 15:42:06 +0100 Subject: [PATCH 1348/1736] feat(profile): small improvment to debian profiles. fix #1016 --- apparmor.d/groups/apt/apt-methods-sqv | 6 ++++-- apparmor.d/groups/apt/dpkg | 1 + apparmor.d/profiles-a-f/dig | 2 ++ apparmor.d/profiles-m-r/needrestart | 2 ++ apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 1 + 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv index c53ff5925d..bc663e2443 100644 --- a/apparmor.d/groups/apt/apt-methods-sqv +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -28,8 +28,10 @@ profile apt-methods-sqv @{exec_path} { /usr/share/keyrings/ r, /usr/share/keyrings/*.{gpg,pgp,asc} r, - /etc/apt/trusted.gpg.d/ r, - /etc/apt/trusted.gpg.d/*.{gpg,asc} r, + /etc/apt/keyrings/ r, + /etc/apt/keyrings/*.{gpg,asc} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*.{gpg,asc}} r, owner /var/lib/apt/lists/{,**} r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index b23e36e25a..2874cb14ee 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -28,6 +28,7 @@ profile dpkg @{exec_path} { @{bin}/cat ix, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, + @{bin}/diff ix, @{bin}/rm ix, @{bin}/dpkg-deb px, diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index a8b482788e..916123ddc5 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -30,6 +30,8 @@ profile dig @{exec_path} { /tmp/batch_mode.dig r, + @{sys}/kernel/mm/transparent_hugepage/enabled r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 45f89c13de..85edcbee35 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -27,6 +27,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, + @{bin}/which{,.debianutils} rix, @{bin}/who rPx, @{lib}/needrestart/* rPx, @{python_path} rix, @@ -41,6 +42,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /etc/shadow r, / r, + /att/**/ r, @{efi}/ r, @{efi}/* r, /opt/*/** r, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index d7cc57d1a5..ad8b119274 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -16,6 +16,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, + @{bin}/find rix, @{sbin}/iucode_tool rix, /usr/share/misc/ r, From e10549006bfe5b979c60482127b5a9ef36d3b370 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 7 Feb 2026 15:54:09 +0100 Subject: [PATCH 1349/1736] feat(abs): revisit the common editor profile. --- apparmor.d/abstractions/app/editor | 28 ++++++++++-------------- apparmor.d/tunables/multiarch.d/programs | 2 +- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index b33dbc7f4d..bcf3dd65ae 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -10,34 +10,30 @@ include @{sh_path} rix, - @{bin}/nvim mrix, - @{bin}/sensible-editor mr, - @{bin}/vim* mrix, + @{editor_path} mrix, @{bin}/which{,.debianutils} rix, /usr/share/doc/{,**} r, - /usr/share/nvim/{,**} r, + /usr/share/@{editor_names}/{,**} r, /usr/share/terminfo/** r, - /usr/share/vim/{,**} r, - /etc/vim/{,**} r, - /etc/vimrc r, - /etc/xdg/nvim/* r, + /etc/@{editor_names}/{,**} r, + /etc/@{editor_names}rc r, + /etc/xdg/@{editor_names}/* r, owner @{HOME}/.selected_editor r, owner @{HOME}/.vim/{after/,}spell/{,**} rw, - owner @{HOME}/.vim/** r, - owner @{HOME}/.viminf@{c}{,.tmp} rw, - owner @{HOME}/.vimrc r, + owner @{HOME}/.@{editor_names}/** r, + owner @{HOME}/.@{editor_names}{,.tmp} rw, + owner @{HOME}/.@{editor_names}rc r, owner @{HOME}/ r, owner @{user_cache_dirs}/ r, - owner @{user_cache_dirs}/vim/{,**} rw, - owner @{user_config_dirs}/vim/{,**} r, - owner @{user_state_dirs}/nvim/{,**} rw, - owner @{user_config_dirs}/nvim/{,**} rw, + owner @{user_cache_dirs}/@{editor_names}/{,**} rw, + owner @{user_config_dirs}/@{editor_names}/{,**} rw, + owner @{user_state_dirs}/@{editor_names}/{,**} rw, - owner @{run}/user/@{uid}/nvim.* rw, + owner @{run}/user/@{uid}/@{editor_names}.* rw, include if exists diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 9dc79230f0..4c306eab3c 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -48,7 +48,7 @@ @{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop # Editors -@{editor_names} = sensible-editor vim{,.*} vim-nox11 nvim nano +@{editor_names} = nano nvim sensible-editor vim* @{editor_ui_names} = gnome-text-editor gedit mousepad # Pager From b042bce79e910f7037af269de01b79db4de8b1fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 7 Feb 2026 18:37:25 +0100 Subject: [PATCH 1350/1736] fix: simple ci fix. --- .gitlab-ci.yml | 3 ++- apparmor.d/groups/code/code | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 78a8f2df83..8babe0cb54 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -193,8 +193,9 @@ pages: - pip install -r requirements.txt - bash dists/docstring.sh - zensical build --strict + - mv site public artifacts: paths: - - site + - public rules: - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index bca1844eb0..d872c08d98 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -6,7 +6,7 @@ # # This profile is **not** installed by default as it breaks the POLA principle # in the way to **will** cause some extension to not work: all extension -# that require privilege access to the system, like docker, kubernetes, +# that require privilege access to the system, like docker, kubernetes, # remote ssh, VM, etc... will not work with this profile. # # **Architecture** From b3b832cb3a5a8878238a6ad56e284e876a1ff078 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Sat, 7 Feb 2026 10:09:30 +0100 Subject: [PATCH 1351/1736] discord: allow autostart .desktop creation Discord can enable autostart in "Linux settings" --- apparmor.d/profiles-a-f/discord | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index a2505d449f..d2e630e3fc 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -44,6 +44,7 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{user_pictures_dirs}/{,**} rwl, owner @{config_dirs}/@{version}/modules/** m, + owner @{user_config_dirs}/autostart/discord.desktop rw, owner "@{tmp}/Discord Crashes/" rw, owner @{tmp}/discord.sock rw, From 18fa7c182b241a818da6f794626a6e4df340a9c6 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 7 Feb 2026 19:23:48 +0000 Subject: [PATCH 1352/1736] Remove trailing whitespace on line 15 of start-hyprland --- apparmor.d/profiles-s-z/start-hyprland | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/start-hyprland b/apparmor.d/profiles-s-z/start-hyprland index 04df715a38..0fda42a09b 100644 --- a/apparmor.d/profiles-s-z/start-hyprland +++ b/apparmor.d/profiles-s-z/start-hyprland @@ -12,7 +12,7 @@ profile start-hyprland @{exec_path} { signal receive set=term peer=sddm, signal send set=term peer=hyprland, - + @{bin}/Hyprland rPx, @{exec_path} mr, From c872aade1b77aef26dd0e908a57f0b1204eb6dd1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 7 Feb 2026 21:04:10 +0100 Subject: [PATCH 1353/1736] feat(profile): update umu game stack. --- apparmor.d/abstractions/app/umu | 19 +++++++++++++++++-- apparmor.d/abstractions/wine | 4 ++++ apparmor.d/groups/umu/umu-run | 4 ++++ 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/umu b/apparmor.d/abstractions/app/umu index 6f813eb8eb..f7a403844d 100644 --- a/apparmor.d/abstractions/app/umu +++ b/apparmor.d/abstractions/app/umu @@ -6,8 +6,9 @@ abi , include - include + include include + include network inet dgram, network inet stream, @@ -18,6 +19,7 @@ signal (send receive) peer=umu-bwrap, signal (send receive) peer=umu-bwrap//&umu-game, signal (send receive) peer=umu-game, + signal (send receive) peer=umu-run, unix type=seqpacket peer=(label=umu-bwrap), unix type=stream peer=(label=umu-bwrap), @@ -52,6 +54,7 @@ @{bin}/steam-runtime-launcher-interface-@{int} ix, @{bin}/steam-runtime-system-info ix, @{bin}/steam-runtime-urlopen ix, + @{bin}/zenity ix, @{python_path} rix, @{run}/host/@{bin}/localedef ix, @{run}/host/@{sbin}/ldconfig ix, @@ -65,7 +68,8 @@ @{steam_share_dirs}/compatibilitytools.d/ r, @{steam_share_dirs}/compatibilitytools.d/*/ r, @{steam_share_dirs}/compatibilitytools.d/*/** mrix, # TODO: -> &wine ?, with namespace - + @{steam_share_dirs}/compatibilitytools.d/*/**.msi k, + @{runtime_dirs}/pressure-vessel/@{bin}/** ix, @{runtime_dirs}/pressure-vessel/@{lib}/** mr, @{runtime_dirs}/umu-shim rix, @@ -73,6 +77,8 @@ @{run}/host/@{lib}/**.dll m, @{run}/host/@{lib}/**.so* m, + /usr/share/zenity/{,**} r, + owner @{lib}/ r, owner /usr/local/lib/ r, owner /usr/local/lib/**/ r, @@ -85,15 +91,22 @@ owner /var/cache/fontconfig/** rwl, owner @{HOME}/.steam/steam.pid r, + owner @{HOME}/steam-@{int}.log rw, owner @{att}@{run}/user/@{uid}/bus rw, owner @{att}@{run}/user/@{uid}/pulse/native rw, + owner @{att}@{run}/user/@{uid}/wayland-@{int} rw, + + owner @{steam_share_dirs}/ r, + owner @{steam_share_dirs}/compatibilitytools.d/{,**/}__pycache__/ w, + owner @{steam_share_dirs}/compatibilitytools.d/{,**/}__pycache__/**.pyc.@{u64} w, owner @{runtime_dirs}/pressure-vessel/lib/@{multiarch}/steam-runtime-tools-0/libcap.so.2 mr, owner @{runtime_dirs}/var/tmp-@{rand6}/.ref rw, owner @{att}@{runtime_dirs}/var/tmp-@{rand6}/.ref rw, # file_inherit + @{user_share_dirs}/umu/steamrt3/VERSIONS.txt r, @{user_share_dirs}/umu/steamrt3/var/tmp-@{rand6}/usr/.ref rw, @{att}@{user_share_dirs}/umu/steamrt3/var/tmp-@{rand6}/usr/.ref rw, @@ -104,8 +117,10 @@ owner @{wineprefix_dirs}/ rw, owner @{wineprefix_dirs}/** rwk, + /tmp/ r, owner @{tmp}/pressure-vessel-libs-@{rand6}/{,**} rwlk, owner @{tmp}/pressure-vessel-locales-@{rand6}/{,**} rwlk, + owner @{tmp}/umu_crashreports/{,**} rw, @{run}/host/fonts-cache/{,**} r, @{run}/host/fonts/{,**} r, diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 6d93f70d33..58245a663c 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -16,7 +16,11 @@ owner @{tmp}/.wine-@{uid}/server-*/lock rwk, owner @{tmp}/.wine-@{uid}/server-*/socket rw, owner @{tmp}/.wine-@{uid}/server-*/tmpmap-@{hex8} mrw, + owner @{att}/@{tmp}/.wine-@{uid}/server-*/socket rw, + + owner @{tmp}/@{word8} rw, owner @{tmp}/protonfixes_test.log w, + owner @{tmp}/protonfixes-gtk-@{word8}/{,**} rw, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run index 435d62333f..2e325134e3 100644 --- a/apparmor.d/groups/umu/umu-run +++ b/apparmor.d/groups/umu/umu-run @@ -34,6 +34,10 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + signal send peer=umu-bwrap, + signal send peer=umu-bwrap//&umu-game, + signal send peer=umu-game, + @{exec_path} mr, @{sh_path} r, From 74f33c3a40640775c983b7cf210d53fd6fe90717 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 8 Feb 2026 18:56:07 +0100 Subject: [PATCH 1354/1736] feat(profile): update cockpit profiles. --- apparmor.d/groups/virt/cockpit-askpass | 4 ++++ apparmor.d/groups/virt/cockpit-bridge | 17 ++++++++++++----- apparmor.d/groups/virt/cockpit-session | 1 + apparmor.d/groups/virt/cockpit-ws | 6 +++++- apparmor.d/groups/virt/virtnetworkd | 4 +++- apparmor.d/groups/virt/virtnodedevd | 2 ++ 6 files changed, 27 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/virt/cockpit-askpass b/apparmor.d/groups/virt/cockpit-askpass index b46a415ac3..d55edfc9a3 100644 --- a/apparmor.d/groups/virt/cockpit-askpass +++ b/apparmor.d/groups/virt/cockpit-askpass @@ -11,8 +11,12 @@ profile cockpit-askpass @{exec_path} { include include + unix (send receive) type=stream peer=(label=cockpit-bridge), + @{exec_path} mr, + owner @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 7841088c1e..662556059a 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,6 +11,7 @@ profile cockpit-bridge @{exec_path} { include include include + include include include include @@ -33,6 +34,8 @@ profile cockpit-bridge @{exec_path} { ptrace read, + unix (send receive) type=stream peer=(label=cockpit-askpass), + signal send set=term peer=cockpit-pcp, signal send set=term peer=dbus-daemon, signal send set=term peer=journalctl, @@ -41,21 +44,23 @@ profile cockpit-bridge @{exec_path} { signal (send receive) set=term peer=cockpit-bridge//sudo, #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, + @{python_path} ix, @{bin}/cat ix, @{bin}/date ix, + @{bin}/file ix, @{bin}/find ix, @{bin}/ip ix, - @{python_path} ix, @{bin}/test ix, - @{bin}/file ix, - @{bin}/virt-xml-validate PUx, + @{bin}/virt-xml PUx, + @{bin}/virt-xml-validate PUx, @{bin}/chage Px, @{sbin}/dmidecode Px, @@ -121,10 +126,12 @@ profile cockpit-bridge @{exec_path} { /dev/ptmx rw, - profile sudo { + profile sudo flags=(attach_disconnected) { include include + unix (send receive) type=stream peer=(label=cockpit-bridge), + signal (send receive) set=(cont hup term) peer=cockpit-bridge, @{bin}/cockpit-bridge Px, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index ec85b0230c..eaeb5c0544 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -61,6 +61,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /var/lib/lastlog/lastlog2.db rwk, /var/lib/lastlog/lastlog2.db-journal rw, + @{run}/systemd/io.systemd.Login rw, @{att}@{run}/systemd/sessions/*.ref rw, @{run}/cockpit/* r, diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index d4fb299fe7..adbb8c46a7 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -22,9 +22,13 @@ profile cockpit-ws @{exec_path} flags=(attach_disconnected) { /usr/share/pixmaps/{,**} r, /usr/share/plymouth/{,**} r, - @{run}/cockpit/session rw, + @{run}/cockpit/session rw, + @{att}@{run}/cockpit/session rw, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}@{run}/systemd/userdb/io.systemd.Machine rw, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 63e1314a94..8f73661525 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/virtnetworkd profile virtnetworkd @{exec_path} flags=(attach_disconnected) { include + include + include include network netlink raw, @@ -39,7 +41,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/meminfo r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 5d782b4a28..1a7b62e1e6 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/virtnodedevd profile virtnodedevd @{exec_path} flags=(attach_disconnected) { include + include + include include include include From 667283177f46c5d42d21deba6cb53e3ce4429f48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 8 Feb 2026 18:57:08 +0100 Subject: [PATCH 1355/1736] fix: linter issue. --- apparmor.d/abstractions/app/umu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/umu b/apparmor.d/abstractions/app/umu index f7a403844d..b97053cfb8 100644 --- a/apparmor.d/abstractions/app/umu +++ b/apparmor.d/abstractions/app/umu @@ -69,7 +69,7 @@ @{steam_share_dirs}/compatibilitytools.d/*/ r, @{steam_share_dirs}/compatibilitytools.d/*/** mrix, # TODO: -> &wine ?, with namespace @{steam_share_dirs}/compatibilitytools.d/*/**.msi k, - + @{runtime_dirs}/pressure-vessel/@{bin}/** ix, @{runtime_dirs}/pressure-vessel/@{lib}/** mr, @{runtime_dirs}/umu-shim rix, From 00c37ea5e06ff733127886deb567ffa2649b4f22 Mon Sep 17 00:00:00 2001 From: skarpinis Date: Sun, 8 Feb 2026 18:32:43 +0000 Subject: [PATCH 1356/1736] Add AppArmor profile start-hyprland (#1015) * Remove trailing whitespace in start-hyprland * Remove trailing whitespace on line 15 of start-hyprland --- apparmor.d/profiles-s-z/start-hyprland | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-s-z/start-hyprland diff --git a/apparmor.d/profiles-s-z/start-hyprland b/apparmor.d/profiles-s-z/start-hyprland new file mode 100644 index 0000000000..0fda42a09b --- /dev/null +++ b/apparmor.d/profiles-s-z/start-hyprland @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 You +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/start-hyprland +profile start-hyprland @{exec_path} { + include + + signal receive set=term peer=sddm, + signal send set=term peer=hyprland, + + @{bin}/Hyprland rPx, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From ad199d6ddecbf2f276d106f1d643920da9ba2e1a Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sun, 8 Feb 2026 19:08:31 +0000 Subject: [PATCH 1357/1736] start-hyprland adjustment --- apparmor.d/groups/kde/sddm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 67c062bad6..477682c7f7 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -97,7 +97,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/kwin_wayland rPx, @{bin}/labwc rPx, @{bin}/sddm-greeter{,-qt6} rPx, - @{bin}/start-hyprland rPUx, + @{bin}/start-hyprland rPx, @{bin}/startlxqt rPx, @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, From 2d68b1cc9172f8e8bd5c4f727da44a70072b96d9 Mon Sep 17 00:00:00 2001 From: skarpinis Date: Sun, 8 Feb 2026 20:24:30 +0000 Subject: [PATCH 1358/1736] sddm adjustment (#1020) * Remove trailing whitespace in start-hyprland * Remove trailing whitespace on line 15 of start-hyprland * start-hyprland adjustment --- apparmor.d/groups/kde/sddm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 67c062bad6..477682c7f7 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -97,7 +97,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/kwin_wayland rPx, @{bin}/labwc rPx, @{bin}/sddm-greeter{,-qt6} rPx, - @{bin}/start-hyprland rPUx, + @{bin}/start-hyprland rPx, @{bin}/startlxqt rPx, @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, From fe7e768c047747c7254290af6baee667bfa70199 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Mon, 9 Feb 2026 09:17:17 +0000 Subject: [PATCH 1359/1736] Minor fix for u2f --- apparmor.d/abstractions/devices-u2f | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f index e823d76e40..8ae8dccdc9 100644 --- a/apparmor.d/abstractions/devices-u2f +++ b/apparmor.d/abstractions/devices-u2f @@ -21,7 +21,7 @@ @{sys}/devices/**/usb@{int}/**/report_descriptor r, # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed - /dev/hidraw@{int} rw, + /dev/hidraw@{int} rwk, include if exists From 1074442b46c0693b0545f715b4445a6a61382253 Mon Sep 17 00:00:00 2001 From: moisesmsf Date: Mon, 9 Feb 2026 06:23:02 -0300 Subject: [PATCH 1360/1736] Missing dot (little typo fix) (#1021) --- docs/full-system-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index b3ebc240a6..7a87649091 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -159,7 +159,7 @@ In an even more secure environment, it can also be used to strictly limit the li !!! note "Profile requirement" - To work as intended, all privileged services **must** have a profile For a given distribution, the list of these services can be found under: + To work as intended, all privileged services **must** have a profile. For a given distribution, the list of these services can be found under: ``` /usr/lib/systemd/system/*.service /usr/lib/systemd/system-environment-generators/* From 81ba94e983a359b768ea379909b134c23b2e5678 Mon Sep 17 00:00:00 2001 From: skarpinis Date: Mon, 9 Feb 2026 09:24:09 +0000 Subject: [PATCH 1361/1736] Minor fix (#1022) * Minor fix for u2f --- apparmor.d/abstractions/devices-u2f | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f index e823d76e40..8ae8dccdc9 100644 --- a/apparmor.d/abstractions/devices-u2f +++ b/apparmor.d/abstractions/devices-u2f @@ -21,7 +21,7 @@ @{sys}/devices/**/usb@{int}/**/report_descriptor r, # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed - /dev/hidraw@{int} rw, + /dev/hidraw@{int} rwk, include if exists From d13e73bed5938555622c0a7caa39e72e5b6063d2 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Tue, 10 Feb 2026 22:36:26 +0100 Subject: [PATCH 1362/1736] Mullvad (#1018) * Update mullvad-gui Adding necessary paths * Update mullvad-setup Adding path in @{lib} * Update mullvad-gui Adding gesettings * Update mullvad-gui * Update mullvad-setup * Update mullvad-gui * Update apparmor.d/groups/network/mullvad-gui Remove trailing whitespace Co-authored-by: Alex --------- Co-authored-by: Alex --- apparmor.d/groups/network/mullvad-gui | 9 +++++---- apparmor.d/profiles-m-r/mullvad-setup | 4 ++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index ad90ed3664..92853bf1f8 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -6,13 +6,13 @@ abi , include -@{name} = Mullvad?VPN +@{name} = Mullvad?VPN mullvad-vpn @{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/@{name} +@{lib_dirs} = /opt/@{name} @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{lib_dirs}/mullvad-gui +@{exec_path} = @{lib_dirs}/mullvad-gui @{bin}/mullvad-vpn profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include include @@ -26,8 +26,9 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, + @{bin}/gsettings rPx, - @{open_path} rPx -> child-open-browsers, + @{open_path} rPx -> child-open-browsers, @{run}/mullvad-vpn rw, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index 4c34dee55f..974af1c115 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -6,8 +6,8 @@ abi , include -@{exec_path} = /opt/Mullvad*/resources/mullvad-setup -profile mullvad-setup @{exec_path} { +@{exec_path} = /opt/Mullvad*/resources/mullvad-setup @{lib}/mullvad-vpn/mullvad-setup +profile mullvad-setup @{exec_path} { include include From 294c4a7cec5d9fc1c32ffbe40da4ede4bc193ff2 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 11 Feb 2026 18:09:41 +0000 Subject: [PATCH 1363/1736] Minor adj for Nvidia --- apparmor.d/groups/virt/containerd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 1726b53036..cc0d23e098 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -65,6 +65,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /etc/cni/{,**} r, /etc/cni/net.d/ rw, /etc/containerd/*.toml r, + /etc/cdi/*.yaml r, /opt/containerd/{,**} rw, From 44e71440092641ce0f879510038a59f26e38218d Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 11 Feb 2026 19:02:59 +0000 Subject: [PATCH 1364/1736] hyprland profile adj --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index a9d976dd42..cfb3e25c8f 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -21,6 +21,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send, + signal receive set=term peer=start-hyprland, ptrace read, From 7f59872909299946432e74a872eb5a913bf3cd95 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 11 Feb 2026 19:21:29 +0000 Subject: [PATCH 1365/1736] docker-proxy minor changes --- apparmor.d/groups/virt/docker-proxy | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 9a8cbe3794..0b51f2e481 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -22,6 +22,8 @@ profile docker-proxy @{exec_path} { @{exec_path} mr, @{PROC}/sys/net/core/somaxconn r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/cgroup r, include if exists } From a95e1a65074a48191fa62afd1d04047f8799ec27 Mon Sep 17 00:00:00 2001 From: skarpinis Date: Wed, 11 Feb 2026 21:21:47 +0000 Subject: [PATCH 1366/1736] Minor tweak (#1024) * Minor adj for Nvidia * hyprland profile adj * docker-proxy minor changes --- apparmor.d/groups/hyprland/hyprland | 1 + apparmor.d/groups/virt/containerd | 1 + apparmor.d/groups/virt/docker-proxy | 2 ++ 3 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index a9d976dd42..cfb3e25c8f 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -21,6 +21,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send, + signal receive set=term peer=start-hyprland, ptrace read, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 1726b53036..cc0d23e098 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -65,6 +65,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /etc/cni/{,**} r, /etc/cni/net.d/ rw, /etc/containerd/*.toml r, + /etc/cdi/*.yaml r, /opt/containerd/{,**} rw, diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 9a8cbe3794..0b51f2e481 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -22,6 +22,8 @@ profile docker-proxy @{exec_path} { @{exec_path} mr, @{PROC}/sys/net/core/somaxconn r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/cgroup r, include if exists } From b4d7427a70d1f46a170e0b265f542fe5cd3a13cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Feb 2026 22:27:51 +0100 Subject: [PATCH 1367/1736] feat(abs): small update to core abstractions. --- apparmor.d/abstractions/bus-session | 3 ++- .../bus/system/org.freedesktop.NetworkManager | 5 +++++ .../bus/system/org.freedesktop.login1 | 5 +++++ apparmor.d/abstractions/development | 2 +- apparmor.d/abstractions/devices-usb-read | 19 ++++++++++--------- apparmor.d/abstractions/flatpak/devices/all | 2 +- apparmor.d/abstractions/fontconfig-cache | 1 + .../abstractions/fontconfig-cache-write | 2 +- apparmor.d/abstractions/gstreamer | 1 + 9 files changed, 27 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index a714d8fcdb..410dcb7238 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -4,7 +4,8 @@ abi , - unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, # dbus-daemon + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/user, # dbus-broker dbus send bus=session path=/{,org/freedesktop/{dbus,DBus}} interface=org.freedesktop.DBus diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager index 600f509958..754c02d09e 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.NetworkManager @@ -77,6 +77,11 @@ member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=state + peer=(name=@{busname}, label=NetworkManager), + # NetworkManager.Connection dbus receive bus=system path=/org/freedesktop/NetworkManager/*/@{int} diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.login1 b/apparmor.d/abstractions/bus/system/org.freedesktop.login1 index 8af3efeb1a..0241333e4e 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.login1 @@ -16,6 +16,11 @@ # DBus.Properties: receive property changed events dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=systemd-logind), + + dbus receive bus=system path=/org/freedesktop/login1{,/session/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=@{busname}, label="@{p_systemd_logind}"), diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index eae07691af..40ca462cd9 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -68,9 +68,9 @@ # Allow listing file descriptors for resource monitoring owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fd/@{int} rw, @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/fd/@{int} rw, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index cd095672bf..6bc067245f 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -13,18 +13,19 @@ @{sys}/bus/ r, @{sys}/bus/usb/ r, @{sys}/bus/usb/devices/ r, - @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/@{pci_bus}/uevent r, @{sys}/devices/**/uevent r, @{sys}/devices/**/usb@{int}/ r, - @{sys}/devices/**/usb@{int}/{,*/}bConfigurationValue r, - @{sys}/devices/**/usb@{int}/{,*/}busnum r, - @{sys}/devices/**/usb@{int}/{,*/}descriptors r, - @{sys}/devices/**/usb@{int}/{,*/}devnum r, - @{sys}/devices/**/usb@{int}/{,*/}manufacturer r, - @{sys}/devices/**/usb@{int}/{,*/}product r, - @{sys}/devices/**/usb@{int}/{,*/}serial r, + @{sys}/devices/**/usb@{int}/{,**/}bcdDevice r, + @{sys}/devices/**/usb@{int}/{,**/}bConfigurationValue r, + @{sys}/devices/**/usb@{int}/{,**/}bInterfaceNumber r, + @{sys}/devices/**/usb@{int}/{,**/}busnum r, + @{sys}/devices/**/usb@{int}/{,**/}descriptors r, + @{sys}/devices/**/usb@{int}/{,**/}devnum r, + @{sys}/devices/**/usb@{int}/{,**/}manufacturer r, + @{sys}/devices/**/usb@{int}/{,**/}product r, + @{sys}/devices/**/usb@{int}/{,**/}serial r, + @{sys}/devices/**/usb@{int}/{,**/}speed r, # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, # Identifies all USB devices diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index b5e3dc7576..014c931fa6 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -31,7 +31,7 @@ @{sys}/devices/** k, @{sys}/devices/system/cpu/cpufreq/ r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache index bcd2e3a743..7cdfa55947 100644 --- a/apparmor.d/abstractions/fontconfig-cache +++ b/apparmor.d/abstractions/fontconfig-cache @@ -60,6 +60,7 @@ owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, # {,.NEW,.LCK,.TMP-*} r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-reindex@{d}-@{int} rk, # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to # identify the font directory and is used to determine the cache filename if available. diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 6252c24921..ba54fdd792 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -52,7 +52,7 @@ owner @{HOME}/.fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, owner @{user_cache_dirs}/fontconfig/ w, - owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wlk, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index a192cc4663..fe43f8a030 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -16,6 +16,7 @@ @{lib}/frei0r-@{int}/*.so mr, /usr/share/gstreamer-1.0/presets/Gst*Enc.prs r, + /usr/share/ladspa/rdf/{,**} r, /usr/share/xml/iso-codes/*.xml r, /etc/openni2/OpenNI.ini r, From 2d883ef366729ee6d59fc7ab186063a6c2f94231 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Feb 2026 22:37:36 +0100 Subject: [PATCH 1368/1736] feat(profile): small update to some profiles. --- apparmor.d/groups/apt/dpkg-buildflags | 2 ++ apparmor.d/groups/apt/dpkg-genchanges | 1 + apparmor.d/groups/code/code | 10 ++++---- apparmor.d/groups/firewall/nft | 3 +++ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 ++- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gjs | 10 ++++---- apparmor.d/groups/gnome/gnome-extension-ding | 6 ++--- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gsd-media-keys | 5 ++++ apparmor.d/groups/gvfs/gvfsd | 1 + apparmor.d/groups/snap/snap | 2 ++ apparmor.d/groups/ssh/ssh-agent | 3 +++ apparmor.d/groups/systemd/systemd-machined | 12 +++++++--- apparmor.d/groups/systemd/systemd-resolved | 1 + .../ubuntu/ubuntu-advantage-notification | 1 + apparmor.d/groups/ubuntu/update-notifier | 1 + apparmor.d/groups/utils/blkid | 2 ++ apparmor.d/profiles-a-f/claude | 23 +++++++++++++++---- .../profiles-m-r/protonmail-bridge-core | 11 ++++----- apparmor.d/profiles-s-z/virt-manager | 2 +- 21 files changed, 74 insertions(+), 28 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index d6fdfacfb4..9667689e4c 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -28,6 +28,8 @@ profile dpkg-buildflags @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/dpkg/buildflags.conf r, + owner @{user_build_dirs}/**/debian/{,**} r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 7c7ad1681e..965ee9f6e3 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -25,6 +25,7 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rw, + owner @{user_pkg_dirs}/** rw, include if exists } diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index d872c08d98..66f333c3e6 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -48,6 +48,8 @@ profile code @{exec_path} flags=(attach_disconnected) { include include include + include + network inet dgram, network inet6 dgram, @@ -74,7 +76,6 @@ profile code @{exec_path} flags=(attach_disconnected) { # Extensions priority=-10 /** Px -> code-extensions, - # # TODO: owner /** Px @{bin}/git Px, @{open_path} Cx -> open, @@ -98,6 +99,7 @@ profile code @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, owner @{HOME}/.claude/{,**} rw, + owner @{HOME}/.copilot/{,**} rw, owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{user_config_dirs}/git/config r, @@ -133,9 +135,9 @@ profile code @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, deny dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(label=bluetoothd), + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(label=bluetoothd), profile sign { include diff --git a/apparmor.d/groups/firewall/nft b/apparmor.d/groups/firewall/nft index 4099e1d562..97b149bb6a 100644 --- a/apparmor.d/groups/firewall/nft +++ b/apparmor.d/groups/firewall/nft @@ -28,6 +28,9 @@ profile nft @{exec_path} flags=(attach_disconnected) { /etc/nftables.conf r, /etc/nftables/{,**} r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/netlink r, + @{PROC}/@{pid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 17cb86b4f6..59a12bba3b 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -26,8 +26,9 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { signal receive set=int peer=flatpak-portal, # By design xdg-dbus-proxy proxies and filters dbus communication from flatpak - # apps to the system. Thus, it can manage the full session bus. + # apps to the system. Thus, it can manage the full system and session buses. dbus bus=session, + dbus bus=system, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 69588b942a..24f092e72e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -29,7 +29,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings path=/org/freedesktop/portal/desktop label=xdg-desktop-portal dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Inhibit diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 9fe3731543..da09e51a49 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -30,8 +30,10 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include # Only needed by org.gnome.Shell.Extensions + include include include + include include # Only needed by gnome-extension-ding @@ -42,7 +44,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include include include - include + + network netlink raw, unix type=stream peer=(label=gnome-shell), @@ -82,8 +85,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} Px, /usr/share/gnome-shell/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, /usr/share/thumbnailers/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, owner @{HOME}/ r, @@ -116,9 +119,6 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/ r, - /dev/dri/ r, - deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index acc85f442a..6cb2a84473 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -51,10 +51,10 @@ profile gnome-extension-ding @{exec_path} { @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, + owner @{user_desktop_dirs}/{,**} r, + owner @{user_templates_dirs}/{,**} r, - owner @{user_share_dirs}/nautilus/scripts/ r, + owner @{user_share_dirs}/nautilus/scripts/{,**} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d429e07b7e..7ca2cc0458 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -27,6 +27,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 0a747a72c0..3bdafb5bce 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -37,6 +37,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=@{busname}), + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}), + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index e3e3edfaea..af6ba0761e 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -14,6 +14,7 @@ profile gvfsd @{exec_path} { include signal receive set=usr1 peer=pacman, + signal receive set=usr1 peer=pacman//pkill, #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index b1379160ad..308b454e2f 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -43,6 +43,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=io.snapcraft.Settings #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snapd-desktop-integration.snapd-desktop-integration #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -97,6 +98,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/snap.*/ w, owner @{run}/user/@{uid}/snapd-session-agent.socket rw, owner @{run}/user/@{uid}/systemd/notify rw, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index c7814bc116..b86c303571 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -24,6 +24,9 @@ profile ssh-agent @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, + owner @{HOME}/@{XDG_SSH_DIR}/agent/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/agent/* rw, + owner @{HOME}/.xsession-errors w, owner @{user_projects_dirs}/**/ssh/{,*} r, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index ff08812f93..0648cf56a4 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/systemd/systemd-machined profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include + include include include - include capability chown, capability dac_override, @@ -37,9 +38,11 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted ptrace read peer=@{p_systemd}, ptrace read peer=libvirtd, + ptrace read peer=mkosi, ptrace read peer=systemd-nspawn, unix type=stream addr=@@{udbus}/bus/systemd-machine/system, + unix type=stream addr=@@{udbus}/bus/systemd-machine/user, #aa:dbus own bus=system name=org.freedesktop.machine1 @@ -47,8 +50,6 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted @{exec_path} mr, - /etc/machine-id r, - / r, @{att}/ r, @@ -59,10 +60,15 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{run}/systemd/nspawn/locks/ w, owner @{run}/systemd/nspawn/locks/** rwk, + owner @{run}/user/@{uid}/systemd/machines/{,**} rwl, + owner @{run}/user/@{uid}/systemd/notify w, + @{run}/systemd/machine/{,**} rwl, @{run}/systemd/machines/{,**} rwl, @{run}/systemd/resolve.hook/{,**} rwl, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/systemd-machined.service/memory.pressure rw, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/gid_map r, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index cebae13eea..da30097baa 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -39,6 +39,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/io.systemd.Network rw, @{att}@{run}/systemd/netif/io.systemd.Network rw, + @{att}@{run}/systemd/resolve.hook/io.systemd.Network rw, @{run}/systemd/netif/links/* r, @{run}/systemd/resolve.hook/{,**} rw, @{run}/systemd/resolve/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 9e907e872f..421a005fc8 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -11,6 +11,7 @@ profile ubuntu-advantage-notification @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 31e4c14881..c752934e20 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -12,6 +12,7 @@ profile update-notifier @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 457b2d199b..3653d0d8da 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -45,6 +45,8 @@ profile blkid @{exec_path} flags=(attach_disconnected) { /dev/.blkid.tab{,-@{rand6}} rw, /dev/blkid.tab.old rwl -> /dev/blkid.tab, + /tmp/tmp.@{rand10}/mkinitramfs_*/cryptroot/crypttab w, + owner /dev/tty@{u8} rw, # file_inherit diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 66db73bb31..2116e89dee 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -22,6 +22,7 @@ include @{code_ext_dirs} = @{code_config_dirs}/extensions @{exec_path} = @{bin}/claude /opt/claude-code/bin/claude +@{exec_path} += @{user_bin_dirs}/claude @{exec_path} += @{user_share_dirs}/claude/versions/@{version} @{exec_path} += @{code_ext_dirs}/anthropic.claude-code-*/resources/native-binary/claude profile claude @{exec_path} flags=(attach_disconnected) { @@ -67,9 +68,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.claude.*/{,**} rw, owner @{HOME}/.claude/ rw, owner @{HOME}/.claude/** rwkl -> @{HOME}/.claude/**, - owner @{HOME}/.npm/_cacache/{,**} rw, - owner @{HOME}/.npm/_logs/{,**} rw, - owner @{HOME}/.npm/_npx/{,**} rw, + owner @{HOME}/.npm/{,**} rw, # TODO: deny this as self update is an abberation owner @{user_bin_dirs}/claude w, @@ -104,10 +103,12 @@ profile claude @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{uuid}.scope/memory.high r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/memory.high r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{PROC}/sys/vm/mmap_min_addr r, @{PROC}/version r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/statm r, @@ -140,12 +141,13 @@ profile claude @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=claude), - signal receive set=int peer=claude, + signal receive peer=claude, priority=1 @{bin}/dpkg-query Px, priority=1 @{bin}/flatpak Px -> claude//flatpak, priority=1 @{bin}/git Px, priority=1 @{bin}/journalctl Px, + priority=1 @{bin}/ps Px, priority=1 @{ldd_path} Px -> claude//ldd, owner @{HOME}/.claude/projects/*/@{uuid}.jsonl r, @@ -156,6 +158,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{user_projects_dirs}/ r, owner @{user_projects_dirs}/** rwk, + owner @{tmp}/*/{,**} rwlk, owner @{tmp}/claude-* w, owner @{tmp}/claude-shell/ rw, owner @{tmp}/claude-shell/** mix, @@ -164,7 +167,11 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{tmp}/claude{,-code}/** mix, owner @{tmp}/claude{,-code}/** rwlk -> @{tmp}/claude/**, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + @{PROC}/ r, + @{PROC}/version_signature r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/pid_max r, @@ -179,8 +186,16 @@ profile claude @{exec_path} flags=(attach_disconnected) { deny @{bin}/rmdir x, deny @{bin}/shutdown x, deny @{bin}/ssh x, + deny /etc/dpkg/dpkg.cfg r, + deny /etc/dpkg/dpkg.cfg.d/{,**} r, + deny /etc/pacman.conf r, + deny /etc/pacman.d/{,**} r, + deny /etc/rpm/{,**} r, + deny /var/lib/pacman/** r, + deny /var/lib/rpm/{,**} r, deny /home/ r, deny owner @{HOME}/ r, + deny owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, # file_inherit deny /etc/debuginfod/ r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index fc6102c6f9..3e80688dbc 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -15,9 +15,10 @@ include profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include include + include include - include include + include network inet dgram, network inet6 dgram, @@ -46,11 +47,9 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner @{tmp}/bridge@{int} rw, - @{PROC}/ r, - @{PROC}/1/cgroup r, - @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/ r, + @{PROC}/1/cgroup r, + @{PROC}/sys/net/core/somaxconn r, deny owner @{user_passwordstore_dirs}/** r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index e8f7d8d934..73e85726ef 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -79,9 +79,9 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/virt-manager/{,**} rw, # User VM images + @{user_vm_dirs}/{,**} rw, owner @{user_share_dirs}/ r, owner @{user_share_dirs}/libvirt/{,**} rw, - owner @{user_vm_dirs}/{,**} rw, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, From 57e4c3160ba30a5d2960ab5b7a8ce711811767bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Feb 2026 22:39:32 +0100 Subject: [PATCH 1369/1736] build: instead of fully replacing flags, only set profile mode. - This simplify the dist/flags directory - Allow to enforce profiles in otherwise complain system. --- cmd/prebuild/main.go | 3 -- pkg/builder/profile-mode.go | 90 +++++++++++++++++++++++++++++++++++++ pkg/prebuild/cli/cli.go | 3 ++ 3 files changed, 93 insertions(+), 3 deletions(-) create mode 100644 pkg/builder/profile-mode.go diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index f50853478e..b05e29a3d4 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -93,9 +93,6 @@ func main() { // Set distribution specificities Add(configure.NewConfigure()). - // Set flags as definied in dist/flags - Add(configure.NewSetFlags()). - // Overwrite dummy upstream profile Add(configure.NewOverwrite(false)). diff --git a/pkg/builder/profile-mode.go b/pkg/builder/profile-mode.go new file mode 100644 index 0000000000..544c55441d --- /dev/null +++ b/pkg/builder/profile-mode.go @@ -0,0 +1,90 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "fmt" + "regexp" + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/tasks" +) + +var ( + regProfileName = regexp.MustCompile(`(?m)^profile\s+(\S+)\s+`) + profileModes = []string{ + "enforce", "complain", "kill", "default_allow", "unconfined", "prompt", + } +) + +type ProfileMode struct { + tasks.BaseTask + modes map[string]string +} + +// NewProfileMode creates a new ProfileMode builder. +func NewProfileMode() *ProfileMode { + modes := make(map[string]string) + for _, name := range []string{"main", tasks.Distribution} { + for profile, flags := range prebuild.Flags.Read(name) { + if len(flags) > 0 { + modes[profile] = flags[0] + } + } + } + return &ProfileMode{ + BaseTask: tasks.BaseTask{ + Keyword: "profile-mode", + Msg: "Build: set modes (complain, enforce...) as definied in dist/flags", + }, + modes: modes, + } +} + +func (b ProfileMode) Apply(opt *Option, profile string) (string, error) { + matches := regProfileName.FindStringSubmatch(profile) + if matches == nil { + return profile, nil + } + + name := matches[1] + mode, present := b.modes[name] + if !present { + return profile, nil + } + if !slices.Contains(profileModes, mode) { + return profile, fmt.Errorf("unknown profile mode: %s", mode) + } + + return setMode(profile, mode) +} + +func setMode(profile string, mode string) (string, error) { + flags := []string{} + matches := regFlags.FindStringSubmatch(profile) + if len(matches) != 0 { + flags = strings.Split(matches[1], ",") + } + + // Remove all conflicting mode flags + flags = slices.DeleteFunc(flags, func(f string) bool { + return slices.Contains(profileModes, f) + }) + + // "enforce" is the default (no mode flag needed), otherwise add the mode + if mode != "enforce" { + flags = append(flags, mode) + } + + // Remove all flags definition, then set the new flags + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) > 0 { + flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" + profile = regProfileHeader.ReplaceAllLiteralString(profile, flagsStr) + } + return profile, nil +} diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 53bf0016db..e21704ea7e 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -125,6 +125,9 @@ func Configure(r *runtime.Runners) *runtime.Runners { r.RBAC = true } + // Set modes (complain, enforce...) as definied in dist/flags + r.Builders.Add(builder.NewProfileMode()) + if abi != nilABI { r.ABI = abi } From f3c7deec9a559c44bea4c9621414742d1ccd9854 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Feb 2026 22:43:52 +0100 Subject: [PATCH 1370/1736] build: update flags manifest to profile mode manifest. --- .../systemd-generator-fstab | 2 +- dists/flags/arch.flags | 4 +- dists/flags/debian.flags | 4 +- dists/flags/main.flags | 282 +++++++++--------- dists/flags/ubuntu.flags | 18 +- dists/flags/whonix.flags | 8 +- 6 files changed, 160 insertions(+), 158 deletions(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab index 5dcc4cb5be..c2e86205ed 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-fstab +++ b/apparmor.d/groups/systemd-generators/systemd-generator-fstab @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/system-generators/systemd-fstab-generator -profile systemd-generator-fstab @{exec_path} { +profile systemd-generator-fstab @{exec_path} flags=(attach_disconnected) { include include diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index 8910bb2805..a50c0b3a07 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags @@ -1,4 +1,4 @@ aurpublish complain makepkg complain -mkinitcpio attach_disconnected,complain -pacman attach_disconnected,complain +mkinitcpio complain +pacman complain diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags index 47069fabaa..f270d9e4c0 100644 --- a/dists/flags/debian.flags +++ b/dists/flags/debian.flags @@ -25,5 +25,5 @@ dpkg-vendor complain ifup complain macchanger complain run-parts complain -unattended-upgrade attach_disconnected,complain -unattended-upgrade-shutdown attach_disconnected,complain +unattended-upgrade complain +unattended-upgrade-shutdown complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 1d8575e796..ca3ef12544 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,8 +1,11 @@ -# Common profile flags definition for all distributions -# File format: one profile by line using the format: ' ' +# Common profile mode for all distributions +# File format: one profile mode by line using the format: ' ' -systemd attach_disconnected,mediate_deleted,complain -systemd-user attach_disconnected,mediate_deleted,complain +# FSP only +systemd complain +systemd-user complain +sd complain +sdu complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain @@ -24,9 +27,9 @@ akonadi_unifiedmailbox_agent complain anacron complain at complain atd complain -auditctl attach_disconnected,complain -auditd attach_disconnected,complain -augenrules attach_disconnected,complain +auditctl complain +auditd complain +augenrules complain avahi-autoipd complain avahi-browse complain avahi-publish complain @@ -39,13 +42,13 @@ cc-remote-login-helper complain cctk complain cockpit-askpass complain cockpit-bridge complain -cockpit-certificate-ensure attach_disconnected,complain +cockpit-certificate-ensure complain cockpit-certificate-helper complain cockpit-desktop complain -cockpit-session attach_disconnected,complain +cockpit-session complain cockpit-ssh complain -cockpit-tls attach_disconnected,complain -cockpit-ws attach_disconnected,complain +cockpit-tls complain +cockpit-ws complain cockpit-wsinstance-factory complain cups-backend-beh complain cups-backend-bluetooth complain @@ -67,16 +70,16 @@ cups-notifier-dbus complain cups-notifier-mailto complain cups-notifier-rss complain cups-pk-helper-mechanism complain -cupsd attach_disconnected,complain +cupsd complain ddcutil complain decibels complain -dino attach_disconnected,complain -discord attach_disconnected,complain +dino complain +discord complain discord-chrome-sandbox complain DiscoverNotifier complain -dkms attach_disconnected,complain +dkms complain dmsetup complain -dockerd attach_disconnected,complain +dockerd complain dolphin complain downloadhelper complain dracut-install complain @@ -84,41 +87,41 @@ drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain ephy-profile-migrator complain -epiphany attach_disconnected,complain +epiphany complain epiphany-webapp-provider complain evolution-user-prompter complain -fail2ban-client attach_disconnected,complain -fail2ban-server attach_disconnected,complain -fapp attach_disconnected,mediate_deleted,complain -fbwrap attach_disconnected,mediate_deleted,complain +fail2ban-client complain +fail2ban-server complain +fapp complain +fbwrap complain fdisk complain filezilla complain finalrd complain -firewall-applet attach_disconnected,complain +firewall-applet complain firewall-config complain flameshot complain -flatpak attach_disconnected,mediate_deleted,complain +flatpak complain flatpak-oci-authenticator complain -flatpak-session-helper attach_disconnected,mediate_deleted,complain +flatpak-session-helper complain flatpak-session-helper-app complain -flatpak-system-helper attach_disconnected,mediate_deleted,complain +flatpak-system-helper complain flatpak-validate-icon complain fuse-overlayfs complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain -gdm-session attach_disconnected,complain +gdm-session complain gdm-xsession complain gmenudbusmenuproxy complain gnome-browser-connector-host complain -gnome-control-center attach_disconnected,complain +gnome-control-center complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-extension-gsconnect attach_disconnected,complain +gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain gnome-remote-desktop-daemon complain -gnome-session-service attach_disconnected,complain +gnome-session-service complain grub-bios-setup complain grub-editenv complain grub-file complain @@ -127,7 +130,7 @@ grub-glue-efi complain grub-kbdcomp complain grub-macbless complain grub-menulst2cfg complain -grub-mkconfig attach_disconnected,complain +grub-mkconfig complain grub-mkdevicemap complain grub-mkfont complain grub-mkimage complain @@ -140,24 +143,24 @@ grub-mkstandalone complain grub-mount complain grub-multi-install complain grub-ntldr-img complain -grub-probe attach_disconnected,complain +grub-probe complain grub-reboot complain grub-render-label complain grub-script-check complain grub-set-default complain grub-syslinux2cfg complain -gsd-printer attach_disconnected,complain +gsd-printer complain gsd-wwan complain -gvfsd-dav attach_disconnected,complain -gvfsd-wsdd attach_disconnected,complain +gvfsd-dav complain +gvfsd-wsdd complain hostnamectl complain -hyprctl attach_disconnected,complain -hyprlock attach_disconnected,complain -hyprpaper attach_disconnected,complain +hyprctl complain +hyprlock complain +hyprpaper complain hyprpicker complain hyprpm complain ibus-engine-table complain -ibus-memconf attach_disconnected,complain +ibus-memconf complain im-launch complain iwctl complain iwd complain @@ -172,12 +175,12 @@ kauth-kded-smart-helper complain kauth-kinfocenter-dmidecode-helper complain kcminit complain kconf_update complain -kde-powerdevil attach_disconnected,mediate_deleted,complain +kde-powerdevil complain kde-systemd-start-condition complain kded complain kdestroy complain kdump_mem_estimator complain -kdump-config attach_disconnected,complain +kdump-config complain kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain @@ -188,64 +191,64 @@ kio_http_cache_cleaner complain kiod complain kioworker complain klist complain -konsole attach_disconnected,mediate_deleted,complain +konsole complain kscreen_backend_launcher complain kscreen_osd_service complain -ksmserver attach_disconnected,mediate_deleted,complain +ksmserver complain ksplashqml complain -kwin_wayland attach_disconnected,mediate_deleted,complain +kwin_wayland complain kwin_wayland_wrapper complain kwin_x11 complain landscape-sysinfo complain landscape-sysinfo.wrapper complain -language-validate attach_disconnected,complain +language-validate complain last complain lastlog complain -libreoffice attach_disconnected,complain,mediate_deleted +libreoffice complain libvirt-dbus complain -libvirtd attach_disconnected,complain -lightdm attach_disconnected,complain +libvirtd complain +lightdm complain lightdm-session complain linux-check-removal complain linux-update-symlinks complain locale-gen complain -localectl attach_disconnected,complain -localsearch attach_disconnected,complain +localectl complain +localsearch complain localsearch-control complain localsearch-writeback complain -login attach_disconnected,complain +login complain loginctl complain -low-memory-monitor attach_disconnected,complain -lsfd attach_disconnected,complain -lslocks attach_disconnected,complain -lsns attach_disconnected,complain -lvm attach_disconnected,complain +low-memory-monitor complain +lsfd complain +lslocks complain +lsns complain +lvm complain lvmconfig complain lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm attach_disconnected,complain +mdadm complain mdadm-mkconf complain -ModemManager attach_disconnected,complain -mount attach_disconnected,complain -multipath attach_disconnected,complain +ModemManager complain +mount complain +multipath complain multipathd complain needrestart-hook complain needrestart-notify complain needrestart-restart complain -netplan attach_disconnected,complain -networkctl attach_disconnected,complain +netplan complain +networkctl complain networkd-dispatcher complain nm-openvpn-service-openvpn-helper complain nm-priv-helper complain nmcli complain nvidia-detector complain nvidia-persistenced complain -ollama attach_disconnected,complain -os-prober attach_disconnected,complain +ollama complain +os-prober complain pam_kwallet_init complain -passimd attach_disconnected,complain +passimd complain pkla-admin-identities complain pkla-check-authorization complain pkttyagent complain @@ -253,51 +256,51 @@ plank complain plasma_waitforname complain plasma-browser-integration-host complain plasma-discover complain -plasmashell attach_disconnected,mediate_deleted,complain +plasmashell complain plymouth complain -plymouth-set-default-theme attach_disconnected,complain +plymouth-set-default-theme complain plymouthd complain -polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +polkit-kde-authentication-agent complain pollinate complain -ptyxis attach_disconnected,complain -ptyxis-agent attach_disconnected,complain +ptyxis complain +ptyxis-agent complain pycompile complain qdbus complain -remmina attach_disconnected,complain +remmina complain run-parts complain runuser complain rustdesk complain sdcv complain -sddm attach_disconnected,mediate_deleted,complain -sddm-greeter attach_disconnected,mediate_deleted,complain -secure-time-sync attach_disconnected,complain +sddm complain +sddm-greeter complain +secure-time-sync complain sftp-server complain sing-box complain -slirp4netns attach_disconnected,complain -snap attach_disconnected,complain +slirp4netns complain +snap complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-seccomp attach_disconnected,complain +snap-seccomp complain snap-update-ns complain snapd complain snapd-apparmor complain -snapshot attach_disconnected,complain +snapshot complain speech-dispatcher complain sshd-auth complain ssservice complain startplasma complain -startx attach_disconnected,complain -steam attach_disconnected,mediate_deleted,complain -steam-fossilize attach_disconnected,complain -steam-game-native attach_disconnected,complain -steam-game-proton attach_disconnected,complain -steam-gameoverlayui attach_disconnected,complain -steam-launch attach_disconnected,complain -steam-launcher attach_disconnected,complain -steam-runtime attach_disconnected,complain -steamerrorreporter attach_disconnected,complain -strawberry attach_disconnected,mediate_deleted,complain +startx complain +steam complain +steam-fossilize complain +steam-game-native complain +steam-game-proton complain +steam-gameoverlayui complain +steam-launch complain +steam-launcher complain +steam-runtime complain +steamerrorreporter complain +strawberry complain sulogin complain swtpm complain swtpm_ioctl complain @@ -306,56 +309,55 @@ swtpm_setup complain sysstat-sa complain sysstat-sadc complain systemd-ask-password complain -systemd-binfmt attach_disconnected,complain +systemd-binfmt complain systemd-cgls complain systemd-cgtop complain -systemd-cryptsetup attach_disconnected,complain -systemd-dissect attach_disconnected,complain +systemd-cryptsetup complain +systemd-dissect complain systemd-escape complain -systemd-generator-bless-boot attach_disconnected,complain -systemd-generator-cloud-init attach_disconnected,complain -systemd-generator-cryptsetup attach_disconnected,complain -systemd-generator-debug attach_disconnected,complain -systemd-generator-ds-identify attach_disconnected,complain +systemd-generator-bless-boot complain +systemd-generator-cloud-init complain +systemd-generator-cryptsetup complain +systemd-generator-debug complain +systemd-generator-ds-identify complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain -systemd-generator-environment-snapd attach_disconnected,complain -systemd-generator-friendly-recovery attach_disconnected,complain -systemd-generator-fstab attach_disconnected,complain -systemd-generator-getty attach_disconnected,complain -systemd-generator-gpt-auto attach_disconnected,complain -systemd-generator-hibernate-resume attach_disconnected,complain -systemd-generator-import attach_disconnected,complain -systemd-generator-integritysetup attach_disconnected,complain -systemd-generator-openvpn attach_disconnected,complain -systemd-generator-ostree attach_disconnected,complain -systemd-generator-rc-local attach_disconnected,complain -systemd-generator-run attach_disconnected,complain -systemd-generator-snapd attach_disconnected,complain -systemd-generator-ssh attach_disconnected,complain -systemd-generator-sshd-socket attach_disconnected,complain -systemd-generator-system-update attach_disconnected,complain -systemd-generator-sysv attach_disconnected,complain -systemd-generator-tpm2 attach_disconnected,complain -systemd-generator-user-autostart attach_disconnected,complain -systemd-generator-user-environment attach_disconnected,complain -systemd-generator-veritysetup attach_disconnected,complain -systemd-homed attach_disconnected,complain +systemd-generator-environment-snapd complain +systemd-generator-friendly-recovery complain +systemd-generator-fstab complain +systemd-generator-getty complain +systemd-generator-gpt-auto complain +systemd-generator-hibernate-resume complain +systemd-generator-import complain +systemd-generator-integritysetup complain +systemd-generator-openvpn complain +systemd-generator-ostree complain +systemd-generator-rc-local complain +systemd-generator-run complain +systemd-generator-snapd complain +systemd-generator-ssh complain +systemd-generator-sshd-socket complain +systemd-generator-system-update complain +systemd-generator-sysv complain +systemd-generator-tpm2 complain +systemd-generator-user-autostart complain +systemd-generator-user-environment complain +systemd-generator-veritysetup complain +systemd-homed complain systemd-homework complain -systemd-inhibit attach_disconnected,complain -systemd-initctl attach_disconnected,complain -systemd-journald attach_disconnected,mediate_deleted +systemd-inhibit complain +systemd-initctl complain systemd-mount complain -systemd-network-generator attach_disconnected,complain +systemd-network-generator complain systemd-portabled complain systemd-sleep-tlp complain systemd-socket-proxyd complain -systemd-udevd attach_disconnected,complain -systemd-user-sessions attach_disconnected,complain -systemd-userwork attach_disconnected,complain +systemd-udevd complain +systemd-user-sessions complain +systemd-userwork complain systemsettings complain telegram-desktop complain -totem attach_disconnected,complain +totem complain tracker-writeback complain ucf complain ucfq complain @@ -368,38 +370,38 @@ udev-fido_id complain udev-hdparm complain udev-probe-bcache complain udisksctl complain -udisksd attach_disconnected,complain +udisksd complain ufw complain update-catalog complain update-grub complain update-info-dir complain update-secureboot-policy complain update-shells complain -userdbctl attach_disconnected,complain -utempter attach_disconnected,complain +userdbctl complain +utempter complain veracrypt complain -virt-manager attach_disconnected,complain -virtinterfaced attach_disconnected,complain +virt-manager complain +virtinterfaced complain virtiofsd complain,attach_disconnected virtlockd complain virtnetworkd complain,attach_disconnected -virtnodedevd attach_disconnected,complain -virtsecretd attach_disconnected,complain -virtstoraged attach_disconnected,complain -waybar attach_disconnected,complain -wechat attach_disconnected,complain -wechat-appimage attach_disconnected,complain +virtnodedevd complain +virtsecretd complain +virtstoraged complain +waybar complain +wechat complain +wechat-appimage complain wg-quick complain whoopsie complain whoopsie-preferences complain -xdg-dbus-proxy attach_disconnected,complain +xdg-dbus-proxy complain xdg-desktop-icon complain xdg-desktop-portal-kde complain xdg-desktop-portal-rewrite-launchers complain -xdg-desktop-portal-validate-icon attach_disconnected,complain +xdg-desktop-portal-validate-icon complain xdm-xsession complain xembedsniproxy complain -xfce-session attach_disconnected,complain +xfce-session complain xsettingsd complain zpool complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 3ef91cb190..21485a53cb 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1,11 +1,11 @@ -apport attach_disconnected,complain +apport complain apport-checkreports complain apport-gtk complain apt-esm-hook complain apt-esm-json-hook complain apt-helper complain apt-methods-sqv complain -apt_news attach_disconnected,complain +apt_news complain check-new-release-gtk complain debconf-escape complain deb-systemd-helper complain @@ -31,7 +31,7 @@ dpkg-status complain dpkg-trigger complain dpkg-vendor complain esm_cache complain -fanctl attach_disconnected,complain +fanctl complain hwe-support-status complain ifup complain list-oem-metapackages complain @@ -39,18 +39,18 @@ livepatch-notification complain macchanger complain notify-reboot-required complain package-data-downloader complain -package-system-locked attach_disconnected,complain +package-system-locked complain release-upgrade-motd complain run-parts complain -software-properties-gtk attach_disconnected,complain +software-properties-gtk complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain -ubuntu-fan-net attach_disconnected,complain +ubuntu-fan-net complain ubuntu-report complain -unattended-upgrade attach_disconnected,complain -unattended-upgrade-shutdown attach_disconnected,complain -update-manager attach_disconnected,complain +unattended-upgrade complain +unattended-upgrade-shutdown complain +update-manager complain update-motd-fsck-at-reboot complain update-motd-updates-available complain update-notifier complain diff --git a/dists/flags/whonix.flags b/dists/flags/whonix.flags index 7b0ddf6e13..77ce5492a8 100644 --- a/dists/flags/whonix.flags +++ b/dists/flags/whonix.flags @@ -39,7 +39,7 @@ pam_faillock_not_if_x complain pam-info complain rads complain run-parts complain -sdwdate attach_disconnected,complain +sdwdate complain sdwdate-clock-jump complain sdwdate-gui complain sdwdate-start complain @@ -48,7 +48,7 @@ sensible-browser complain systemcheck-canary complain timesanitycheck complain tor-bootstrap-check complain -torbrowser attach_disconnected,complain +torbrowser complain torbrowser-glxtest complain torbrowser-plugin-container complain torbrowser-start complain @@ -57,8 +57,8 @@ torbrowser-updater-permission-fix complain torbrowser-vaapitest complain torbrowser-wrapper complain tor-consensus-valid-after complain -unattended-upgrade attach_disconnected,complain -unattended-upgrade-shutdown attach_disconnected,complain +unattended-upgrade complain +unattended-upgrade-shutdown complain whonix-firewalld complain whonix-firewall-edit complain whonix-firewall-restarter complain From 581f7234fb80a179500c42e5313577b647099707 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Feb 2026 22:49:11 +0100 Subject: [PATCH 1371/1736] doc: update profile mode section. --- docs/development/workflow.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/docs/development/workflow.md b/docs/development/workflow.md index adabbe9c9b..f00b57e4a8 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -172,21 +172,15 @@ After 2 or 3 iterations, you should have a working profile. ## Development Settings -### Profile flags +### Profile mode -Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. +Mode for all profiles (`complain`, `enforce`...) in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `. For instance, to move `adb` in *complain* mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: ```sh adb complain ``` -Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: -```sh -gnome-shell attach_disconnected,mediate_deleted,complain -``` - - ### Ignore profiles It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). From 3916036b408f6d9f324e964a3c50d10c3c574a7a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Feb 2026 22:53:39 +0100 Subject: [PATCH 1372/1736] Release apparmor.d v0.4904 --- PKGBUILD | 2 +- debian/changelog | 6 ++++++ dists/apparmor.d.spec | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 920421a0eb..16f2909094 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -9,7 +9,7 @@ pkgname=( # apparmor.d-base # apparmor.d-tools ) -pkgver=0.4903 +pkgver=0.4904 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') diff --git a/debian/changelog b/debian/changelog index 2177159806..1694bfe358 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apparmor.d (0.4904-1) stable; urgency=medium + + * Release apparmor.d v0.4904 + + -- Alexandre Pujol Wed, 11 Feb 2026 22:53:39 +0100 + apparmor.d (0.4903-1) stable; urgency=medium * Release apparmor.d v0.4903 diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index ae7fa9dfb2..63d4da9bc3 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -7,7 +7,7 @@ # Warning: for development only, use https://build.opensuse.org/package/show/home:cboltz/apparmor.d for production use. Name: apparmor.d -Version: 0.4903 +Version: 0.4904 Release: 1%{?dist} Summary: Set of over 1500 AppArmor profiles License: GPL-2.0-only From b9e6abcc92f8908f646675ed573b8ce3897f32e3 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 12 Feb 2026 11:55:36 +0000 Subject: [PATCH 1373/1736] small update to some profiles --- apparmor.d/groups/polkit/polkit-agent-helper | 4 +++- apparmor.d/groups/xfce/thunar | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index e35ff2599c..5c87e843d5 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -52,7 +52,9 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { @{run}/faillock/@{user} rwk, - @{PROC}/1/cgroup r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 8342374494..d39fc26c26 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -15,6 +15,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { include include include + include Date: Thu, 12 Feb 2026 12:17:22 +0000 Subject: [PATCH 1374/1736] Fix: missing >. --- apparmor.d/groups/xfce/thunar | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index d39fc26c26..09f8caa5a6 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -15,7 +15,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, From 7dac31ce50421c82e8b4afb23fd64b14e4d28cd4 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 12 Feb 2026 13:41:41 +0000 Subject: [PATCH 1375/1736] few more tweaks --- apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/xfce/thunar | 1 + apparmor.d/groups/xfce/thunar-volman | 1 + 4 files changed, 5 insertions(+) diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 1de7ee2638..7ca655007a 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -185,6 +185,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/module/compression r, @{sys}/module/nf_*/initstate r, + @{sys}/module/af_alg/uevent r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 0400b18472..91aa4e84e5 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -38,6 +38,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{sys}/power/state rw, + @{PROC}/sys/fs/nr_open r, + include if exists } diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 09f8caa5a6..86fd06a749 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -16,6 +16,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 41e098548e..4405d4d003 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -12,6 +12,7 @@ profile thunar-volman @{exec_path} { include include include + include network netlink raw, From bea196b718d7b0e6a7122d5a5c9a77366687b1e7 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 12 Feb 2026 19:57:53 +0000 Subject: [PATCH 1376/1736] hyprland profile --- apparmor.d/groups/hyprland/hyprland | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index cfb3e25c8f..f0e477b167 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -30,6 +30,8 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { /usr/share/hypr{,land}/{,*} r, /usr/share/libinput/{,*} r, + /etc/os-release r, + owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, From bec35d8f4f3fe38ff1f4f4d4b3dd1594c01dbadc Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 12 Feb 2026 20:12:55 +0000 Subject: [PATCH 1377/1736] include consoles --- apparmor.d/profiles-s-z/sbctl | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index a4fdbac88c..5d93bcc093 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -10,6 +10,7 @@ include profile sbctl @{exec_path} { include include + include capability dac_read_search, capability linux_immutable, From 34102ecc997b843e162f7d267b9a54cc358343b3 Mon Sep 17 00:00:00 2001 From: skarpinis Date: Fri, 13 Feb 2026 14:32:09 +0000 Subject: [PATCH 1378/1736] Fix typo in workflow documentation --- docs/development/workflow.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development/workflow.md b/docs/development/workflow.md index f00b57e4a8..f5bb7b0bc7 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -6,7 +6,7 @@ title: Workflow
-- :material-file-document:   **[Write a blanck profile](#add-a-blank-profile)** +- :material-file-document:   **[Write a blank profile](#add-a-blank-profile)**
From 424ebcd359f4039eab9e1da81ca99a9173da88db Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 13 Feb 2026 21:36:54 +0000 Subject: [PATCH 1379/1736] added cgroup read --- apparmor.d/groups/xfce/thunar | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 86fd06a749..feb7207d47 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -57,6 +57,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, # Silence non user's data deny @{efi}/{,**} r, From 3faf8bad38875530e3accacb128bd8e11869aac5 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 14 Feb 2026 14:59:19 +0000 Subject: [PATCH 1380/1736] fix for chrome --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index f0e477b167..8c42d5b6d5 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -43,6 +43,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/hypr/{,**} rw, owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.com.google.Chrome.@{rand6} rw, @{run}/systemd/sessions/@{int} r, From 3325580ba9450f47385732d1fb7f91d05fd386cc Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 14 Feb 2026 18:39:29 +0000 Subject: [PATCH 1381/1736] small change added --- apparmor.d/groups/virt/containerd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index cc0d23e098..63fcc503c2 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -65,6 +65,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /etc/cni/{,**} r, /etc/cni/net.d/ rw, /etc/containerd/*.toml r, + /etc/cdi/ r, /etc/cdi/*.yaml r, /opt/containerd/{,**} rw, From 3c03ccbcfc4bf0fd1e9cc52fa13a302ad7876cc6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Feb 2026 22:49:06 +0100 Subject: [PATCH 1382/1736] refractor(profile): move all code extension to the code group. --- .../groups/code/code-extension-git-askpass | 40 +++++++++++++++++++ .../groups/code/code-extension-git-editor | 34 ++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 apparmor.d/groups/code/code-extension-git-askpass create mode 100644 apparmor.d/groups/code/code-extension-git-editor diff --git a/apparmor.d/groups/code/code-extension-git-askpass b/apparmor.d/groups/code/code-extension-git-askpass new file mode 100644 index 0000000000..a590fe0156 --- /dev/null +++ b/apparmor.d/groups/code/code-extension-git-askpass @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = code{,-oss} vscode{,-oss} +@{config} = Code Code?-?OSS Code?-?Insiders +@{config_dirs} = @{HOME}/.@{name} @{user_config_dirs}/@{config} +@{ext_dirs} = @{config_dirs}/extensions +@{lib_dirs} = @{lib}/code/extensions/git + +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh +profile code-extension-git-askpass @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{lib}/electron@{int}/electron rix, + + /usr/share/terminfo/** r, + + owner @{tmp}/tmp.@{rand10} rw, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/code/code-extension-git-editor b/apparmor.d/groups/code/code-extension-git-editor new file mode 100644 index 0000000000..2fb50b2f6f --- /dev/null +++ b/apparmor.d/groups/code/code-extension-git-editor @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = code{,-oss} vscode{,-oss} +@{config} = Code Code?-?OSS Code?-?Insiders +@{config_dirs} = @{HOME}/.@{name} @{user_config_dirs}/@{config} +@{ext_dirs} = @{config_dirs}/extensions +@{lib_dirs} = @{lib}/code/extensions/git + +@{exec_path} = @{lib}/code/extensions/git/dist/git-editor.sh +profile code-extension-git-editor @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{lib}/electron@{int}/electron rix, + + owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw, + + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 7d74c59b36da224744604e7674c2ec56a8757a6b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Feb 2026 22:51:21 +0100 Subject: [PATCH 1383/1736] feat(abs): electron: generalize @{domain} folder Needed in recent electron as in chromium. --- apparmor.d/abstractions/common/electron | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 6f70dd7704..f885091b98 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -64,7 +64,7 @@ owner @{user_config_dirs}/electron-flags.conf r, - owner @{tmp}/.@{domain}.chrome_*.@{rand6}/{,**} rw, + owner @{tmp}/.@{domain}.*/{,**} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, From 21c42c05d95b1e0715566222a1275f85f611a133 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Feb 2026 23:01:52 +0100 Subject: [PATCH 1384/1736] feat(profile): minor update to various profiles. --- apparmor.d/groups/apt/dpkg-buildflags | 1 + apparmor.d/groups/apt/dpkg-vendor | 1 + apparmor.d/groups/bluetooth/bluetoothd | 12 +++++++ apparmor.d/groups/code/code | 2 +- apparmor.d/groups/freedesktop/boltd | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 9 +++-- apparmor.d/groups/gnome/gcr-ssh-agent | 2 +- apparmor.d/groups/gnome/gnome-control-center | 3 +- apparmor.d/groups/gnome/gnome-session-service | 1 + apparmor.d/groups/gnome/gnome-weather | 3 +- apparmor.d/groups/gnome/loupe | 8 ++--- apparmor.d/groups/systemd/systemd-dissect | 6 ++-- apparmor.d/groups/virt/virtiofsd | 16 +++++---- apparmor.d/profiles-a-f/claude | 1 + .../profiles-a-f/code-extension-git-askpass | 33 ------------------- .../profiles-a-f/code-extension-git-editor | 25 -------------- apparmor.d/profiles-a-f/fractal | 2 ++ apparmor.d/profiles-a-f/fuse-overlayfs | 2 +- apparmor.d/profiles-s-z/snapshot | 9 +++++ apparmor.d/profiles-s-z/spotify | 2 -- apparmor.d/profiles-s-z/update-ca-trust | 1 + apparmor.d/profiles-s-z/vlc | 10 ++++++ apparmor.d/tunables/multiarch.d/programs | 2 +- 23 files changed, 72 insertions(+), 81 deletions(-) delete mode 100644 apparmor.d/profiles-a-f/code-extension-git-askpass delete mode 100644 apparmor.d/profiles-a-f/code-extension-git-editor diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 9667689e4c..16db9158ab 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/dpkg-buildflags profile dpkg-buildflags @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} r, diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index 70d2199f22..800332d818 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/dpkg-vendor profile dpkg-vendor @{exec_path} { include + include include @{exec_path} r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2cd032bc67..2d088bd3b9 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -25,6 +25,18 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=system name=org.bluez path=/{,**} + #aa:dbus talk bus=system name=org.mpris.MediaPlayer2.Player path=/{,**} label=mpris-proxy + + # Missing rules from the directive above as these one are not standard + # Part of abstractions/bus/system/org.bluez + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=org.bluez, label="@{p_bluetoothd}"), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name=@{busname}, label="@{p_bluetoothd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index 66f333c3e6..965308e196 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -50,7 +50,6 @@ profile code @{exec_path} flags=(attach_disconnected) { include include - network inet dgram, network inet6 dgram, network inet stream, @@ -67,6 +66,7 @@ profile code @{exec_path} flags=(attach_disconnected) { signal send peer=gitstatusd, @{exec_path} mrix, + @{PROC}/self/exe mrix, @{bin}/rg rix, @{bin}/env mr, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index b1737a1808..5a8cafa1d6 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -17,7 +17,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { network netlink raw, - #aa:dbus own bus=system name=org.freedesktop.bolt + #aa:dbus own bus=system name=org.freedesktop.bolt1 path=/org/freedesktop/bolt @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 24f092e72e..086f8ac6d8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -41,8 +41,13 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - peer=(name=@{busname}), + interface=org.freedesktop.impl.portal.Inhibit + member=Inhibit + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop/request/** + interface=org.freedesktop.impl.portal.Request + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gcr-ssh-agent b/apparmor.d/groups/gnome/gcr-ssh-agent index e09c598b5c..c69076b960 100644 --- a/apparmor.d/groups/gnome/gcr-ssh-agent +++ b/apparmor.d/groups/gnome/gcr-ssh-agent @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gcr-ssh-agent -profile gcr-ssh-agent @{exec_path} { +profile gcr-ssh-agent @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 8d6cc771b1..5a159bb440 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -51,8 +51,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.bluez label=bluetoothd #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.bolt1 path=/org/freedesktop/bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.fwupd path=/ label=fwupd #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index c9c193b90b..e76d358510 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -57,6 +57,7 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { profile open { include + include @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index fe2bf69b2c..9202be590f 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -7,9 +7,10 @@ abi , include @{exec_path} = @{bin}/gnome-weather /usr/share/org.gnome.Weather/org.gnome.Weather -profile gnome-weather @{exec_path} { +profile gnome-weather @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 203691fed8..ab0bb68052 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -32,10 +32,10 @@ profile loupe @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 1bbb918586..0c1a9a9beb 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -19,7 +19,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { mount -> /tmp/dissect-@{rand6}/, mount fstype=tmpfs options=(rw nodev) rootfs -> @{run}/systemd/dissect-root/, - mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/{,**/}, + mount options=(ro nodev) @{att}/dev/loop* -> @{run}/systemd/dissect-root/{,**/}, mount options=(rw nodev) -> /mnt/*/, mount options=(rw rshared rslave) -> /, @@ -51,9 +51,11 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mountinfo r, + /dev/loop* rwk, + @{att}/dev/loop* wk, + /dev/btrfs-control rw, /dev/loop-control rwk, - /dev/loop* rwk, /dev/mapper/control w, include if exists diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 87e2296853..e13c7f6b83 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -29,15 +29,18 @@ profile virtiofsd @{exec_path} flags=(attach_disconnected) { mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC}, mount options=(rw, rslave) -> /, - mount options=(rw, rbind) -> @{user_publicshare_dirs}/, - mount options=(rw, rbind) -> @{user_vm_dirs}/, - mount options=(rw, rbind) -> @{user_vmshare_dirs}/, + mount options=(rw, rbind) -> @{user_projects_dirs}/{,**/}, + mount options=(rw, rbind) -> @{user_publicshare_dirs}/{,**/}, + mount options=(rw, rbind) -> @{user_vm_dirs}/{,**/}, + mount options=(rw, rbind) -> @{user_vmshare_dirs}/{,**/}, umount /, - pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted, - pivot_root @{user_vm_dirs}/, - pivot_root @{user_vmshare_dirs}/, + # TODO: -> pivoted + pivot_root oldroot=@{user_projects_dirs}/{,**/} @{user_projects_dirs}/{,**/}, + pivot_root oldroot=@{user_publicshare_dirs}/{,**/} @{user_publicshare_dirs}/{,**/}, + pivot_root oldroot=@{user_vm_dirs}/{,**/} @{user_vm_dirs}/{,**/}, + pivot_root oldroot=@{user_vmshare_dirs}/{,**/} @{user_vmshare_dirs}/{,**/}, signal (receive) set=term peer=libvirtd, @@ -48,6 +51,7 @@ profile virtiofsd @{exec_path} flags=(attach_disconnected) { / r, /var/lib/libvirt/qemu/*/fs@{int}-fs.sock rw, + @{user_projects_dirs}/{,**} r, @{user_publicshare_dirs}/{,**} r, @{user_vm_dirs}/{,**} r, @{user_vmshare_dirs}/{,**} r, diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 2116e89dee..41b4a70b77 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -143,6 +143,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { signal receive peer=claude, + priority=1 @{bin}/man Px, priority=1 @{bin}/dpkg-query Px, priority=1 @{bin}/flatpak Px -> claude//flatpak, priority=1 @{bin}/git Px, diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass deleted file mode 100644 index 674432b2ef..0000000000 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh -profile code-extension-git-askpass @{exec_path} { - include - - network inet dgram, - network inet6 dgram, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/cat rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{lib}/electron@{int}/electron rix, - - /usr/share/terminfo/** r, - - owner @{tmp}/tmp.@{rand10} rw, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code-extension-git-editor b/apparmor.d/profiles-a-f/code-extension-git-editor deleted file mode 100644 index 8e56ac3aa5..0000000000 --- a/apparmor.d/profiles-a-f/code-extension-git-editor +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/code/extensions/git/dist/git-editor.sh -profile code-extension-git-editor @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} rix, - @{lib}/electron@{int}/electron rix, - - @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 17a978100e..8c54b0deb0 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -12,10 +12,12 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include include include include + include network inet dgram, network inet stream, diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index cd1c5fe775..fca8e28ae7 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/fuse-overlayfs -profile fuse-overlayfs @{exec_path} { +profile fuse-overlayfs @{exec_path} flags=(attach_disconnected) { include capability chown, diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot index 3e48a4bc7e..9713880ce8 100644 --- a/apparmor.d/profiles-s-z/snapshot +++ b/apparmor.d/profiles-s-z/snapshot @@ -21,6 +21,15 @@ profile snapshot @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Snapshot + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Camera + member=AccessCamera + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Camera + member=OpenPipeWireRemote + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 8ad6c86353..a0e8edff5d 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -64,8 +64,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, - @{sys}/devices/@{pci_bus}/uevent r, @{PROC}/@{pid}/net/unix r, diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index c0f220919b..8cd9e918a9 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-ca-trust profile update-ca-trust @{exec_path} { include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index c0f279cb6f..f5d3090871 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -38,6 +38,7 @@ profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{open_path} rPx -> child-open-help, @{bin}/xdg-screensaver rPx, + @{bin}/proxy Cx -> proxy, /usr/share/vlc/{,**} r, @@ -86,6 +87,15 @@ profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { deny @{lib}/@{multiarch}/vlc/{,**} w, deny @{user_share_dirs}/gvfs-metadata/{*,} r, + profile proxy { + include + include + + @{bin}/proxy mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 4c306eab3c..4d0ec36a2a 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -38,7 +38,7 @@ # This should only contains core development tools like compilers, analysis tools, linters, debuggers etc. # @{devtools} = ansible cargo dlv gem go{,-*} just node npm pip pyright python ruby -@{devtools} += rust typescript yarn +@{devtools} += rust typescript yarn docker # Python interpreters @{python_version} = 3 3.[0-9] 3.1[0-9] From c9db7a4f6a669b5973f6ef35f708a72576a42e13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Feb 2026 23:08:42 +0100 Subject: [PATCH 1385/1736] feat(abs): add the cgroup-limits abs. --- apparmor.d/abstractions/cgroup-limits | 24 ++++++++++++++++++++++++ apparmor.d/groups/pacman/aurpublish | 1 + apparmor.d/profiles-g-l/libreoffice | 1 + 3 files changed, 26 insertions(+) create mode 100644 apparmor.d/abstractions/cgroup-limits diff --git a/apparmor.d/abstractions/cgroup-limits b/apparmor.d/abstractions/cgroup-limits new file mode 100644 index 0000000000..674da97a9b --- /dev/null +++ b/apparmor.d/abstractions/cgroup-limits @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow reading CPU and memory limits from cgroup hierarchy + + abi , + + @{sys}/fs/cgroup/user.slice/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.max r, + + @{sys}/fs/cgroup/cpu.max r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 8e89dbf629..373077f2c6 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/aurpublish/*.hook profile aurpublish @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 9e8840b017..61d498848f 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -13,6 +13,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include From 01d7d300034095ac78bb1d9429cecfde8d421735 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 15 Feb 2026 16:55:26 +0100 Subject: [PATCH 1386/1736] Fix check.sh As mentioned in https://github.com/roddhjav/apparmor.d/pull/1018#issuecomment-3884698006 --- tests/check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/check.sh b/tests/check.sh index de3b976365..3fe5261765 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -176,7 +176,7 @@ readonly ABS="abstractions" readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) declare -A ABS_DEPRECATED=( ["nameservice"]="nameservice-strict" - ["bash"]="shell" + ["bash"]="shells" ["X"]="X-strict" ["gtk"]="gtk-strict" ["dbus-accessibility-strict"]="bus-accessibility" From 9a11b7de3503434ce4e4be9ac69718d50563c833 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Thu, 19 Feb 2026 17:51:34 +0100 Subject: [PATCH 1387/1736] Docs usage.md: better listing of processes with ps --- docs/usage.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/usage.md b/docs/usage.md index c9d19bad83..eacf33ffb1 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -66,12 +66,14 @@ gnome-shell (complain) user /usr/bin/gnome-shell ps (complain) user ps auxZ ``` -??? info "Hide the kernel thread in `ps`" - - To hide the kernel thread in `ps` use `ps auxZ | grep -v '\[.*\]'`. You can +??? info "Display the process hierarchy and hide the kernel thread in `ps`" + + In order to list above processes with displaying the process hierarchy you can, alternatively, use `ps auxfZ`. + + To hide the kernel thread in `ps` use `LIBPROC_HIDE_KERNEL=1 ps auxfZ`. You can add an alias in your shell: ```sh - alias p="ps auxZ | grep -v '\[.*\]'" + alias p="LIBPROC_HIDE_KERNEL=1 ps auxfZ" ``` From c69aabeecff06ff4fbda73ee29bdc159d4255cf9 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Thu, 19 Feb 2026 17:34:56 +0100 Subject: [PATCH 1388/1736] Update mullvad-gui: allow for autostarting mullvad --- apparmor.d/groups/network/mullvad-gui | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 92853bf1f8..67a06955f6 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -30,6 +30,8 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-browsers, + owner @{user_config_dirs}/autostart/mullvad-vpn.desktop rw, + @{run}/mullvad-vpn rw, /dev/tty rw, From 718d32a27fff9efa2596f037a4006998c49ef182 Mon Sep 17 00:00:00 2001 From: skarpinis Date: Tue, 24 Feb 2026 13:12:07 +0000 Subject: [PATCH 1389/1736] (feat) small fix (#1039) --- apparmor.d/groups/kde/kioworker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index dc97add93a..8bd9a68695 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -75,7 +75,7 @@ profile kioworker @{exec_path} { # Silence non user's data deny @{efi}/{,**} r, - deny /etc/{,**} r, + deny /etc/{,**} w, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, From 20ace564c2e698792a150cab811d260f8ebf5251 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Tue, 24 Feb 2026 17:49:59 +0000 Subject: [PATCH 1390/1736] feat(profile): minor update to various profiles. --- apparmor.d/abstractions/app/chromium | 5 +++-- apparmor.d/abstractions/fontconfig-cache | 1 + apparmor.d/groups/browsers/chrome | 2 ++ apparmor.d/groups/freedesktop/colord | 2 ++ apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/pacman/mkinitcpio | 3 +++ apparmor.d/groups/systemd/busctl | 1 + apparmor.d/profiles-m-r/mpv | 3 +++ apparmor.d/profiles-m-r/nmap | 2 ++ 9 files changed, 18 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index c20c73dbb2..0692731d30 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -120,7 +120,8 @@ owner @{config_dirs}/** rwk, owner @{config_dirs}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, - owner @{cache_dirs}/{,**} rw, + owner @{cache_dirs}/ rw, + owner @{cache_dirs}/** rwk, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, @@ -138,7 +139,7 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.*/{,**} rw, + owner @{tmp}/{,.}@{domain}.*/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/cache/Default/ rw, owner @{tmp}/cache/Default/** rwk, diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache index 7cdfa55947..2b6729f97b 100644 --- a/apparmor.d/abstractions/fontconfig-cache +++ b/apparmor.d/abstractions/fontconfig-cache @@ -61,6 +61,7 @@ owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-reindex@{d}-@{int} rk, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{int} r, # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to # identify the font directory and is used to determine the cache filename if available. diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 9c11f0a4a2..66e6a6ceb4 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -20,6 +20,8 @@ profile chrome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.chrome path=/org/mpris/MediaPlayer2 + ptrace trace peer=chrome, + @{exec_path} mrix, @{bin}/man rPUx, # For "chrome --help" diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 093260732f..29675a8f00 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -28,6 +28,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{lib}/colord-sane ix, + /opt/brother/scanner/** r, + /etc/machine-id r, /etc/sane.d/{,**} r, /etc/snmp/snmp.conf r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 7ca655007a..4533295150 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -161,6 +161,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/virtual/**/net/{,**} r, @{sys}/devices/virtual/net/{,**} r, + @{sys}/module/af_alg/uevent r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @@ -185,7 +186,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/module/compression r, @{sys}/module/nf_*/initstate r, - @{sys}/module/af_alg/uevent r, include if exists } diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index ada7ce5a5a..99f58de66a 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -66,6 +66,9 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/vconsole.conf r, /usr/share/kbd/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /usr/share/pixmaps/archlinux-logo.png r, + /usr/share/X11/locale/ r, /usr/share/plymouth/*.png r, /usr/share/plymouth/plymouthd.defaults r, /usr/share/plymouth/themes/{,**} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 9d42178052..64a446d5b9 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -67,6 +67,7 @@ profile busctl @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/stat r, @{PROC}/1/status r, + @{PROC}/sys/fs/nr_open r, include if exists } diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index e3ddb40fce..5cbd596a3b 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -40,6 +40,8 @@ profile mpv @{exec_path} { /etc/mpv/** r, /etc/samba/smb.conf r, + /usr/share/p11-kit/modules/{,*} r, + /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -64,6 +66,7 @@ profile mpv @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 348c3ac0e8..6f011d89e7 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap @@ -15,6 +15,8 @@ profile nmap @{exec_path} { capability net_bind_service, capability net_raw, + capability dac_override, + capability dac_read_search, network inet dgram, network inet6 dgram, From 143b87766c7ccf099a4954faed1feb0d988d0203 Mon Sep 17 00:00:00 2001 From: skarpinis Date: Wed, 25 Feb 2026 16:56:11 +0000 Subject: [PATCH 1391/1736] feat(profile): minor update to various profiles. (#1041) --- apparmor.d/abstractions/app/chromium | 5 +++-- apparmor.d/abstractions/fontconfig-cache | 1 + apparmor.d/groups/browsers/chrome | 2 ++ apparmor.d/groups/freedesktop/colord | 2 ++ apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/pacman/mkinitcpio | 3 +++ apparmor.d/groups/systemd/busctl | 1 + apparmor.d/profiles-m-r/mpv | 3 +++ apparmor.d/profiles-m-r/nmap | 2 ++ 9 files changed, 18 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index c20c73dbb2..0692731d30 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -120,7 +120,8 @@ owner @{config_dirs}/** rwk, owner @{config_dirs}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, - owner @{cache_dirs}/{,**} rw, + owner @{cache_dirs}/ rw, + owner @{cache_dirs}/** rwk, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, @@ -138,7 +139,7 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.*/{,**} rw, + owner @{tmp}/{,.}@{domain}.*/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/cache/Default/ rw, owner @{tmp}/cache/Default/** rwk, diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache index 7cdfa55947..2b6729f97b 100644 --- a/apparmor.d/abstractions/fontconfig-cache +++ b/apparmor.d/abstractions/fontconfig-cache @@ -61,6 +61,7 @@ owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-reindex@{d}-@{int} rk, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{int} r, # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to # identify the font directory and is used to determine the cache filename if available. diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 9c11f0a4a2..66e6a6ceb4 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -20,6 +20,8 @@ profile chrome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.chrome path=/org/mpris/MediaPlayer2 + ptrace trace peer=chrome, + @{exec_path} mrix, @{bin}/man rPUx, # For "chrome --help" diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 093260732f..29675a8f00 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -28,6 +28,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{lib}/colord-sane ix, + /opt/brother/scanner/** r, + /etc/machine-id r, /etc/sane.d/{,**} r, /etc/snmp/snmp.conf r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 7ca655007a..4533295150 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -161,6 +161,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/virtual/**/net/{,**} r, @{sys}/devices/virtual/net/{,**} r, + @{sys}/module/af_alg/uevent r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @@ -185,7 +186,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/module/compression r, @{sys}/module/nf_*/initstate r, - @{sys}/module/af_alg/uevent r, include if exists } diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index ada7ce5a5a..99f58de66a 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -66,6 +66,9 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/vconsole.conf r, /usr/share/kbd/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /usr/share/pixmaps/archlinux-logo.png r, + /usr/share/X11/locale/ r, /usr/share/plymouth/*.png r, /usr/share/plymouth/plymouthd.defaults r, /usr/share/plymouth/themes/{,**} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 9d42178052..64a446d5b9 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -67,6 +67,7 @@ profile busctl @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/stat r, @{PROC}/1/status r, + @{PROC}/sys/fs/nr_open r, include if exists } diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index e3ddb40fce..5cbd596a3b 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -40,6 +40,8 @@ profile mpv @{exec_path} { /etc/mpv/** r, /etc/samba/smb.conf r, + /usr/share/p11-kit/modules/{,*} r, + /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -64,6 +66,7 @@ profile mpv @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 348c3ac0e8..6f011d89e7 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap @@ -15,6 +15,8 @@ profile nmap @{exec_path} { capability net_bind_service, capability net_raw, + capability dac_override, + capability dac_read_search, network inet dgram, network inet6 dgram, From cf2377939b28344a9a8d9b835b056d326cbb4eae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Feb 2026 23:46:31 +0100 Subject: [PATCH 1392/1736] feat(profile): minor flatpak improvement. --- apparmor.d/abstractions/app/flatpak | 3 ++- apparmor.d/groups/flatpak/fbwrap | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index e08d788d3b..a9f5788a24 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -87,7 +87,8 @@ capability dac_override, capability dac_read_search, - unix (bind listen) type=seqpacket addr=@@{hex}, + unix (bind listen) type=seqpacket addr=@@{hex}@{hex}, + unix (bind listen) type=seqpacket addr=@*, unix type=seqpacket peer=(label=dbus-session), unix type=seqpacket peer=(label=fbwrap), diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 2b9dc7efb6..2045b7c446 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -25,8 +25,9 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { # Required by the xdg-dbus-proxy stack # By design xdg-dbus-proxy proxies and filters dbus communication from flatpak - # apps to the system. Thus, it can manage the full session bus. + # apps to the system. Thus, it can manage the full system and session buses. dbus bus=session, + dbus bus=system, dbus send bus=accessibility path=/ interface=org.freedesktop.DBus From 5583a49e81dadfa99d9d3ba2b8ca8bc0936ae66e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Feb 2026 23:49:46 +0100 Subject: [PATCH 1393/1736] feat(abs): improve core dbus abs. --- .../bus/session/org.freedesktop.ScreenSaver | 5 ++++ ...rg.freedesktop.impl.portal.PermissionStore | 5 ++++ .../session/org.freedesktop.portal.Desktop | 13 +++++++--- .../bus/session/org.mpris.MediaPlayer2.Player | 2 +- .../system/org.freedesktop.Avahi.EntryGroup | 25 +++++++++++++++++++ 5 files changed, 45 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver index 056b7f935e..dc1fe68f9e 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -11,6 +11,11 @@ member={Inhibit,UnInhibit} peer=(name=org.freedesktop.ScreenSaver), + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(label=gsd-screensaver-proxy), + dbus send bus=session path=/org/freedesktop/ScreenSaver interface=org.freedesktop.ScreenSaver member={GetActive,GetActiveTime,Lock,SetActive} diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore index e43fcd284a..55d5487b56 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore @@ -21,6 +21,11 @@ member=Lookup peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), + dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Changed + peer=(name=@{busname}, label=xdg-permission-store), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop index 97c4c2f3e6..f9c1dda2cd 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop @@ -45,34 +45,39 @@ member={Read,ReadAll} peer=(name=@{busname}, label=xdg-desktop-portal), + # portal.Registry + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.host.portal.Registry member=Register peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop/** - interface=org.freedesktop.portal.Request - member=Response - peer=(name=@{busname}, label=xdg-desktop-portal), + # portal.Inhibit dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Inhibit member={StateChanged,CreateMonitor} peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Inhibit member=CreateMonitor peer=(name=@{busname}, label=xdg-desktop-portal), + # portal.Session + dbus send bus=session path=/org/freedesktop/portal/desktop/session/** interface=org.freedesktop.portal.Session member=Close peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** interface=org.freedesktop.impl.portal.Session member=Close peer=(name=@{busname}, label=xdg-desktop-portal), + # portal.Request + dbus send bus=session path=/org/freedesktop/portal/desktop/request/** interface=org.freedesktop.portal.Request member=Close diff --git a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player index 0f30e208a6..d1e6ca0185 100644 --- a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player @@ -33,7 +33,7 @@ dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.mpris.MediaPlayer2.Player - member={Seeked,Next,Play,PlayPause,Pause} + member={Seeked,Previous,Next,Play,PlayPause,Pause} peer=(name=@{busname}), # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup new file mode 100644 index 0000000000..d1a758f995 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Domain browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server2 + member=EntryGroupNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/EntryGroup@{int} + interface=org.freedesktop.Avahi.EntryGroup + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client4/EntryGroup@{int} + interface=org.freedesktop.Avahi.EntryGroup + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor From 7bfc780437eb120e5258c896e9a0b74496600808 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Feb 2026 23:50:39 +0100 Subject: [PATCH 1394/1736] feat(abs): restrict mount option on all bwrap. --- apparmor.d/abstractions/bwrap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap index e841f38793..c2924fd841 100644 --- a/apparmor.d/abstractions/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -28,8 +28,8 @@ mount options=(rw rbind) -> /newroot/{,**}, mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/, + mount options=(rw silent make-rslave) /, mount options=(rw silent rprivate) -> /oldroot/, - mount options=(rw silent rslave) -> /, mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/, mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/, mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/{,**}, From 49887e539a9b870920e7086b018cb99c130d085d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Feb 2026 23:52:23 +0100 Subject: [PATCH 1395/1736] feat(abs): various dev improvments. --- apparmor.d/abstractions/development | 7 +++++++ apparmor.d/abstractions/zsh | 11 +++++++++++ 2 files changed, 18 insertions(+) diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index 40ca462cd9..bafee4f7ce 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -37,10 +37,13 @@ /etc/*@{devtools}*/{,**} r, /etc/debuginfod/{,**} r, /etc/inputrc r, + /etc/shells r, owner @{HOME}/.local/ r, owner @{user_lib_dirs}/ r, + owner /dev/shm/sem.@{rand6} w, + owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/cc@{rand6}* rw, owner @{tmp}/GMfifo@{int} rw, @@ -70,7 +73,11 @@ owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/@{int} rw, + @{PROC}/@{pid}/statm r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/version_signature r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, include if exists diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 7c734a45bb..483497094a 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -17,6 +17,9 @@ /etc/zsh/* r, + /home/ r, + + owner @{HOME}/ r, owner @{HOME}/.zcompdump-* rw, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, @@ -28,12 +31,16 @@ owner @{HOME}/.oh-my-zsh/log/update.lock/ w, owner @{user_cache_dirs}/oh-my-zsh/{,**} r, + owner @{user_cache_dirs}/oh-my-zsh/completions/* rw, + owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, + owner @{user_config_dirs}/zsh/.zcompdump-*.lock/ rw, owner @{user_config_dirs}/zsh/{,**} r, + owner @{user_config_dirs}/zsh/ohmyzsh/cache/** rw, owner @{user_share_dirs}/zsh/history rw, owner @{user_share_dirs}/zsh/history.LOCK rwk, @@ -42,6 +49,10 @@ owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, + owner @{tmp}/@{user}-code-zsh/.zcompdump-* rw, + owner @{tmp}/@{user}-code-zsh/.zsh* r, + owner @{tmp}/zsh@{rand6} w, + @{PROC}/version r, owner @{PROC}/@{pid}/loginuid r, From 6d4c165eb978752304f0c5abfd0cafab1ce5a71b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Feb 2026 23:53:14 +0100 Subject: [PATCH 1396/1736] feat(profile): improve apparmor internal profiles. --- apparmor.d/groups/apparmor/aa-log | 2 ++ apparmor.d/groups/apparmor/aa-notify | 10 ++++++++-- tests/sbin.list | 1 - 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index d4af439899..9657018630 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -19,6 +19,8 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { @{bin}/journalctl rCx -> journalctl, + /usr/share/tcltk/{,**} r, + /var/log/audit/* r, /var/log/syslog* r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 7ac24d9af2..232d4e1e10 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -6,13 +6,14 @@ abi , include -@{exec_path} = @{sbin}/aa-notify +@{exec_path} = @{bin}/aa-notify profile aa-notify @{exec_path} flags=(attach_disconnected) { include include include include include + include include capability setgid, @@ -39,7 +40,12 @@ profile aa-notify @{exec_path} flags=(attach_disconnected) { /etc/apparmor.d/{,**} r, /etc/apparmor/*.conf r, - /var/log/audit/audit.log r, + /var/lib/snapd/apparmor/snap-confine/ r, + /var/lib/snapd/apparmor/snap-confine/cap-bpf r, + + /var/log/audit/* r, + /var/log/syslog* r, + /var/log/kern.log r, owner @{HOME}/.inputrc r, owner @{HOME}/.terminfo/@{int}/dumb r, diff --git a/tests/sbin.list b/tests/sbin.list index 1043ac6b3d..0475a28d08 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -11,7 +11,6 @@ aa-genprof aa-load aa-logprof aa-mergeprof -aa-notify aa-remove-unknown aa-status aa-teardown From 7244ce7f943d45765442cb9da05f1d5b816912e6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Feb 2026 23:55:01 +0100 Subject: [PATCH 1397/1736] feat(profile): improve apt specific profiles. --- apparmor.d/groups/apt/apt | 5 ----- apparmor.d/groups/apt/dpkg-preconfigure | 1 + 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5f80eedaf8..a0e982e528 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -58,11 +58,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name="{:*,org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Inhibit - peer=(name=org.freedesktop.login1, label=systemd-logind), - @{exec_path} mr, @{python_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 363c109b69..03fb7d27b8 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -34,6 +34,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/head ix, @{bin}/host Px, @{bin}/hostname ix, + @{bin}/infocmp ix, @{bin}/locale ix, @{bin}/readlink ix, @{bin}/realpath ix, From 9b0af1935cd63300e98b53b4beb60972636a9d53 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Feb 2026 23:56:16 +0100 Subject: [PATCH 1398/1736] feat(profile): improve code & claude. --- apparmor.d/groups/code/code | 17 ++++++++-- apparmor.d/groups/code/code-shells | 52 +++++++++++++++++++++++------- apparmor.d/profiles-a-f/claude | 50 +++++++++++++++++++++------- 3 files changed, 94 insertions(+), 25 deletions(-) diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index 965308e196..3d572adce4 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -36,7 +36,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile code @{exec_path} flags=(attach_disconnected) { +profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -127,6 +127,8 @@ profile code @{exec_path} flags=(attach_disconnected) { owner @{tmp}/ovsx-@{rand6}/{,**} rw, owner @{tmp}/tmp-@{int}-@{rand12}/ w, + @{sys}/kernel/mm/transparent_hugepage/enabled r, + @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/clear_refs w, @@ -158,10 +160,21 @@ profile code @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/CachedExtensionVSIXs/* rk, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, # file_inherit + owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/cdotnet-diagnostic-*-socket rw, + owner @{tmp}/{,c}dotnet-diagnostic-*-socket rw, owner @{tmp}/clr-debug-pipe-* rw, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, + @{sys}/devices/system/node/ r, + @{sys}/fs/cgroup/user.slice/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-code-*.scope/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.max r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/code/code-shells b/apparmor.d/groups/code/code-shells index 0bf4ef2a1a..7da4550468 100644 --- a/apparmor.d/groups/code/code-shells +++ b/apparmor.d/groups/code/code-shells @@ -21,8 +21,10 @@ profile code-shells flags=(attach_disconnected) { include include include + include include include + include network inet dgram, network inet stream, @@ -30,41 +32,69 @@ profile code-shells flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal send set=term peer=gitstatusd, + signal send peer=gitstatusd, + signal send peer=git, ptrace read peer=git, ptrace read peer=child-pager, @{shells_path} mrix, - # TODO: Work in progress. This will be restricted later. - file, - - # Handle shell prompts, out of scope, thus unconfined - @{bin}/starship Cx -> helper, - # Give glycin higher priority than `@{bin}/bwrap ix` got in the development abs priority=10 @{bin}/bwrap Px -> :glycin:bwrap, - # Well known programs used in shells, when we also have specific profiles for them + # Well known programs used in shells, when we also have specific profiles for + # them and want to allow them, event if they need more/different permissions + # than what is allowed in this profile. + @{bin}/aa-log Px, @{bin}/claude Px, + @{bin}/docker Ux, # TODO Px, + @{bin}/dpkg-query Px, @{bin}/git Px, @{bin}/htop Px, + @{bin}/ip Px, + @{bin}/journalctl Px, + @{bin}/man Px, + @{bin}/nproc Px, @{bin}/ps Px, - @{bin}/aa-log Px, + @{bin}/ssh Px, + @{bin}/top Px, + @{bin}/uptime Px, + @{bin}/w Px, /opt/claude-code/bin/claude Px, + # Handle shell prompts, out of scope, thus unconfined + @{bin}/starship Cx -> starship, + # Well known shells tools priority=1 @{user_cache_dirs}/gitstatus/gitstatusd{,-*} Px, priority=1 /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} Px, + owner @{config_dirs}/User/globalStorage/**/ r, + owner @{user_projects_dirs}/ r, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, - profile helper { + owner @{user_config_dirs}/git/*config r, + + profile starship { include + include + include + + @{bin}/starship mr, + + owner @{user_cache_dirs}/starship/ rw, + owner @{user_cache_dirs}/starship/** rw, + owner @{user_config_dirs}/starship.toml r, + + owner @{user_projects_dirs}/**/.git/{,**} r, + + @{sys}/class/power_supply/ r, + + owner @{PROC}/@{pid}/cgroup r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 41b4a70b77..469aeebf4a 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -28,6 +28,7 @@ include profile claude @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -42,6 +43,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=code), unix (send receive) type=stream peer=(label=git), + deny unix (send receive) type=stream peer=(label=ssh), @{exec_path} mrix, @@ -97,20 +99,23 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{tmp}/node-compile-cache/** rwlk, owner @{tmp}/playwright-artifacts-@{rand6}/{,**} rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{uuid}.scope/memory.high r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/memory.high r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{uuid}.scope/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{PROC}/sys/vm/mmap_min_addr r, @{PROC}/version r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, # Safety mechanisms @@ -134,7 +139,10 @@ profile claude @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, # network inet6 stream port=1024-66666, # failed af match, MPC only - + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, ptrace read, @@ -143,23 +151,29 @@ profile claude @{exec_path} flags=(attach_disconnected) { signal receive peer=claude, - priority=1 @{bin}/man Px, priority=1 @{bin}/dpkg-query Px, priority=1 @{bin}/flatpak Px -> claude//flatpak, priority=1 @{bin}/git Px, priority=1 @{bin}/journalctl Px, + priority=1 @{bin}/man PUx, priority=1 @{bin}/ps Px, - priority=1 @{ldd_path} Px -> claude//ldd, + priority=1 @{bin}/ssh Px -> claude//ssh, + priority=1 @{ldd_path} rPx -> claude//ldd, - owner @{HOME}/.claude/projects/*/@{uuid}.jsonl r, + owner @{HOME}/.claude/ r, + owner @{HOME}/.claude/projects/{,**} r, owner @{HOME}/.claude/shell-snapshots/* rw, owner @{code_config_dirs}/logs/{,**} w, + owner @{user_config_dirs}/gh/*.yml r, + owner @{user_config_dirs}/git/*config r, owner @{user_projects_dirs}/ r, - owner @{user_projects_dirs}/** rwk, + owner @{user_projects_dirs}/** rwlk, + /var/tmp/@{word8} rw, owner @{tmp}/*/{,**} rwlk, + owner @{tmp}/@{word8} rw, owner @{tmp}/claude-* w, owner @{tmp}/claude-shell/ rw, owner @{tmp}/claude-shell/** mix, @@ -168,17 +182,20 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{tmp}/claude{,-code}/** mix, owner @{tmp}/claude{,-code}/** rwlk -> @{tmp}/claude/**, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-code-@{int}.scope/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/vte-spawn-@{uuid}.scope/memory.* r, @{PROC}/ r, - @{PROC}/version_signature r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/pid_max r, @{PROC}/tty/drivers r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/environ r, # This raise the sys_ptrace capability requirement, only allowed on user processes owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/stat r, # Safety mechanisms deny @{bin}/poweroff x, @@ -186,7 +203,6 @@ profile claude @{exec_path} flags=(attach_disconnected) { deny @{bin}/rm x, deny @{bin}/rmdir x, deny @{bin}/shutdown x, - deny @{bin}/ssh x, deny /etc/dpkg/dpkg.cfg r, deny /etc/dpkg/dpkg.cfg.d/{,**} r, deny /etc/pacman.conf r, @@ -206,6 +222,15 @@ profile claude @{exec_path} flags=(attach_disconnected) { include if exists } + profile ssh { + include + include + + @{bin}/ssh mr, + + include if exists + } + profile flatpak { include @@ -222,6 +247,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { deny owner @{user_config_dirs}/** r, deny owner @{code_config_dirs}/logs/{,**} w, deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + deny owner /tmp/claude-@{uid}/*/tasks/* rw, include if exists } From 915a96b0a28f791eacb14c29c777b03dc208a5d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Feb 2026 23:57:40 +0100 Subject: [PATCH 1399/1736] feat(profile): simplify dbus stack for some xdg profiles. --- apparmor.d/groups/freedesktop/boltd | 1 + .../groups/freedesktop/xdg-desktop-portal | 17 ++++++++++++++++- .../groups/freedesktop/xdg-desktop-portal-gnome | 3 +++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 5a8cafa1d6..cf1539a8a2 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -17,6 +17,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { network netlink raw, + #aa:dbus own bus=system name=org.freedesktop.bolt #aa:dbus own bus=system name=org.freedesktop.bolt1 path=/org/freedesktop/bolt @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index bdecef6e47..b3c7e3d8d2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -60,11 +60,26 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Background path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal.GlobalShortcuts path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member={Read,ReadAll} + peer=(name=@{busname}, label=xdg-desktop-portal-*), + + dbus send bus=session path=/org/freedesktop/portal/desktop/request/** + interface=org.freedesktop.impl.portal.Request + member=Close + peer=(name=@{busname}), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Secret + member=RetrieveSecret + peer=(name=@{busname}, label=gnome-keyring-daemon), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index aca213f32c..ef6015157a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -36,6 +36,9 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.FileChooser, + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged From b810e44f7639d6d69d8b0a4b66b0ed840abf1530 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 00:02:11 +0100 Subject: [PATCH 1400/1736] feat(profile): add back some missing attached flags. --- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/ptyxis | 2 +- apparmor.d/groups/pacman/makepkg | 6 +++--- apparmor.d/profiles-m-r/man | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index c3a705cca1..b9ddbe2146 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/{,gdm/}gdm-{x,wayland}-session -profile gdm-session @{exec_path} { +profile gdm-session @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 5fb2f145cb..c1cc75d24e 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ptyxis -profile ptyxis @{exec_path} { +profile ptyxis @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index feed4edd9d..9330def1de 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/makepkg -profile makepkg @{exec_path} { +profile makepkg @{exec_path} flags=(attach_disconnected) { include include include @@ -39,7 +39,7 @@ profile makepkg @{exec_path} { deny capability sys_ptrace, deny ptrace read, - profile gpg { + profile gpg flags=(attach_disconnected) { include include include @@ -81,7 +81,7 @@ profile makepkg @{exec_path} { include if exists } - profile sudo { + profile sudo flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index c60325742e..22ad3a134e 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/man -profile man @{exec_path} { +profile man @{exec_path} flags=(attach_disconnected) { include include From 91a4f6725d5ab6228002983e43d59c76f701c161 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 00:06:39 +0100 Subject: [PATCH 1401/1736] build: update overwrite list. --- dists/overwrite | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/dists/overwrite b/dists/overwrite index da6ba97fe9..b9002175b2 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -33,14 +33,22 @@ unix-chkpwd # They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: # - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile # - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) +# +# It is more and more common that these profiles simply present incompatibilies with apparmor.d in general. fusermount3 hostname # Has @{bin} defined in header, would conflict with apparmor.d's @{bin} tunables lsblk lsusb openvpn +pollinate remmina systemd-detect-virt # Missing integration with @{p_systemd} transmission +usr.bin.papers +usr.bin.passt wg-quick who +# Cannot be used as libreoffice handle this path. Conflict with apparmor.d due to a missing abi version. +usr.lib.libreoffice.program.soffice.bin + From a3caffd61851cc30967f4241aac78cdb07aa1017 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 00:07:20 +0100 Subject: [PATCH 1402/1736] tests: update sbin list --- tests/sbin.list | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/sbin.list b/tests/sbin.list index 0475a28d08..45e493fca1 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -134,6 +134,8 @@ cracklib-update crda create-cracklib-dict criticalstat-bpfcc +criu +criu-ns cron cryptdisks_start cryptdisks_stop @@ -155,6 +157,7 @@ dcstat-bpfcc ddns-confgen deadlock-bpfcc debugfs +debugreiserfs decode delpart deluser @@ -225,6 +228,8 @@ exitsnoop-bpfcc exiwhat ext4dist-bpfcc ext4slower-bpfcc +f2fs_io +f2fscrypt f2fsslower-bpfcc faillock fanatic @@ -235,6 +240,7 @@ fatresize fbtest fdformat fdisk +fibmap.f2fs filefrag filegone-bpfcc filelife-bpfcc @@ -254,6 +260,7 @@ fsck.exfat fsck.ext2 fsck.ext3 fsck.ext4 +fsck.f2fs fsck.fat fsck.minix fsck.msdos @@ -284,6 +291,7 @@ getpcaps getsysinfo getweb gnome-menus-blacklist +gnuchroot gpart gparted gpartedbin @@ -473,6 +481,7 @@ mount.nfs4 mount.ntfs mount.ntfs-3g mount.smb3 +mount.veracrypt mountsnoop-bpfcc mountstats mpathpersist @@ -529,6 +538,7 @@ pam_timestamp_check pam-auth-update pam-config paperconfig +parse.f2fs parted partprobe partx @@ -599,11 +609,14 @@ readahead-bpfcc readprofile realm regdbdump +reiserfsck +reiserfstune remove-default-ispell remove-default-wordlist remove-shell request-key reset-trace-bpfcc +resize_reiserfs resize2fs resizepart resolvconf @@ -700,6 +713,7 @@ statsnoop.bt status sudo_logsrvd sudo_sendlog +sudo_sendlog.ws sulogin swapin.bt swaplabel @@ -831,6 +845,7 @@ virtiostat-bpfcc virtlockd virtlogd visudo +visudo.ws vmcore-dmesg vncsession vpddecode From 39e2f22f03ef6067f17c307604f6f35777764c59 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 00:13:07 +0100 Subject: [PATCH 1403/1736] feat(profile): minor global update. --- apparmor.d/groups/gnome/gnome-system-monitor | 2 ++ apparmor.d/groups/gnome/localsearch | 5 ++++ apparmor.d/groups/gnome/ptyxis-agent | 1 + apparmor.d/groups/gnome/yelp | 7 +++++ apparmor.d/groups/procps/ps | 9 +++++-- apparmor.d/groups/systemd/systemd-dissect | 2 +- .../groups/systemd/systemd-nsresourcework | 1 + apparmor.d/groups/utils/nproc | 27 +++++++++++++++++++ apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-g-l/git | 1 + apparmor.d/profiles-m-r/pidof | 1 + apparmor.d/profiles-m-r/rg | 1 + apparmor.d/profiles-s-z/virt-manager | 1 + apparmor.d/profiles-s-z/whoopsie-preferences | 2 ++ 14 files changed, 58 insertions(+), 3 deletions(-) create mode 100644 apparmor.d/groups/utils/nproc diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a31fa30a41..327937ed99 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -38,6 +38,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/byobu/desktop/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, + /etc/fstab r, + / r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index b8fb5a0732..7914817515 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -13,6 +13,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -72,6 +73,10 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + # No access to camera and microphone devices + deny /dev/video@{int} rw, + deny /dev/media@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 1278555f62..e316a72d3e 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -18,6 +18,7 @@ profile ptyxis-agent @{exec_path} flags=(attach_disconnected) { include signal send set=hup peer=@{p_systemd}, + signal send set=kill, ptrace read, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 467c715629..3cf8cb2ec4 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -12,8 +12,13 @@ profile yelp @{exec_path} flags=(attach_disconnected) { include include # FIXME: In namespace include + include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, #aa:dbus own bus=accessibility name=org.gnome.Yelp @@ -39,6 +44,8 @@ profile yelp @{exec_path} flags=(attach_disconnected) { # owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, # owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{att}@{run}/user/@{uid}/wayland-@{int} rw, + @{sys}/firmware/acpi/pm_profile r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index e7aae7e38e..256b5e334a 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -48,8 +48,6 @@ profile ps @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xsession-errors w, owner /dev/tty@{u8} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, - # While commands like 'ps', 'ip netns identify ', 'ip netns pids foo', etc # trigger a 'ptrace trace' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are @@ -60,6 +58,13 @@ profile ps @{exec_path} flags=(attach_disconnected) { deny ptrace trace, deny ptrace read, + # file_inherit + deny network netlink raw, + deny unix (send receive) type=stream, + deny /usr/share/** r, + deny owner @{user_config_dirs}/*/logs/{,**} rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 0c1a9a9beb..b152a5c543 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -21,7 +21,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { mount fstype=tmpfs options=(rw nodev) rootfs -> @{run}/systemd/dissect-root/, mount options=(ro nodev) @{att}/dev/loop* -> @{run}/systemd/dissect-root/{,**/}, mount options=(rw nodev) -> /mnt/*/, - mount options=(rw rshared rslave) -> /, + mount options=(rw rshared make-rslave) /, umount @{run}/systemd/dissect-root/, diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework index 60fca2117c..9c271d9163 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourcework +++ b/apparmor.d/groups/systemd/systemd-nsresourcework @@ -10,6 +10,7 @@ include profile systemd-nsresourcework @{exec_path} flags=(attach_disconnected) { include + capability net_admin, capability sys_resource, signal send set=usr2 peer=systemd-nsresourced, diff --git a/apparmor.d/groups/utils/nproc b/apparmor.d/groups/utils/nproc new file mode 100644 index 0000000000..3900ba2c9d --- /dev/null +++ b/apparmor.d/groups/utils/nproc @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/nproc +profile nproc @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 925fe24be3..2a457f0a34 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -34,6 +34,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { @{bin}/dbus-launch Cx -> bus, @{bin}/pkttyagent Px, + /usr/share/glib-2.0/gdb/{,**} r, /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index f3db216534..eab7be9a6c 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -98,6 +98,7 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.gitconfig* rw, owner @{HOME}/.netrc r, + owner @{HOME}/.claude/plugins/marketplaces/** rwlk, owner @{user_config_dirs}/git/{,*} rw, # GPG diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 5deb13d3e6..61845b2454 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -23,6 +23,7 @@ profile pidof @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/profiles-m-r/rg b/apparmor.d/profiles-m-r/rg index 073ffad22e..c5047b8294 100644 --- a/apparmor.d/profiles-m-r/rg +++ b/apparmor.d/profiles-m-r/rg @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/rg profile rg @{exec_path} { include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 73e85726ef..38778dab9e 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -20,6 +20,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences index a852cfe573..6665c8fbb2 100644 --- a/apparmor.d/profiles-s-z/whoopsie-preferences +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -34,6 +34,8 @@ profile whoopsie-preferences @{exec_path} { include include + capability net_admin, + include if exists } From 55d1fb1bed17755e3121d945b1bc4f9b57f59998 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 00:13:57 +0100 Subject: [PATCH 1404/1736] feat(abs): add login-observe abs. --- apparmor.d/abstractions/login-observe | 36 +++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apparmor.d/abstractions/login-observe diff --git a/apparmor.d/abstractions/login-observe b/apparmor.d/abstractions/login-observe new file mode 100644 index 0000000000..8f6286a8c2 --- /dev/null +++ b/apparmor.d/abstractions/login-observe @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Check login session observe & login session control + + abi , + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={SessionNew,UserNew,SeatNew} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={SessionRemoved,UserRemoved,SeatRemoved} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={PrepareForShutdow,PrepareForSleep} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={ListSeats,ListSessions,ListUsers} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={GetSeat,GetSessions,GetSessionByPID,GetUsers} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + + include if exists + +# vim:syntax=apparmor From 619eba044f5507407d5b21c6df1e8542fad0aba6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 00:22:38 +0100 Subject: [PATCH 1405/1736] feat(profile): improve dbus rules in a few profiles. --- .../bus/session/org.freedesktop.portal | 20 +++++++++++ .../session/org.freedesktop.portal.Inhibit | 14 ++++++++ apparmor.d/abstractions/gnome-base | 5 +++ apparmor.d/groups/gnome/deja-dup-monitor | 4 +++ apparmor.d/groups/gnome/gnome-control-center | 1 + apparmor.d/groups/gnome/gnome-shell | 35 +++++++++---------- apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/gvfs/gvfsd-admin | 1 + apparmor.d/groups/virt/cockpit-bridge | 1 + apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-m-r/mpris-proxy | 8 ++--- apparmor.d/profiles-m-r/passimd | 2 +- 13 files changed, 70 insertions(+), 24 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.portal create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.portal.Inhibit diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal b/apparmor.d/abstractions/bus/session/org.freedesktop.portal new file mode 100644 index 0000000000..2470a9c910 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to xdg-desktop-portal and xdg-document-portal +# +# !!! warning "TODO" +# +# This should be restricted by a lot, however, the risk of breaking things is +# is also really important. Thus, for now we globally allow full talk access +# over the org.freedesktop.portal.* name to xdg-desktop-portal +# + + abi , + + #aa:dbus talk bus=session name=org.freedesktop.portal.* label=xdg-desktop-portal + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Inhibit b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Inhibit new file mode 100644 index 0000000000..e3b22814f2 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Inhibit @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member=QueryEndResponse + peer=(name=@{busname}, label=xdg-desktop-portal), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index b0dd35b29f..87d39879c5 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -9,6 +9,11 @@ include include + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={ListNames,RequestName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + # DBus.Introspectable: allow introspection from gnome-shell dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index e614b517a9..748ca94966 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -32,6 +32,10 @@ profile deja-dup-monitor @{exec_path} { interface=org.gtk.Actions member=Activate peer=(name=org.gnome.DejaDup), + dbus receive bus=session path=/org/gnome/DejaDup + interface=org.gtk.Actions + member=Changed + peer=(name=@{busname}, label=unconfined), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 5a159bb440..b9ced7f175 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -44,6 +44,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Extensions label=gjs #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7ca2cc0458..22946f7ae6 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -62,16 +62,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity - #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/{unity,dbusmenu}} + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,**} #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager #aa:dbus own bus=session name=org.gnome.Shell - #aa:dbus own bus=session name=org.gtk.Actions path=/** + #aa:dbus own bus=session name=org.gtk.Actions path=/{,**} #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications - #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ + #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/{,**} #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher # owning not strictly needed, but it simplifies things @@ -103,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding #aa:dbus talk bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" @@ -173,23 +174,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member={Start,End} peer=(name=@{busname}), + # FIXME: must be included in the talk dbus directive + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=net.reactivated.Fprint.Manager + member=GetDefaultDevice + peer=(name=net.reactivated.Fprint), + + # Needed as a dbus server to administrate the mpris interface include #aa:lint ignore=abstractions - dbus send bus=system path=/{,org/freedesktop/DBus} - interface=org.freedesktop.DBus - member={ListNames,RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/{,org/freedesktop/DBus} - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=session path=/{,org/freedesktop/DBus} - interface=org.freedesktop.DBus - member={ListNames,RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/{,org/freedesktop/DBus} - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), # Missing rules from the directive above as these one are not standard # Part of abstractions/bus/system/org.freedesktop.NetworkManager @@ -212,6 +204,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Introspect peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=@{busname}, label=power-profiles-daemon), + @{exec_path} mr, @{bin}/unzip rix, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 2448a0dc33..9fe8071956 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -10,6 +10,7 @@ include profile nautilus @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 3dee66d3b9..922d6ae7b3 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/papers profile papers @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index e10c5da5c6..38dfb39e09 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -11,6 +11,7 @@ include profile gvfsd-admin @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 662556059a..c28b144f62 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -16,6 +16,7 @@ profile cockpit-bridge @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 360a1b6a3d..7f8ea87bc6 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -41,6 +41,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd + #aa:dbus talk bus=system name=org.freedesktop.Passim path=/ label=passimd #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index c41e8958d3..4ffa9a4128 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -16,10 +16,10 @@ profile mpris-proxy @{exec_path} { #aa:dbus own bus=session name=org.mpris.MediaPlayer2 #aa:dbus own bus=system name=org.mpris.MediaPlayer2.Player path=/{,**} - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=ListNames - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.mpris.MediaPlayer2.*, label="*"), # DBus.Introspectable: allow introspection from gnome-shell dbus receive bus=session path=/ diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index c2dd3677f9..6c59152b50 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -11,6 +11,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -21,7 +22,6 @@ profile passimd @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.Passim path=/ - #aa:dbus talk bus=system name=org.freedesktop.Avahi.EntryGroup path=/ label=@{p_avahi_daemon} @{exec_path} mr, From 9f2f4de48b089bb64c20fbb007f83b92258ab712 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 00:31:33 +0100 Subject: [PATCH 1406/1736] fix(profile): directive orderring in boltd. --- apparmor.d/groups/freedesktop/boltd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index cf1539a8a2..48130a9a00 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -17,8 +17,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) { network netlink raw, - #aa:dbus own bus=system name=org.freedesktop.bolt #aa:dbus own bus=system name=org.freedesktop.bolt1 path=/org/freedesktop/bolt + #aa:dbus own bus=system name=org.freedesktop.bolt @{exec_path} mr, From 310915ca7f4249a897870156a92943f10c7f210d Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 26 Feb 2026 09:53:46 +0000 Subject: [PATCH 1407/1736] (feat): minor tweaks --- apparmor.d/groups/browsers/brave | 2 ++ apparmor.d/groups/hyprland/hyprland | 1 + apparmor.d/groups/virt/libvirtd | 7 +++++++ apparmor.d/groups/xfce/thunar-volman | 2 +- apparmor.d/profiles-g-l/kmod | 2 ++ 5 files changed, 13 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 4c38e0ce5d..3b5156b555 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -24,6 +24,8 @@ profile brave @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 + ptrace trace peer=brave, + @{exec_path} mrix, @{bin}/man rPUx, # For "brave --help" diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 8c42d5b6d5..1d6c4697cc 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -29,6 +29,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { /usr/share/hypr{,land}/{,*} r, /usr/share/libinput/{,*} r, + /usr/share/file/misc/magic.mgc r, /etc/os-release r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 944805d861..9113436946 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -305,6 +305,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/iommufd/initstate r, + @{sys}/module/irqbypass/initstate r, + @{sys}/module/vfio/initstate r, + include if exists } diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 4405d4d003..2f5b298c3d 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/thunar-volman -profile thunar-volman @{exec_path} { +profile thunar-volman @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 5a77c4cf68..3495865e30 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -62,6 +62,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, + @{PROC}/kallsyms r, + /dev/tty@{u8} rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 3f434274632b1810edd0b65a1419dc3994c18043 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 16:00:38 +0100 Subject: [PATCH 1408/1736] feat(abs): improve core dbus abs again. --- .../abstractions/bus/session/org.gtk.Actions | 14 +++++++++----- .../bus/system/org.cups.cupsd.Notifier | 2 +- .../bus/system/org.freedesktop.UDisks2 | 12 ++++++++++++ .../bus/system/org.freedesktop.UPower | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 5 +++++ .../groups/gnome/gnome-extension-gsconnect | 10 ++++++++++ apparmor.d/groups/gnome/nautilus | 5 ----- apparmor.d/groups/network/NetworkManager | 17 ----------------- 8 files changed, 38 insertions(+), 29 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions index 986c028052..5a6edc3ad1 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Actions +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -4,19 +4,23 @@ abi , + # DBus.Properties: read properties from the interface + dbus receive bus=session interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=@{busname}, label=gnome-shell), - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState}, + # org.gtk.Application dbus send bus=session + interface=org.gtk.Application + member={CommandLine,DescribeAll} + peer=(label=@{profile_name}), + + dbus receive bus=session interface=org.gtk.Actions - member=DescribeAll - peer=(name=org.gnome.Nautilus), + member={Activate,DescribeAll,SetState}, dbus send bus=session interface=org.gtk.Actions diff --git a/apparmor.d/abstractions/bus/system/org.cups.cupsd.Notifier b/apparmor.d/abstractions/bus/system/org.cups.cupsd.Notifier index ffc5e6f482..154a28a855 100644 --- a/apparmor.d/abstractions/bus/system/org.cups.cupsd.Notifier +++ b/apparmor.d/abstractions/bus/system/org.cups.cupsd.Notifier @@ -6,7 +6,7 @@ dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=ServerStarted + member={ServerStarted,ServerStopped} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=system path=/org/cups/cupsd/Notifier diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 index 4c6ba8c590..3ecbf11d4b 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 @@ -54,6 +54,18 @@ member=Completed peer=(label=udisksd), + # UDisks2.Manager + + dbus send bus=system path=/org/freedesktop/UDisks2/Manager + interface=org.freedesktop.UDisks2.Manager + member=Can* + peer=(label=udisksd), + + dbus send bus=system path=/org/freedesktop/UDisks2/Manager + interface=org.freedesktop.UDisks2.Manager + member=EnableModule + peer=(label=udisksd), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower index 78baaf1b7e..92ad15f1e2 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -43,7 +43,7 @@ peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.DBus.Properties + interface=org.freedesktop.UPower member={GetDisplayDevice,GetCriticalAction} peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 31f8fcba30..05fdc40af9 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -57,6 +57,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { member={*Session,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mrix, @{bin}/gnome-keyring-daemon rPx, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 63e9aaa063..fa3d44cbdf 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -44,6 +44,16 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { member=BecomeMonitor peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}), + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}), + dbus eavesdrop bus=session, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 9fe8071956..8d7b03e094 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -71,11 +71,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.Application member=Open, - dbus send bus=session path=/org/gnome/Nautilus - interface=org.gtk.Application - member={CommandLine,DescribeAll} - peer=(name=org.gnome.Nautilus, label=nautilus), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 4533295150..28c08c273a 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -47,23 +47,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}), - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=gnome-control-center), - - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=nm-online), - dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action2 From dcc343ca7a1e4fdcc407ba5e6d4abd3b1f9c149d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Feb 2026 22:52:34 +0100 Subject: [PATCH 1409/1736] tests(autopkgtest): update workflow to last changes. --- Justfile | 2 +- dists/docker.sh | 2 +- pkg/prebuild/cli/cli.go | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Justfile b/Justfile index 6dac571e64..fe3ad1845c 100644 --- a/Justfile +++ b/Justfile @@ -515,7 +515,7 @@ autopkgtest osinfo: autopkgtest-update dist release: just up {{dist}}{{release}} test || true just package {{dist}} {{release}} test - scp {{sshopt}} {{pkgdest}}/{{dist}}/{{release}}/{{pkgname}}_*.deb \ + scp {{sshopt}} {{pkgdest}}/{{pkgname}}_*.deb \ {{username}}@`just _get_ip {{dist}}{{release}} test`:/home/{{username}}/Projects/ ssh {{sshopt}} {{username}}@`just _get_ip {{dist}}{{release}} test` \ sudo dpkg -i /home/{{username}}/Projects/{{pkgname}}_*.deb diff --git a/dists/docker.sh b/dists/docker.sh index 595bf0de89..5ce985bde4 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -82,7 +82,7 @@ build_in_docker_dpkg() { # Adjustments for test flavor if [[ "$FLAVOR" == "test" ]]; then - sed -i -e "s/just complain/just complain-test/" "$VOLUME/$PKGNAME/debian/rules" + sed -i -e "s;just build=.build/complain complain;just build=.build/complain complain-test;" "$VOLUME/$PKGNAME/debian/rules" fi if _exist "$img"; then diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index e21704ea7e..5767e06726 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -203,11 +203,11 @@ func Configure(r *runtime.Runners) *runtime.Runners { func Prebuild(r *runtime.Runners) { logging.Step("Building apparmor.d profiles for %s", tasks.Distribution) - logging.Success("AppArmor ABI targeted: %d", r.ABI) - logging.Success("AppArmor version targeted: %.1f", r.Version) if r.Test { logging.Warning("Test mode enabled") } + logging.Success("AppArmor ABI targeted: %d", r.ABI) + logging.Success("AppArmor version targeted: %.1f", r.Version) if fsp { logging.Success("Full system policy enabled") } From bc05290e2b656133480a2de9e41878f0a209bab8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 00:17:47 +0100 Subject: [PATCH 1410/1736] feat(profile): minor profile update. --- apparmor.d/groups/apt/apt-cache | 2 +- .../freedesktop/xdg-desktop-portal-gnome | 2 ++ apparmor.d/groups/gnome/deja-dup-monitor | 6 +--- apparmor.d/groups/gnome/gjs | 16 ++++++++-- apparmor.d/groups/gnome/gnome-control-center | 4 +++ apparmor.d/groups/gnome/gnome-initial-setup | 32 ++++++++++++------- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/grub/grub-editenv | 8 +++++ apparmor.d/groups/network/NetworkManager | 5 +-- apparmor.d/groups/network/netplan-generate | 7 +++- apparmor.d/groups/polkit/polkitd | 1 + apparmor.d/groups/procps/htop | 3 ++ apparmor.d/groups/snap/snap-update-ns | 2 ++ apparmor.d/groups/snap/snapd | 1 + .../systemd-generator-ds-identify | 2 ++ apparmor.d/groups/systemd/systemd-resolved | 2 +- .../groups/virt/cockpit-certificate-helper | 3 +- apparmor.d/profiles-a-f/claude | 9 ++++++ apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/multipathd | 1 + apparmor.d/profiles-s-z/spice-vdagent | 1 + apparmor.d/profiles-s-z/whoopsie-preferences | 6 +--- 22 files changed, 85 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index afd34f7e5d..ea6eb2fa27 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -23,7 +23,7 @@ profile apt-cache @{exec_path} { /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, - /var/cache/apt/ r, + /var/cache/apt/ rw, /var/cache/apt/** rwk, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ef6015157a..366ea10412 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -30,6 +30,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.FileChooser path=/org/freedesktop/portal/desktop #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -66,6 +67,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, + /snap/*/@{uid}/**.@{icon_ext} r, /var/lib/flatpak/app/*/@{arch}/ r, /var/lib/flatpak/repo/config r, /var/lib/flatpak/runtime/*/@{arch}/ r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 748ca94966..58dee447f9 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -28,14 +28,10 @@ profile deja-dup-monitor @{exec_path} { #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup - dbus send bus=session path=/org/gnome/DejaDup - interface=org.gtk.Actions - member=Activate - peer=(name=org.gnome.DejaDup), dbus receive bus=session path=/org/gnome/DejaDup interface=org.gtk.Actions member=Changed - peer=(name=@{busname}, label=unconfined), + peer=(name=@{busname}, label=deja-dup), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index da09e51a49..3071d0304d 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -37,13 +37,13 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include # Only needed by gnome-extension-ding - include include include include include include include + include network netlink raw, @@ -64,14 +64,23 @@ profile gjs @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus* peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - #aa:dbus own bus=session name=org.gnome.Shell.Screencast + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.ArchiveManager1 label=file-roller - #aa:dbus own bus=session name=org.freedesktop.Notifications + # Only needed by org.gnome.ScreenSaver #aa:dbus own bus=session name=org.gnome.ScreenSaver + + # Only needed by org.gnome.Shell.Extensions #aa:dbus own bus=session name=org.gnome.Shell.Extensions + + # Only needed by org.gnome.Shell.Notifications #aa:dbus own bus=session name=org.gnome.Shell.Notifications + # Only needed by org.gnome.Shell.Screencast + #aa:dbus own bus=session name=org.gnome.Shell.Screencast + @{exec_path} mrix, # gnome-extension-ding @@ -115,6 +124,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b9ced7f175..22cf2d666d 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -123,6 +123,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/machine-info r, /etc/rygel.conf r, + /etc/xdg/autostart/ r, + /etc/xdg/autostart/*.desktop r, /etc/fstab r, /etc/machine-id r, @@ -132,6 +134,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /var/cache/samba/ rw, /var/lib/AccountsService/icons/* r, + /usr/share/snapd/*.svg r, + / r, owner @{HOME}/.cat_installer/ca.pem r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index e21e2a752a..21ced2481b 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -17,6 +17,7 @@ profile gnome-initial-setup @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -26,6 +27,12 @@ profile gnome-initial-setup @{exec_path} { #aa:dbus own bus=session name=org.gnome.InitialSetup + #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell + + #aa:only ubuntu + #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences + + #aa:only ubuntu dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager interface=org.freedesktop.DBus.Properties member=Get @@ -33,20 +40,22 @@ profile gnome-initial-setup @{exec_path} { @{exec_path} mr, - @{bin}/df rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/locale rix, - @{bin}/lsb_release rPx, - @{bin}/lscpu rPx, - @{bin}/lspci rPx, - @{bin}/systemd-detect-virt rPx, - @{bin}/ubuntu-advantage rPx, - @{bin}/xrandr rPx, + @{bin}/df Px, + @{bin}/dpkg Px -> child-dpkg, #aa:only apt + @{bin}/locale rix, + @{bin}/lsb_release Px, + @{bin}/lsblk Px, + @{bin}/lscpu Px, + @{bin}/lspci Px, + @{bin}/systemd-detect-virt Px, + @{bin}/ubuntu-advantage Px, #aa:only ubuntu + @{bin}/xrandr Px, @{lib}/gnome-initial-setup-goa-helper rix, @{ldd_path} rix, /usr/share/gnome-initial-setup/{,**} r, + /usr/share/thumbnailers/{,**} r, /usr/share/xml/iso-codes/{,**} r, @{etc_ro}/security/pwquality.conf r, @@ -58,8 +67,8 @@ profile gnome-initial-setup @{exec_path} { /var/log/installer/telemetry r, #aa:only ubuntu #aa:only ubuntu - owner @{user_cache_dirs}/ubuntu-report/ rw, - owner @{user_cache_dirs}/ubuntu-report/* rw, + owner @{user_cache_dirs}/ubuntu-report/{,**} rw, + owner @{user_cache_dirs}/ubuntu-insights/{,**} rw, owner @{user_config_dirs}/gnome-initial-setup-done w, owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw, @@ -85,6 +94,7 @@ profile gnome-initial-setup @{exec_path} { @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 22946f7ae6..3feaa1f8fc 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -428,6 +428,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index e827ff93c9..8996d165d6 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -10,12 +10,20 @@ include profile grub-editenv @{exec_path} { include include + include + + capability sys_admin, @{exec_path} mr, @{efi}/grub/grubenv rw, @{efi}/grub/grubenv.new rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/devices r, + + /dev/mapper/control rw, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 28c08c273a..2d3af3c771 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -78,10 +78,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sbin}/nft rix, @{sbin}/xtables-legacy-multi rix, - @{sbin}/dnsmasq rPx, @{bin}/kmod rCx -> kmod, @{bin}/netconfig rPUx, - @{sbin}/resolvconf rPx, @{bin}/resolvectl rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @@ -92,6 +90,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, + @{lib}/netplan/configure rPx, + @{sbin}/dnsmasq rPx, + @{sbin}/resolvconf rPx, /usr/share/netplan/netplan.script rPx, @{lib}/netplan/@{int2}-network-manager-all.yaml w, diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 64bc431823..dd7b05c94e 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/netplan/generate +@{exec_path} = @{lib}/netplan/generate @{lib}/netplan/configure profile netplan-generate @{exec_path} flags=(attach_disconnected) { include include @@ -31,6 +31,11 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, + @{run}/systemd/generator.late/*.service.d/ w, + @{run}/systemd/generator.late/*.service.d/*netplan.conf* rw, + @{run}/systemd/generator.late/netplan-* rw, + @{run}/systemd/generator.late/systemd-networkd.service.wants/ w, + @{run}/systemd/generator.late/systemd-networkd.service.wants/netplan-*.service rw, @{run}/systemd/generator/multi-user.target.wants/ w, @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w, @{run}/systemd/generator/netplan.stamp w, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 7517ad5e48..6776fedd5f 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -49,6 +49,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { # Vendor rules /usr/share/polkit-1/rules.d/ r, /usr/share/polkit-1/rules.d/*.rules r, + /usr/share/polkit-1/rules.d/*.rules.example r, # Vendor policies /usr/share/polkit-1/actions/ r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 7da2462d1d..416686e61f 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -76,6 +76,7 @@ profile htop @{exec_path} flags=(attach_disconnected) { @{PROC}/ r, @{PROC}/diskstats r, @{PROC}/loadavg r, + @{PROC}/locks r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @@ -123,6 +124,8 @@ profile htop @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, owner @{PROC}/@{pid}/cpuset r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/smaps_rollup r, /dev/tty@{u8} rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 30f52ae175..9ae71af494 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -72,10 +72,12 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, + @{sys}/fs/cgroup/system.slice/snapd.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/cmdline r, @{PROC}/version r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index ef8c124bf0..e0e7a0213f 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -165,6 +165,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/*.slice/{,**/} r, @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/system.slice/snapd.service/cpu.max r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify index daa877efe4..f4c679f13e 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify @@ -28,6 +28,8 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/{,.}ds-identify.* rw, @{run}/cloud-init/cloud.cfg rw, + @{sys}/class/*/ r, + @{sys}/devices/**/name r, @{sys}/devices/virtual/dmi/id/chassis_asset_tag r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_serial r, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index da30097baa..79ef0a85ee 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -11,10 +11,10 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { include include include + include include include include - include capability net_bind_service, capability net_raw, diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index 303fd074c7..6cd122a7f9 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cockpit/cockpit-certificate-helper profile cockpit-certificate-helper @{exec_path} { include + include include @{exec_path} mr, @@ -25,7 +26,7 @@ profile cockpit-certificate-helper @{exec_path} { @{bin}/tr rix, /etc/machine-id r, - /etc/cockpit/ws-certs.d/* w, + /etc/cockpit/ws-certs.d/* rw, owner @{run}/cockpit/certificate-helper/{,**} rw, diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 469aeebf4a..0737969e15 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -115,6 +115,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/vm/mmap_min_addr r, @{PROC}/version r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, @@ -225,9 +226,17 @@ profile claude @{exec_path} flags=(attach_disconnected) { profile ssh { include include + include @{bin}/ssh mr, + owner @{user_projects_dirs}/**/ssh/{,*} r, + owner @{user_projects_dirs}/**/config r, + + owner @{PROC}/@{pid}/fd/ r, + + deny owner @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk, + include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 8ab846b710..4da0cc82f5 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -48,6 +48,7 @@ profile initramfs-hooks @{exec_path} { /usr/share/*/ r, /usr/share/*/initramfs/{,**} r, /usr/share/initramfs-tools/{,**} r, + /usr/share/pixmaps/*.png r, /usr/share/plymouth/{,**} r, /etc/console-setup/{,**} r, diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index a4e419d976..e146395884 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -35,6 +35,7 @@ profile multipathd @{exec_path} { @{sys}/bus/ r, @{sys}/class/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/platform/**/recovery_tmo w, @{PROC}/devices r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index f1c4d0da0d..9bb084a8cd 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -18,6 +18,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences index 6665c8fbb2..200653f0db 100644 --- a/apparmor.d/profiles-s-z/whoopsie-preferences +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -10,17 +10,13 @@ include profile whoopsie-preferences @{exec_path} { include include + include include capability net_admin, #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=polkitd), - @{exec_path} mr, @{bin}/systemctl Cx -> systemctl, From 3261bb028f0e9bcd346bf8f14986a714436e500d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 11:28:39 +0100 Subject: [PATCH 1411/1736] build: sudo-rs replace sudo on recent Ubuntu. --- apparmor.d/abstractions/app/sudo-rs | 2 ++ apparmor.d/profiles-s-z/su-rs | 26 ++++++++++++++++++++++++++ apparmor.d/profiles-s-z/sudo-rs | 5 +++++ cmd/prebuild/main.go | 4 ++-- pkg/configure/configure.go | 7 +++++++ 5 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/profiles-s-z/su-rs diff --git a/apparmor.d/abstractions/app/sudo-rs b/apparmor.d/abstractions/app/sudo-rs index 987dc3732c..c20a9c358c 100644 --- a/apparmor.d/abstractions/app/sudo-rs +++ b/apparmor.d/abstractions/app/sudo-rs @@ -37,6 +37,8 @@ /etc/machine-id r, + @{run}/systemd/io.systemd.Login rw, + owner @{run}/sudo-rs/ w, owner @{run}/sudo-rs/ts/ w, owner @{run}/sudo-rs/ts/@{uid} rwk, diff --git a/apparmor.d/profiles-s-z/su-rs b/apparmor.d/profiles-s-z/su-rs new file mode 100644 index 0000000000..e198ea9c9a --- /dev/null +++ b/apparmor.d/profiles-s-z/su-rs @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/su-rs @{lib}/cargo/bin/su + #aa:only ubuntu +@{exec_path} += @{bin}/su + +profile su-rs @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sudo-rs b/apparmor.d/profiles-s-z/sudo-rs index bd4c2d985b..c8027cfdcf 100644 --- a/apparmor.d/profiles-s-z/sudo-rs +++ b/apparmor.d/profiles-s-z/sudo-rs @@ -7,6 +7,9 @@ abi , include @{exec_path} = @{bin}/sudo-rs @{lib}/cargo/bin/sudo + #aa:only ubuntu +@{exec_path} += @{bin}/sudo + profile sudo-rs @{exec_path} { include include @@ -26,6 +29,8 @@ profile sudo-rs @{exec_path} { @{lib}/** PUx, /opt/*/** PUx, /snap/snapd/@{int}@{bin}/snap rPUx, + @{user_bin_dirs}/** PUx, + @{user_share_dirs}/pipx/venvs/*/bin/* rPUx, include if exists } diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index b05e29a3d4..b5a60d09f5 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -38,9 +38,9 @@ func configInit() *tasks.TaskConfig { c.Version = 4.0 case "questing": c.ABI = 4 - c.Version = 5.0 + c.Version = 4.0 case "resolute": - c.ABI = 4 + c.ABI = 5 c.Version = 5.0 } diff --git a/pkg/configure/configure.go b/pkg/configure/configure.go index a74358a6d8..f668076ca5 100644 --- a/pkg/configure/configure.go +++ b/pkg/configure/configure.go @@ -97,6 +97,13 @@ func (p Configure) Apply() ([]string, error) { "free", "nslookup", } + // Ubuntu uses sudo-rs as sudo implementation. + if tasks.Distribution == "ubuntu" { + remove = append(remove, + "su", // su-rs is the new su + "sudo", // sudo-rs is the new sudo + ) + } if err := p.removeFiles(remove); err != nil { return res, err } From cbf3a7c41c75be8434c7e8fae91025a1e7dc8c46 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 15:45:09 +0100 Subject: [PATCH 1412/1736] test(cloud-init): debian: ensure the desktop kernel is really installed on desktop VM. --- tests/cloud-init/debian.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index c035f86ea6..1a7d701b8c 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -90,7 +90,10 @@ desktop-runcmd: &desktop-runcmd - systemctl enable systemd-journald-audit.socket # Install the default kernel and remove the cloud one - - apt install linux-image-amd64 linux-headers-amd64 - - apt remove --purge linux-image-$(uname -r) - - apt autoremove --purge - - update-grub + - | + export DEBIAN_FRONTEND=noninteractive + apt install -y linux-image-amd64 linux-headers-amd64 + echo "linux-image-$(uname -r) linux-image-$(uname -r)/prerm/removing-running-kernel boolean false" | debconf-set-selections + apt remove -y --purge linux-image-$(uname -r) + apt autoremove -y --purge + update-grub From 306d8ed9e3ebd73742ce30c81804ea59deba5750 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 15:46:13 +0100 Subject: [PATCH 1413/1736] tests(packer): ensure the user is part of the admin group. --- tests/cloud-init/common.yml | 1 + tests/packer/builds.pkr.hcl | 2 ++ 2 files changed, 3 insertions(+) diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml index 28ce9f1481..180460ef05 100644 --- a/tests/cloud-init/common.yml +++ b/tests/cloud-init/common.yml @@ -7,6 +7,7 @@ users: - name: ${username} plain_text_passwd: ${password} shell: /bin/bash + groups: ["${group}"] ssh_authorized_keys: - ${ssh_key} lock_passwd: false diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index ed71819ad7..6d8ab6d474 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -5,6 +5,7 @@ locals { name = "${var.prefix}${var.dist}${var.release}-${var.flavor}" osinfo = "${var.dist}${var.release}" + group = contains(["debian", "ubuntu"], var.dist) ? "sudo" : "wheel" } source "qemu" "default" { @@ -40,6 +41,7 @@ source "qemu" "default" { password = var.password ssh_key = file(var.ssh_publickey) hostname = regex_replace(local.name, "\\.", "") + group = local.group } ), file("${path.cwd}/tests/cloud-init/${regex_replace(local.osinfo, "[0-9.]*$", "")}.yml"), From e1d9c8e35c0d06b24bb60aea6de20ef3b6a4c529 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 17:57:22 +0100 Subject: [PATCH 1414/1736] test(packer): better aliases, cleanup pkg install. --- tests/packer/init.sh | 5 ----- tests/packer/src/.bash_aliases | 6 +++--- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index d6a04ebc60..91fc1c85b0 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -27,11 +27,6 @@ main() { ;; debian | ubuntu) - if [[ $VERSION_ID == "24.04" || $VERSION_ID == 12 ]]; then - apt-get purge -y just || true - sudo -u "$SUDO_USER" pipx install rust-just - sudo -u "$SUDO_USER" pipx ensurepath - fi if dpkg-vendor --is Ubuntu; then suffix="ubuntu1~$(lsb_release -sr)" elif dpkg-vendor --is Debian; then diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 2580556fd7..8a11708b3f 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -14,9 +14,9 @@ alias c='clear' alias du='du -hs' alias l='ll -h' alias ll='ls -alFh' -alias p="ps auxZ | grep -v '\[.*\]'" -alias pf="ps auxfZ | grep -v '\[.*\]'" -alias pu="ps auxZ | grep -v '\[.*\]' | grep unconfined" +alias p="LIBPROC_HIDE_KERNEL=1 ps auxZ" +alias pf="LIBPROC_HIDE_KERNEL=1 ps auxfZ" +alias pu="LIBPROC_HIDE_KERNEL=1 ps auxZ | grep unconfined" alias u='up 1' alias uu='up 2' alias uuu='up 3' From 74afc1e837eb8dbd889e54ab0c61a48ce1ba67f5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 20:05:53 +0100 Subject: [PATCH 1415/1736] feat(abs): various dbus improvments. --- .../bus/session/org.freedesktop.Notifications | 9 +++- .../bus/system/org.freedesktop.GeoClue2 | 45 ++++++++++++++++--- .../bus/system/org.freedesktop.UDisks2 | 6 +-- apparmor.d/abstractions/gnome-base | 1 + apparmor.d/groups/polkit/polkit-agent-helper | 7 ++- 5 files changed, 56 insertions(+), 12 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index b47b766520..c5b520f224 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -4,7 +4,14 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}" + # DBus.Introspectable: allow clients to introspect the service + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label="@{pp_notification}"), + + # org.freedesktop.Notifications dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 index 32998be15a..b697137f94 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 @@ -4,27 +4,58 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + # DBus.Properties: read properties from the interface dbus send bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.GeoClue2.Manager - member=AddAgent - peer=(name="@{busname}", label="@{p_geoclue}"), + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_geoclue}"), + + dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_geoclue}"), + + # DBus.Properties: receive property changed events + + dbus receive bus=system path=/org/freedesktop/GeoClue2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_geoclue}"), + + dbus receive bus=system path=/org/freedesktop/GeoClue2/Client/@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_geoclue}"), + + dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label="@{p_geoclue}"), + + # DBus.Properties: allow clients to set properties dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} interface=org.freedesktop.DBus.Properties member=Set - peer=(name=@{busname}, label=geoclue), + peer=(name=@{busname}, label="@{p_geoclue}"), + + # GeoClue2 + + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager + interface=org.freedesktop.GeoClue2.Manager + member=AddAgent + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} interface=org.freedesktop.GeoClue2.Client member=Start - peer=(name=@{busname}, label=geoclue), + peer=(name=@{busname}, label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member={GetClient,DeleteClient} - peer=(name=@{busname}, label=geoclue), + peer=(name=@{busname}, label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 index 3ecbf11d4b..50fd9f606a 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UDisks2 @@ -6,12 +6,12 @@ # DBus.Properties: read properties from the interface - dbus send bus=system path=/ + dbus send bus=system path=/{,/org/freedesktop/UDisks2} interface=org.freedesktop.DBus.Properties - member=Get + member={Get,GetAll} peer=(label=udisksd), - dbus send bus=system path=/org/freedesktop/UDisks2/Manager + dbus send bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(label=udisksd), diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index 87d39879c5..c7bc3db752 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -7,6 +7,7 @@ abi , include + include include dbus send bus=system path=/org/freedesktop/DBus diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 5c87e843d5..086ee87781 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -40,9 +40,14 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=AuthenticationAgentResponse2 + member=AuthenticationAgentResponse{2,3} peer=(name=@{busname}, label="@{p_polkitd}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label=systemd-homed), + @{exec_path} mr, #aa:only apparmor>=4.1 From 038d178079a8d1507d05324fba1dddf92422e0b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 20:25:23 +0100 Subject: [PATCH 1416/1736] refractor(aa): rename j2 template to gotmpl. --- pkg/aa/template.go | 6 +++--- pkg/aa/templates/{apparmor.j2 => apparmor.gotmpl} | 0 pkg/aa/templates/{condition.j2 => condition.gotmpl} | 0 pkg/aa/templates/{hat.j2 => hat.gotmpl} | 0 pkg/aa/templates/{profile.j2 => profile.gotmpl} | 0 pkg/aa/templates/rule/{abi.j2 => abi.gotmpl} | 0 pkg/aa/templates/rule/{alias.j2 => alias.gotmpl} | 0 pkg/aa/templates/rule/{all.j2 => all.gotmpl} | 0 pkg/aa/templates/rule/{boolean.j2 => boolean.gotmpl} | 0 pkg/aa/templates/rule/{capability.j2 => capability.gotmpl} | 0 .../rule/{change_profile.j2 => change_profile.gotmpl} | 0 pkg/aa/templates/rule/{comment.j2 => comment.gotmpl} | 0 pkg/aa/templates/rule/{dbus.j2 => dbus.gotmpl} | 0 pkg/aa/templates/rule/{file.j2 => file.gotmpl} | 0 pkg/aa/templates/rule/{include.j2 => include.gotmpl} | 0 pkg/aa/templates/rule/{io_uring.j2 => io_uring.gotmpl} | 0 pkg/aa/templates/rule/{mount.j2 => mount.gotmpl} | 0 pkg/aa/templates/rule/{mqueue.j2 => mqueue.gotmpl} | 0 pkg/aa/templates/rule/{network.j2 => network.gotmpl} | 0 pkg/aa/templates/rule/{pivot_root.j2 => pivot_root.gotmpl} | 0 pkg/aa/templates/rule/{ptrace.j2 => ptrace.gotmpl} | 0 pkg/aa/templates/rule/{qualifier.j2 => qualifier.gotmpl} | 0 pkg/aa/templates/rule/{rlimit.j2 => rlimit.gotmpl} | 0 pkg/aa/templates/rule/{signal.j2 => signal.gotmpl} | 0 pkg/aa/templates/rule/{unix.j2 => unix.gotmpl} | 0 pkg/aa/templates/rule/{userns.j2 => userns.gotmpl} | 0 pkg/aa/templates/rule/{variable.j2 => variable.gotmpl} | 0 pkg/aa/templates/{rules.j2 => rules.gotmpl} | 0 28 files changed, 3 insertions(+), 3 deletions(-) rename pkg/aa/templates/{apparmor.j2 => apparmor.gotmpl} (100%) rename pkg/aa/templates/{condition.j2 => condition.gotmpl} (100%) rename pkg/aa/templates/{hat.j2 => hat.gotmpl} (100%) rename pkg/aa/templates/{profile.j2 => profile.gotmpl} (100%) rename pkg/aa/templates/rule/{abi.j2 => abi.gotmpl} (100%) rename pkg/aa/templates/rule/{alias.j2 => alias.gotmpl} (100%) rename pkg/aa/templates/rule/{all.j2 => all.gotmpl} (100%) rename pkg/aa/templates/rule/{boolean.j2 => boolean.gotmpl} (100%) rename pkg/aa/templates/rule/{capability.j2 => capability.gotmpl} (100%) rename pkg/aa/templates/rule/{change_profile.j2 => change_profile.gotmpl} (100%) rename pkg/aa/templates/rule/{comment.j2 => comment.gotmpl} (100%) rename pkg/aa/templates/rule/{dbus.j2 => dbus.gotmpl} (100%) rename pkg/aa/templates/rule/{file.j2 => file.gotmpl} (100%) rename pkg/aa/templates/rule/{include.j2 => include.gotmpl} (100%) rename pkg/aa/templates/rule/{io_uring.j2 => io_uring.gotmpl} (100%) rename pkg/aa/templates/rule/{mount.j2 => mount.gotmpl} (100%) rename pkg/aa/templates/rule/{mqueue.j2 => mqueue.gotmpl} (100%) rename pkg/aa/templates/rule/{network.j2 => network.gotmpl} (100%) rename pkg/aa/templates/rule/{pivot_root.j2 => pivot_root.gotmpl} (100%) rename pkg/aa/templates/rule/{ptrace.j2 => ptrace.gotmpl} (100%) rename pkg/aa/templates/rule/{qualifier.j2 => qualifier.gotmpl} (100%) rename pkg/aa/templates/rule/{rlimit.j2 => rlimit.gotmpl} (100%) rename pkg/aa/templates/rule/{signal.j2 => signal.gotmpl} (100%) rename pkg/aa/templates/rule/{unix.j2 => unix.gotmpl} (100%) rename pkg/aa/templates/rule/{userns.j2 => userns.gotmpl} (100%) rename pkg/aa/templates/rule/{variable.j2 => variable.gotmpl} (100%) rename pkg/aa/templates/{rules.j2 => rules.gotmpl} (100%) diff --git a/pkg/aa/template.go b/pkg/aa/template.go index ddb58bbaad..ddd74fc24e 100644 --- a/pkg/aa/template.go +++ b/pkg/aa/template.go @@ -18,8 +18,8 @@ var ( // The current indentation level IndentationLevel = 0 - //go:embed templates/*.j2 - //go:embed templates/rule/*.j2 + //go:embed templates/*.gotmpl + //go:embed templates/rule/*.gotmpl tmplFiles embed.FS // The functions available in the template @@ -151,7 +151,7 @@ func generateTemplates(names []Kind) map[Kind]*template.Template { res := make(map[Kind]*template.Template, len(names)) base := template.New("").Funcs(tmplFunctionMap) base = template.Must(base.ParseFS(tmplFiles, - "templates/*.j2", "templates/rule/*.j2", + "templates/*.gotmpl", "templates/rule/*.gotmpl", )) for _, name := range names { t := template.Must(base.Clone()) diff --git a/pkg/aa/templates/apparmor.j2 b/pkg/aa/templates/apparmor.gotmpl similarity index 100% rename from pkg/aa/templates/apparmor.j2 rename to pkg/aa/templates/apparmor.gotmpl diff --git a/pkg/aa/templates/condition.j2 b/pkg/aa/templates/condition.gotmpl similarity index 100% rename from pkg/aa/templates/condition.j2 rename to pkg/aa/templates/condition.gotmpl diff --git a/pkg/aa/templates/hat.j2 b/pkg/aa/templates/hat.gotmpl similarity index 100% rename from pkg/aa/templates/hat.j2 rename to pkg/aa/templates/hat.gotmpl diff --git a/pkg/aa/templates/profile.j2 b/pkg/aa/templates/profile.gotmpl similarity index 100% rename from pkg/aa/templates/profile.j2 rename to pkg/aa/templates/profile.gotmpl diff --git a/pkg/aa/templates/rule/abi.j2 b/pkg/aa/templates/rule/abi.gotmpl similarity index 100% rename from pkg/aa/templates/rule/abi.j2 rename to pkg/aa/templates/rule/abi.gotmpl diff --git a/pkg/aa/templates/rule/alias.j2 b/pkg/aa/templates/rule/alias.gotmpl similarity index 100% rename from pkg/aa/templates/rule/alias.j2 rename to pkg/aa/templates/rule/alias.gotmpl diff --git a/pkg/aa/templates/rule/all.j2 b/pkg/aa/templates/rule/all.gotmpl similarity index 100% rename from pkg/aa/templates/rule/all.j2 rename to pkg/aa/templates/rule/all.gotmpl diff --git a/pkg/aa/templates/rule/boolean.j2 b/pkg/aa/templates/rule/boolean.gotmpl similarity index 100% rename from pkg/aa/templates/rule/boolean.j2 rename to pkg/aa/templates/rule/boolean.gotmpl diff --git a/pkg/aa/templates/rule/capability.j2 b/pkg/aa/templates/rule/capability.gotmpl similarity index 100% rename from pkg/aa/templates/rule/capability.j2 rename to pkg/aa/templates/rule/capability.gotmpl diff --git a/pkg/aa/templates/rule/change_profile.j2 b/pkg/aa/templates/rule/change_profile.gotmpl similarity index 100% rename from pkg/aa/templates/rule/change_profile.j2 rename to pkg/aa/templates/rule/change_profile.gotmpl diff --git a/pkg/aa/templates/rule/comment.j2 b/pkg/aa/templates/rule/comment.gotmpl similarity index 100% rename from pkg/aa/templates/rule/comment.j2 rename to pkg/aa/templates/rule/comment.gotmpl diff --git a/pkg/aa/templates/rule/dbus.j2 b/pkg/aa/templates/rule/dbus.gotmpl similarity index 100% rename from pkg/aa/templates/rule/dbus.j2 rename to pkg/aa/templates/rule/dbus.gotmpl diff --git a/pkg/aa/templates/rule/file.j2 b/pkg/aa/templates/rule/file.gotmpl similarity index 100% rename from pkg/aa/templates/rule/file.j2 rename to pkg/aa/templates/rule/file.gotmpl diff --git a/pkg/aa/templates/rule/include.j2 b/pkg/aa/templates/rule/include.gotmpl similarity index 100% rename from pkg/aa/templates/rule/include.j2 rename to pkg/aa/templates/rule/include.gotmpl diff --git a/pkg/aa/templates/rule/io_uring.j2 b/pkg/aa/templates/rule/io_uring.gotmpl similarity index 100% rename from pkg/aa/templates/rule/io_uring.j2 rename to pkg/aa/templates/rule/io_uring.gotmpl diff --git a/pkg/aa/templates/rule/mount.j2 b/pkg/aa/templates/rule/mount.gotmpl similarity index 100% rename from pkg/aa/templates/rule/mount.j2 rename to pkg/aa/templates/rule/mount.gotmpl diff --git a/pkg/aa/templates/rule/mqueue.j2 b/pkg/aa/templates/rule/mqueue.gotmpl similarity index 100% rename from pkg/aa/templates/rule/mqueue.j2 rename to pkg/aa/templates/rule/mqueue.gotmpl diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.gotmpl similarity index 100% rename from pkg/aa/templates/rule/network.j2 rename to pkg/aa/templates/rule/network.gotmpl diff --git a/pkg/aa/templates/rule/pivot_root.j2 b/pkg/aa/templates/rule/pivot_root.gotmpl similarity index 100% rename from pkg/aa/templates/rule/pivot_root.j2 rename to pkg/aa/templates/rule/pivot_root.gotmpl diff --git a/pkg/aa/templates/rule/ptrace.j2 b/pkg/aa/templates/rule/ptrace.gotmpl similarity index 100% rename from pkg/aa/templates/rule/ptrace.j2 rename to pkg/aa/templates/rule/ptrace.gotmpl diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.gotmpl similarity index 100% rename from pkg/aa/templates/rule/qualifier.j2 rename to pkg/aa/templates/rule/qualifier.gotmpl diff --git a/pkg/aa/templates/rule/rlimit.j2 b/pkg/aa/templates/rule/rlimit.gotmpl similarity index 100% rename from pkg/aa/templates/rule/rlimit.j2 rename to pkg/aa/templates/rule/rlimit.gotmpl diff --git a/pkg/aa/templates/rule/signal.j2 b/pkg/aa/templates/rule/signal.gotmpl similarity index 100% rename from pkg/aa/templates/rule/signal.j2 rename to pkg/aa/templates/rule/signal.gotmpl diff --git a/pkg/aa/templates/rule/unix.j2 b/pkg/aa/templates/rule/unix.gotmpl similarity index 100% rename from pkg/aa/templates/rule/unix.j2 rename to pkg/aa/templates/rule/unix.gotmpl diff --git a/pkg/aa/templates/rule/userns.j2 b/pkg/aa/templates/rule/userns.gotmpl similarity index 100% rename from pkg/aa/templates/rule/userns.j2 rename to pkg/aa/templates/rule/userns.gotmpl diff --git a/pkg/aa/templates/rule/variable.j2 b/pkg/aa/templates/rule/variable.gotmpl similarity index 100% rename from pkg/aa/templates/rule/variable.j2 rename to pkg/aa/templates/rule/variable.gotmpl diff --git a/pkg/aa/templates/rules.j2 b/pkg/aa/templates/rules.gotmpl similarity index 100% rename from pkg/aa/templates/rules.j2 rename to pkg/aa/templates/rules.gotmpl From ce94eac020c1e994c6d5b7699ac2d0bd11c16fe2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 20:43:04 +0100 Subject: [PATCH 1417/1736] feat: enable glycin namespace on apparmor 5.0 Older version will remain on the child profile hack. See #996 #966 --- apparmor.d/abstractions/gtk-strict | 14 +++++++++++--- apparmor.d/abstractions/gtk.d/complete | 14 +++++++++++--- apparmor.d/groups/browsers/epiphany | 5 +++++ apparmor.d/groups/browsers/firefox | 5 +++-- apparmor.d/groups/children/glycin | 5 ++--- apparmor.d/groups/flatpak/fbwrap | 5 +++++ .../freedesktop/xdg-desktop-portal-validate-icon | 7 ++++++- apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 7 ++++++- apparmor.d/namespaces/glycin/bwrap | 1 - apparmor.d/profiles-a-f/foliate | 13 +++++++++---- apparmor.d/profiles-s-z/thunderbird | 7 +++---- 11 files changed, 61 insertions(+), 22 deletions(-) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index 62dcd7244c..2e77fd15a9 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -9,14 +9,22 @@ include include + #aa:only apparmor<5.0 unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=glycin, - - #aa:only apparmor>=4.1 priority=-1 @{bin}/bwrap Px -> glycin, + #aa:only apparmor>=5.0 + # Need to be allowed for all peer because from the host namespace we do not + # see the glycin namespace. This is showned by 'peer=(label=---)' in the logs. + # + # As of today, we cannot specify the ns scope and view of the peer. + # See: https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorPolicyView + unix (send receive) type=seqpacket, # peer=(label=---), # file_inherit + unix (send receive) type=stream, # peer=(label=---), # file_inherit + priority=-10 @{bin}/bwrap Px -> :glycin:bwrap, + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 0fc6c3f1cf..0f62599733 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -7,14 +7,22 @@ include include + #aa:only apparmor<5.0 unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=glycin, - - #aa:only apparmor>=4.1 priority=-1 @{bin}/bwrap Px -> glycin, + #aa:only apparmor>=5.0 + # Need to be allowed for all peer because from the host namespace we do not + # see the glycin namespace. This is showned by 'peer=(label=---)' in the logs. + # + # As of today, we cannot specify the ns scope and view of the peer. + # See: https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorPolicyView + unix (send receive) type=seqpacket, # peer=(label=---), # file_inherit + unix (send receive) type=stream, # peer=(label=---), # file_inherit + priority=-10 @{bin}/bwrap Px -> :glycin:bwrap, + @{lib}/{,@{multiarch}/}gtk*/** mr, /usr/share/glycin-loaders/{,**} r, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index b71dccb82c..5bb766c8c6 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -35,8 +35,13 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rix, @{lib}/epiphany/ephy-profile-migrator PUx, + + #aa:only apparmor<5.0 @{lib}/glycin-loaders/@{d}+/glycin-* Px -> epiphany//&glycin//loaders, + #aa:only apparmor>=5.0 + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> epiphany//&:glycin:loaders, + /usr/share/enchant*/{,**} r, owner @{HOME}/.ephy-download-@{rand6} rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 4cd08e7b6a..c9c1669890 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -16,7 +16,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile firefox @{exec_path} flags=(attach_disconnected) { include - include #aa:only apparmor>=4.1 + include #aa:only apparmor<5.0 include include include @@ -39,8 +39,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, - #aa:only apparmor>=4.1 + #aa:only apparmor<5.0 # glycin-loaders sandboxed profile stack + include @{bin}/bwrap Px -> firefox//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//loaders, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index a650ea9aad..cac18c592c 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -12,7 +12,7 @@ abi , include -profile glycin flags=(attach_disconnected,complain) { +profile glycin flags=(attach_disconnected) { include include @@ -29,7 +29,6 @@ profile glycin flags=(attach_disconnected,complain) { deny network inet6 dgram, deny network inet stream, deny network inet6 stream, - deny /usr/share/icons/** r, deny /usr/share/nvidia/** r, deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, @@ -38,7 +37,7 @@ profile glycin flags=(attach_disconnected,complain) { deny /dev/shm/** rw, deny /dev/dri/* rw, - profile loaders flags=(attach_disconnected,complain) { + profile loaders flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 2045b7c446..58c504237f 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -40,8 +40,13 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { @{sbin}/ldconfig Cx -> &fbwrap//ldconfig, @{bin}/xdg-dbus-proxy Px -> fbwrap//&xdg-dbus-proxy, + + #aa:only apparmor<5.0 priority=2 @{lib}/glycin-loaders/@{d}+/glycin-* Px -> fbwrap//&glycin//loaders, + #aa:only apparmor>=5.0 + priority=2 @{lib}/glycin-loaders/@{d}+/glycin-* Px -> fbwrap//&:glycin:loaders, + priority=1 /app/bin/** Px -> fbwrap//&fapp, priority=1 @{lib}/** Px -> fbwrap//&fapp, priority=1 @{HOME}/.var/app/@{appid}/** Px -> fbwrap//&fapp, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon index 5f4d702c52..766673d8b7 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon @@ -17,7 +17,12 @@ profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected @{exec_path} mrix, @{bin}/bwrap ix, - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> xdg-desktop-portal-validate-icon//bwrap//&glycin//loaders, + + #aa:only apparmor<5.0 + @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> foliate//&glycin//loaders, + + #aa:only apparmor>=5.0 + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> xdg-desktop-portal-validate-icon//&:glycin:loaders, owner @{tmp}/icon@{rand6} r, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index bc7b2cbc35..b9c1f23b12 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -17,7 +17,12 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { signal receive set=kill peer=nautilus, @{bin}/*-thumbnailer Cx -> &gnome-desktop-thumbnailers//thumbnailer, - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> gnome-desktop-thumbnailers//&glycin//loaders, + + #aa:only apparmor<5.0 + @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> gnome-desktop-thumbnailers//&glycin//loaders, + + #aa:only apparmor>=5.0 + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> gnome-desktop-thumbnailers//&:glycin:loaders, /usr/share/poppler/{,**} r, diff --git a/apparmor.d/namespaces/glycin/bwrap b/apparmor.d/namespaces/glycin/bwrap index 58f374d196..b15ab34e56 100644 --- a/apparmor.d/namespaces/glycin/bwrap +++ b/apparmor.d/namespaces/glycin/bwrap @@ -45,7 +45,6 @@ profile :glycin:bwrap flags=(attach_disconnected) { deny network inet6 dgram, deny network inet stream, deny network inet6 stream, - priority=-1 deny /usr/share/** r, deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, deny /opt/*/** rw, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index 4445d62ef3..a95c7dc8ea 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -29,12 +29,17 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bwrap rix, - @{bin}/gjs-console rix, - @{bin}/speech-dispatcher rPx, - @{open_path} rPx -> child-open-help, + @{bin}/bwrap rix, + @{bin}/gjs-console rix, + @{bin}/speech-dispatcher Px, + @{open_path} Px -> child-open-help, + + #aa:only apparmor<5.0 @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> foliate//&glycin//loaders, + #aa:only apparmor>=5.0 + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> foliate//&:glycin:loaders, + /usr/share/com.github.johnfactotum.Foliate/{,**} r, owner @{user_books_dirs}/{,**} r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 561b242981..cead62dad2 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -15,13 +15,10 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile thunderbird @{exec_path} flags=(attach_disconnected) { include - include #aa:only apparmor>=4.1 include include include - signal (send receive) set=kill peer=glycin//&thunderbird, - #aa:dbus own bus=session name=org.mozilla.thunderbird @{exec_path} mrix, @@ -29,8 +26,10 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, - #aa:only apparmor>=4.1 + #aa:only apparmor<5.0 # glycin-loaders sandboxed profile stack + include + signal (send receive) set=kill peer=glycin//&thunderbird, @{bin}/bwrap Px -> thunderbird//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//loaders, From fd716d317db654222150eb475cc287c15d8804b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 20:55:56 +0100 Subject: [PATCH 1418/1736] feat(profile): minor upgrade to various profiles. --- apparmor.d/groups/flatpak/flatpak-portal | 1 + apparmor.d/groups/freedesktop/plymouthd | 9 ++-- apparmor.d/groups/gnome/decibels | 3 +- apparmor.d/groups/gnome/gjs | 2 - apparmor.d/groups/gnome/gnome-boxes | 2 +- apparmor.d/groups/gnome/gnome-calculator | 2 + apparmor.d/groups/gnome/gnome-contacts | 2 +- apparmor.d/groups/gnome/gnome-control-center | 13 +---- apparmor.d/groups/gnome/gnome-maps | 4 +- apparmor.d/groups/gnome/gnome-shell | 3 +- apparmor.d/groups/gnome/gnome-software | 2 + apparmor.d/groups/gnome/gnome-tour | 2 +- apparmor.d/groups/gnome/yelp | 2 + apparmor.d/groups/gpg/gpg-agent | 4 ++ apparmor.d/groups/pacman/mkinitcpio | 1 + apparmor.d/groups/virt/virtstoraged | 7 ++- apparmor.d/profiles-a-f/borg | 3 +- apparmor.d/profiles-a-f/fwupdmgr | 5 +- apparmor.d/profiles-m-r/nvidia-smi | 2 + apparmor.d/profiles-m-r/packagekitd | 54 +++++++++++--------- apparmor.d/profiles-m-r/qemu-ga | 1 + apparmor.d/profiles-s-z/spotify | 2 - 22 files changed, 70 insertions(+), 56 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index d99d62f64f..ef12284709 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -40,6 +40,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /usr/share/xdg-desktop-portal/portals/{,*.portal} r, + / r, owner /att/**/ r, owner @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 139b8e557d..e5b292b3fd 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -25,11 +25,11 @@ profile plymouthd @{exec_path} { network netlink raw, - signal (send) peer=unconfined, - signal (send) set=(rtmin+23) peer=@{p_systemd}, - signal (send) set=(rtmin+23) peer=systemd-shutdown, + signal send peer=unconfined, + signal send set=(rtmin+23) peer=@{p_systemd}, + signal send set=(rtmin+23) peer=systemd-shutdown, - ptrace (read) peer=plymouth, + ptrace read peer=plymouth, unix type=stream addr="@/org/freedesktop/plymouthd", unix type=stream peer=(addr="@/org/freedesktop/plymouthd"), @@ -44,6 +44,7 @@ profile plymouthd @{exec_path} { /etc/vconsole.conf r, /var/lib/plymouth/{,**} rw, + /var/log/boot.log w, /var/log/plymouth-*.log w, @{run}/initramfs/usr/share/fonts/{,**} r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels index 2bb38dfd59..ff8a244634 100644 --- a/apparmor.d/groups/gnome/decibels +++ b/apparmor.d/groups/gnome/decibels @@ -7,11 +7,12 @@ abi , include @{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels -profile decibels @{exec_path} { +profile decibels @{exec_path} flags=(attach_disconnected) { include include include include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 3071d0304d..15112d40c1 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -129,8 +129,6 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - deny @{user_share_dirs}/gvfs-metadata/* r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index f3523d510b..d60a9b193f 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-boxes -profile gnome-boxes @{exec_path} { +profile gnome-boxes @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 3bbe854744..59ca8ac359 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -33,6 +33,8 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { /usr/share/p11-kit/modules/{,*} r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index 0c3d7db0e8..eb194299e0 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-contacts -profile gnome-contacts @{exec_path} { +profile gnome-contacts @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 22cf2d666d..b6c690204b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -86,7 +86,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tecla rPx, - @{bin}/bwrap rCx -> bwrap, + # glycin @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, @{bin}/passwd rPx, @@ -213,17 +213,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - profile bwrap flags=(attach_disconnected) { - include - include - - signal receive set=kill peer=gnome-control-center, - - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> gnome-control-center//bwrap//&glycin//loaders, - - include if exists - } - profile pkexec { include include diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 7058573910..de1a53018c 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-maps /usr/share/gnome-maps/org.gnome.Maps -profile gnome-maps @{exec_path} { +profile gnome-maps @{exec_path} flags=(attach_disconnected) { include include include @@ -24,7 +24,7 @@ profile gnome-maps @{exec_path} { @{open_path} rPx -> child-open-help, - audit @{bin}/gjs-console rix, + @{bin}/gjs-console r, owner @{user_pictures_dirs}/** rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 3feaa1f8fc..35575e2b72 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -477,8 +477,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace read peer=gnome-shell, - @{bin}/pkexec mr, - /usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx, @{bin}/batteryhealthchargingctl{,-@{user}} rPx, @@ -506,6 +504,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/** PUx, @{bin}/** PUx, + @{sbin}/** PUx, /opt/*/** PUx, /usr/share/*/** PUx, /usr/local/bin/** PUx, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 7adadb0809..cad0fdb49b 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -92,6 +92,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, + owner @{HOME}/.var/ rw, owner @{HOME}/.var/app/{,**} rw, owner @{user_download_dirs}/*.flatpakref r, @@ -126,6 +127,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) owner @{run}/user/@{uid}/.flatpak/{,**} rwl, owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk, owner @{run}/user/@{uid}/app/{,*/} rw, + owner @{run}/user/@{uid}/systemd/private rw, owner /dev/shm/flatpak-com.*/ rw, owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour index 8ae95f4a08..30fed1139e 100644 --- a/apparmor.d/groups/gnome/gnome-tour +++ b/apparmor.d/groups/gnome/gnome-tour @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-tour -profile gnome-tour @{exec_path} { +profile gnome-tour @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 3cf8cb2ec4..283004c153 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -15,6 +15,8 @@ profile yelp @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + network inet dgram, network inet stream, network inet6 dgram, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 8d754e8843..70f3acef2e 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -63,6 +63,10 @@ profile gpg-agent @{exec_path} { owner @{tmp}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{tmp}/**/{.,}gnupg/sshcontrol r, + owner /tmp/ostree-gpg-@{rand6}/{,*/}private-keys-v1.d/ rw, + owner /tmp/ostree-gpg-@{rand6}/{,*/}private-keys-v1.d/@{hex}.key rw, + owner /tmp/ostree-gpg-@{rand6}/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + #aa:only pacman owner /etc/pacman.d/gnupg/ rw, owner /etc/pacman.d/gnupg/*.conf r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 99f58de66a..12d7b71408 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -111,6 +111,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/fw_platform_size r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 74509f49b4..4c5eba7fb4 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -11,6 +11,8 @@ include @{exec_path} = @{bin}/virtstoraged profile virtstoraged @{exec_path} flags=(attach_disconnected) { include + include + include include capability dac_read_search, @@ -46,9 +48,10 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/common/ rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, - owner @{run}/user/@{uid}/libvirt/virtstoraged* w, - owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk, owner @{run}/user/@{uid}/libvirt/storage/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/virtstoraged-sock rw, + owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk, + owner @{run}/user/@{uid}/libvirt/virtstoraged* w, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/storage/{,**} rwk, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index e2f055abcb..d8a7e42272 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -27,13 +27,14 @@ profile borg @{exec_path} { @{exec_path} r, @{bin}/ r, - @{python_path} r, + @{python_path} rix, @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, @{bin}/ip rix, + @{bin}/gzip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 2a457f0a34..b4c220f813 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -12,9 +12,9 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include + include include capability sys_nice, @@ -64,6 +64,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { profile bus flags=(attach_disconnected) { include include + include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index d0618c379b..9be8571308 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -12,6 +12,8 @@ profile nvidia-smi @{exec_path} { include include + signal receive set=int peer=gnome-shell, # FIXME: shell extension only + @{exec_path} mr, @{PROC}/devices r, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index e639fb66ea..6cf6646819 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -42,9 +42,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, @{sh_path} rix, @{bin}/cp rix, @@ -52,37 +52,40 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/gdbus rix, @{bin}/gzip rix, @{bin}/id rix, - @{sbin}/ldconfig rix, + @{sbin}/ldconfig rix, # TODO: rCx @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, @{bin}/touch rix, - @{bin}/appstreamcli rPx, - @{bin}/fc-cache rPx, - @{bin}/glib-compile-schemas rPx, - @{bin}/install-info rPx, - @{bin}/ischroot rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-inhibit rPx, - @{bin}/update-desktop-database rPx, - @{lib}/cnf-update-db rPx, + @{bin}/appstreamcli Px, + @{bin}/fc-cache Px, + @{bin}/glib-compile-schemas Px, + @{bin}/install-info Px, + @{bin}/ischroot Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/systemd-inhibit Px, + @{bin}/update-desktop-database Px, + @{lib}/cnf-update-db Px, #aa:only pacman - @{bin}/arch-audit rPx, - /usr/share/libalpm/scripts/* rPx, + @{bin}/arch-audit Px, + /usr/share/libalpm/scripts/* Px, #aa:only apt - @{bin}/dpkg rPx -> child-dpkg, - @{lib}/apt/methods/* rPx, + @{bin}/apt-listchanges Px, + @{bin}/dpkg Px, + @{lib}/apt/methods/* Px, + @{lib}/needrestart/apt-pinvoke Px, + @{sbin}/dpkg-preconfigure Px, #aa:only opensuse - @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile - @{bin}/rpm rPUx, - @{bin}/rpmdb2solv rPUx, + @{lib}/zypp/plugins/appdata/InstallAppdata PUx, # TODO: write the profile + @{bin}/rpm PUx, + @{bin}/rpmdb2solv PUx, #aa:only ubuntu - @{lib}/update-notifier/update-motd-updates-available rPx, + @{lib}/update-notifier/update-motd-updates-available Px, #aa:lint ignore=too-wide # Install/update packages @@ -95,11 +98,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { /usr/** rwlk -> /usr/**, /var/** rwlk -> /var/**, + owner @{tmp}/packagekit* rw, + + #aa:only arch + owner @{tmp}/alpm_*/{,**} rw, + + #aa:only apt /tmp/apt-changelog-@{rand6}/ w, /tmp/apt-changelog-@{rand6}/*.changelog rw, - owner @{tmp}/alpm_*/{,**} rw, + /tmp/apt-dpkg-install-@{rand6}/ rw, owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, - owner @{tmp}/packagekit* rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 270339b961..e477ac2b86 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -37,6 +37,7 @@ profile qemu-ga @{exec_path} flags=(attach_disconnected) { capability net_admin, + unix type=stream addr=@@{udbus}/bus/poweroff/system, unix type=stream addr=@@{udbus}/bus/shutdown/, unix type=stream addr=@@{udbus}/bus/shutdown/system, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a0e8edff5d..c87abaec98 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -36,9 +36,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Secret From b8274b26d452289a8f24ab6767f98b1417337e2c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 21:12:57 +0100 Subject: [PATCH 1419/1736] feat(profile): add initial profile for resources. --- apparmor.d/abstractions/base-strict | 1 + apparmor.d/abstractions/base.d/complete | 1 + apparmor.d/profiles-m-r/resources | 151 ++++++++++++++++++++++++ 3 files changed, 153 insertions(+) create mode 100644 apparmor.d/profiles-m-r/resources diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 557edda0bd..4c77388c6a 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -47,6 +47,7 @@ signal receive peer=btop, signal receive peer=htop, signal receive peer=pkill, + signal receive peer=resources//kill, signal receive peer=top, signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 4c6f3be7c3..bff6036e91 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -19,6 +19,7 @@ signal receive peer=btop, signal receive peer=htop, signal receive peer=pkill, + signal receive peer=resources//kill, signal receive peer=top, signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, diff --git a/apparmor.d/profiles-m-r/resources b/apparmor.d/profiles-m-r/resources new file mode 100644 index 0000000000..dc6f0dd006 --- /dev/null +++ b/apparmor.d/profiles-m-r/resources @@ -0,0 +1,151 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/resources +profile resources @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + #aa:dbus own bus=session name=net.nokyan.Resources + + @{exec_path} mr, + + @{bin}/lscpu Px, + @{bin}/pkexec Cx -> pkexec, + @{bin}/udevadm Cx -> udevadm, + @{lib}/resources/resources-adjust Cx -> adjust, + @{lib}/resources/resources-kill Cx -> kill, + @{lib}/resources/resources-processes Cx -> processes, + + /snap/*/@{uid}/**.@{icon_ext} r, + /usr/share/misc/*.ids r, + /usr/share/resources/{,**} r, + + owner @{user_cache_dirs}/flatpak/system-cache/ r, + + @{sys}/block/ r, + @{sys}/class/*/ r, + @{sys}/devices/@{pci}/ata@{int}/ r, + @{sys}/devices/@{pci}/ata@{int}/**/model r, + @{sys}/devices/@{pci}/ata@{int}/**/sata_spd r, + @{sys}/devices/@{pci}/current_link_speed r, + @{sys}/devices/@{pci}/current_link_width r, + @{sys}/devices/@{pci}/ip_discovery/**/major r, + @{sys}/devices/@{pci}/max_link_speed r, + @{sys}/devices/@{pci}/max_link_width r, + @{sys}/devices/**/block/**/address r, + @{sys}/devices/**/block/**/model r, + @{sys}/devices/**/block/**/queue/rotational r, + @{sys}/devices/**/block/**/removable r, + @{sys}/devices/**/block/**/ro r, + @{sys}/devices/**/block/**/size r, + @{sys}/devices/**/block/**/stat r, + @{sys}/devices/**/net/*/address r, + @{sys}/devices/**/net/*/speed r, + @{sys}/devices/**/statistics/rx_bytes r, + @{sys}/devices/**/statistics/tx_bytes r, + + @{PROC}/devices r, + @{PROC}/uptime r, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/nvidia-caps/nvidia-cap@{int} r, + + profile processes { + include + include + include + + capability sys_ptrace, + + ptrace read, + + @{lib}/resources/resources-processes mr, + + @{PROC}/ r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fdinfo/ r, + owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, + + /dev/nvidia-caps/nvidia-cap@{int} r, + + include if exists + } + + profile adjust { + include + + capability sys_nice, + + @{lib}/resources/resources-adjust mr, + + owner @{PROC}/@{pid}/task/ r, + + include if exists + } + + profile kill { + include + + capability kill, + + signal send, + + @{lib}/resources/resources-kill mr, + + include if exists + } + + profile udevadm { + include + + @{bin}/udevadm mr, + + /etc/udev/udev.conf r, + + @{run}/udev/data/+dmi:* r, # for motherboard info + + @{sys}/devices/virtual/dmi/id/uevent r, + + include if exists + } + + profile pkexec { + include + include + + ptrace read peer=resources, + + @{lib}/resources/resources-adjust Px -> resources//adjust, + @{lib}/resources/resources-kill Px -> resources//kill, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor From e9d5b73cd6eb8a13acd7e652a4a4f39bd11309f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 22:01:16 +0100 Subject: [PATCH 1420/1736] fix: keep compatibility with apparmor 4.0 --- apparmor.d/abstractions/gtk-strict | 1 + apparmor.d/abstractions/gtk.d/complete | 1 + apparmor.d/groups/flatpak/fbwrap | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index 2e77fd15a9..f4ec448aee 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -9,6 +9,7 @@ include include + #aa:only apparmor>=4.1 #aa:only apparmor<5.0 unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 0f62599733..703c0b3c2a 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -7,6 +7,7 @@ include include + #aa:only apparmor>=4.1 #aa:only apparmor<5.0 unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 58c504237f..773cdafadb 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -41,6 +41,7 @@ profile fbwrap flags=(attach_disconnected,mediate_deleted) { @{sbin}/ldconfig Cx -> &fbwrap//ldconfig, @{bin}/xdg-dbus-proxy Px -> fbwrap//&xdg-dbus-proxy, + #aa:only apparmor>=4.1 #aa:only apparmor<5.0 priority=2 @{lib}/glycin-loaders/@{d}+/glycin-* Px -> fbwrap//&glycin//loaders, From 9466aea23cebc336291aeb6b54c8a8c3dfdd9e10 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 23:10:18 +0100 Subject: [PATCH 1421/1736] feat(abs): ensure glycin cache directories can be created. --- apparmor.d/abstractions/gtk-strict | 8 ++++++++ apparmor.d/abstractions/gtk.d/complete | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index f4ec448aee..3da1ad24d9 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -69,6 +69,14 @@ owner @{user_cache_dirs}/gtkrc r, owner @{user_cache_dirs}/gtkrc-2.0 r, + owner @{user_cache_dirs}/glycin/ w, + owner @{user_cache_dirs}/glycin/usr/ w, + owner @{user_cache_dirs}/glycin/usr/lib/ w, + owner @{user_cache_dirs}/glycin/usr/lib/glycin-loaders/ w, + owner @{user_cache_dirs}/glycin/usr/lib/glycin-loaders/@{d}+/ w, + owner @{user_cache_dirs}/glycin/usr/lib/glycin-loaders/@{d}+/glycin-svg/ w, + owner @{user_cache_dirs}/glycin/usr/lib/glycin-loaders/@{d}+/glycin-svg/fontconfig/ w, + owner @{user_config_dirs}/gtk-2.0/ rw, owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 703c0b3c2a..5e5b503a9c 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -38,6 +38,14 @@ owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini r, owner @{user_config_dirs}/gtk-{3,4}.0/window_decorations.css r, + owner @{user_cache_dirs}/glycin/ w, + owner @{user_cache_dirs}/glycin/usr/ w, + owner @{user_cache_dirs}/glycin/usr/lib/ w, + owner @{user_cache_dirs}/glycin/usr/lib/glycin-loaders/ w, + owner @{user_cache_dirs}/glycin/usr/lib/glycin-loaders/@{d}+/ w, + owner @{user_cache_dirs}/glycin/usr/lib/glycin-loaders/@{d}+/glycin-svg/ w, + owner @{user_cache_dirs}/glycin/usr/lib/glycin-loaders/@{d}+/glycin-svg/fontconfig/ w, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, # vim:syntax=apparmor From e5ee7b0d602b10053e93cb4a80365975d723ea7d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Feb 2026 23:23:45 +0100 Subject: [PATCH 1422/1736] feat(profile): update kde profiles. --- .../groups/freedesktop/xdg-desktop-portal-kde | 2 +- apparmor.d/groups/kde/DiscoverNotifier | 2 +- apparmor.d/groups/kde/baloo | 2 +- apparmor.d/groups/kde/gmenudbusmenuproxy | 2 +- apparmor.d/groups/kde/kaccess | 2 +- apparmor.d/groups/kde/kactivitymanagerd | 4 +- apparmor.d/groups/kde/kded | 4 +- apparmor.d/groups/kde/ksplashqml | 2 +- apparmor.d/groups/kde/kwin_wayland | 8 ++- apparmor.d/groups/kde/pam_kwallet_init | 2 + apparmor.d/groups/kde/plasmashell | 5 +- apparmor.d/groups/kde/sddm | 69 +++++++++++++++++++ apparmor.d/groups/kde/systemsettings | 9 +-- apparmor.d/groups/kde/xembedsniproxy | 10 +-- 14 files changed, 98 insertions(+), 25 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index d9720a6fa3..d1ccfc0081 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -8,7 +8,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-kde @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde -profile xdg-desktop-portal-kde @{exec_path} { +profile xdg-desktop-portal-kde @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 6fa7e736d2..cb86ce2cd1 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -8,7 +8,7 @@ include @{exec_path} = @{lib}/DiscoverNotifier @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier -profile DiscoverNotifier @{exec_path} { +profile DiscoverNotifier @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 0679374a6b..827ef78f48 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -8,7 +8,7 @@ include @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file -profile baloo @{exec_path} { +profile baloo @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index dbca9fcf51..13ea86e5be 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gmenudbusmenuproxy -profile gmenudbusmenuproxy @{exec_path} { +profile gmenudbusmenuproxy @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 1aeaeba747..2f709ebeb9 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/kaccess -profile kaccess @{exec_path} { +profile kaccess @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 87c4c58c88..03602ce668 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -8,7 +8,7 @@ include @{exec_path} = @{lib}/kactivitymanagerd @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd -profile kactivitymanagerd @{exec_path} { +profile kactivitymanagerd @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -45,6 +45,8 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/kservices{5,6}/{,**} r, owner @{user_share_dirs}/user-places.xbel r, + owner @{user_state_dirs}/kactivitymanagerdstaterc r, + owner @{tmp}/kmail2.@{rand6} r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2944e7ddac..78f55ad13c 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/kded5 @{bin}/kded6 -profile kded @{exec_path} { +profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include #aa:only apt include @@ -173,7 +173,6 @@ profile kded @{exec_path} { owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, @{run}/mount/utab r, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl, @@ -186,6 +185,7 @@ profile kded @{exec_path} { @{run}/udev/data/b8:@{int} r, # for /dev/sd* @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 770625988d..dcd6c281fc 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ksplashqml -profile ksplashqml @{exec_path} { +profile ksplashqml @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index da8d3626d7..921a863d34 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -63,9 +63,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/pipewire/client.conf.d/ r, /etc/xdg/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - / r, owner @{HOME}/ r, @@ -112,6 +109,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, @@ -150,8 +149,11 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile at-spi { include + include include + unix bind type=stream addr=@@{udbus}/bus/busctl/busctl, + @{sh_path} r, @{bin}/busctl rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/kde/pam_kwallet_init b/apparmor.d/groups/kde/pam_kwallet_init index 764917a1f1..84aa2f5786 100644 --- a/apparmor.d/groups/kde/pam_kwallet_init +++ b/apparmor.d/groups/kde/pam_kwallet_init @@ -18,6 +18,8 @@ profile pam_kwallet_init @{exec_path} { /dev/tty rw, + owner @{run}/user/@{uid}/kwallet5.socket rw, + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 3079d502f6..11e971e6fd 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/plasmashell -profile plasmashell @{exec_path} flags=(mediate_deleted) { +profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -204,6 +204,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_state_dirs}/plasmashellstaterc rw, owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, owner @{user_state_dirs}/plasmashellstaterc.lock rwk, + owner @{user_state_dirs}/UserFeedback.org.kde.plasmashell rw, + owner @{user_state_dirs}/UserFeedback.org.kde.plasmashell.@{rand6} rwl, + owner @{user_state_dirs}/UserFeedback.org.kde.plasmashell.lock rwk, /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 477682c7f7..22ff544473 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -179,6 +179,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/sddm-auth* rw, + @{run}/systemd/io.systemd.Login rw, @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/faillock/@{user} rwk, @@ -204,6 +205,64 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/tty@{u8} rw, /dev/tty rw, + profile shell { + include + include + include + + ptrace read, + + @{shells_path} mrix, + + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/disable-paste rix, + @{bin}/find rix, + @{bin}/id rix, + @{bin}/locale rix, + @{bin}/manpath rix, + @{bin}/mktemp rix, + @{bin}/pidof rix, + @{bin}/readlink rix, + @{bin}/realpath rix, + @{bin}/sed rix, + @{bin}/tr rix, + @{bin}/tty rix, + @{bin}/uname rix, + @{bin}/xargs rix, + @{bin}/xdm r, + @{bin}/xmodmap rix, + @{bin}/zoxide rix, + @{sbin}/checkproc rix, + + @{bin}/flatpak Px, + @{bin}/pacman Px -> sddm//pacman, + + @{bin}/startplasma-wayland rPx, + @{bin}/startplasma-x11 rPx, + + @{lib}/plasma-dbus-run-session-if-needed rix, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, + + /usr/share/sddm/scripts/{,**} r, + + /etc/debuginfod/{,*} r, + + owner @{user_share_dirs}/sddm/wayland-session.log w, + owner @{user_share_dirs}/sddm/xorg-session.log w, + + @{PROC}/ r, + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pid}/fd/ r, + + include if exists + } + profile systemctl { include include @@ -231,6 +290,16 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile pacman { + include + + @{bin}/pacman mr, + + /var/lib/pacman/local/{,**} r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index c66ac6824c..5b8f4ef4bb 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemsettings -profile systemsettings @{exec_path} { +profile systemsettings @{exec_path} flags=(attach_disconnected) { include include include @@ -45,6 +45,8 @@ profile systemsettings @{exec_path} { @{lib}/bup/cmd/bup rPUx, #aa:exec kioworker + /usr/share/i18n/locales/{,*} r, + /usr/share/iso-codes/json/*.json r, /usr/share/kcm_networkmanagement/{,**} r, /usr/share/kcm_recentFiles/{,**} r, /usr/share/kcmkeys/{,*.kksrc} r, @@ -55,14 +57,13 @@ profile systemsettings @{exec_path} { /usr/share/kservicetypes5/{,**} r, /usr/share/kwin/{,**} r, /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r, + /usr/share/libwacom/{,**} r, /usr/share/plasma/{,**} r, - /usr/share/i18n/locales/{,*} r, - /usr/share/iso-codes/json/*.json r, /usr/share/sddm/themes/{,**} r, /usr/share/solid/{,**} r, /usr/share/systemsettings/{,**} r, - /usr/share/wallpapers/{,**} r, /usr/share/thumbnailers/{,**} r, + /usr/share/wallpapers/{,**} r, /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 5c36f579ef..85e0c22594 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -7,20 +7,14 @@ abi , include @{exec_path} = @{bin}/xembedsniproxy -profile xembedsniproxy @{exec_path} { +profile xembedsniproxy @{exec_path} flags=(attach_disconnected) { include - include - include include + include include - include - include @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - owner @{tmp}/xauth_@{rand6} r, owner @{run}/user/@{uid}/iceauth_@{rand6} r, From f6ec878c15bb3df03d9196d6809f5501508112b4 Mon Sep 17 00:00:00 2001 From: skarpinis Date: Sat, 28 Feb 2026 12:02:56 +0000 Subject: [PATCH 1423/1736] Minor tweaks (#1044) * feat(profile): minor update to various profiles. * (feat): minor tweaks --- apparmor.d/groups/browsers/brave | 2 ++ apparmor.d/groups/hyprland/hyprland | 1 + apparmor.d/groups/virt/libvirtd | 7 +++++++ apparmor.d/groups/xfce/thunar-volman | 2 +- apparmor.d/profiles-g-l/kmod | 2 ++ 5 files changed, 13 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 4c38e0ce5d..3b5156b555 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -24,6 +24,8 @@ profile brave @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 + ptrace trace peer=brave, + @{exec_path} mrix, @{bin}/man rPUx, # For "brave --help" diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 8c42d5b6d5..1d6c4697cc 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -29,6 +29,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { /usr/share/hypr{,land}/{,*} r, /usr/share/libinput/{,*} r, + /usr/share/file/misc/magic.mgc r, /etc/os-release r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 944805d861..9113436946 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -305,6 +305,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/iommufd/initstate r, + @{sys}/module/irqbypass/initstate r, + @{sys}/module/vfio/initstate r, + include if exists } diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 4405d4d003..2f5b298c3d 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/thunar-volman -profile thunar-volman @{exec_path} { +profile thunar-volman @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 5a77c4cf68..3495865e30 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -62,6 +62,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, + @{PROC}/kallsyms r, + /dev/tty@{u8} rw, deny @{user_share_dirs}/gvfs-metadata/* r, From b798a575a913e87026bf62da98beac9558d22544 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 18:26:59 +0000 Subject: [PATCH 1424/1736] (feat): fix dockerd & run-parts --- apparmor.d/groups/virt/docker-proxy | 6 +++++- apparmor.d/groups/virt/dockerd | 2 ++ apparmor.d/profiles-m-r/run-parts | 6 ++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 0b51f2e481..77ca60f238 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -6,13 +6,15 @@ abi , include -@{exec_path} = @{bin}/docker-proxy +@{exec_path} = @{bin}/docker-proxy @{sbin}/docker-proxy #aa:lint ignore=sbin profile docker-proxy @{exec_path} { include capability net_admin, capability net_bind_service, + network inet dgram, + network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, @@ -25,6 +27,8 @@ profile docker-proxy @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/cgroup r, + owner /dev/pts/0 rw, + include if exists } diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index bfda7af7b5..66e22c5aa5 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -67,6 +67,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sbin}/apparmor_parser rPx, + @{sbin}/docker-proxy rPx, @{bin}/containerd rPx, @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @@ -150,6 +151,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability net_raw, network inet raw, + network inet6 dgram, network inet6 raw, network netlink raw, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 27fe70ad02..938eca2760 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -15,6 +15,8 @@ profile run-parts @{exec_path} { include capability mknod, + capability net_admin, + capability sys_ptrace, @{exec_path} mrix, @@ -24,6 +26,7 @@ profile run-parts @{exec_path} { @{bin}/date rix, @{bin}/nice rix, @{bin}/snapper rix, + @{bin}/systemctl rPx, /usr/share/update-notifier/notify-reboot-required rPx, /usr/share/update-notifier/notify-updates-outdated rPx, @@ -70,6 +73,8 @@ profile run-parts @{exec_path} { /etc/network/if-down.d/openvpn rPUx, /etc/network/if-down.d/resolvconf rPUx, /etc/network/if-down.d/wpasupplicant rPUx, + /etc/network/if-down.d/resolved rPUx, + /etc/network/if-down.d/clamav-freshclam-ifupdown rPUx, /etc/hostapd/ifupdown.sh rPUx, /etc/macchanger/ifupdown.sh rPUx, @@ -105,6 +110,7 @@ profile run-parts @{exec_path} { /etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/ubuntu-fan rPx, /etc/network/if-up.d/wpasupplicant rPUx, + /etc/network/if-up.d/clamav-freshclam-ifupdown rPUx, # Motd /etc/update-motd.d/ r, From 321343d89765c9b93b64fe318d4a4f7fd138f172 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 18:39:55 +0000 Subject: [PATCH 1425/1736] tests: update sbin list --- tests/sbin.list | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/sbin.list b/tests/sbin.list index 45e493fca1..2cbe66d0bc 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -178,6 +178,7 @@ dosfsck dosfslabel dpkg-preconfigure dpkg-reconfigure +docker-proxy drsnoop-bpfcc dump.exfat dump.f2fs From c131c682aeb8e2c4bce7421ae81a128668ec6a78 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 20:01:46 +0000 Subject: [PATCH 1426/1736] (feat): add missing #aa:lint --- apparmor.d/groups/virt/dockerd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 66e22c5aa5..168585da33 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -71,7 +71,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/containerd rPx, @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, - @{bin}/docker-proxy rPx, + @{bin}/docker-proxy rPx, #aa:lint ignore=sbin @{bin}/tini-static rCx -> tini, @{bin}/git rCx -> git, @{bin}/kmod rCx -> kmod, From 140a0f655f3e83566077360f70c9b51e0a986f87 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 21:56:20 +0000 Subject: [PATCH 1427/1736] (feat): corrected few profiles. --- apparmor.d/groups/virt/docker-proxy | 3 +-- apparmor.d/profiles-m-r/run-parts | 2 -- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 77ca60f238..e2cc400204 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/docker-proxy @{sbin}/docker-proxy #aa:lint ignore=sbin profile docker-proxy @{exec_path} { include + include capability net_admin, capability net_bind_service, @@ -27,8 +28,6 @@ profile docker-proxy @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/cgroup r, - owner /dev/pts/0 rw, - include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 938eca2760..1bc6a51167 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -15,8 +15,6 @@ profile run-parts @{exec_path} { include capability mknod, - capability net_admin, - capability sys_ptrace, @{exec_path} mrix, From 357a82ae6a1d134c248ecbe50ac927baad2d587f Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 2 Mar 2026 22:24:45 +0100 Subject: [PATCH 1428/1736] Gparted update (#1019) * Update gparted * Update gpartedbin 1. Adding @{lib}/{,gparted/}gpartedbin to @{exec_path} 2. Adding various helper executables 3. Adding sub-profile bus * Update app/bus abstraction DENIED gpartedbin//bus file_mmap @{bin}/dbus-launch comm=dbus-launch requested_mask=r denied_mask=r * Update gparted Remove the @{run}/udev/data/... rules in the udevadm child profile. * Update gpartedbin Remove the /dev/urandom and @{lib}/gconv ... rules. * Update gpartedbin Changing @{sbin} to @{bin} for `exfatfsck, mkexfatfs and mkudffs` as they are "not in sbin.list" according to `just check`. * Update gpartedbin fixing line 100 and 102 * Update gparted Adding the `cgroup-limits` abs. * Update gpartedbin line 102 once more * Update apparmor.d/profiles-g-l/gparted --------- Co-authored-by: Alex --- apparmor.d/abstractions/app/bus | 2 +- apparmor.d/profiles-g-l/gparted | 3 +++ apparmor.d/profiles-g-l/gpartedbin | 27 +++++++++++++++++++++++---- 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus index 619a899f1a..fa87d9911a 100644 --- a/apparmor.d/abstractions/app/bus +++ b/apparmor.d/abstractions/app/bus @@ -10,7 +10,7 @@ include include - @{bin}/dbus-launch mix, + @{bin}/dbus-launch mrix, @{bin}/dbus-send mrix, @{bin}/dbus-daemon Px -> dbus-session, diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index 69a93d1505..a15bf732e1 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -11,6 +11,7 @@ include profile gparted @{exec_path} flags=(attach_disconnected) { include include + include ptrace read, @@ -45,6 +46,8 @@ profile gparted @{exec_path} flags=(attach_disconnected) { /usr/local/bin/ r, /usr/local/sbin/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, + @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index a30cf17abc..642cb60863 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/gpartedbin +@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include @@ -35,9 +35,10 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sbin}/hdparm rPx, @{bin}/kmod rPx, - @{bin}/mount rCx -> mount, - @{bin}/udevadm rCx -> udevadm, - @{bin}/umount rCx -> umount, + @{bin}/dbus-launch rCx -> bus, + @{bin}/mount rCx -> mount, + @{bin}/udevadm rCx -> udevadm, + @{bin}/umount rCx -> umount, @{sbin}/btrfs rPx, @{sbin}/btrfstune rPx, @@ -46,13 +47,18 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sbin}/dumpe2fs rPx, @{sbin}/e2fsck rPx, @{sbin}/e2image rPx, + @{sbin}/e2label rPx, + @{bin}/exfatfsck rix, + @{sbin}/fatlabel rPx, @{sbin}/fsck.* rPUx, @{sbin}/lvm rPUx, @{sbin}/mdadm rPUx, @{sbin}/mke2fs rPx, @{sbin}/mkfs.* rPUx, + @{bin}/mkexfatfs rix, @{sbin}/mkntfs rPx, @{sbin}/mkswap rPx, + @{bin}/mkudffs rix, @{bin}/mtools rPx, @{bin}/ntfsinfo rPx, @{sbin}/ntfslabel rPx, @@ -74,16 +80,29 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gparted-*/ rw, + @{run}/blkid/blkid.tab r, @{run}/mount/utab r, + @{run}/user/@{uid}/xauth_@{rand6} r, + + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{PROC}/devices r, @{PROC}/partitions r, @{PROC}/swaps r, @{PROC}/version r, + @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + profile bus { + include + include + + include if exists + } + profile mount { include include From 512751f969bd6f1af8a16da7fde1363e122b5c4a Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 18:26:59 +0000 Subject: [PATCH 1429/1736] (feat): fix dockerd & run-parts --- apparmor.d/groups/virt/docker-proxy | 6 +++++- apparmor.d/groups/virt/dockerd | 2 ++ apparmor.d/profiles-m-r/run-parts | 6 ++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 0b51f2e481..77ca60f238 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -6,13 +6,15 @@ abi , include -@{exec_path} = @{bin}/docker-proxy +@{exec_path} = @{bin}/docker-proxy @{sbin}/docker-proxy #aa:lint ignore=sbin profile docker-proxy @{exec_path} { include capability net_admin, capability net_bind_service, + network inet dgram, + network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, @@ -25,6 +27,8 @@ profile docker-proxy @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/cgroup r, + owner /dev/pts/0 rw, + include if exists } diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index bfda7af7b5..66e22c5aa5 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -67,6 +67,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sbin}/apparmor_parser rPx, + @{sbin}/docker-proxy rPx, @{bin}/containerd rPx, @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @@ -150,6 +151,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability net_raw, network inet raw, + network inet6 dgram, network inet6 raw, network netlink raw, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 27fe70ad02..938eca2760 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -15,6 +15,8 @@ profile run-parts @{exec_path} { include capability mknod, + capability net_admin, + capability sys_ptrace, @{exec_path} mrix, @@ -24,6 +26,7 @@ profile run-parts @{exec_path} { @{bin}/date rix, @{bin}/nice rix, @{bin}/snapper rix, + @{bin}/systemctl rPx, /usr/share/update-notifier/notify-reboot-required rPx, /usr/share/update-notifier/notify-updates-outdated rPx, @@ -70,6 +73,8 @@ profile run-parts @{exec_path} { /etc/network/if-down.d/openvpn rPUx, /etc/network/if-down.d/resolvconf rPUx, /etc/network/if-down.d/wpasupplicant rPUx, + /etc/network/if-down.d/resolved rPUx, + /etc/network/if-down.d/clamav-freshclam-ifupdown rPUx, /etc/hostapd/ifupdown.sh rPUx, /etc/macchanger/ifupdown.sh rPUx, @@ -105,6 +110,7 @@ profile run-parts @{exec_path} { /etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/ubuntu-fan rPx, /etc/network/if-up.d/wpasupplicant rPUx, + /etc/network/if-up.d/clamav-freshclam-ifupdown rPUx, # Motd /etc/update-motd.d/ r, From 546e291dee7877ba09038c521749ada593ee694b Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 18:39:55 +0000 Subject: [PATCH 1430/1736] tests: update sbin list --- tests/sbin.list | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/sbin.list b/tests/sbin.list index 45e493fca1..2cbe66d0bc 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -178,6 +178,7 @@ dosfsck dosfslabel dpkg-preconfigure dpkg-reconfigure +docker-proxy drsnoop-bpfcc dump.exfat dump.f2fs From f9dfe2f4b5603859af5a204510ecf17874126ee0 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 20:01:46 +0000 Subject: [PATCH 1431/1736] (feat): add missing #aa:lint --- apparmor.d/groups/virt/dockerd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 66e22c5aa5..168585da33 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -71,7 +71,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/containerd rPx, @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, - @{bin}/docker-proxy rPx, + @{bin}/docker-proxy rPx, #aa:lint ignore=sbin @{bin}/tini-static rCx -> tini, @{bin}/git rCx -> git, @{bin}/kmod rCx -> kmod, From 563def0a0290d96a8c21d755ed1dadb8a053d2fa Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 21:56:20 +0000 Subject: [PATCH 1432/1736] (feat): corrected few profiles. --- apparmor.d/groups/virt/docker-proxy | 3 +-- apparmor.d/profiles-m-r/run-parts | 2 -- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 77ca60f238..e2cc400204 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/docker-proxy @{sbin}/docker-proxy #aa:lint ignore=sbin profile docker-proxy @{exec_path} { include + include capability net_admin, capability net_bind_service, @@ -27,8 +28,6 @@ profile docker-proxy @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/cgroup r, - owner /dev/pts/0 rw, - include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 938eca2760..1bc6a51167 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -15,8 +15,6 @@ profile run-parts @{exec_path} { include capability mknod, - capability net_admin, - capability sys_ptrace, @{exec_path} mrix, From dfcc284b2b26bd730d505b9dec6f0953e3d8d943 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:34:45 +0100 Subject: [PATCH 1433/1736] feat(abs): improve desktop integration on chromium Similar change has been done on electron based app to handle xdg-settings with nnp flag. Allow to open any UI app. --- apparmor.d/abstractions/app/chromium | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 0692731d30..83c4415a79 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -77,13 +77,13 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx, - @{bin}/xdg-desktop-menu rPx, - @{bin}/xdg-email rPx, - @{bin}/xdg-icon-resource rPx, - @{bin}/xdg-mime rPx, - @{bin}/xdg-open rPx -> child-open, - @{bin}/xdg-settings rPx, + @{bin}/lsb_release Px, + @{bin}/xdg-desktop-menu Px -> &xdg-desktop-menu, + @{bin}/xdg-email Px, + @{bin}/xdg-icon-resource Px -> &xdg-icon-resource, + @{bin}/xdg-mime rix, + @{bin}/xdg-open Px -> child-open-any, + @{bin}/xdg-settings rix, # Installing/removing extensions, applications, and stacked xdg menus @{sh_path} rix, @@ -126,6 +126,7 @@ owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/*.menu rw, + owner @{user_config_dirs}/mimeapps.list{,.new} rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, From ea54f47fc6cc127ae5fea5e6ca61ffd7678583e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:36:09 +0100 Subject: [PATCH 1434/1736] feat(abs): improve core dbus abstractions. --- .../abstractions/bus/session/org.gtk.Actions | 10 ++++++++++ .../bus/system/org.freedesktop.Avahi.EntryGroup | 16 +++++++++++++--- .../bus/system/org.freedesktop.hostname1 | 7 +++++++ .../bus/system/org.freedesktop.timedate1 | 13 ++++++++++++- 4 files changed, 42 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions index 5a6edc3ad1..7ba4e13ad2 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Actions +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -22,10 +22,20 @@ interface=org.gtk.Actions member={Activate,DescribeAll,SetState}, + dbus receive bus=session + interface=org.gtk.Actions + member=CommandLine + peer=(label=@{profile_name}), + dbus send bus=session interface=org.gtk.Actions member=Changed, + dbus receive bus=session + interface=org.gtk.Actions + member=Changed + peer=(label=@{profile_name}), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup index d1a758f995..af799007dd 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup @@ -6,17 +6,27 @@ abi , + dbus send bus=system path=/Client@{int}/EntryGroup@{int} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server2 member=EntryGroupNew peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), +# dbus send bus=system path=/Client@{int}/EntryGroup@{int} +# interface=org.freedesktop.Avahi.EntryGroup +# member=Free +# peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + dbus send bus=system path=/Client@{int}/EntryGroup@{int} interface=org.freedesktop.Avahi.EntryGroup - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + member={AddService,AddServiceSubtype,Commit,Reset} + peer=(name=@{busname}, label="@{p_avahi_daemon}"), - dbus receive bus=system path=/Client4/EntryGroup@{int} + dbus receive bus=system path=/Client@{int}/EntryGroup@{int} interface=org.freedesktop.Avahi.EntryGroup peer=(name=@{busname}, label="@{p_avahi_daemon}"), diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 index 09df023df1..06078bd52c 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.hostname1 @@ -23,6 +23,13 @@ member=PropertiesChanged peer=(name=@{busname}, label=systemd-hostnamed), + # DBus.Introspectable: allow clients to introspect the service + + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=systemd-hostnamed), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 index 309e7618dc..af15e2552b 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 @@ -4,11 +4,22 @@ abi , + # DBus.Properties: read properties from the interface + dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties - member=GetAll + member={Get,GetAll} + peer=(name=@{busname}, label=systemd-timedated), + + # DBus.Introspectable: allow clients to introspect the service + + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Introspectable + member=Introspect peer=(name=@{busname}, label=systemd-timedated), + # org.freedesktop.timedate1 + dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.timedate1 member=SetTimezone From 8a283aca94dbe48b8b8f278d41c8326d5bef9e7c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:37:50 +0100 Subject: [PATCH 1435/1736] feat(tunable): revisit DE user to make them condition aware. This is not yet enabled. Only preparation work. --- apparmor.d/tunables/multiarch.d/system-users | 107 +++++++++++++------ 1 file changed, 76 insertions(+), 31 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 94f5a59f5f..68ef78cddf 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -4,36 +4,81 @@ # Define some extra paths for some commonly used system user -# Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ -@{gdm_cache_dirs}=@{GDM_HOME}/.cache/ -@{gdm_config_dirs}=@{GDM_HOME}/.config/ @{GDM_HOME}/seat@{int}/config/ -@{gdm_local_dirs}=@{GDM_HOME}/.local/ -@{gdm_share_dirs}=@{GDM_HOME}/.local/share/ -@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ @{GDM_HOME}/seat@{int}/state/ - -# Full path of the SDDM configuration directories -@{SDDM_HOME}=/var/lib/sddm/ -@{sddm_cache_dirs}=@{SDDM_HOME}/.cache/ -@{sddm_config_dirs}=@{SDDM_HOME}/.config/ -@{sddm_local_dirs}=@{SDDM_HOME}/.local/ -@{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ -@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ - -# Full path of the LIGHTDM configuration directories -@{LIGHTDM_HOME}=/var/lib/lightdm/ -@{lightdm_cache_dirs}=@{LIGHTDM_HOME}/.cache/ -@{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ -@{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ -@{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ -@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ - -# Full path of all DE configuration directories -@{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} -@{desktop_cache_dirs}=@{gdm_cache_dirs} @{sddm_cache_dirs} @{lightdm_cache_dirs} -@{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} -@{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} -@{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} -@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} +@{DESKTOP_HOME}="" +@{desktop_cache_dirs}="" +@{desktop_config_dirs}="" +@{desktop_local_dirs}="" +@{desktop_share_dirs}="" +@{desktop_state_dirs}="" + +# if "gnome" in @{DE} { + + # Full path of the GDM configuration directories + @{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/gdm-greeter/ @{run}/gdm{,3}/home/gnome-initial-setup/ + @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ + @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{GDM_HOME}/seat@{int}/config/ + @{gdm_local_dirs}=@{GDM_HOME}/.local/ + @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ + @{gdm_state_dirs}=@{GDM_HOME}/.local/state/ @{GDM_HOME}/seat@{int}/state/ + + @{DESKTOP_HOME}+=@{GDM_HOME} + @{desktop_cache_dirs}+=@{gdm_cache_dirs} + @{desktop_config_dirs}+=@{gdm_config_dirs} + @{desktop_local_dirs}+=@{gdm_local_dirs} + @{desktop_share_dirs}+=@{gdm_share_dirs} + @{desktop_state_dirs}+=@{gdm_state_dirs} + +# } else if "kde" in @{DE} { + + # Full path of the SDDM configuration directories + @{SDDM_HOME}=/var/lib/sddm/ + @{sddm_cache_dirs}=@{SDDM_HOME}/.cache/ + @{sddm_config_dirs}=@{SDDM_HOME}/.config/ + @{sddm_local_dirs}=@{SDDM_HOME}/.local/ + @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ + @{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ + + @{DESKTOP_HOME}+=@{SDDM_HOME} + @{desktop_cache_dirs}+=@{sddm_cache_dirs} + @{desktop_config_dirs}+=@{sddm_config_dirs} + @{desktop_local_dirs}+=@{sddm_local_dirs} + @{desktop_share_dirs}+=@{sddm_share_dirs} + @{desktop_state_dirs}+=@{sddm_state_dirs} + +# } else if "xfce" in @{DE} { + + # Full path of the LIGHTDM configuration directories + @{LIGHTDM_HOME}=/var/lib/lightdm/ + @{lightdm_cache_dirs}=@{LIGHTDM_HOME}/.cache/ + @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ + @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ + @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ + @{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ + + @{DESKTOP_HOME}+=@{LIGHTDM_HOME} + @{desktop_cache_dirs}+=@{lightdm_cache_dirs} + @{desktop_config_dirs}+=@{lightdm_config_dirs} + @{desktop_local_dirs}+=@{lightdm_local_dirs} + @{desktop_share_dirs}+=@{lightdm_share_dirs} + @{desktop_state_dirs}+=@{lightdm_state_dirs} + +# } else if "cosmic" in @{DE} { + +# # Full path of the Cosmic configuration directories +# @{COSMIC_HOME}=/var/lib/cosmic-greeter/ +# @{cosmic_cache_dirs}=@{COSMIC_HOME}/.cache/ +# @{cosmic_config_dirs}=@{COSMIC_HOME}/.config/ +# @{cosmic_local_dirs}=@{COSMIC_HOME}/.local/ +# @{cosmic_share_dirs}=@{COSMIC_HOME}/.local/share/ +# @{cosmic_state_dirs}=@{COSMIC_HOME}/.local/state/ + +# @{DESKTOP_HOME}+=@{COSMIC_HOME} +# @{desktop_cache_dirs}+=@{cosmic_cache_dirs} +# @{desktop_config_dirs}+=@{cosmic_config_dirs} +# @{desktop_local_dirs}+=@{cosmic_local_dirs} +# @{desktop_share_dirs}+=@{cosmic_share_dirs} +# @{desktop_state_dirs}+=@{cosmic_state_dirs} + +# } # vim:syntax=apparmor From c349a38deb646df0aac4226d50853215623c8023 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:40:52 +0100 Subject: [PATCH 1436/1736] fix(profile): revert sudo/sudo-rs selection. Due to how the prebuilt system work, it is actually not working as expected. It wil be revisited later. --- apparmor.d/profiles-s-z/su-rs | 2 -- apparmor.d/profiles-s-z/sudo-rs | 2 -- pkg/configure/configure.go | 12 ++++++------ 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-s-z/su-rs b/apparmor.d/profiles-s-z/su-rs index e198ea9c9a..e16505b6f2 100644 --- a/apparmor.d/profiles-s-z/su-rs +++ b/apparmor.d/profiles-s-z/su-rs @@ -7,8 +7,6 @@ abi , include @{exec_path} = @{bin}/su-rs @{lib}/cargo/bin/su - #aa:only ubuntu -@{exec_path} += @{bin}/su profile su-rs @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/sudo-rs b/apparmor.d/profiles-s-z/sudo-rs index c8027cfdcf..1c30208778 100644 --- a/apparmor.d/profiles-s-z/sudo-rs +++ b/apparmor.d/profiles-s-z/sudo-rs @@ -7,8 +7,6 @@ abi , include @{exec_path} = @{bin}/sudo-rs @{lib}/cargo/bin/sudo - #aa:only ubuntu -@{exec_path} += @{bin}/sudo profile sudo-rs @{exec_path} { include diff --git a/pkg/configure/configure.go b/pkg/configure/configure.go index f668076ca5..2cfbe4a814 100644 --- a/pkg/configure/configure.go +++ b/pkg/configure/configure.go @@ -98,12 +98,12 @@ func (p Configure) Apply() ([]string, error) { "nslookup", } // Ubuntu uses sudo-rs as sudo implementation. - if tasks.Distribution == "ubuntu" { - remove = append(remove, - "su", // su-rs is the new su - "sudo", // sudo-rs is the new sudo - ) - } + // if tasks.Distribution == "ubuntu" { + // remove = append(remove, + // "su", // su-rs is the new su + // "sudo", // sudo-rs is the new sudo + // ) + // } if err := p.removeFiles(remove); err != nil { return res, err } From d3deac2ad3976edde1ca6e8115c464d6adb07429 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:42:09 +0100 Subject: [PATCH 1437/1736] feat(profile): improve dev process. --- apparmor.d/abstractions/development | 2 +- apparmor.d/groups/code/code | 6 +++--- apparmor.d/groups/code/code-shells | 1 + apparmor.d/profiles-a-f/claude | 4 +--- 4 files changed, 6 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index bafee4f7ce..72ac1a2829 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -42,7 +42,7 @@ owner @{HOME}/.local/ r, owner @{user_lib_dirs}/ r, - owner /dev/shm/sem.@{rand6} w, + owner /dev/shm/sem.* rwl, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/cc@{rand6}* rw, diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index 3d572adce4..e9e25e5db6 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -58,10 +58,10 @@ profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace read, + unix (send receive) type=stream peer=(label=code-*), + signal send peer=claude, - signal send peer=code-extension-*, - signal send peer=code-extensions, - signal send peer=code-shells, + signal send peer=code-*, signal send peer=git, signal send peer=gitstatusd, diff --git a/apparmor.d/groups/code/code-shells b/apparmor.d/groups/code/code-shells index 7da4550468..93b6ac9a2b 100644 --- a/apparmor.d/groups/code/code-shells +++ b/apparmor.d/groups/code/code-shells @@ -76,6 +76,7 @@ profile code-shells flags=(attach_disconnected) { owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, owner @{user_config_dirs}/git/*config r, + owner @{user_config_dirs}/git/ignore r, profile starship { include diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 0737969e15..162b1d1aa7 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -173,9 +173,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{user_projects_dirs}/** rwlk, /var/tmp/@{word8} rw, - owner @{tmp}/*/{,**} rwlk, - owner @{tmp}/@{word8} rw, - owner @{tmp}/claude-* w, + owner @{tmp}/* rwlk, owner @{tmp}/claude-shell/ rw, owner @{tmp}/claude-shell/** mix, owner @{tmp}/claude-shell/** rwlk -> @{tmp}/claude/**, From 18280362edbebe87d8cb4949cc0ef1abe078f084 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:46:45 +0100 Subject: [PATCH 1438/1736] feat(abs): bwrap: restrict mount options. Also mr bwrap so that profile won't need it anymore. --- apparmor.d/abstractions/bwrap | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap index c2924fd841..6caf2c12a9 100644 --- a/apparmor.d/abstractions/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -13,7 +13,7 @@ # A profile using this abstraction still needs to set: # # - the flag: `attach_disconnected` -# - bwrap execution: `@{bin}/bwrap ix,` or memory mapping `@{bin}/bwrap mr,` +# - bwrap execution: `@{bin}/bwrap ix,` is needed. abi , @@ -26,14 +26,15 @@ network netlink raw, - mount options=(rw rbind) -> /newroot/{,**}, - mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/, - mount options=(rw silent make-rslave) /, - mount options=(rw silent rprivate) -> /oldroot/, - mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/, - mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/{,**}, - mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/, + mount options=(rw rbind) -> /newroot/{,**}, + mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/, + mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/, + mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/, + mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/{,**}, + mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/, + + mount options=(rw silent make-rslave) /, + mount options=(rw silent make-rprivate) /oldroot/, remount /newroot/{,**}, @@ -46,6 +47,8 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, + @{bin}/bwrap mr, + owner /newroot/{,**} w, owner /tmp/newroot/ w, From 43270eac6e2b8db16e7b96e5ae1b1ee6d0a202ed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:51:36 +0100 Subject: [PATCH 1439/1736] feat(abs): fontconfig-cache-write add link creation. --- .../abstractions/fontconfig-cache-write | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index ba54fdd792..2d3eefe32a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -13,29 +13,29 @@ owner /var/cache/fontconfig/CACHEDIR.TAG w, owner /var/cache/fontconfig/CACHEDIR.TAG.LCK wl, owner /var/cache/fontconfig/CACHEDIR.TAG.NEW w, - owner /var/cache/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + owner /var/cache/fontconfig/CACHEDIR.TAG.TMP-@{rand6} wl, owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, - owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, - owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, owner @{gdm_cache_dirs}/fontconfig/ w, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, - owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG w, owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK wl, owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW w, - owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} wl, owner @{HOME}/.fontconfig/ w, owner @{HOME}/.fontconfig/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, @@ -49,21 +49,21 @@ owner @{HOME}/.fontconfig/CACHEDIR.TAG w, owner @{HOME}/.fontconfig/CACHEDIR.TAG.LCK wl, owner @{HOME}/.fontconfig/CACHEDIR.TAG.NEW w, - owner @{HOME}/.fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + owner @{HOME}/.fontconfig/CACHEDIR.TAG.TMP-@{rand6} wl, owner @{user_cache_dirs}/fontconfig/ w, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wlk, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, - owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, - owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG w, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK wl, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW w, - owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} wl, include if exists From d1d68496239af110b8fee3f4befae2a89b8f3a3f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:52:02 +0100 Subject: [PATCH 1440/1736] feat(abs): generalize input abs. --- apparmor.d/abstractions/input | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input index 5cba80d16d..8e9bc96acb 100644 --- a/apparmor.d/abstractions/input +++ b/apparmor.d/abstractions/input @@ -13,14 +13,15 @@ # https://www.kernel.org/doc/Documentation/input/event-codes.txt @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/ r, @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/event@{int}/ r, - @{sys}/devices/**/input@{int}/event@{int}/uevent r, @{sys}/devices/**/input@{int}/{,**/}properties r, @{sys}/devices/**/input@{int}/{,**/}uevent r, + @{sys}/devices/**/input@{int}/event@{int}/ r, + @{sys}/devices/**/input@{int}/event@{int}/uevent r, + @{sys}/devices/**/input@{int}/id/ r, @{sys}/devices/**/input@{int}/id/product r, @{sys}/devices/**/input@{int}/id/vendor r, + @{sys}/devices/**/input/ r, @{sys}/devices/virtual/input/mice/uevent r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad From 542c379484c05a70e665f615ed05db0d254c220b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:53:57 +0100 Subject: [PATCH 1441/1736] feat(abs): minor abs improvements. --- apparmor.d/abstractions/common/gnome | 6 ++++++ apparmor.d/abstractions/dconf.d/complete | 2 ++ apparmor.d/abstractions/flatpak/shared/network | 3 ++- apparmor.d/abstractions/flatpak/sockets/ssh-auth | 2 ++ apparmor.d/abstractions/mesa.d/complete | 8 ++++---- apparmor.d/abstractions/path | 3 +++ apparmor.d/abstractions/tpm | 2 ++ apparmor.d/abstractions/webkit | 4 ++++ apparmor.d/abstractions/zsh | 2 +- 9 files changed, 26 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 674632d1b9..e27a307981 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -30,7 +30,13 @@ owner @{user_state_dirs}/@{profile_name}/** rwlk, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, + + # Provide statistical information about our own process owner @{PROC}/@{pid}/stat r, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index df67986f19..b5aca50b74 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -3,7 +3,9 @@ # SPDX-License-Identifier: GPL-2.0-only /usr/share/dconf/profile/gdm r, + /usr/share/dconf/profile/gnome-initial-setup r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-initial-setup/initial-setup-dconf-defaults r, @{DESKTOP_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/abstractions/flatpak/shared/network b/apparmor.d/abstractions/flatpak/shared/network index 3749ac0d41..39180e6852 100644 --- a/apparmor.d/abstractions/flatpak/shared/network +++ b/apparmor.d/abstractions/flatpak/shared/network @@ -12,7 +12,8 @@ network inet stream, network inet6 stream, - @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{att}@{run}/systemd/resolve/io.systemd.Resolve rw, owner @{run}/host/monitor/gai.conf r, owner @{run}/host/monitor/host.conf r, diff --git a/apparmor.d/abstractions/flatpak/sockets/ssh-auth b/apparmor.d/abstractions/flatpak/sockets/ssh-auth index 3d05b2c654..4eb81e4887 100644 --- a/apparmor.d/abstractions/flatpak/sockets/ssh-auth +++ b/apparmor.d/abstractions/flatpak/sockets/ssh-auth @@ -7,6 +7,8 @@ owner @{run}/flatpak/ssh-auth r, + owner @{att}@{run}/user/@{uid}/gcr/ssh rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index e28987e09e..a2de919808 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -11,8 +11,8 @@ /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, /var/cache/mesa_shader_cache/ rw, /var/cache/mesa_shader_cache/@{hex2}/ rw, - /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, - /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + /var/cache/mesa_shader_cache/@{hex2}/@{hex} rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex}.tmp rwk, /var/cache/mesa_shader_cache/index rw, /var/cache/mesa_shader_cache/marker rw, @@ -26,8 +26,8 @@ owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, - owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, - owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex} rw, + owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex}.tmp rwk, owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw, diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path index dee241b292..b549bad5f2 100644 --- a/apparmor.d/abstractions/path +++ b/apparmor.d/abstractions/path @@ -18,6 +18,9 @@ @{user_bin_dirs}/ r, + /opt/cuda/bin/ r, + /var/lib/flatpak/exports/bin/ r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm index 5306cd48bd..4f91162005 100644 --- a/apparmor.d/abstractions/tpm +++ b/apparmor.d/abstractions/tpm @@ -8,6 +8,8 @@ abi , + @{sys}/class/tpmrm/ r, + /dev/tpm@{int} rw, /dev/tpmrm@{int} rw, diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index c9a2752503..77cf80fc64 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -14,6 +14,8 @@ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner /bindfile@{rand6} rw, + + owner /.flatpak-info r, owner @{att}/.flatpak-info r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, @@ -21,6 +23,8 @@ owner @{run}/user/@{uid}/.flatpak/ w, owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + owner @{att}@{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/ w, owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 483497094a..ada5bde937 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -51,7 +51,7 @@ owner @{tmp}/@{user}-code-zsh/.zcompdump-* rw, owner @{tmp}/@{user}-code-zsh/.zsh* r, - owner @{tmp}/zsh@{rand6} w, + owner @{tmp}/zsh@{rand6} rw, @{PROC}/version r, owner @{PROC}/@{pid}/loginuid r, From 042024c9275c8aa0311d9be31b23d947717a4018 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 22:54:27 +0100 Subject: [PATCH 1442/1736] feat(abs): lttng: extend deny to link. --- apparmor.d/abstractions/lttng | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/lttng b/apparmor.d/abstractions/lttng index 7f9a1e1331..eb266f0ddf 100644 --- a/apparmor.d/abstractions/lttng +++ b/apparmor.d/abstractions/lttng @@ -14,13 +14,13 @@ abi , - deny @{run}/shm/lttng-ust-@{int} rw, - deny owner @{run}/shm/lttng-ust-@{int}-@{uid} rw, - deny owner @{run}/shm/lttng-ust-@{int}-@{int} rw, + deny @{run}/shm/lttng-ust-@{int} rwl, + deny owner @{run}/shm/lttng-ust-@{int}-@{uid} rwl, + deny owner @{run}/shm/lttng-ust-@{int}-@{int} rwl, - deny /dev/shm/lttng-ust-wait-@{int} rw, - deny owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, - deny owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + deny /dev/shm/lttng-ust-wait-@{int} rwl, + deny owner /dev/shm/lttng-ust-wait-@{int}-@{int} rwl, + deny owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rwl, include if exists From 06e88cf1d7da3e99d9d97a7c19ceaecda098a182 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:00:06 +0100 Subject: [PATCH 1443/1736] feat(profile): minor update to a few profiles. --- apparmor.d/groups/apt/apt | 3 ++- apparmor.d/groups/filesystem/fsck.btrfs | 4 ++++ apparmor.d/groups/filesystem/udisksd | 1 + apparmor.d/groups/flatpak/flatpak | 3 ++- apparmor.d/groups/flatpak/flatpak-system-helper | 6 ++++++ apparmor.d/groups/freedesktop/accounts-daemon | 1 + apparmor.d/groups/freedesktop/xwayland | 1 + apparmor.d/profiles-a-f/dkms-autoinstaller | 5 ++++- apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-g-l/gsettings | 1 + apparmor.d/profiles-g-l/linux-check-removal | 2 ++ apparmor.d/profiles-m-r/rsyslogd | 2 ++ 12 files changed, 27 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index a0e982e528..e47df7010e 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -120,8 +120,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { #aa:only whonix @{lib}/uwt/uwtwrapper rix, - /usr/share/xml/iso-codes/{,**} r, + /usr/share/doc/*/changelog.Debian.gz r, /usr/share/language-selector/data/pkg_depends r, + /usr/share/xml/iso-codes/{,**} r, /etc/apt/sources.list rwk, /etc/machine-id r, diff --git a/apparmor.d/groups/filesystem/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs index 512265788b..52109e7bc2 100644 --- a/apparmor.d/groups/filesystem/fsck.btrfs +++ b/apparmor.d/groups/filesystem/fsck.btrfs @@ -16,6 +16,10 @@ profile fsck.btrfs @{exec_path} { @{sh_path} rix, /etc/fstab r, + /etc/nsswitch.conf r, + /etc/passwd r, + + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 9f3105830e..8be3e06506 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -97,6 +97,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /etc/libblockdev/{,**} r, /etc/nvme/* r, + /var/lib/udisks2/ w, /var/lib/udisks2/{,**} r, /var/lib/udisks2/mounted-fs{,*} rw, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index b691180455..750812496c 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,7 +9,7 @@ include @{appid} = @{word}.@{word}.@{word}{,.@{word}} @{exec_path} = @{bin}/flatpak -profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { +profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -153,6 +153,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{PROC}/modules r, @{PROC}/sys/fs/pipe-max-size r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 99127e85f9..cf907e5eb3 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -144,6 +144,12 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + @{run}/user/@{uid}/gnupg/ r, + @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, + @{run}/user/@{uid}/gnupg/S.scdaemon rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index a03b557444..eaf3faf7cc 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -24,6 +24,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { ptrace read peer=unconfined, #aa:dbus own bus=system name=org.freedesktop.Accounts + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 4f9fa42d61..20bec4efbe 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -34,6 +34,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { / r, + owner @{desktop_cache_dirs}/nvidia/ w, owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index 2d799987ff..d499fefee3 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -15,13 +15,14 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{sbin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, @{bin}/tput rix, + @{bin}/uname rix, + @{sbin}/dkms rPx, # For shell pwd / r, @@ -41,6 +42,8 @@ profile dkms-autoinstaller @{exec_path} { include include + capability net_admin, + include if exists } diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 083f648e49..d112105702 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -11,6 +11,7 @@ profile file-roller @{exec_path} flags=(attach_disconnected) { include include include + include include #aa:dbus own bus=session name=org.gnome.ArchiveManager1 diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 1a0bd30425..52d65b063b 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -29,6 +29,7 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { deny owner /.cache/ w, deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + deny /dev/dri/* rw, include if exists } diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index f2895299f2..ac0219c6e6 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -18,6 +18,8 @@ profile linux-check-removal @{exec_path} { /etc/shadow r, + @{PROC}/1/environ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 22d5b679ce..464f1821d2 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -37,6 +37,8 @@ profile rsyslogd @{exec_path} { /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, + @{run}/systemd/sessions/ r, + owner @{run}/rsyslogd.pid{,.tmp} rwk, owner @{run}/systemd/journal/syslog w, From 48ed666c972bf8de8638315f37058903b47ab015 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:02:46 +0100 Subject: [PATCH 1444/1736] feat(profile): update some gnome profiles. --- apparmor.d/groups/gnome/evolution-addressbook-factory | 5 ++++- apparmor.d/groups/gnome/evolution-calendar-factory | 2 ++ apparmor.d/groups/gnome/evolution-source-registry | 9 ++++++--- apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/gnome/gjs | 4 ++++ apparmor.d/groups/gnome/gnome-control-center | 2 -- apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 +- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gsd-a11y-settings | 1 + apparmor.d/groups/gnome/gsd-smartcard | 1 + apparmor.d/groups/gnome/gsd-sound | 1 + apparmor.d/groups/gnome/showtime | 11 ----------- 12 files changed, 22 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 50fadf10ac..c9b40ac080 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -68,8 +68,11 @@ profile evolution-addressbook-factory @{exec_path} { /usr/share/icu/@{int}.@{int}/*.dat r, - owner @{user_share_dirs}/evolution/{,**} rwk, + owner @{desktop_cache_dirs}/evolution/addressbook/{,**} rwk, + owner @{desktop_share_dirs}/evolution/{,**} rwk, + owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk, + owner @{user_share_dirs}/evolution/{,**} rwk, @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index a6fb8b493b..af6a31d766 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -67,6 +67,8 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, + owner @{desktop_share_dirs}/evolution/{,**} rwk, + owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 0732646b5e..4b7e9c2a36 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,6 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include + include include include include @@ -48,13 +49,15 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, + owner @{desktop_cache_dirs}/evolution/{,**} rwk, + owner @{desktop_share_dirs}/evolution/{,**} rwk, + owner @{user_cache_dirs}/evolution/{,**} rwk, + owner @{user_config_dirs}/evolution/{,**/} w, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - owner @{user_config_dirs}/evolution/{,**/} w, owner @{user_share_dirs}/evolution/{,**/} w, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 05fdc40af9..d24c732195 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -114,6 +114,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ w, + @{run}/systemd/home/@{user}.dont-suspend w, @{run}/systemd/io.systemd.Login rw, @{run}/cockpit/active.issue r, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 15112d40c1..96a8f276ae 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -97,6 +97,10 @@ profile gjs @{exec_path} flags=(attach_disconnected) { /usr/share/thumbnailers/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, + owner @{desktop_cache_dirs}/nvidia/ w, + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + owner @{HOME}/ r, owner @{user_cache_dirs}/gjs_repl_history rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b6c690204b..d34183bd09 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -211,8 +211,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /dev/ r, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - profile pkexec { include include diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 37bb7b3742..172c4d5972 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/{,gnome-shell/}gnome-shell-calendar-server -profile gnome-shell-calendar-server @{exec_path} { +profile gnome-shell-calendar-server @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index cad0fdb49b..69de84dcda 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -38,6 +38,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.fwupd path=/ label=fwupd #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/{,**} label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.sysupdate1 label=systemd-sysupdate dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 9424a4d953..f11dd16498 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,6 +10,7 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index f5ad21e12b..4b398a9c10 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,6 +10,7 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index d1a3ed497c..9b5bde636b 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -11,6 +11,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/showtime b/apparmor.d/groups/gnome/showtime index bca2a451ad..3fbe2e6ac3 100644 --- a/apparmor.d/groups/gnome/showtime +++ b/apparmor.d/groups/gnome/showtime @@ -2,17 +2,6 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Consider the following structure in order to support MLS: -# :user:showtime Normal user profile; no MLS -# :user//media:showtime -# :user//work:showtime -# :user//anonymous:showtime - -# TODO: have simimar structure than selinux with s0, s0:c0,c1 ... -# :user:showtime s0 -# :user//media:showtime s0:c0,c1 -# :user//work:showtime s0:c2,c3 - abi , include From 17e9621862188231c4117cd0f5157b79ac6dfebf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:07:09 +0100 Subject: [PATCH 1445/1736] feat(profile): minor update to core systemd profiles. --- apparmor.d/groups/polkit/polkit-agent-helper | 3 ++- apparmor.d/groups/polkit/polkitd | 3 +++ .../systemd-generator-bless-boot | 3 +++ .../systemd-generator-debug | 4 ++++ .../systemd-generator-environment-flatpak | 2 ++ .../systemd-generator-gpt-auto | 21 +++++++++++++++++-- .../systemd-generator-veritysetup | 4 ++++ apparmor.d/groups/systemd/journalctl | 3 ++- apparmor.d/groups/systemd/systemd-coredump | 1 + apparmor.d/groups/systemd/systemd-cryptsetup | 6 +++++- apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-random-seed | 3 ++- .../systemd/systemd-tty-ask-password-agent | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + 16 files changed, 52 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 086ee87781..f8a81871e5 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -55,7 +55,8 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xsession-errors w, - @{run}/faillock/@{user} rwk, + @{run}/faillock/@{user} rwk, + @{att}@{run}/systemd/home/@{user}.dont-suspend w, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 6776fedd5f..c74d40a048 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -59,6 +59,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, + @{run}/polkit-1/rules.d/ r, + @{run}/polkit-1/rules.d/*.policy r, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Home rw, @{att}@{run}/systemd/userdb/io.systemd.Machine rw, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot index 88c1d3ad42..8a9d460250 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot +++ b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot @@ -15,6 +15,9 @@ profile systemd-generator-bless-boot @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/systemd/generator.early/basic.target.wants/ w, + @{run}/systemd/generator.early/basic.target.wants/systemd-bless-boot.service w, + @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug index d0ec3f82ea..a038e823e2 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-debug +++ b/apparmor.d/groups/systemd-generators/systemd-generator-debug @@ -15,6 +15,10 @@ profile systemd-generator-debug @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/credentials/@encrypted/ r, + @{run}/credentials/@system/ r, + @{run}/systemd/generator.early/systemd-repart.service w, + @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak index 7d0e91e79c..cc67056d70 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak @@ -20,6 +20,8 @@ profile systemd-generator-environment-flatpak @{exec_path} { /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + /root/.cache/ w, + /dev/tty rw, include if exists diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 55dd48a191..00ee4ad979 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -24,15 +24,32 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { /usr/ r, /home/ r, + @{run}/systemd/generator.late/*.mount.wants/ w, + @{run}/systemd/generator.late/*.mount.wants/systemd-growfs*.service w, + @{run}/systemd/generator.late/*.mount.wants/systemd-pcrfs*.service w, + @{run}/systemd/generator.late/*.mount.wants/systemd-validatefs@*.service w, @{run}/systemd/generator.late/**.{,auto}mount w, @{run}/systemd/generator.late/**.swap w, - @{run}/systemd/generator.late/home.mount.wants/ w, - @{run}/systemd/generator.late/swap.target.wants/ w, + @{run}/systemd/generator.late/cryptsetup.target.requires/ w, + @{run}/systemd/generator.late/cryptsetup.target.requires/systemd-cryptsetup@*.service w, + @{run}/systemd/generator.late/dev-disk-by*.device.wants/ w, + @{run}/systemd/generator.late/dev-disk-by*.device.wants/systemd-cryptsetup@*.service w, + @{run}/systemd/generator.late/dev-mapper-*.device.d/ w, + @{run}/systemd/generator.late/dev-mapper-*.device.d/.#*.conf@{hex16} rw, + @{run}/systemd/generator.late/dev-mapper-*.device.d/*.conf w, + @{run}/systemd/generator.late/dev-mapper-*.device.requires/ w, + @{run}/systemd/generator.late/dev-mapper-*.device.requires/systemd-cryptsetup@*.service w, @{run}/systemd/generator.late/local-fs.target.d/ w, @{run}/systemd/generator.late/local-fs.target.d/*.conf w, @{run}/systemd/generator.late/local-fs.target.requires/ w, @{run}/systemd/generator.late/local-fs.target.wants/ w, + @{run}/systemd/generator.late/swap.target.wants/ w, + @{run}/systemd/generator.late/systemd-cryptsetup@*.service w, + @{run}/systemd/generator/local-fs.target.wants/ w, + @{run}/systemd/generator/local-fs.target.wants/systemd-fsck*.service w, + @{sys}/firmware@{efi}/efivars/LoaderTpm2ActivePcrBanks-@{uuid} r, + @{sys}/firmware@{efi}/efivars/StubPcrKernelImage-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup index 9cdb1c1574..cfada4595d 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup @@ -15,6 +15,10 @@ profile systemd-generator-veritysetup @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/systemd/generator/systemd-veritysetup@*.service w, + @{run}/systemd/generator/veritysetup.target.requires/ w, + @{run}/systemd/generator/veritysetup.target.requires/systemd-veritysetup@*.service w, + @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index d8305a5dca..f17da0e624 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -38,8 +38,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - /var/lib/systemd/catalog/database rw, + /var/lib/systemd/catalog/ w, /var/lib/systemd/catalog/.#database* rw, + /var/lib/systemd/catalog/database rw, /var/log/dmesg w, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 4ac0e9f16c..822b0c2908 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -63,6 +63,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/gid_map r, @{PROC}/@{pids}/limits r, @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index 8db69581f8..790cd10bb6 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -9,9 +9,10 @@ include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { include - include include + include include + include capability dac_read_search, capability ipc_lock, @@ -35,6 +36,9 @@ profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { @{sys}/fs/ r, @{run}/systemd/ask-password/ r, + @{run}/systemd/tpm2-pcr-signature.json r, + + @{sys}/firmware@{efi}/efivars/LoaderTpm2ActivePcrBanks-@{uuid} r, @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index c18e8a9515..086eab8308 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -35,7 +35,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/systemd/journald.conf r, /etc/systemd/journald.conf.d/{,**} r, - @{run}/log/ rw, + /{run,var}/log/ w, /{run,var}/log/journal/ rw, /{run,var}/log/journal/@{hex32}/ rw, /{run,var}/log/journal/@{hex32}/* rwl -> /{run,var}/log/journal/@{hex32}/#@{int}, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index b8eff4b42f..640d61c254 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -19,7 +19,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.locale1 dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member=Reload + member={Reload,RestartUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 761f3e24cf..d36bc66638 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -140,7 +140,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{u8} rw, - /dev/shm/{,**/} rw, + /dev/shm/{,**} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index 263ccca022..400de0c9c1 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -19,7 +19,8 @@ profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, - /var/lib/systemd/ r, + /var/lib/ w, + /var/lib/systemd/ rw, /var/lib/systemd/random-seed rw, @{PROC}/sys/kernel/random/poolsize r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index fa6c14dafa..8d0cf72eff 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -28,6 +28,7 @@ profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, + signal receive set=(term cont winch) peer=systemd-run, @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index b84d31d0ce..f904120443 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -102,6 +102,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /etc/systemd/network/@{int2}-*.link r, / r, + /usr/ r, @{run}/credentials/systemd-udev-load-credentials.service/ r, @{run}/modprobe.d/ r, From 8938c8fa7e1cd63b096a54cdc918ebfe17541f93 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:10:48 +0100 Subject: [PATCH 1446/1736] feat(profile): initial support for encrypted home in systemd-homed. --- apparmor.d/groups/systemd/systemd-homed | 42 +++++++++++++++++----- apparmor.d/groups/systemd/systemd-homework | 21 ++++++++--- 2 files changed, 50 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index b96f2ae281..ee8dd57af9 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -35,11 +35,15 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount -> @{run}/systemd/user-home-mount/, - mount options=(rw private) -> @{run}/systemd/user-home-mount/, - mount options=(rw rslave) -> @{run}/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw bind) @{run}/systemd/user-home-mount/@{user}/ -> @{HOME}/, + mount options=(rw make-rslave) @{run}/, + mount options=(rw move) -> @{run}/systemd/user-home-mount/@{user}/, + mount options=(rw private) -> @{run}/systemd/user-home-mount/, + umount @{HOME}/, umount @{run}/systemd/user-home-mount/, + umount @{run}/systemd/user-home-mount/@{user}/, signal (send receive) set=kill peer=systemd-homed//&systemd-homework, @@ -47,28 +51,45 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { unix bind type=dgram addr=@@{udbus}, unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, + unix receive type=dgram addr=@@{int}@{int} peer=(label=systemd-homework), #aa:dbus own bus=system name=org.freedesktop.home1 #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx -> &systemd-homework, - @{sbin}/mkfs.btrfs rPx, - @{sbin}/mkfs.fat rPx, - @{sbin}/mke2fs rPx, + @{lib}/systemd/systemd-homework Px -> systemd-homed//&systemd-homework, + @{sbin}/mkfs.fat Px, + @{sbin}/mke2fs Px, + # nnp + @{bin}/fsck.* rix, + @{bin}/mkfs.* ix, + + /etc/fstab r, /etc/machine-id r, - /etc/systemd/homed.conf r, + /etc/security/pwquality.conf r, + /etc/security/pwquality.conf.d/{,**} r, /etc/skel/{,**} r, + /etc/systemd/homed.conf r, /var/cache/systemd/home/{,**} rw, /var/lib/systemd/home/{,**} rw, + @{att}/ r, + @{att}/@{HOMEDIRS}/@{user}.home rw, + / r, @{HOMEDIRS}/ r, @{HOMEDIRS}/* rw, @{HOMEDIRS}/*.homedir/ rw, + @{HOMEDIRS}/@{user}.home k, + + @{HOME}/ rw, + @{HOME}/.#.identity-blob@{hex16}/ rw, + @{HOME}/.#.identity@{hex16} rw, + @{HOME}/.identity rw, + @{HOME}/.identity-blob/ w, @{run}/ r, @{run}/cryptsetup/{,*} rwk, @@ -84,6 +105,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/uevent_seqnum r, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/setgroups w, @{PROC}/devices r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -94,11 +116,13 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, + @{att}/dev/loop@{int} rw, + /dev/btrfs-control rw, /dev/loop-control rwk, - /dev/loop@{int} rw, /dev/mapper/control rw, /dev/mqueue/ r, /dev/shm/ r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index b81c196f84..da98d38f6e 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -16,20 +16,25 @@ profile systemd-homework @{exec_path} flags=(attach_disconnected) { userns, capability chown, + capability dac_read_search, capability fowner, capability fsetid, capability setfcap, capability setgid, capability setuid, capability sys_admin, + capability sys_ptrace, capability sys_resource, network netlink raw, - mount options=(rw rslave) -> @{run}/, - mount -> @{run}/systemd/user-home-mount/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw bind) @{run}/systemd/user-home-mount/@{user}/ -> @{HOME}/, + mount options=(rw make-rslave) @{run}/, + mount options=(rw move) -> @{run}/systemd/user-home-mount/@{user}/, umount @{run}/systemd/user-home-mount/, + umount @{run}/systemd/user-home-mount/@{user}/, signal (send receive) set=kill peer=systemd-homed//&systemd-homework, @@ -37,18 +42,23 @@ profile systemd-homework @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sbin}/fsck rix, # no new privs + @{sbin}/mke2fs rPx, @{sbin}/mkfs.btrfs rPx, @{sbin}/mkfs.fat rPx, - @{sbin}/mke2fs rPx, /etc/machine-id r, /etc/skel/{,**} r, + /etc/fstab r, /var/cache/systemd/home/{,**} rw, @{HOMEDIRS}/ r, @{HOMEDIRS}/.#homework@{user}.* rw, - @{HOMEDIRS}/@{user}.home rw, + @{HOMEDIRS}/@{user}.home rwk, + + @{HOME}/ r, + @{HOME}/.identity r, @{run}/ r, @{run}/cryptsetup/ r, @@ -57,7 +67,10 @@ profile systemd-homework @{exec_path} flags=(attach_disconnected) { @{run}/systemd/user-home-mount/@{user}/{,**} rw, @{sys}/fs/ r, + @{sys}/devices/**/b24[0-9]:@{int}/read_ahead_kb r, # for dynamic assignment range 240 + @{sys}/devices/**/b25[0-4]:@{int}/read_ahead_kb r, # to 254 + @{PROC}/@{pid}/setgroups w, @{PROC}/devices r, @{PROC}/swaps r, @{PROC}/sys/fs/nr_open r, From a69d430a44c18b2cd4cf0396dd8b162e4e40d467 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:12:12 +0100 Subject: [PATCH 1447/1736] feat(profile): improve virt based profiles. --- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/virt/cockpit-ws | 3 ++- apparmor.d/groups/virt/dockerd | 4 ++-- apparmor.d/groups/virt/libvirt-dbus | 3 ++- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/groups/virt/virtiofsd | 2 +- apparmor.d/groups/virt/virtsecretd | 1 + 7 files changed, 10 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index c28b144f62..8c58931058 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -18,7 +18,6 @@ profile cockpit-bridge @{exec_path} { include include include - include include include @@ -46,6 +45,7 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index adbb8c46a7..45521bffa9 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -25,7 +25,8 @@ profile cockpit-ws @{exec_path} flags=(attach_disconnected) { @{run}/cockpit/session rw, @{att}@{run}/cockpit/session rw, - @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}@{run}/cockpit/wsinstance/https@@{hex64}.sock w, @{att}@{run}/systemd/userdb/io.systemd.Machine rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 168585da33..8102271cf7 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -39,8 +39,8 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { mount /tmp/containerd-mount@{int}/, mount /var/lib/docker/**/, mount options=(rw bind) -> @{run}/docker/netns/*, - mount options=(rw rprivate) -> /.pivot_root@{int}/, - mount options=(rw rslave) -> /, + mount options=(rw make-rprivate) /.pivot_root@{int}/, + mount options=(rw make-rslave) /, remount /tmp/containerd-mount@{int10}/, remount /var/lib/docker/**/, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 8604dd7e77..c8ddb7ed4e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/libvirt-dbus -profile libvirt-dbus @{exec_path} { +profile libvirt-dbus @{exec_path} flags=(attach_disconnected) { include include include @@ -36,6 +36,7 @@ profile libvirt-dbus @{exec_path} { @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, owner @{run}/user/@{uid}/libvirt/libvirt-sock rw, + owner @{run}/user/@{uid}/libvirt/virtqemud-sock rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 9113436946..5c07911f4e 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -61,7 +61,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - mount options=(rw, rslave) -> /, + mount options=(rw, make-rslave) /, mount options=(rw, nosuid) -> @{run}/libvirt/qemu/*.dev/, # Libvirt provides any mounts under /dev to qemu namespaces diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index e13c7f6b83..63dba4113d 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -27,7 +27,7 @@ profile virtiofsd @{exec_path} flags=(attach_disconnected) { mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC}, mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC}, - mount options=(rw, rslave) -> /, + mount options=(rw, make-rslave) /, mount options=(rw, rbind) -> @{user_projects_dirs}/{,**/}, mount options=(rw, rbind) -> @{user_publicshare_dirs}/{,**/}, diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd index 5b8b10cc91..07da1abbe1 100644 --- a/apparmor.d/groups/virt/virtsecretd +++ b/apparmor.d/groups/virt/virtsecretd @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/virtsecretd profile virtsecretd @{exec_path} flags=(attach_disconnected) { include + include include network netlink raw, From c52c8026063636513f252878d20f5b6ea231f87a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:14:53 +0100 Subject: [PATCH 1448/1736] feat(profile): add a few small profiles. --- apparmor.d/groups/utils/lsclocks | 21 +++++++++++++++++++++ apparmor.d/groups/utils/lsirq | 21 +++++++++++++++++++++ apparmor.d/groups/utils/lsmem | 23 +++++++++++++++++++++++ apparmor.d/groups/utils/sleep | 23 +++++++++++++++++++++++ 4 files changed, 88 insertions(+) create mode 100644 apparmor.d/groups/utils/lsclocks create mode 100644 apparmor.d/groups/utils/lsirq create mode 100644 apparmor.d/groups/utils/lsmem create mode 100644 apparmor.d/groups/utils/sleep diff --git a/apparmor.d/groups/utils/lsclocks b/apparmor.d/groups/utils/lsclocks new file mode 100644 index 0000000000..e2ca714722 --- /dev/null +++ b/apparmor.d/groups/utils/lsclocks @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsclocks +profile lsclocks @{exec_path} { + include + include + + @{exec_path} mr, + + /dev/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsirq b/apparmor.d/groups/utils/lsirq new file mode 100644 index 0000000000..884ebb0b02 --- /dev/null +++ b/apparmor.d/groups/utils/lsirq @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsirq +profile lsirq @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/interrupts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsmem b/apparmor.d/groups/utils/lsmem new file mode 100644 index 0000000000..97013e1ace --- /dev/null +++ b/apparmor.d/groups/utils/lsmem @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsmem +profile lsmem @{exec_path} { + include + include + + @{exec_path} mr, + + @{sys}/devices/system/memory/ r, + @{sys}/devices/system/memory/block_size_bytes r, + @{sys}/devices/system/memory/memory@{int}/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/sleep b/apparmor.d/groups/utils/sleep new file mode 100644 index 0000000000..9b507bfa04 --- /dev/null +++ b/apparmor.d/groups/utils/sleep @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/sleep +profile sleep @{exec_path} flags=(attach_disconnected) { + include + + signal receive set=term, + + @{exec_path} mr, + + # file_inherit + deny owner /dev/pts/@{u8} rw, + + include if exists +} + +# vim:syntax=apparmor From f0cd41b7ba3bffeb92d5c53221f3dd34c18b7a81 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:18:39 +0100 Subject: [PATCH 1449/1736] tests(linter): look for more rule too large. --- tests/check.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 3fe5261765..b956f08c5a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -258,13 +258,15 @@ _check_equivalent() { done } -readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +readonly TOOWIDE=('/' '/tmp/' '/var/tmp/' '@{tmp}/' '/etc/' '/dev/shm/' '@{run}/user/@{uid}/') _check_too_wide() { _is_enabled too-wide || return 0 - for pattern in "${TOOWIDE[@]}"; do - if [[ "$line" == *" $pattern "* ]]; then - _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" - fi + for path in "${TOOWIDE[@]}"; do + for pattern in "$path/**" "$path/*" "$path/{,**}"; do + if [[ "$line" == *" $pattern "* ]]; then + _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" + fi + done done } From 9e7f87f7d0e277084acebb4616fa9ff5c00c3bea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:25:38 +0100 Subject: [PATCH 1450/1736] feat(profile): finish remove :* in dbus rules. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 8 ++++---- apparmor.d/groups/gnome/evolution-source-registry | 8 ++++---- apparmor.d/groups/gnome/gnome-shell-calendar-server | 8 ++++---- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/goa-daemon | 4 ++-- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-disk-utility-notify | 2 +- apparmor.d/groups/gnome/gsd-printer | 2 +- apparmor.d/groups/gnome/gsd-rfkill | 2 +- apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 +- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/network/networkd-dispatcher | 2 +- tests/check.sh | 1 + 20 files changed, 30 insertions(+), 29 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index e47df7010e..3388f987a5 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -56,7 +56,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { dbus send bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.DBus}"), + peer=(name="{@{busname},org.freedesktop.DBus}"), @{exec_path} mr, @{python_path} mr, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 74bb5d628f..39386e3509 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -47,7 +47,7 @@ profile pulseaudio @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index b3c7e3d8d2..ca9208313a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -83,7 +83,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index af6a31d766..38952781a5 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -30,7 +30,7 @@ profile evolution-calendar-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -38,7 +38,7 @@ profile evolution-calendar-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -47,7 +47,7 @@ profile evolution-calendar-factory @{exec_path} { dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + peer=(name=@{busname}, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -62,7 +62,7 @@ profile evolution-calendar-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 4b7e9c2a36..847266ee4c 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -29,10 +29,10 @@ profile evolution-source-registry @{exec_path} { dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties} - peer=(name=:*), + peer=(name=@{busname}), dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.gnome.evolution.dataserver.Source{,.*} - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.Properties peer=(name=org.freedesktop.DBus), @@ -40,12 +40,12 @@ profile evolution-source-registry @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 172c4d5972..1b7ecc7798 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -18,21 +18,21 @@ profile gnome-shell-calendar-server @{exec_path} flags=(attach_disconnected) { dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**} interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**} interface=org.gnome.evolution.dataserver.Calendar* - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + peer=(name=@{busname}, label=evolution-source-registry), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 763c27c03c..119e3fb808 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} { dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index bb570bc133..9dab608d63 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -27,11 +27,11 @@ profile goa-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/Identity interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-identity-service), + peer=(name=@{busname}, label=goa-identity-service), dbus send bus=session path=/org/gnome/Identity/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=goa-identity-service), + peer=(name=@{busname}, label=goa-identity-service), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index f11dd16498..d4d3d0ba1b 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -32,7 +32,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 9559602246..d42ec792bd 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -32,7 +32,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index bb3b40e4ec..cb3e278290 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -19,7 +19,7 @@ profile gsd-disk-utility-notify @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 16b326da6a..6f2182a3b3 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -24,7 +24,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 3e1fc98fef..ecced2e7d5 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -26,7 +26,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 650b21a7e3..5cd94906ba 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -22,7 +22,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index b45e79e221..6eda58485b 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -29,7 +29,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 interface=org.freedesktop.NetworkManager.VPN.Connection diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 4b398a9c10..38fd0a1829 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -26,7 +26,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 9b5bde636b..7bd86e92d9 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -25,7 +25,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 753fe59de0..51421c74d3 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -37,7 +37,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.Tracker3.Endpoint member=Query - peer=(name=:*, label=nautilus), + peer=(name=@{busname}, label=nautilus), @{exec_path} mr, diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 24d746f014..1e748f00a4 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,7 +16,7 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label="@{p_systemd_networkd}"), + peer=(name=@{busname}, label="@{p_systemd_networkd}"), @{exec_path} mr, diff --git a/tests/check.sh b/tests/check.sh index b956f08c5a..f4eda3ea1d 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -360,6 +360,7 @@ declare -A TUNABLES=( # Some system glob [":not.active.yet"]="@{busname}" [":1.[0-9]*"]="@{busname}" + ["peer=\([^)]*:\*[^)]*\)"]="@{busname}" ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" ) From 1eee40b2d7574957ab4931be255cb2ea71dd0256 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Mar 2026 23:28:35 +0100 Subject: [PATCH 1451/1736] fix(profile): forgot removing a :* in dbus rule. --- apparmor.d/groups/gnome/tracker-miner | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 51421c74d3..876004d133 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -33,7 +33,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=:*, label=nautilus), + peer=(name=@{busname}, label=nautilus), dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.Tracker3.Endpoint member=Query From 44e2ca47c713f92d989c72bc6ed4442576e29aa8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 3 Mar 2026 21:39:43 +0100 Subject: [PATCH 1452/1736] feat(abs): simplify firefox base. --- apparmor.d/abstractions/app/firefox | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7aa5ce1102..f932694a63 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -26,6 +26,7 @@ include include include + include include include include @@ -37,6 +38,7 @@ include include include + include include include include @@ -124,8 +126,6 @@ owner @{tmp}/tmpaddon rw, owner @{tmp}/tmpaddon-@{int} r, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner /dev/shm/org.chromium.@{rand6} rw, owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, @@ -180,7 +180,6 @@ deny dbus send bus=system path=/org/freedesktop/hostname1, deny /tmp/MozillaUpdateLock-* w, deny owner @{HOME}/.* r, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{PROC}/pressure/* r, From c37c4fa24557c7f6990d287b236ad33bb3b75e32 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 3 Mar 2026 21:45:19 +0100 Subject: [PATCH 1453/1736] feat(abs): minor abs update. --- .../abstractions/bus/session/org.kde.StatusNotifierItem | 4 ++-- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/path | 1 + apparmor.d/abstractions/zsh | 6 +++--- 6 files changed, 9 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index ca41a54ebf..5b98e25384 100644 --- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -2,8 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # Own a StatusNotifierItem name. It gives ownership on any StatusNotifierItem - # names +# Own a StatusNotifierItem name. It gives ownership on any StatusNotifierItem names abi , @@ -12,6 +11,7 @@ include dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, + dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}-@{int}, dbus receive bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index d0f90c8dd2..7cff72f3d0 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -16,6 +16,7 @@ include include include + include #aa:only ubuntu include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 2af4749287..4e12b1f8c7 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -9,6 +9,7 @@ include include include + include #aa:only ubuntu include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 0f11fc098a..228eae4d49 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -9,6 +9,7 @@ include include include + include #aa:only ubuntu include include include diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path index b549bad5f2..9e636e280a 100644 --- a/apparmor.d/abstractions/path +++ b/apparmor.d/abstractions/path @@ -18,6 +18,7 @@ @{user_bin_dirs}/ r, + /snap/bin/ r, /opt/cuda/bin/ r, /var/lib/flatpak/exports/bin/ r, diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index ada5bde937..699b797221 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -37,8 +37,8 @@ owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, - owner @{user_config_dirs}/zsh/.zcompdump-* rw, - owner @{user_config_dirs}/zsh/.zcompdump-*.lock/ rw, + owner @{user_config_dirs}/zsh/.zcompdump* rw, + owner @{user_config_dirs}/zsh/.zcompdump*.lock/ rw, owner @{user_config_dirs}/zsh/{,**} r, owner @{user_config_dirs}/zsh/ohmyzsh/cache/** rw, @@ -49,7 +49,7 @@ owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, - owner @{tmp}/@{user}-code-zsh/.zcompdump-* rw, + owner @{tmp}/@{user}-code-zsh/.zcompdump* rw, owner @{tmp}/@{user}-code-zsh/.zsh* r, owner @{tmp}/zsh@{rand6} rw, From efc6cf22169a21a71346934c8771a868aa84ea3b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 3 Mar 2026 21:51:16 +0100 Subject: [PATCH 1454/1736] feat(profile): various small profile update. --- apparmor.d/groups/apparmor/aa-notify | 1 + apparmor.d/groups/bus/dbus-accessibility | 1 + apparmor.d/groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-update | 3 ++- apparmor.d/groups/gnome/evolution-source-registry | 3 +++ apparmor.d/groups/gnome/gnome-control-center-print-renderer | 2 +- apparmor.d/groups/gnome/gnome-disks | 1 + apparmor.d/groups/gnome/gnome-session | 1 + apparmor.d/groups/gnome/gnome-shell | 2 ++ apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gvfs/gvfsd-fuse | 2 ++ apparmor.d/groups/kde/kwalletd | 1 + apparmor.d/groups/snap/snap | 3 ++- apparmor.d/groups/usb/usbguard-applet-qt | 6 +----- apparmor.d/profiles-a-f/baobab | 3 +++ apparmor.d/profiles-s-z/virt-manager | 1 + 16 files changed, 24 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 232d4e1e10..81f564ce96 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -33,6 +33,7 @@ profile aa-notify @{exec_path} flags=(attach_disconnected) { @{sbin}/ r, /usr/share/apparmor/** r, + /usr/share/tcltk/** r, /usr/share/terminfo/** r, @{etc_ro}/inputrc r, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 6dc0872823..ca431950ca 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -11,6 +11,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 1bad0eb954..4a90aa6748 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -73,7 +73,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { capability dac_override, capability setuid, - mount options=(rw, rprivate) -> /, + mount options=(rw, make-rprivate) /, mount options=(rw, rbind) @{run}/user/@{uid}/ -> /, mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 09c66d6ac7..70f6d27889 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -15,7 +15,8 @@ profile xdg-user-dirs-update @{exec_path} { @{exec_path} mr, owner @{desktop_config_dirs}/ rw, - owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, + owner @{desktop_config_dirs}/user-dirs.dirs rw, + owner @{desktop_config_dirs}/user-dirs.dirs@{rand6} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, owner @{DESKTOP_HOME}/@{XDG_DESKTOP_DIR}/ rw, owner @{DESKTOP_HOME}/@{XDG_DOCUMENTS_DIR}/ rw, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 847266ee4c..b70d39f933 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -49,6 +49,9 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, + owner /var/lib/gdm/seat@{int}/config/evolution/sources/ r, + owner /var/lib/gdm/seat@{int}/config/evolution/sources/system-proxy.source r, + owner @{desktop_cache_dirs}/evolution/{,**} rwk, owner @{desktop_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 37bf83267b..21ebd1f3de 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gnome-control-center-print-renderer -profile gnome-control-center-print-renderer @{exec_path} { +profile gnome-control-center-print-renderer @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 129ff13d8e..9df8822bd4 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -15,6 +15,7 @@ profile gnome-disks @{exec_path} { include #aa:dbus own bus=session name=org.gnome.DiskUtility + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 70049450b8..e70f142ba3 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -10,6 +10,7 @@ include profile gnome-session @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 35575e2b72..a6eb2fd3bf 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -57,6 +57,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Owned by gnome-shell + include #aa:lint ignore=abstractions + #aa:dbus own bus=session name=org.gnome.keyring.SystemPrompter #aa:dbus own bus=session name=org.gnome.Mutter #aa:dbus own bus=session name=org.gnome.Shell diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 1b7ecc7798..80b9fe79f2 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -10,6 +10,7 @@ include profile gnome-shell-calendar-server @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 809a2a2814..6aed209e64 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -42,6 +42,8 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), + /etc/machine-id r, + include if exists } diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 0a685d8e54..a34c76fd4a 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -21,6 +21,7 @@ profile kwalletd @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.secrets #aa:dbus own bus=session name=org.kde.kwalletd5 + #aa:dbus own bus=session name=org.kde.kwalletd6 @{exec_path} mr, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 308b454e2f..53cc857247 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -60,8 +60,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} mr, - @{bin}/mount rix, @{bin}/getent rix, + @{bin}/mount rix, + @{bin}/zenity rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/usb/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt index 558b9093c3..c483a00ea7 100644 --- a/apparmor.d/groups/usb/usbguard-applet-qt +++ b/apparmor.d/groups/usb/usbguard-applet-qt @@ -11,9 +11,8 @@ include profile usbguard-applet-qt @{exec_path} { include include - include include - include + include include include @@ -22,9 +21,6 @@ profile usbguard-applet-qt @{exec_path} { @{exec_path} mr, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 2060184982..c49241f51d 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -9,10 +9,13 @@ include @{exec_path} = @{bin}/baobab profile baobab @{exec_path} flags=(attach_disconnected) { include + include include include include + #aa:dbus own bus=session name=org.gnome.baobab + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 38778dab9e..9b23e513ba 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -34,6 +34,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + unix type=stream peer=(label=libvirt-*), unix type=stream peer=(label=libvirtd), #aa:dbus own bus=session name=org.virt-manager.virt-manager From cc25e263e8f9aa5024247a1dabb6b335a73079a4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 3 Mar 2026 22:02:14 +0100 Subject: [PATCH 1455/1736] Release apparmor.d v0.4905 --- PKGBUILD | 4 ++-- debian/changelog | 6 ++++++ dists/apparmor.d.spec | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 16f2909094..de26eac56e 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -9,13 +9,13 @@ pkgname=( # apparmor.d-base # apparmor.d-tools ) -pkgver=0.4904 +pkgver=0.4905 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') -depends=('apparmor>=4.1.3') +depends=('apparmor>=4.1.6') makedepends=('go' 'rsync' 'just') prepare() { diff --git a/debian/changelog b/debian/changelog index 1694bfe358..53b2064e48 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apparmor.d (0.4905-1) stable; urgency=medium + + * Release apparmor.d v0.4905 + + -- Alexandre Pujol Tue, 03 Mar 2026 22:02:14 +0100 + apparmor.d (0.4904-1) stable; urgency=medium * Release apparmor.d v0.4904 diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 63d4da9bc3..5578f39fd5 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -7,7 +7,7 @@ # Warning: for development only, use https://build.opensuse.org/package/show/home:cboltz/apparmor.d for production use. Name: apparmor.d -Version: 0.4904 +Version: 0.4905 Release: 1%{?dist} Summary: Set of over 1500 AppArmor profiles License: GPL-2.0-only From 03e079fdf62e996d1dfd3b7752287528a3462933 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 4 Mar 2026 15:17:20 +0000 Subject: [PATCH 1456/1736] (feat): variuos profile tweaks --- apparmor.d/groups/apparmor/aa-log | 2 ++ apparmor.d/groups/children/child-open-any | 1 + apparmor.d/groups/children/glycin | 3 +++ apparmor.d/groups/filesystem/btrfs | 3 +++ apparmor.d/groups/gvfs/gvfsd-mtp | 11 +++++++++++ apparmor.d/profiles-g-l/glxinfo | 2 ++ apparmor.d/profiles-g-l/gparted | 5 +++++ apparmor.d/profiles-g-l/gpartedbin | 5 +++++ apparmor.d/profiles-g-l/hexchat | 1 + 9 files changed, 33 insertions(+) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 9657018630..966b5045ec 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -24,6 +24,8 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { /var/log/audit/* r, /var/log/syslog* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/kitty-@{int6}-0.scope/cpu.max r, + /dev/tty@{u8} rw, profile journalctl { diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 446627e854..9c8a43b76d 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -15,6 +15,7 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include include + include @{bin}/** PUx, @{lib}/** PUx, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index cac18c592c..4993da79fa 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -36,6 +36,9 @@ profile glycin flags=(attach_disconnected) { deny @{sys}/devices/system/** r, deny /dev/shm/** rw, deny /dev/dri/* rw, + deny @{att}/dev/tty@{u8} rw, + + owner @{PROC}/@{pid}/mountinfo r, profile loaders flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index 776fc87e82..c7eb029118 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -33,6 +33,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /srv/ r, /usr/local/ r, /var/ r, + /var/log/ r, + /var/tmp/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, @@ -50,6 +52,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/snapper-tools-*/ r, @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r, + @{run}/BtrfsAssistant/@{uuid}/ r, @{sys}/fs/btrfs/@{uuid}/** r, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 2b8206f472..60716b68b1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -22,12 +22,23 @@ profile gvfsd-mtp @{exec_path} { @{exec_path} mr, + /usr/share/mime/aliases r, + /usr/share/mime/generic-icons r, + /usr/share/mime/globs2 r, + /usr/share/mime/icons r, + /usr/share/mime/magic r, + /usr/share/mime/mime.cache r, + /usr/share/mime/subclasses r, + owner @{HOME}/ r, owner @{HOME}/** rw, owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/@{pci_bus}/uevent r, + include if exists } diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index eea7b6050d..16b6e83627 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -19,6 +19,8 @@ profile glxinfo @{exec_path} { @{exec_path} mr, + owner @{PROC}/@{pid}/task/@{tid}/comm w, + include if exists } diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index a15bf732e1..db1085dfc8 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -13,6 +13,8 @@ profile gparted @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, + ptrace read, @{exec_path} r, @@ -47,6 +49,9 @@ profile gparted @{exec_path} flags=(attach_disconnected) { /usr/local/sbin/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/*/cpu.max r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 642cb60863..0140d28ffb 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -15,6 +15,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, capability dac_read_search, @@ -86,6 +87,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/*/cpu.max r, @{PROC}/devices r, @{PROC}/partitions r, @@ -146,6 +150,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include include + include include if exists } diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index 5493955440..afc182a0cc 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -42,6 +42,7 @@ profile hexchat @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, # file_inherit owner /dev/tty@{u8} rw, From 7e97e628c8a2f18bfa77fe662c2ceefdc85877dd Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 4 Mar 2026 20:04:38 +0000 Subject: [PATCH 1457/1736] feat(profile): was not enough. --- apparmor.d/groups/apparmor/aa-log | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 966b5045ec..0991d8bb26 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -24,7 +24,7 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { /var/log/audit/* r, /var/log/syslog* r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/kitty-@{int6}-0.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/*.scope/cpu.max r, /dev/tty@{u8} rw, From 1f5a16dd1d019dab8fa36a4eb35a6c13b118abe2 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 4 Mar 2026 21:28:12 +0000 Subject: [PATCH 1458/1736] feat(profile) all corrected. --- apparmor.d/abstractions/app/bwrap-glycin | 2 ++ apparmor.d/abstractions/app/open | 1 + apparmor.d/groups/children/child-open-any | 1 - apparmor.d/groups/children/glycin | 2 -- apparmor.d/groups/gvfs/gvfsd-mtp | 12 ++---------- apparmor.d/profiles-g-l/gparted | 4 ++-- apparmor.d/profiles-g-l/gpartedbin | 4 ++-- 7 files changed, 9 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index f93af58651..0b2165c88e 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -40,6 +40,8 @@ owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + owner @{PROC}/@{pid}/mountinfo r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index fdb89d4ec8..e735e34ffc 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -8,6 +8,7 @@ abi , include + include # We cannot use `@{open_path} mrix,` here because it includes: # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 9c8a43b76d..446627e854 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -15,7 +15,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include include - include @{bin}/** PUx, @{lib}/** PUx, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 4993da79fa..1c1ebea733 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -38,8 +38,6 @@ profile glycin flags=(attach_disconnected) { deny /dev/dri/* rw, deny @{att}/dev/tty@{u8} rw, - owner @{PROC}/@{pid}/mountinfo r, - profile loaders flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 60716b68b1..4ee6f705f9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -17,27 +17,19 @@ profile gvfsd-mtp @{exec_path} { include include include + include network netlink raw, @{exec_path} mr, - /usr/share/mime/aliases r, - /usr/share/mime/generic-icons r, - /usr/share/mime/globs2 r, - /usr/share/mime/icons r, - /usr/share/mime/magic r, - /usr/share/mime/mime.cache r, - /usr/share/mime/subclasses r, - owner @{HOME}/ r, owner @{HOME}/** rw, owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/@{pci_bus}/uevent r, + @{sys}/devices/**/uevent r, include if exists } diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index db1085dfc8..501ee09daf 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -50,8 +50,8 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/*/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/*/cpu.max r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 0140d28ffb..314140ffc6 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -88,8 +88,8 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/*/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/*/cpu.max r, @{PROC}/devices r, @{PROC}/partitions r, From dcf70ab10bc25b7398d380727db5be78ceb43323 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Thu, 5 Mar 2026 21:26:34 +0100 Subject: [PATCH 1459/1736] Update xdg-desktop-portal-kde ALLOWED xdg-desktop-portal-kde link owner @{run}/user/@{uid}/#298 info="Failed name lookup - deleted entry" comm=xdg-desktop-por requested_mask=l denied_mask=l error=-2 ALLOWED xdg-desktop-portal-kde link owner @{run}/user/@{uid}/xdg-desktop-portal-kdenTuoOM.24.kioworker.socket -> @{run}/user/@{uid}/#298 comm=xdg-desktop-por requested_mask=l denied_mask=l DENIED xdg-desktop-portal-kde link owner @{user_config_dirs}/#@{int8} info="Failed name lookup - deleted entry" comm=xdg-desktop-por requested_mask=l denied_mask=l error=-2 DENIED xdg-desktop-portal-kde link owner @{user_config_dirs}/kdeglobals.QVPUKO -> @{user_config_dirs}/#@{int8} comm=xdg-desktop-por requested_mask=l denied_mask=l --- apparmor.d/groups/freedesktop/xdg-desktop-portal-kde | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index d1ccfc0081..39150d283c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -8,7 +8,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-kde @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde -profile xdg-desktop-portal-kde @{exec_path} flags=(attach_disconnected) { +profile xdg-desktop-portal-kde @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -44,12 +44,14 @@ profile xdg-desktop-portal-kde @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rwl, + owner @{user_config_dirs}/#@{int8} rw, owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_config_dirs}/kdeglobals.@{rand6} rwl, owner @{user_share_dirs}/user-places.xbel r, @@ -59,7 +61,8 @@ profile xdg-desktop-portal-kde @{exec_path} flags=(attach_disconnected) { owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rwl, + owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.@{int}.socket rwl, + owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.@{int}.kioworker.socket rwl, owner @{PROC}/@{pid}/mountinfo r, From 16878bb1447ab4f84413ca25f3ce3be4355b829e Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 6 Mar 2026 07:34:11 +0000 Subject: [PATCH 1460/1736] feat(profile): kde profiles. --- apparmor.d/groups/freedesktop/pipewire | 2 ++ .../freedesktop/polkit-kde-authentication-agent | 1 + .../groups/freedesktop/xdg-desktop-portal-kde | 1 + apparmor.d/groups/kde/dolphin | 5 +++++ apparmor.d/groups/kde/gmenudbusmenuproxy | 5 ++++- apparmor.d/groups/kde/kaccess | 1 + apparmor.d/groups/kde/kded | 3 +++ apparmor.d/groups/kde/kiod | 1 + apparmor.d/groups/kde/kioworker | 10 ++++++++++ apparmor.d/groups/kde/konsole | 1 + apparmor.d/groups/kde/kwin_wayland | 13 +++++++++++++ apparmor.d/groups/kde/plasmashell | 4 ++++ apparmor.d/groups/kde/startplasma | 3 ++- apparmor.d/groups/kde/xembedsniproxy | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/profiles-s-z/unix-chkpwd | 2 ++ 17 files changed, 54 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 5dd45e1907..96e40e6974 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -53,6 +53,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, + owner @{run}/user/@{uid}/pipewire-0-manager w, + owner @{run}/user/@{uid}/xauth_@{rand6} r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 0ce2729a31..5f3ffccb07 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -40,6 +40,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/ rw, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index d1ccfc0081..c110ca3eee 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -50,6 +50,7 @@ profile xdg-desktop-portal-kde @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_share_dirs}/user-places.xbel r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index a0f61403f7..3e42a96a4b 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -50,6 +50,7 @@ profile dolphin @{exec_path} { /usr/share/misc/termcap r, /usr/share/templates/{,*.desktop} r, /usr/share/thumbnailers/{,**} r, + /usr/share/color-schemes/{,**} r, /etc/fstab r, /etc/exports r, @@ -58,6 +59,8 @@ profile dolphin @{exec_path} { /etc/xdg/dolphinrc r, /etc/xdg/ui/ui_standards.rc r, + /var/lib/samba/usershare/ r, + # Full access to user's data / r, /*/ r, @@ -79,6 +82,8 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/#@{int} rwk, owner @{user_state_dirs}/dolphinstaterc{,.@{rand6}} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/UserFeedback.org.kde.dolphin.lock k, + owner @{user_state_dirs}/UserFeedback.org.kde.dolphin.@{rand6} l -> @{user_state_dirs}/#@{int}, owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index 13ea86e5be..651ef4a908 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gmenudbusmenuproxy -profile gmenudbusmenuproxy @{exec_path} flags=(attach_disconnected) { +profile gmenudbusmenuproxy @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -25,6 +25,9 @@ profile gmenudbusmenuproxy @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, + owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock.rmlock rwk, + + /dev/tty r, include if exists } diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 2f709ebeb9..390ee7806e 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,6 +24,7 @@ profile kaccess @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, + owner @{user_config_dirs}/Kvantum/** r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 78f55ad13c..10c8b0a095 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -156,6 +156,8 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, + owner @{user_config_dirs}/kcmfonts r, + owner @{user_config_dirs}/Kvantum/** r, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, @@ -168,6 +170,7 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/remoteview/ r, owner @{user_share_dirs}/services5/{,**} r, owner @{user_share_dirs}/user-places.xbel r, + owner @{user_share_dirs}/aurorae/themes/Layan/* r, owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index cc1554ad7c..0cc90c06dc 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -23,6 +23,7 @@ profile kiod @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, + owner @{user_config_dirs}/Kvantum/** r, /etc/fstab r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 8bd9a68695..c57f57223d 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,6 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, + @{bin}/kcmshell6 rPUx, @{bin}/alts ix, @{bin}/gs{,.bin} rCx -> gs, @@ -53,11 +54,14 @@ profile kioworker @{exec_path} { /usr/share/org.kde.syntax-highlighting/{,**} r, /usr/share/remoteview/{,*} r, /usr/share/thumbnailers/{,**} r, + /usr/share/wallpapers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, + owner /var/cache/samba/gencache.tdb w, + # Full access to user's data / r, /*/ r, @@ -84,9 +88,12 @@ profile kioworker @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int}, owner @{user_cache_dirs}/kio_http/* rwl, + owner @{user_cache_dirs}/samba/gencache.tdb k, owner @{user_config_dirs}/kio_httprc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/libaccounts-glib/accounts.db k, + owner @{user_config_dirs}/libaccounts-glib/accounts.db-shm k, owner @{user_share_dirs}/baloo/index rw, owner @{user_share_dirs}/baloo/index-lock rwk, @@ -98,10 +105,13 @@ profile kioworker @{exec_path} { owner @{tmp}/#@{int} rw, @{run}/mount/utab r, + @{run}/sshd.pid r, + @{run}/utmp r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index d6b1a59ae7..09d96b18a3 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -63,6 +63,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/session/** rwlk, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 921a863d34..045fd02aed 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -29,6 +29,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal receive set=term peer=sddm, signal receive set=(kill, term) peer=kwin_wayland_wrapper, signal send set=(kill, term) peer=xwayland, + signal send set=term peer=unconfined, unix type=stream peer=(label=xkbcomp), unix type=stream peer=(label=xwayland), @@ -63,6 +64,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/pipewire/client.conf.d/ r, /etc/xdg/** r, + owner /var/lib/plasmalogin/.cache/{,**} rw, + owner /var/lib/plasmalogin/.config/{,**} rwk, + owner /var/lib/plasmalogin/.config/breezerc.@{rand6} rwl -> /var/lib/plasmalogin/.config/#@{int}, + / r, owner @{HOME}/ r, @@ -105,9 +110,17 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/menus/** r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/* r, + owner @{user_config_dirs}/breezerc w, + owner @{user_config_dirs}/breezerc.@{rand6} rw, + owner @{user_config_dirs}/breezerc.lock rwk, + owner @{user_config_dirs}/Kvantum/{,**} r, + owner @{user_config_dirs}/breezerc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, + owner @{user_share_dirs}/kwin/effects/{,**} r, + owner @{user_share_dirs}/aurorae/themes/{,**} r, + owner @{user_share_dirs}/plasma/desktoptheme/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 11e971e6fd..24146986b2 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -172,6 +172,10 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/PlasmaUserFeedback r, owner @{user_config_dirs}/plasma* rwlk, + owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/Kvantum/{,**} r, + + @{user_share_dirs}/plasma/** rPUx, owner @{user_share_dirs}/*/sessions/ r, owner @{user_share_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e2e964989c..175eeb9bbd 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -65,6 +65,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/startkderc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, + owner @{user_config_dirs}/plasma-workspace/env/qt-media-backend.sh r, owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int}, owner @{user_share_dirs}/color-schemes/{,**} r, @@ -79,7 +80,7 @@ profile startplasma @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, - /dev/tty r, + /dev/tty rw, /dev/tty@{u8} rw, include if exists diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 85e0c22594..e76068b5b4 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -21,6 +21,8 @@ profile xembedsniproxy @{exec_path} flags=(attach_disconnected) { @{run}/user/@{uid}/xauth_@{rand6} rl, + /dev/tty r, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 2d3af3c771..34bff43dd5 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -27,6 +27,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, capability sys_chroot, + capability bpf, network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index f904120443..3ea11c22dc 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -57,6 +57,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{bin}/ddcutil rPx, @{bin}/input-remapper-control rPUx, + @{bin}/pktsetup rPUx, @{bin}/kmod rCx -> kmod, @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, @{bin}/snap rPx, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 14f1177b36..1aac851866 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -29,6 +29,8 @@ profile unix-chkpwd @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{u8} rw, + /dev/pts/2 rw, # file_inherit + include if exists } From a632e3e578f28e0b9daecdbf16448dd0d40acc48 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 6 Mar 2026 07:54:57 +0000 Subject: [PATCH 1461/1736] feat(syntax): correction. --- apparmor.d/groups/kde/kaccess | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/kde/kiod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 390ee7806e..4d3d55cef6 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,7 +24,7 @@ profile kaccess @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_config_dirs}/Kvantum/** r, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 10c8b0a095..0b51ad700d 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -157,7 +157,7 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, owner @{user_config_dirs}/kcmfonts r, - owner @{user_config_dirs}/Kvantum/** r, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 0cc90c06dc..c0ec1bd539 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -23,7 +23,7 @@ profile kiod @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, - owner @{user_config_dirs}/Kvantum/** r, + owner @{user_config_dirs}/Kvantum/{,**} r, /etc/fstab r, From c53791ae7a817243657ccd30632716f31ddd4ebc Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Fri, 6 Mar 2026 02:15:16 +0100 Subject: [PATCH 1462/1736] pipewire: fix profile for 1.6.0 DENIED pipewire unlink owner @{run}/user/@{uid}/pipewire-0-manager comm=pipewire requested_mask=d denied_mask=d --- apparmor.d/groups/freedesktop/pipewire | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 5dd45e1907..c09d038f4f 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -50,6 +50,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{run}/snapd.socket rw, owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, From 0ab209b765d9d0941f9776f8ae6f862681940ee4 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 18:26:59 +0000 Subject: [PATCH 1463/1736] (feat): fix dockerd & run-parts --- apparmor.d/groups/virt/docker-proxy | 2 ++ apparmor.d/profiles-m-r/run-parts | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index e2cc400204..c01275efdd 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -28,6 +28,8 @@ profile docker-proxy @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/cgroup r, + owner /dev/pts/0 rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 1bc6a51167..938eca2760 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -15,6 +15,8 @@ profile run-parts @{exec_path} { include capability mknod, + capability net_admin, + capability sys_ptrace, @{exec_path} mrix, From d3dccad4a4e7ad365a5ee3bae46a1b93fe76b6ce Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 28 Feb 2026 21:56:20 +0000 Subject: [PATCH 1464/1736] (feat): corrected few profiles. --- apparmor.d/groups/virt/docker-proxy | 2 -- apparmor.d/profiles-m-r/run-parts | 2 -- 2 files changed, 4 deletions(-) diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index c01275efdd..e2cc400204 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -28,8 +28,6 @@ profile docker-proxy @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/cgroup r, - owner /dev/pts/0 rw, - include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 938eca2760..1bc6a51167 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -15,8 +15,6 @@ profile run-parts @{exec_path} { include capability mknod, - capability net_admin, - capability sys_ptrace, @{exec_path} mrix, From b050669bcc387ec4d27b8584c7c7ab52df66fea5 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 4 Mar 2026 15:17:20 +0000 Subject: [PATCH 1465/1736] (feat): variuos profile tweaks --- apparmor.d/groups/apparmor/aa-log | 2 ++ apparmor.d/groups/children/child-open-any | 1 + apparmor.d/groups/children/glycin | 3 +++ apparmor.d/groups/filesystem/btrfs | 3 +++ apparmor.d/groups/gvfs/gvfsd-mtp | 11 +++++++++++ apparmor.d/profiles-g-l/glxinfo | 2 ++ apparmor.d/profiles-g-l/gparted | 5 +++++ apparmor.d/profiles-g-l/gpartedbin | 5 +++++ apparmor.d/profiles-g-l/hexchat | 1 + 9 files changed, 33 insertions(+) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 9657018630..966b5045ec 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -24,6 +24,8 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { /var/log/audit/* r, /var/log/syslog* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/kitty-@{int6}-0.scope/cpu.max r, + /dev/tty@{u8} rw, profile journalctl { diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 446627e854..9c8a43b76d 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -15,6 +15,7 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include include + include @{bin}/** PUx, @{lib}/** PUx, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index cac18c592c..4993da79fa 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -36,6 +36,9 @@ profile glycin flags=(attach_disconnected) { deny @{sys}/devices/system/** r, deny /dev/shm/** rw, deny /dev/dri/* rw, + deny @{att}/dev/tty@{u8} rw, + + owner @{PROC}/@{pid}/mountinfo r, profile loaders flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index 776fc87e82..c7eb029118 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -33,6 +33,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /srv/ r, /usr/local/ r, /var/ r, + /var/log/ r, + /var/tmp/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, @@ -50,6 +52,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/snapper-tools-*/ r, @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r, + @{run}/BtrfsAssistant/@{uuid}/ r, @{sys}/fs/btrfs/@{uuid}/** r, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 2b8206f472..60716b68b1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -22,12 +22,23 @@ profile gvfsd-mtp @{exec_path} { @{exec_path} mr, + /usr/share/mime/aliases r, + /usr/share/mime/generic-icons r, + /usr/share/mime/globs2 r, + /usr/share/mime/icons r, + /usr/share/mime/magic r, + /usr/share/mime/mime.cache r, + /usr/share/mime/subclasses r, + owner @{HOME}/ r, owner @{HOME}/** rw, owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/@{pci_bus}/uevent r, + include if exists } diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index eea7b6050d..16b6e83627 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -19,6 +19,8 @@ profile glxinfo @{exec_path} { @{exec_path} mr, + owner @{PROC}/@{pid}/task/@{tid}/comm w, + include if exists } diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index a15bf732e1..db1085dfc8 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -13,6 +13,8 @@ profile gparted @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, + ptrace read, @{exec_path} r, @@ -47,6 +49,9 @@ profile gparted @{exec_path} flags=(attach_disconnected) { /usr/local/sbin/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/*/cpu.max r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 642cb60863..0140d28ffb 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -15,6 +15,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, capability dac_read_search, @@ -86,6 +87,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/*/cpu.max r, @{PROC}/devices r, @{PROC}/partitions r, @@ -146,6 +150,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include include + include include if exists } diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index 5493955440..afc182a0cc 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -42,6 +42,7 @@ profile hexchat @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, # file_inherit owner /dev/tty@{u8} rw, From fb775a0c48f5ca89d6499e098c95ee8bd1ad8a78 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 4 Mar 2026 20:04:38 +0000 Subject: [PATCH 1466/1736] feat(profile): was not enough. --- apparmor.d/groups/apparmor/aa-log | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 966b5045ec..0991d8bb26 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -24,7 +24,7 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { /var/log/audit/* r, /var/log/syslog* r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/kitty-@{int6}-0.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/*.scope/cpu.max r, /dev/tty@{u8} rw, From 5c9aafd0cca051ace89b533b69927a49a78fd51f Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 4 Mar 2026 21:28:12 +0000 Subject: [PATCH 1467/1736] feat(profile) all corrected. --- apparmor.d/abstractions/app/bwrap-glycin | 2 ++ apparmor.d/abstractions/app/open | 1 + apparmor.d/groups/children/child-open-any | 1 - apparmor.d/groups/children/glycin | 2 -- apparmor.d/groups/gvfs/gvfsd-mtp | 12 ++---------- apparmor.d/profiles-g-l/gparted | 4 ++-- apparmor.d/profiles-g-l/gpartedbin | 4 ++-- 7 files changed, 9 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index f93af58651..0b2165c88e 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -40,6 +40,8 @@ owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + owner @{PROC}/@{pid}/mountinfo r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index fdb89d4ec8..e735e34ffc 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -8,6 +8,7 @@ abi , include + include # We cannot use `@{open_path} mrix,` here because it includes: # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 9c8a43b76d..446627e854 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -15,7 +15,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include include - include @{bin}/** PUx, @{lib}/** PUx, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 4993da79fa..1c1ebea733 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -38,8 +38,6 @@ profile glycin flags=(attach_disconnected) { deny /dev/dri/* rw, deny @{att}/dev/tty@{u8} rw, - owner @{PROC}/@{pid}/mountinfo r, - profile loaders flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 60716b68b1..4ee6f705f9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -17,27 +17,19 @@ profile gvfsd-mtp @{exec_path} { include include include + include network netlink raw, @{exec_path} mr, - /usr/share/mime/aliases r, - /usr/share/mime/generic-icons r, - /usr/share/mime/globs2 r, - /usr/share/mime/icons r, - /usr/share/mime/magic r, - /usr/share/mime/mime.cache r, - /usr/share/mime/subclasses r, - owner @{HOME}/ r, owner @{HOME}/** rw, owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/@{pci_bus}/uevent r, + @{sys}/devices/**/uevent r, include if exists } diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index db1085dfc8..501ee09daf 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -50,8 +50,8 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/*/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/*/cpu.max r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 0140d28ffb..314140ffc6 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -88,8 +88,8 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gparted@@{hex32}.service/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/*/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-*-@{int}.scope/*/cpu.max r, @{PROC}/devices r, @{PROC}/partitions r, From c803144fe39ecd3664e6f57d7f54990c7625d87c Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 6 Mar 2026 07:34:11 +0000 Subject: [PATCH 1468/1736] feat(profile): kde profiles. --- apparmor.d/groups/freedesktop/pipewire | 2 ++ .../freedesktop/polkit-kde-authentication-agent | 1 + .../groups/freedesktop/xdg-desktop-portal-kde | 1 + apparmor.d/groups/kde/dolphin | 5 +++++ apparmor.d/groups/kde/gmenudbusmenuproxy | 5 ++++- apparmor.d/groups/kde/kaccess | 1 + apparmor.d/groups/kde/kded | 3 +++ apparmor.d/groups/kde/kiod | 1 + apparmor.d/groups/kde/kioworker | 10 ++++++++++ apparmor.d/groups/kde/konsole | 1 + apparmor.d/groups/kde/kwin_wayland | 13 +++++++++++++ apparmor.d/groups/kde/plasmashell | 4 ++++ apparmor.d/groups/kde/startplasma | 3 ++- apparmor.d/groups/kde/xembedsniproxy | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/profiles-s-z/unix-chkpwd | 2 ++ 17 files changed, 54 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index c09d038f4f..0fb8fbc63c 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -54,6 +54,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, + owner @{run}/user/@{uid}/pipewire-0-manager w, + owner @{run}/user/@{uid}/xauth_@{rand6} r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 0ce2729a31..5f3ffccb07 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -40,6 +40,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/ rw, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 39150d283c..1e38713686 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -52,6 +52,7 @@ profile xdg-desktop-portal-kde @{exec_path} flags=(attach_disconnected,mediate_d owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, owner @{user_config_dirs}/kdeglobals.@{rand6} rwl, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_share_dirs}/user-places.xbel r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index a0f61403f7..3e42a96a4b 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -50,6 +50,7 @@ profile dolphin @{exec_path} { /usr/share/misc/termcap r, /usr/share/templates/{,*.desktop} r, /usr/share/thumbnailers/{,**} r, + /usr/share/color-schemes/{,**} r, /etc/fstab r, /etc/exports r, @@ -58,6 +59,8 @@ profile dolphin @{exec_path} { /etc/xdg/dolphinrc r, /etc/xdg/ui/ui_standards.rc r, + /var/lib/samba/usershare/ r, + # Full access to user's data / r, /*/ r, @@ -79,6 +82,8 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/#@{int} rwk, owner @{user_state_dirs}/dolphinstaterc{,.@{rand6}} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/UserFeedback.org.kde.dolphin.lock k, + owner @{user_state_dirs}/UserFeedback.org.kde.dolphin.@{rand6} l -> @{user_state_dirs}/#@{int}, owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index 13ea86e5be..651ef4a908 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gmenudbusmenuproxy -profile gmenudbusmenuproxy @{exec_path} flags=(attach_disconnected) { +profile gmenudbusmenuproxy @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -25,6 +25,9 @@ profile gmenudbusmenuproxy @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, + owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock.rmlock rwk, + + /dev/tty r, include if exists } diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 2f709ebeb9..390ee7806e 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,6 +24,7 @@ profile kaccess @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, + owner @{user_config_dirs}/Kvantum/** r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 78f55ad13c..10c8b0a095 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -156,6 +156,8 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, + owner @{user_config_dirs}/kcmfonts r, + owner @{user_config_dirs}/Kvantum/** r, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, @@ -168,6 +170,7 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/remoteview/ r, owner @{user_share_dirs}/services5/{,**} r, owner @{user_share_dirs}/user-places.xbel r, + owner @{user_share_dirs}/aurorae/themes/Layan/* r, owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index cc1554ad7c..0cc90c06dc 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -23,6 +23,7 @@ profile kiod @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, + owner @{user_config_dirs}/Kvantum/** r, /etc/fstab r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 8bd9a68695..c57f57223d 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,6 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, + @{bin}/kcmshell6 rPUx, @{bin}/alts ix, @{bin}/gs{,.bin} rCx -> gs, @@ -53,11 +54,14 @@ profile kioworker @{exec_path} { /usr/share/org.kde.syntax-highlighting/{,**} r, /usr/share/remoteview/{,*} r, /usr/share/thumbnailers/{,**} r, + /usr/share/wallpapers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, + owner /var/cache/samba/gencache.tdb w, + # Full access to user's data / r, /*/ r, @@ -84,9 +88,12 @@ profile kioworker @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int}, owner @{user_cache_dirs}/kio_http/* rwl, + owner @{user_cache_dirs}/samba/gencache.tdb k, owner @{user_config_dirs}/kio_httprc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/libaccounts-glib/accounts.db k, + owner @{user_config_dirs}/libaccounts-glib/accounts.db-shm k, owner @{user_share_dirs}/baloo/index rw, owner @{user_share_dirs}/baloo/index-lock rwk, @@ -98,10 +105,13 @@ profile kioworker @{exec_path} { owner @{tmp}/#@{int} rw, @{run}/mount/utab r, + @{run}/sshd.pid r, + @{run}/utmp r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index d6b1a59ae7..09d96b18a3 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -63,6 +63,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/session/** rwlk, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 921a863d34..045fd02aed 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -29,6 +29,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal receive set=term peer=sddm, signal receive set=(kill, term) peer=kwin_wayland_wrapper, signal send set=(kill, term) peer=xwayland, + signal send set=term peer=unconfined, unix type=stream peer=(label=xkbcomp), unix type=stream peer=(label=xwayland), @@ -63,6 +64,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/pipewire/client.conf.d/ r, /etc/xdg/** r, + owner /var/lib/plasmalogin/.cache/{,**} rw, + owner /var/lib/plasmalogin/.config/{,**} rwk, + owner /var/lib/plasmalogin/.config/breezerc.@{rand6} rwl -> /var/lib/plasmalogin/.config/#@{int}, + / r, owner @{HOME}/ r, @@ -105,9 +110,17 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/menus/** r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/* r, + owner @{user_config_dirs}/breezerc w, + owner @{user_config_dirs}/breezerc.@{rand6} rw, + owner @{user_config_dirs}/breezerc.lock rwk, + owner @{user_config_dirs}/Kvantum/{,**} r, + owner @{user_config_dirs}/breezerc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, + owner @{user_share_dirs}/kwin/effects/{,**} r, + owner @{user_share_dirs}/aurorae/themes/{,**} r, + owner @{user_share_dirs}/plasma/desktoptheme/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 11e971e6fd..24146986b2 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -172,6 +172,10 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/PlasmaUserFeedback r, owner @{user_config_dirs}/plasma* rwlk, + owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/Kvantum/{,**} r, + + @{user_share_dirs}/plasma/** rPUx, owner @{user_share_dirs}/*/sessions/ r, owner @{user_share_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e2e964989c..175eeb9bbd 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -65,6 +65,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/startkderc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, + owner @{user_config_dirs}/plasma-workspace/env/qt-media-backend.sh r, owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int}, owner @{user_share_dirs}/color-schemes/{,**} r, @@ -79,7 +80,7 @@ profile startplasma @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, - /dev/tty r, + /dev/tty rw, /dev/tty@{u8} rw, include if exists diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 85e0c22594..e76068b5b4 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -21,6 +21,8 @@ profile xembedsniproxy @{exec_path} flags=(attach_disconnected) { @{run}/user/@{uid}/xauth_@{rand6} rl, + /dev/tty r, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 2d3af3c771..34bff43dd5 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -27,6 +27,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, capability sys_chroot, + capability bpf, network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index f904120443..3ea11c22dc 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -57,6 +57,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{bin}/ddcutil rPx, @{bin}/input-remapper-control rPUx, + @{bin}/pktsetup rPUx, @{bin}/kmod rCx -> kmod, @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, @{bin}/snap rPx, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 14f1177b36..1aac851866 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -29,6 +29,8 @@ profile unix-chkpwd @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{u8} rw, + /dev/pts/2 rw, # file_inherit + include if exists } From 81bd5c778cfdb834052d3354bd10905f8f11cc60 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 6 Mar 2026 07:54:57 +0000 Subject: [PATCH 1469/1736] feat(syntax): correction. --- apparmor.d/groups/kde/kaccess | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/kde/kiod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 390ee7806e..4d3d55cef6 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,7 +24,7 @@ profile kaccess @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_config_dirs}/Kvantum/** r, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 10c8b0a095..0b51ad700d 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -157,7 +157,7 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, owner @{user_config_dirs}/kcmfonts r, - owner @{user_config_dirs}/Kvantum/** r, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 0cc90c06dc..c0ec1bd539 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -23,7 +23,7 @@ profile kiod @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, - owner @{user_config_dirs}/Kvantum/** r, + owner @{user_config_dirs}/Kvantum/{,**} r, /etc/fstab r, From d4b0eff1601c857c5d0c0c8c749dbe7ca4fc6450 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Fri, 6 Mar 2026 11:36:33 +0100 Subject: [PATCH 1470/1736] pipewire: remove already included rule --- apparmor.d/groups/freedesktop/pipewire | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 0fb8fbc63c..2eb4c6ff4c 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -54,7 +54,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, - owner @{run}/user/@{uid}/pipewire-0-manager w, owner @{run}/user/@{uid}/xauth_@{rand6} r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 From 47945769dfbabb03f13330c3d2f2c656f0455317 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Fri, 6 Mar 2026 15:04:42 +0100 Subject: [PATCH 1471/1736] systemsettings: fix portal similar situation than #1052 DENIED systemsettings link owner @{run}/user/@{uid}/#418 info="Failed name lookup - deleted entry" comm=systemsettings requested_mask=l denied_mask=l error=-2 --- apparmor.d/groups/kde/systemsettings | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 5b8f4ef4bb..281b0c884e 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemsettings -profile systemsettings @{exec_path} flags=(attach_disconnected) { +profile systemsettings @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include From c9191ca448defd070e25c7a9689ea918e25f5482 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sun, 8 Mar 2026 20:32:38 +0000 Subject: [PATCH 1472/1736] feat(profile): kde plasma --- apparmor.d/groups/kde/kwalletd | 1 + apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/pacman/pacman | 1 + apparmor.d/groups/systemd/systemd-logind | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 +- 6 files changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index a34c76fd4a..e9441972cc 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -39,6 +39,7 @@ profile kwalletd @{exec_path} { owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, + owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 24146986b2..c77e128d4a 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -201,6 +201,7 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/qalculate/{,**} r, owner @{user_share_dirs}/user-places.xbel{,*} rwl, owner @{user_share_dirs}/wallpapers/{,**} rw, + owner @{user_share_dirs}/knotifications6/apdatifier.notifyrc r, owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/kickerstaterc r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index cd7623f689..d9c98e228f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -112,6 +112,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { owner @{tmp}/arch-update-@{uid}/checkupdates-@{rand}/sync/** w, owner @{tmp}/checkup-db-@{int}/db.lck rw, owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, + owner @{tmp}/checkup-db-@{uid}/sync/download-@{rand6}/* w, @{run}/utmp rk, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index d36bc66638..8ba93553d4 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -117,7 +117,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/fs/cgroup/memory.max r, @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, - @{sys}/kernel/kexec_loaded r, + @{sys}/kernel/kexec/loaded r, @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, @@ -140,6 +140,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{u8} rw, + /dev/pts/@{u8} w, /dev/shm/{,**} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 3ea11c22dc..101b722337 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -62,7 +62,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, @{bin}/snap rPx, @{bin}/systemctl rCx -> systemctl, - @{bin}/vmmouse_detect rPx, + @{bin}/vmmouse_detect rPUx, @{pager_path} rPx -> child-pager, @{sbin}/alsactl rPx, @{sbin}/dmsetup rPx, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 1aac851866..e305f8a96c 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -29,7 +29,7 @@ profile unix-chkpwd @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{u8} rw, - /dev/pts/2 rw, # file_inherit + /dev/pts/@{u8} rw, # file_inherit include if exists } From 5f11729417bc53d2da64d474e9d69bed80c5859b Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sun, 8 Mar 2026 21:16:57 +0000 Subject: [PATCH 1473/1736] feat(profile): small changes. --- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index d9c98e228f..209f240daf 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -112,7 +112,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { owner @{tmp}/arch-update-@{uid}/checkupdates-@{rand}/sync/** w, owner @{tmp}/checkup-db-@{int}/db.lck rw, owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, - owner @{tmp}/checkup-db-@{uid}/sync/download-@{rand6}/* w, + owner @{tmp}/checkup-db-@{uid}/sync/download-@{rand6}/** rw, @{run}/utmp rk, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 2c524e654e..75cb6cf4e0 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -29,6 +29,8 @@ profile unix-chkpwd @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{u8} rw, + /dev/pts/@{u8} rw, # file_inherit + include if exists } From 779da61b49bad5b17d3183d02394c6cb42928ad0 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Mon, 9 Mar 2026 07:48:15 +0000 Subject: [PATCH 1474/1736] feat(profile): correct syntax. --- apparmor.d/groups/pacman/pacman | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 209f240daf..a9c1ecbcc9 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -112,7 +112,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { owner @{tmp}/arch-update-@{uid}/checkupdates-@{rand}/sync/** w, owner @{tmp}/checkup-db-@{int}/db.lck rw, owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, - owner @{tmp}/checkup-db-@{uid}/sync/download-@{rand6}/** rw, + owner @{tmp}/checkup-db-@{uid}/sync/download-@{rand6}/ rw, + owner @{tmp}/checkup-db-@{uid}/sync/download-@{rand6}/{,*} rw, @{run}/utmp rk, From 2dfc3a5c4d525a41ac04ede1076c77442c38e440 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Mon, 9 Mar 2026 10:53:48 +0000 Subject: [PATCH 1475/1736] feat(profile): few corrections. --- apparmor.d/groups/ssh/ssh-agent | 9 ++++++++- apparmor.d/groups/systemd/systemd-logind | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index b86c303571..c9a40c3568 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -7,10 +7,13 @@ abi , include -@{exec_path} = @{bin}/ssh-agent +@{exec_path} = @{bin}/ssh-agent @{lib}/{,ssh/ssh-sk-helper} profile ssh-agent @{exec_path} { include include + include + include + signal receive set=term peer=cockpit-bridge, signal receive set=term peer=cockpit-session, @@ -22,6 +25,8 @@ profile ssh-agent @{exec_path} { @{bin}/gpg-agent rPx, @{bin}/im-launch rPx, + @{lib}/ssh/ssh-sk-helper rPx, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/@{XDG_SSH_DIR}/agent/ rw, @@ -38,6 +43,8 @@ profile ssh-agent @{exec_path} { owner @{run}/user/@{uid}/ssh-agent.@{rand6} w, owner @{run}/user/@{uid}/gcr/.ssh rw, + @{sys}/devices/**/uevent r, + /dev/tty@{u8} rw, /dev/tty rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 8ba93553d4..768c0f96d8 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -117,7 +117,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/fs/cgroup/memory.max r, @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, - @{sys}/kernel/kexec/loaded r, + @{sys}/kernel/kexec_loaded r, @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, From 570f3760dc89d5ab27060bf4c663f159637b0857 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 9 Mar 2026 12:07:13 +0100 Subject: [PATCH 1476/1736] feat(abs): add abs for flatpak features. --- apparmor.d/abstractions/app/flatpak | 7 +++++++ .../flatpak/baseapp/com.valvesoftware.Steam | 9 +++++--- .../flatpak/baseapp/org.chromium.Chromium | 10 --------- .../abstractions/flatpak/features/bluetooth | 11 ++++++++++ .../abstractions/flatpak/features/canbus | 11 ++++++++++ .../abstractions/flatpak/features/devel | 14 +++++++++++++ .../abstractions/flatpak/features/multiarch | 12 +++++++++++ .../flatpak/features/per-app-dev-shm | 21 +++++++++++++++++++ 8 files changed, 82 insertions(+), 13 deletions(-) create mode 100644 apparmor.d/abstractions/flatpak/features/bluetooth create mode 100644 apparmor.d/abstractions/flatpak/features/canbus create mode 100644 apparmor.d/abstractions/flatpak/features/devel create mode 100644 apparmor.d/abstractions/flatpak/features/multiarch create mode 100644 apparmor.d/abstractions/flatpak/features/per-app-dev-shm diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index a9f5788a24..78e71eec1b 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -68,6 +68,13 @@ include include + # Flatpak features '--feature=' + include + include + include + include + include + # Flatpak filesystem access '--filesystem=' # As a generic profile cannot filter filesystem for each app, this gives # full access to the user's home, and read only acccess to host system files. diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam index 7b924660de..bd594718b3 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -21,6 +21,7 @@ @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + @{sys}/devices/ r, @{sys}/devices/virtual/dmi/id/bios_date r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/bios_version rk, @@ -32,10 +33,10 @@ @{sys}/devices/virtual/dmi/id/chassis_vendor r, @{sys}/devices/virtual/dmi/id/chassis_version r, @{sys}/devices/virtual/dmi/id/product_family r, - @{sys}/devices/virtual/dmi/id/product_name k, + @{sys}/devices/virtual/dmi/id/product_name rk, @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor k, + @{sys}/devices/virtual/dmi/id/sys_vendor rk, @{PROC}/@{pid}/comm rk, @{PROC}/locks r, @@ -45,7 +46,9 @@ @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/net/core/bpf_jit_enable r, owner @{PROC}/@{pid}/autogroup rw, - owner @{PROC}/@{pid}/cmdline rk, + + # Chromium content api unfortunately needs these for normal operation + owner @{PROC}/@{pid}/fd/@{int} w, include if exists diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium b/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium index dedf3c8bfc..6d7dae03af 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium +++ b/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium @@ -11,10 +11,6 @@ # The orcexec.* file is JIT compiled code for various GStreamer elements. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - /dev/shm/ r, - owner /dev/shm/.@{appid}.@{rand6} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - @{sys}/bus/ r, @{sys}/devices/**/usb@{int}/{,*/}bConfigurationValue r, @{sys}/devices/**/usb@{int}/{,*/}descriptors r, @@ -31,12 +27,6 @@ # Chromium content api unfortunately needs these for normal operation owner @{PROC}/@{pid}/fd/@{int} w, - # This is an information leak but disallowing it leads to developer confusion - # when using the chromium content api file chooser due to a (harmless) glib - # warning and the noisy AppArmor denial. - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - # This allows raising the OOM score of other processes owned by the user. owner @{PROC}/@{pid}/oom_score_adj w, diff --git a/apparmor.d/abstractions/flatpak/features/bluetooth b/apparmor.d/abstractions/flatpak/features/bluetooth new file mode 100644 index 0000000000..5343b79c1d --- /dev/null +++ b/apparmor.d/abstractions/flatpak/features/bluetooth @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# The bluetooth feature allows the application to use bluetooth (AF_BLUETOOTH) +# sockets. Note, for bluetooth to fully work you must also have network access. + + abi , + + include if exists diff --git a/apparmor.d/abstractions/flatpak/features/canbus b/apparmor.d/abstractions/flatpak/features/canbus new file mode 100644 index 0000000000..15da79e0a0 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/features/canbus @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# The canbus feature allows the application to use canbus (AF_CAN) sockets. +# Note, for this work you must also have network access. + + abi , + + include if exists diff --git a/apparmor.d/abstractions/flatpak/features/devel b/apparmor.d/abstractions/flatpak/features/devel new file mode 100644 index 0000000000..502066e168 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/features/devel @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# The devel feature allows the application to access certain syscalls such as +# ptrace(), and perf_event_open(). + + abi , + + ptrace read peer=flatpak//bwrap, + ptrace trace peer=@{profile_name}, + + include if exists diff --git a/apparmor.d/abstractions/flatpak/features/multiarch b/apparmor.d/abstractions/flatpak/features/multiarch new file mode 100644 index 0000000000..feb248de8a --- /dev/null +++ b/apparmor.d/abstractions/flatpak/features/multiarch @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# The multiarch feature allows the application to execute programs compiled for +# an ABI other than the one supported natively by the system. For example, for +# the x86_64 architecture, 32-bit x86 binaries will be allowed as well. + + abi , + + include if exists diff --git a/apparmor.d/abstractions/flatpak/features/per-app-dev-shm b/apparmor.d/abstractions/flatpak/features/per-app-dev-shm new file mode 100644 index 0000000000..0982508074 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/features/per-app-dev-shm @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# The per-app-dev-shm feature shares a single instance of /dev/shm between the +# application, any unrestricted subsandboxes that it creates, and any other +# instances of the application that are launched while it is running. + +# We should theoretically allow all access of /dev/shm/ here. However, as it is +# a potential source of information leaks and confinement escapes, we only allow, +# we only allow some well-known paths that are used by the application. +# Baseapp can be used to allow access to more paths if needed. + + abi , + + /dev/shm/ r, + owner /dev/shm/.@{appid}.@{rand6} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + include if exists From 28b50309727e02f015d89e83c43142cf42fc63b0 Mon Sep 17 00:00:00 2001 From: valoq Date: Mon, 9 Mar 2026 13:21:47 +0100 Subject: [PATCH 1477/1736] minor improvements --- apparmor.d/groups/utils/login | 3 +++ apparmor.d/profiles-a-f/fd | 1 + apparmor.d/profiles-s-z/sbctl | 2 ++ 3 files changed, 6 insertions(+) diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6d1efabb3f..28d5afab96 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -12,6 +12,8 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include #aa:only RBAC @@ -52,6 +54,7 @@ profile login @{exec_path} flags=(attach_disconnected) { /etc/motd r, /etc/motd.d/ r, /etc/shells r, + /etc/u2f/{,**} r, /var/lib/faillock/@{user} rwk, /var/lib/lastlog/ r, diff --git a/apparmor.d/profiles-a-f/fd b/apparmor.d/profiles-a-f/fd index ba3690e013..a8b1a92ed7 100644 --- a/apparmor.d/profiles-a-f/fd +++ b/apparmor.d/profiles-a-f/fd @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/fd profile fd @{exec_path} { include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 5d93bcc093..b261a030a3 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -36,6 +36,8 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{PROC}/@{pid}/mountinfo r, + # File Inherit deny network inet stream, deny network inet6 stream, From e7b39a61bcaf7cd08d323aeaca1e7c2c6c401706 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 9 Mar 2026 13:57:25 +0100 Subject: [PATCH 1478/1736] feat(abs): add flatpak/base. New flatpak/base for with common access for all flatpak applications. This is part of a long term milestone that aims at restricting as much as possible flatpak app. --- apparmor.d/abstractions/app/flatpak | 166 ++---------------- apparmor.d/abstractions/flatpak/base | 241 ++++++++++++++++++++++++++ apparmor.d/groups/flatpak/fapp | 1 + apparmor.d/groups/flatpak/fbwrap | 1 + apparmor.d/groups/flatpak/flatpak-app | 1 + 5 files changed, 255 insertions(+), 155 deletions(-) create mode 100644 apparmor.d/abstractions/flatpak/base diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 78e71eec1b..2ad5687dcf 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -4,6 +4,7 @@ # LOGPROF-SUGGEST: no # NEEDS-VARIABLE: appid # NEEDS-VARIABLE: att +# NEEDS-VARIABLE: profile_dbus # Default rules for all flatpak applications. Ideally, they should be # generated with settings from the flatpak metadata. @@ -33,11 +34,7 @@ abi , - include - include - include - include - include + include # The app base platform, similar to our desktop abstraction, but with flatpak paths include @@ -91,29 +88,9 @@ include include - capability dac_override, - capability dac_read_search, - - unix (bind listen) type=seqpacket addr=@@{hex}@{hex}, - unix (bind listen) type=seqpacket addr=@*, - - unix type=seqpacket peer=(label=dbus-session), - unix type=seqpacket peer=(label=fbwrap), - unix type=seqpacket peer=(label=flatpak-portal), - unix type=seqpacket peer=(label=flatpak), - unix type=seqpacket peer=(label=xdg-dbus-proxy), - unix type=stream peer=(label=dbus-session), - unix type=stream peer=(label=fbwrap), - unix type=stream peer=(label=flatpak), - unix type=stream peer=(label=gnome-keyring-daemon), - unix type=stream peer=(label=unconfined), - unix type=stream peer=(label=xdg-dbus-proxy), - unix type=stream peer=(label=xdg-desktop-portal), - signal (send receive) peer=fapp, signal (send receive) peer=fapp//&fbwrap, signal (send receive) peer=fbwrap, - signal receive peer=flatpak-portal, ptrace read peer=fapp, ptrace read peer=fapp//&fbwrap, @@ -122,142 +99,21 @@ ptrace trace peer=fapp//&fbwrap, ptrace trace peer=fbwrap, + unix (bind listen) type=seqpacket addr=@*, + unix type=dgram peer=(label=fbwrap), + unix type=seqpacket peer=(label=fbwrap), + unix type=stream peer=(label=fbwrap), + unix type=stream peer=(label=flatpak), + unix type=stream peer=(label=gnome-keyring-daemon), + unix type=stream peer=(label=unconfined), + unix type=stream peer=(label=xdg-desktop-portal), + # As a generic profile, we cannot restrict the session bus, and we trust flatpak on this. dbus bus=session, - # Run in the flatpak sandbox, the app - /app/ rk, - /app/** mrkix, - - # Run in the flatpak sandbox, the app runtime - @{bin}/ r, - @{bin}/** rix, - @{lib}/ r, - @{lib}/** rix, - @{sbin}/ r, - @{sbin}/** rix, - # apply_extra /app/extra/** w, - / r, - owner /.flatpak-info r, - - # In the sandbox, they are the same than ~/.var/app/@{appid}/{cache,config,data,cache/tmp} - #aa:lint ignore=too-wide - owner /var/cache/** rwlk, - owner /var/config/** rwlk, - owner /var/data/** rwlk, - owner /var/tmp/** rwlk, - - owner @{att}@{HOME}/ r, - owner @{att}@{HOME}/.var/app/@{appid}/ r, - owner @{att}@{HOME}/.var/app/@{appid}/** mrwlk, - owner @{HOME}/.var/app/@{appid}/ r, - owner @{HOME}/.var/app/@{appid}/** mrwlk -> @{HOME}/.var/app/@{appid}/**, - owner @{HOME}/.var/app/@{appid}/** ix, - - @{run}/parent/** mrix, - @{run}/parent/usr/.ref k, - @{run}/parent/app/.ref k, - - owner @{run}/flatpak/app/@{appid}/ r, - owner @{run}/flatpak/app/@{appid}/** mrwlk -> @{run}/flatpak/app/@{appid}/**, - - owner @{run}/flatpak/doc/ r, - owner @{run}/flatpak/doc/** mr, - owner @{run}/flatpak/ld.so.conf.d/ r, - owner @{run}/flatpak/ld.so.conf.d/*.conf r, - - owner @{run}/user/@{uid}/app/@{appid}/ r, - owner @{run}/user/@{uid}/app/@{appid}/** rwlk -> @{run}/user/@{uid}/app/@{appid}/**, - - owner @{att}@{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, - owner @{att}@{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw, - owner @{att}@{run}/user/@{uid}/.dbus-proxy/system-bus-proxy-@{rand6} rw, - - @{run}/host/os-release r, - owner @{run}/host/ r, - owner @{run}/host/container-manager r, - - #aa:lint ignore=too-wide - # Flatpak creates an app-specific private restricted /tmp. As such, we can - # simply allow full access to /tmp. - /tmp/ r, - owner /tmp/** mrwlkix, - @{att}/tmp/ r, - owner @{att}/tmp/** mrwlkix, - - # Show the list of active tty - @{sys}/devices/virtual/tty/tty@{int}/active r, - - # This is an information leak - owner @{PROC}/@{pid}/mountinfo r, - - # Reads of oom_adj and oom_score_adj are safe - owner @{PROC}/@{pid}/oom_adj r, - owner @{PROC}/@{pid}/oom_score_adj r, - - # Allow reading of smaps_rollup, which is a summary of the memory use of a process - owner @{PROC}/@{pid}/smaps_rollup r, - - # Per man(5) proc, the kernel enforces that a thread may only modify its comm - # value or those in its thread group. - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - # Allow reading file descriptor info - owner @{PROC}/@{pid}/fdinfo/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - - @{PROC}/ r, - @{PROC}/@{pid}/cpuset r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/io r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/smaps r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pid}/status r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/loadavg r, - @{PROC}/sys/fs/file-max r, - @{PROC}/sys/fs/file-nr r, - @{PROC}/sys/fs/inotify/max_queued_events r, - @{PROC}/sys/fs/inotify/max_user_instances r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/fs/nr_open r, - @{PROC}/sys/fs/pipe-max-size r, - @{PROC}/sys/kernel/hostname r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/ostype r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/sys/kernel/random/uuid r, - @{PROC}/sys/kernel/shmmax r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/uptime r, - @{PROC}/version r, - @{PROC}/version_signature r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/clear_refs w, - owner @{PROC}/@{pid}/cmdline rk, - owner @{PROC}/@{pid}/comm rk, - owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/sessionid r, - owner @{PROC}/@{pid}/smaps_rollup r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/smaps r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/statm r, - - # Allow setting up pseudoterminal via /dev/pts system. This is safe because - # flatpak uses a per-app devpts. - /dev/ptmx rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base new file mode 100644 index 0000000000..e7ef13d021 --- /dev/null +++ b/apparmor.d/abstractions/flatpak/base @@ -0,0 +1,241 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: appid +# NEEDS-VARIABLE: att +# NEEDS-VARIABLE: profile_dbus + + abi , + + include + include #aa:lint ignore=abstractions + include + include + include + + capability dac_override, + capability dac_read_search, + + signal receive set=int peer=flatpak-portal, + + unix (send receive) type=seqpacket peer=(label=@{profile_dbus}), + unix (send receive) type=seqpacket peer=(label=dbus-session), + unix (send receive) type=seqpacket peer=(label=flatpak-portal), + unix (send receive) type=seqpacket peer=(label=flatpak), + unix (send receive) type=seqpacket peer=(label=flatpak//bwrap), + unix (send receive) type=stream peer=(label=@{profile_dbus}), + unix (send receive) type=stream peer=(label=dbus-session), + unix (send receive) type=stream peer=(label=flatpak-portal), + unix (send receive) type=stream peer=(label=flatpak), + unix (send receive) type=stream peer=(label=flatpak//bwrap), + + # Run in the flatpak sandbox, the app + /app/ rk, + /app/** mrkix, + + # Run in the flatpak sandbox, the app runtime + @{bin}/ r, + @{bin}/** rix, + @{lib}/ r, + @{lib}/** rix, + @{sbin}/ r, + @{sbin}/** rix, + + # Core directory of the flatpak platform runtime + / r, + /usr/ r, + + /etc/timezone r, + + owner /.flatpak-info r, + + # In the sandbox, they are the same than ~/.var/app/@{appid}/{cache,config,data,cache/tmp} + #aa:lint ignore=too-wide + owner /var/ r, + owner /var/cache/** rwlk, + owner /var/config/** rwlk, + owner /var/data/** rwlk, + owner /var/tmp/** rwlk, + + owner /home/ r, + + owner @{att}@{HOME}/ r, + owner @{att}@{HOME}/.var/app/@{appid}/ r, + owner @{att}@{HOME}/.var/app/@{appid}/** mrwlk, + + owner @{HOME}/.var/ w, + owner @{HOME}/.var/app/ w, + owner @{HOME}/.var/app/@{appid}/ rw, + owner @{HOME}/.var/app/@{appid}/** mrwlk -> @{HOME}/.var/app/@{appid}/**, + owner @{HOME}/.var/app/@{appid}/** ix, + + @{run}/parent/** mrix, + @{run}/parent/usr/.ref rk, + @{run}/parent/app/.ref rk, + + owner @{run}/flatpak/app/@{appid}/ r, + owner @{run}/flatpak/app/@{appid}/** mrwlk -> @{run}/flatpak/app/@{appid}/**, + + owner @{run}/flatpak/doc/ r, + owner @{run}/flatpak/doc/** mrw, + owner @{run}/flatpak/ld.so.conf.d/ r, + owner @{run}/flatpak/ld.so.conf.d/*.conf r, + + owner @{run}/user/@{uid}/app/@{appid}/ r, + owner @{run}/user/@{uid}/app/@{appid}/** rwlk -> @{run}/user/@{uid}/app/@{appid}/**, + + owner @{att}@{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, + owner @{att}@{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw, + owner @{att}@{run}/user/@{uid}/.dbus-proxy/system-bus-proxy-@{rand6} rw, + + @{run}/host/os-release r, + owner @{run}/host/ r, + owner @{run}/host/container-manager r, + + #aa:lint ignore=too-wide + # Flatpak creates an app-specific private restricted /tmp. As such, we can + # simply allow full access to /tmp. + /tmp/ r, + owner /tmp/** mrwlkix, + @{att}/tmp/ r, + owner @{att}/tmp/** mrwlkix, + + # Show the list of active tty + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # List processes in /proc + @{PROC}/ r, + + # Which CPUs/memory nodes the process is assigned to + @{PROC}/@{pid}/cpuset r, + + # I/O statistics (bytes read/written) + @{PROC}/@{pid}/io r, + + # Memory mappings (addresses, permissions, mapped files) + @{PROC}/@{pid}/maps r, + + # Process status in one line (pid, state, ppid, CPU time, threads, etc.) + @{PROC}/@{pid}/stat r, + + # Memory usage in pages (total, resident, shared, text, data) + @{PROC}/@{pid}/statm r, + + # Human-readable process status (name, state, UIDs, memory, capabilities) + @{PROC}/@{pid}/status r, + + # Human-readable thread status + @{PROC}/@{pid}/task/@{tid}/status r, + + # Uptime + @{PROC}/uptime r, + @{PROC}/loadavg r, + + # Allow to read the maximum number of file handles that can be allocated system-wide. + @{PROC}/sys/fs/file-max r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/nr_open r, + + # Limits for how many inotify instances, watches, and pending events a user can have. + @{PROC}/sys/fs/inotify/max_queued_events r, + @{PROC}/sys/fs/inotify/max_user_instances r, + @{PROC}/sys/fs/inotify/max_user_watches r, + + # Maximum size that an unprivileged process can set for a pipe buffer + @{PROC}/sys/fs/pipe-max-size r, + + # Get the system hostname + @{PROC}/sys/kernel/hostname r, + + # Get kernel version string + @{PROC}/sys/kernel/osrelease r, + + # Get OS type (always Linux) + @{PROC}/sys/kernel/ostype r, + + # Maximum PID value the kernel will assign + @{PROC}/sys/kernel/pid_max r, + + # Unique UUID generated each boot, used to identify the current boot session + @{PROC}/sys/kernel/random/boot_id r, + + # Get the amount of available entropy in the kernel's random pool + @{PROC}/sys/kernel/random/entropy_avail r, + + # Generates a fresh random UUID each time it's read + @{PROC}/sys/kernel/random/uuid r, + + # Maximum size of a single shared memory segment + @{PROC}/sys/kernel/shmmax r, + + # Get the ptrace restrictions level + @{PROC}/sys/kernel/yama/ptrace_scope r, + + # Kernel version + @{PROC}/version r, + @{PROC}/version_signature r, + + # Information about memory zones (DMA, Normal, HighMem) including free pages, + # watermarks, and per-CPU page counts. + @{PROC}/zoneinfo r, + + # Allow reading cgroup membership information for process introspection + owner @{PROC}/@{pid}/cgroup r, + + # Clearing the referenced bits in a process's page table entries provides a method to + # measure approximately how much memory a process is using. + owner @{PROC}/@{pid}/clear_refs w, + + # Allow reading command line arguments for process identification + owner @{PROC}/@{pid}/cmdline rk, + owner @{PROC}/@{pid}/comm rk, + + # Allow reading our own environment variables + owner @{PROC}/@{pid}/environ r, + + # Allow listing file descriptors + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fd/ r, + + # Allow reading file descriptor info + owner @{PROC}/@{pid}/fdinfo/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + + # Shows the process's current resource limits (soft/hard), the ulimit value. + owner @{PROC}/@{pid}/limits r, + + # Show the loginuid and sessionid of the process, which can be used for auditing and debugging. + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/sessionid r, + + # Allow reading mount points for filesystem awareness. This is an information leak + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + # Reads of oom_adj and oom_score_adj are safe + owner @{PROC}/@{pid}/oom_adj r, + owner @{PROC}/@{pid}/oom_score_adj r, + + # Allow reading of smaps_rollup, which is a summary of the memory use of a process + @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/smaps_rollup r, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + # Provide statistical information about our own processes/threads + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/smaps r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/statm r, + owner @{PROC}/@{pid}/task/@{tid}/status r, + + # Allow setting up pseudoterminal via /dev/pts system. This is safe because + # flatpak uses a per-app devpts. + /dev/ptmx rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/flatpak/fapp b/apparmor.d/groups/flatpak/fapp index 35080bc0e7..4f66fc3a78 100644 --- a/apparmor.d/groups/flatpak/fapp +++ b/apparmor.d/groups/flatpak/fapp @@ -12,6 +12,7 @@ abi , include @{appid} = @{word}.@{word}.@{word}{,.@{word}} +@{profile_dbus} = xdg-dbus-proxy profile fapp flags=(attach_disconnected,mediate_deleted) { include diff --git a/apparmor.d/groups/flatpak/fbwrap b/apparmor.d/groups/flatpak/fbwrap index 773cdafadb..b72ad1a559 100644 --- a/apparmor.d/groups/flatpak/fbwrap +++ b/apparmor.d/groups/flatpak/fbwrap @@ -7,6 +7,7 @@ abi , include @{appid} = @{word}.@{word}.@{word}{,.@{word}} +@{profile_dbus} = xdg-dbus-proxy @{exec_path} = @{bin}/bwrap profile fbwrap flags=(attach_disconnected,mediate_deleted) { diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 8da02b1897..1bc77ff616 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -27,6 +27,7 @@ abi , include @{appid} = @{word}.@{word}.@{word}{,.@{word}} +@{profile_dbus} = xdg-dbus-proxy @{exec_path} = @{bin}/bwrap profile flatpak-app flags=(attach_disconnected,mediate_deleted) { From 894f63ac7c6fec822ec126ac67c907f84ec75ee6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 9 Mar 2026 14:00:14 +0100 Subject: [PATCH 1479/1736] feat(abs): flatpak/base: ensure integration with attached feature. --- apparmor.d/abstractions/app/flatpak | 2 -- apparmor.d/abstractions/flatpak/base | 4 +++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 2ad5687dcf..7882fca455 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -29,8 +29,6 @@ # Abstractions in `abstractions/flatpak/` closelly follow the sandbox defined by # flatpak, and are therefore different to they host equivalents, as flatpak apps # do not have access to the full host filesystem. -# -# attach_disconnected: tweak the build system to replace attached abstractions abi , diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index e7ef13d021..a88ff76ceb 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -6,12 +6,14 @@ # NEEDS-VARIABLE: att # NEEDS-VARIABLE: profile_dbus +# attach_disconnected: tweak the build system to replace attached abstractions + abi , include - include #aa:lint ignore=abstractions include include + include include capability dac_override, From 72db6f7bab35959e5daa1c25d69477610f4e7049 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Mon, 9 Mar 2026 14:14:54 +0000 Subject: [PATCH 1480/1736] feat(profile): resolved --- apparmor.d/groups/ssh/ssh-agent | 7 ++----- apparmor.d/groups/ssh/ssh-sk-helper | 2 ++ 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index c9a40c3568..a45b838e5b 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -7,13 +7,10 @@ abi , include -@{exec_path} = @{bin}/ssh-agent @{lib}/{,ssh/ssh-sk-helper} +@{exec_path} = @{bin}/ssh-agent profile ssh-agent @{exec_path} { include include - include - include - signal receive set=term peer=cockpit-bridge, signal receive set=term peer=cockpit-session, @@ -25,7 +22,7 @@ profile ssh-agent @{exec_path} { @{bin}/gpg-agent rPx, @{bin}/im-launch rPx, - @{lib}/ssh/ssh-sk-helper rPx, + @{lib}/ssh/ssh-sk-helper rPx -> ssh-agent, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index 79f5d22da7..e245fd45e4 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -15,6 +15,8 @@ profile ssh-sk-helper flags=(complain) { @{exec_path} mr, + @{bin}/ssh-agent rPx, + include if exists } From 343f0feb14fc405013818a72ae79c25c6a58a85e Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Mon, 9 Mar 2026 20:35:03 +0000 Subject: [PATCH 1481/1736] feat(profile): no more logs --- apparmor.d/groups/ssh/ssh-agent | 4 +--- apparmor.d/groups/ssh/ssh-sk-helper | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index a45b838e5b..9ed22ccd7c 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -22,7 +22,7 @@ profile ssh-agent @{exec_path} { @{bin}/gpg-agent rPx, @{bin}/im-launch rPx, - @{lib}/ssh/ssh-sk-helper rPx -> ssh-agent, + @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, @@ -40,8 +40,6 @@ profile ssh-agent @{exec_path} { owner @{run}/user/@{uid}/ssh-agent.@{rand6} w, owner @{run}/user/@{uid}/gcr/.ssh rw, - @{sys}/devices/**/uevent r, - /dev/tty@{u8} rw, /dev/tty rw, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index e245fd45e4..3b163cb02f 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -15,7 +15,7 @@ profile ssh-sk-helper flags=(complain) { @{exec_path} mr, - @{bin}/ssh-agent rPx, + @{sys}/devices/**/uevent r, include if exists } From a39440c383ffa512776ac7906bbb178f71ba594f Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 11 Mar 2026 11:00:58 +0100 Subject: [PATCH 1482/1736] minor improvements --- apparmor.d/groups/pacman/mkinitcpio | 1 + apparmor.d/groups/ssh/ssh | 2 ++ 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 12d7b71408..2dcc7202ad 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -53,6 +53,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{lib}/initcpio/post/** rix, @{lib}/ld-*.so* rix, + /etc/cmdline.d/{,**} r, /etc/fstab r, /etc/initcpio/{,**} r, /etc/locale.conf r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index f5c4921bbf..de87a47685 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -16,6 +16,8 @@ profile ssh @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + network inet stream, network inet6 stream, network inet dgram, From 21ad8406e89058eeecf7cc38482a1c9e29420735 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Mar 2026 20:31:36 +0100 Subject: [PATCH 1483/1736] feat(abs): reorganise internal flatpak abs. --- apparmor.d/abstractions/flatpak/base | 3 +++ .../flatpak/baseapp/com.valvesoftware.Steam | 11 ++++++++-- .../flatpak/baseapp/org.chromium.Chromium | 9 +++------ .../{org.winehq.Win => org.winehq.Wine} | 2 +- apparmor.d/abstractions/flatpak/devices/all | 2 -- apparmor.d/abstractions/flatpak/devices/dri | 20 +++++++++++++++++-- .../abstractions/flatpak/features/bluetooth | 2 ++ .../flatpak/features/per-app-dev-shm | 4 ---- .../flatpak/platform/org.freedesktop | 4 ++++ .../abstractions/flatpak/sockets/wayland | 3 ++- 10 files changed, 42 insertions(+), 18 deletions(-) rename apparmor.d/abstractions/flatpak/baseapp/{org.winehq.Win => org.winehq.Wine} (98%) diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index a88ff76ceb..0e693e87a3 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -219,6 +219,9 @@ owner @{PROC}/@{pid}/oom_adj r, owner @{PROC}/@{pid}/oom_score_adj r, + # This allows raising the OOM score of other processes owned by the user. + owner @{PROC}/@{pid}/oom_score_adj w, + # Allow reading of smaps_rollup, which is a summary of the memory use of a process @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/smaps_rollup r, diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam index bd594718b3..12809e8a91 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -5,20 +5,27 @@ abi , - include + include + include @{lib}/os-release rk, owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/discord-ipc-@{int} w, + owner @{run}/user/@{uid}/pressure-vessel/ r, + owner @{run}/user/@{uid}/pressure-vessel/{,**} rw, owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, - owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, + owner /dev/shm/#@{int} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex8} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, + owner /dev/shm/ValveIPCSHM_@{uid} rw, + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, @{sys}/devices/ r, diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium b/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium index 6d7dae03af..1b5936edd9 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium +++ b/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium @@ -8,10 +8,10 @@ include - # The orcexec.* file is JIT compiled code for various GStreamer elements. - owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, + /dev/shm/ r, + owner /dev/shm/.@{appid}.@{rand6} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - @{sys}/bus/ r, @{sys}/devices/**/usb@{int}/{,*/}bConfigurationValue r, @{sys}/devices/**/usb@{int}/{,*/}descriptors r, @{sys}/devices/**/usb@{int}/{,*/}manufacturer r, @@ -27,9 +27,6 @@ # Chromium content api unfortunately needs these for normal operation owner @{PROC}/@{pid}/fd/@{int} w, - # This allows raising the OOM score of other processes owned by the user. - owner @{PROC}/@{pid}/oom_score_adj w, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Win b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine similarity index 98% rename from apparmor.d/abstractions/flatpak/baseapp/org.winehq.Win rename to apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine index 32129ec21a..d50eeb706e 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Win +++ b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine @@ -7,6 +7,6 @@ include - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index 014c931fa6..b1276929f0 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -33,8 +33,6 @@ @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/uid_map r, # Allow reading info about the physical mapping of virtual pages diff --git a/apparmor.d/abstractions/flatpak/devices/dri b/apparmor.d/abstractions/flatpak/devices/dri index 4a186e7d62..c0b5df43a8 100644 --- a/apparmor.d/abstractions/flatpak/devices/dri +++ b/apparmor.d/abstractions/flatpak/devices/dri @@ -7,15 +7,31 @@ include + unix (bind listen) type=seqpacket addr=@@{hex}, + + # The orcexec.* file is JIT compiled code for various GStreamer elements. + # If one is blocked the next is used instead. + # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. + owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, + deny owner @{HOME}/orcexec.@{rand6} mrw, + deny owner @{tmp}/orcexec.@{rand6} mrw, + + @{sys}/bus/ r, + @{sys}/devices/@{pci_bus}/uevent r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, - - /dev/ r, + @{PROC}/sys/vm/nr_hugepages r, # Video Acceleration API @{att}/dev/dri/renderD128 rw, @{att}/dev/dri/renderD129 rw, + /dev/ r, /dev/nvidia-caps/nvidia-cap@{int} rw, include if exists diff --git a/apparmor.d/abstractions/flatpak/features/bluetooth b/apparmor.d/abstractions/flatpak/features/bluetooth index 5343b79c1d..84eae1c15b 100644 --- a/apparmor.d/abstractions/flatpak/features/bluetooth +++ b/apparmor.d/abstractions/flatpak/features/bluetooth @@ -8,4 +8,6 @@ abi , + network bluetooth, + include if exists diff --git a/apparmor.d/abstractions/flatpak/features/per-app-dev-shm b/apparmor.d/abstractions/flatpak/features/per-app-dev-shm index 0982508074..d62d1bac1b 100644 --- a/apparmor.d/abstractions/flatpak/features/per-app-dev-shm +++ b/apparmor.d/abstractions/flatpak/features/per-app-dev-shm @@ -14,8 +14,4 @@ abi , - /dev/shm/ r, - owner /dev/shm/.@{appid}.@{rand6} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - include if exists diff --git a/apparmor.d/abstractions/flatpak/platform/org.freedesktop b/apparmor.d/abstractions/flatpak/platform/org.freedesktop index 3d08dffd60..13880340d0 100644 --- a/apparmor.d/abstractions/flatpak/platform/org.freedesktop +++ b/apparmor.d/abstractions/flatpak/platform/org.freedesktop @@ -42,11 +42,15 @@ @{run}/host/local-fonts/{,**} r, @{run}/host/share/icons/{,**} r, @{run}/host/user-share/icons/{,**} r, + @{run}/host/usr/share/applications/{,**} r, + @{run}/host/usr/share/icons/{,**} r, + @{run}/host/usr/share/pixmaps/{,**} r, # Pkcs11 # Flatpak only pkcs11 paths /etc/pki/ca-trust/extracted/** r, + /etc/pki/tls/certs/{,**} r, /etc/pki/tls/openssl.cnf r, owner /etc/pkcs11/modules/ r, diff --git a/apparmor.d/abstractions/flatpak/sockets/wayland b/apparmor.d/abstractions/flatpak/sockets/wayland index dc324e1d1e..c8fa3fb7c4 100644 --- a/apparmor.d/abstractions/flatpak/sockets/wayland +++ b/apparmor.d/abstractions/flatpak/sockets/wayland @@ -8,7 +8,8 @@ owner @{run}/flatpak/wayland-@{int} r, # Allow access to the Wayland compositor server socket - owner @{run}/user/@{uid}/wayland-@{int} rw, + owner @{run}/user/@{uid}/wayland-@{int} rw, + owner @{run}/user/@{uid}/wayland-proxy-@{int} rw, owner @{att}@{run}/user/@{uid}/wayland-@{int} rw, owner @{att}/dev/shm/@{uuid} rw, From 1d10cc830955c6cfaee3fdd37af48ba7a96ef98d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Mar 2026 20:38:52 +0100 Subject: [PATCH 1484/1736] feat(profile): few dbus improvements. --- .../session/org.freedesktop.portal.Desktop | 7 +++++++ apparmor.d/abstractions/webkit | 2 ++ .../groups/freedesktop/xdg-desktop-portal | 5 +++++ .../groups/freedesktop/xdg-desktop-portal-gtk | 21 ++----------------- apparmor.d/groups/gnome/gnome-control-center | 3 +-- apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 +- .../groups/gvfs/gvfs-udisks2-volume-monitor | 1 + apparmor.d/groups/kde/kwalletd | 3 +-- apparmor.d/groups/network/mullvad-daemon | 13 ++++++------ 9 files changed, 27 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop index f9c1dda2cd..ffd912e5f8 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Desktop @@ -88,6 +88,13 @@ member=Response peer=(name=@{busname}, label=xdg-desktop-portal), + # portal.FileChooser + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.FileChooser + member=OpenFile + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index 77cf80fc64..c32b632526 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -6,6 +6,8 @@ abi , + include + mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, @{bin}/xdg-dbus-proxy rix, # TODO: stack me diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ca9208313a..9ac7fd7eb5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -45,6 +45,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal interface+=org.freedesktop.impl.portal + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=@{busname}), + # Receive registertration of from anyone dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.host.portal.Registry diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 086f8ac6d8..67ef6b88e5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -18,6 +18,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -29,25 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings path=/org/freedesktop/portal/desktop label=xdg-desktop-portal - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Inhibit - member=CreateMonitor - peer=(name=@{busname}, label=xdg-desktop-portal), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Inhibit - member=StateChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Inhibit - member=Inhibit - peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop/request/** - interface=org.freedesktop.impl.portal.Request - member=Close - peer=(name=@{busname}, label=xdg-desktop-portal), + #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index d34183bd09..d4180f7f3c 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -11,6 +11,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -127,8 +128,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/xdg/autostart/*.desktop r, /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, /var/cache/cracklib/cracklib_dict.* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 5cd94906ba..6dd0c118bb 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -16,7 +16,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver path=/{,org/freedesktop/}ScreenSaver #aa:dbus own bus=session name=org.gnome.SettingsDaemon.ScreensaverProxy dbus receive bus=session diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 1bca3cf895..d5e1d890c2 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -18,6 +18,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index a34c76fd4a..b2c02b32ec 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -20,8 +20,7 @@ profile kwalletd @{exec_path} { include #aa:dbus own bus=session name=org.freedesktop.secrets - #aa:dbus own bus=session name=org.kde.kwalletd5 - #aa:dbus own bus=session name=org.kde.kwalletd6 + #aa:dbus own bus=session name=org.kde.kwalletd{,5,6} @{exec_path} mr, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 0250779864..d4873762df 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -12,13 +12,11 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_override, - - capability net_admin, capability fowner, capability fsetid, + capability net_admin, capability net_raw, capability sys_admin, @@ -33,10 +31,13 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, - dbus send bus=system path=/org/freedesktop/NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=@{busname}, label=NetworkManager), + member=Get + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, From 6593c75d0d265cc9ced0bfd41a1604102e4df7c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Mar 2026 20:39:26 +0100 Subject: [PATCH 1485/1736] feat(abs): cover more usb sys path. --- apparmor.d/abstractions/devices-usb-read | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 6bc067245f..84b667a5ae 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -22,8 +22,11 @@ @{sys}/devices/**/usb@{int}/{,**/}busnum r, @{sys}/devices/**/usb@{int}/{,**/}descriptors r, @{sys}/devices/**/usb@{int}/{,**/}devnum r, + @{sys}/devices/**/usb@{int}/{,**/}idProduct r, + @{sys}/devices/**/usb@{int}/{,**/}idVendor r, @{sys}/devices/**/usb@{int}/{,**/}manufacturer r, @{sys}/devices/**/usb@{int}/{,**/}product r, + @{sys}/devices/**/usb@{int}/{,**/}removable r, @{sys}/devices/**/usb@{int}/{,**/}serial r, @{sys}/devices/**/usb@{int}/{,**/}speed r, From aa32145f567628b87466587b2fad1bdbebec5186 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Mar 2026 20:42:36 +0100 Subject: [PATCH 1486/1736] feat(profile): improve gnome profiles. --- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 + apparmor.d/groups/freedesktop/xdg-document-portal | 3 ++- apparmor.d/groups/gnome/gnome-control-center-print-renderer | 4 ++++ apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 3 +++ apparmor.d/groups/gnome/gnome-disks | 3 ++- apparmor.d/groups/gnome/gnome-shell | 6 ++++++ apparmor.d/groups/gnome/gnome-software | 2 +- 8 files changed, 20 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 2eb4c6ff4c..8bef51e073 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -22,7 +22,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { network netlink raw, - ptrace (read), + ptrace read, #aa:dbus own bus=session name=org.pulseaudio.Server diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 9ac7fd7eb5..4d0638e038 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -122,6 +122,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gtkprint@{rand6} r, owner @{tmp}/icon@{rand6} rw, + owner @{att}@{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 4a90aa6748..98c0adfe5c 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -49,8 +49,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{att}/.flatpak-info r, owner @{HOME}/ r, - owner @{HOME}/*/{,**} rw, + owner @{HOME}/** rw, owner @{MOUNTS}/ r, + owner @{MOUNTS}/** rw, owner @{user_share_dirs}/flatpak/db/documents r, owner @{user_share_dirs}/Trash/files/** r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 21ebd1f3de..24c9498820 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -16,10 +16,14 @@ profile gnome-control-center-print-renderer @{exec_path} flags=(attach_disconnec @{exec_path} mr, + @{bin}/flatpak Px, + /usr/share/pixmaps/{,**} r, / r, + owner @{HOME}/.var/app/*/cache/{,**/} r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index b9c1f23b12..824ecdbf4a 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -33,6 +33,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, profile thumbnailer flags=(attach_disconnected) { @@ -50,6 +51,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { /usr/share/poppler/{,**} r, + /usr/share/glycin-loaders/{,**} r, @{att}/usr/share/glycin-loaders/{,**} r, @{att}/usr/share/gtksourceview-2.0/{,**} r, @@ -64,6 +66,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gsf-thumbnailer-@{rand6} rw, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 9df8822bd4..eaabd71102 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -7,11 +7,12 @@ abi , include @{exec_path} = @{bin}/gnome-disks -profile gnome-disks @{exec_path} { +profile gnome-disks @{exec_path} flags=(attach_disconnected) { include include include include + include include #aa:dbus own bus=session name=org.gnome.DiskUtility diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a6eb2fd3bf..29a6a8ec1a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -516,6 +516,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 69de84dcda..c0171a00af 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -131,7 +131,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) owner @{run}/user/@{uid}/systemd/private rw, owner /dev/shm/flatpak-com.*/ rw, - owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, + owner /dev/shm/flatpak-com.*/* rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/sessions/@{int} r, From 152611197b5c80be3576fe42b6f9984022d25377 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Wed, 11 Mar 2026 20:07:30 +0000 Subject: [PATCH 1487/1736] Merge remote-tracking branch 'upstream/main' --- apparmor.d/groups/ssh/ssh-agent | 2 -- apparmor.d/groups/ssh/ssh-sk-helper | 2 -- 2 files changed, 4 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 9ed22ccd7c..b86c303571 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -22,8 +22,6 @@ profile ssh-agent @{exec_path} { @{bin}/gpg-agent rPx, @{bin}/im-launch rPx, - @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, - owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/@{XDG_SSH_DIR}/agent/ rw, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index 3b163cb02f..79f5d22da7 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -15,8 +15,6 @@ profile ssh-sk-helper flags=(complain) { @{exec_path} mr, - @{sys}/devices/**/uevent r, - include if exists } From 7602cdf163c21b89f34505a1bb937be5e3a0d0f8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Mar 2026 21:12:16 +0100 Subject: [PATCH 1488/1736] feat(profile): improve code profiles. --- apparmor.d/abstractions/app/code-extension | 1 + apparmor.d/groups/code/code | 1 + apparmor.d/profiles-a-f/claude | 8 +++++--- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/code-extension b/apparmor.d/abstractions/app/code-extension index cd28aff4ca..a92e909d83 100644 --- a/apparmor.d/abstractions/app/code-extension +++ b/apparmor.d/abstractions/app/code-extension @@ -11,6 +11,7 @@ signal receive peer=code, + unix type=seqpacket peer=(label=code), unix (send receive) type=stream peer=(label=code), @{lib_dirs}/** mr, diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index e9e25e5db6..27579e787a 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -39,6 +39,7 @@ include profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include include include diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 162b1d1aa7..d4330bd6dd 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -161,19 +161,21 @@ profile claude @{exec_path} flags=(attach_disconnected) { priority=1 @{bin}/ssh Px -> claude//ssh, priority=1 @{ldd_path} rPx -> claude//ldd, - owner @{HOME}/.claude/ r, - owner @{HOME}/.claude/projects/{,**} r, + owner @{HOME}/.claude/{,**} r, owner @{HOME}/.claude/shell-snapshots/* rw, + owner @{HOME}/.claude/plugins/{,**} rwlk, owner @{code_config_dirs}/logs/{,**} w, owner @{user_config_dirs}/gh/*.yml r, - owner @{user_config_dirs}/git/*config r, + owner @{user_config_dirs}/git/* r, owner @{user_projects_dirs}/ r, owner @{user_projects_dirs}/** rwlk, /var/tmp/@{word8} rw, owner @{tmp}/* rwlk, + owner @{tmp}/claude-@{uid}/ rw, + owner @{tmp}/claude-@{uid}/** rwlk, owner @{tmp}/claude-shell/ rw, owner @{tmp}/claude-shell/** mix, owner @{tmp}/claude-shell/** rwlk -> @{tmp}/claude/**, From 40a0a557f798881cb7b48622f9284d184c1984cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Mar 2026 21:14:03 +0100 Subject: [PATCH 1489/1736] feat(profile): use make-rslave instead of rslace in mount rules. --- apparmor.d/groups/_full/sd | 4 ++-- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/systemd/systemd-machine-id-setup | 4 ++-- apparmor.d/profiles-g-l/ip | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 9645a8f717..1e910e79ad 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -78,8 +78,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { mount -> @{run}/systemd/namespace-@{rand6}/{,**}, mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/, mount options=(rw rshared) -> /, - mount options=(rw rslave) -> /, - mount options=(rw rslave) -> /dev/, + mount options=(rw make-rslave) /, + mount options=(rw make-rslave) /dev/, mount options=(rw slave) -> @{run}/systemd/incoming/, mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/, mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index a770b75d6c..d71096526e 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -99,7 +99,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { mount fstype=autofs systemd-1 -> @{efi}/, mount fstype=tmpfs tmpfs -> /tmp/, - mount options=(rw rslave) -> /, + mount options=(rw make-rslave) /, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 429365cd38..0de6c4d603 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -20,8 +20,8 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { ptrace read, - mount options=(rw rshared) -> /, - mount options=(rw rslave) -> /, + mount options=(rw make-rshared) /, + mount options=(rw make-rslave) /, umount /etc/machine-id, @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 4312252fe7..e99964f2ac 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -27,7 +27,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { mount options=(rw, bind) @{att}/ -> @{run}/netns/*, mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf, mount options=(rw, rshared) -> @{run}/netns/, - mount options=(rw, rslave) -> /, + mount options=(rw, make-rslave) /, umount @{run}/netns/*, umount @{sys}, From 3c82bf76dfa59ac59562d5aa3bbecb686ff1eaa5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Mar 2026 21:21:25 +0100 Subject: [PATCH 1490/1736] feat(profile): better dbus rules in portals. --- .../session/org.freedesktop.portal.Inhibit | 5 ++++ .../abstractions/bus/session/org.gtk.Actions | 22 ++++++++++++++ .../groups/freedesktop/xdg-desktop-portal | 30 ++++++++----------- .../freedesktop/xdg-desktop-portal-gnome | 8 +---- .../groups/freedesktop/xdg-desktop-portal-gtk | 1 + apparmor.d/groups/gnome/gsd-rfkill | 5 ++++ apparmor.d/groups/gnome/nautilus | 2 +- 7 files changed, 47 insertions(+), 26 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Inhibit b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Inhibit index e3b22814f2..8a2ce06264 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Inhibit +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Inhibit @@ -4,6 +4,11 @@ abi , + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member=Inhibit + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Inhibit member=QueryEndResponse diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions index 7ba4e13ad2..02ec89a33f 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Actions +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -11,6 +11,18 @@ member=GetAll peer=(name=@{busname}, label=gnome-shell), + # org.gtk.Actions + + dbus send bus=session + interface=org.gtk.Actions + member=DescribeAll + peer=(label=@{profile_name}), + + dbus receive bus=session + interface=org.gtk.Actions + member=Changed + peer=(name=@{busname}), + # org.gtk.Application dbus send bus=session @@ -36,6 +48,16 @@ member=Changed peer=(label=@{profile_name}), + dbus receive bus=session + interface=org.gtk.Application + member=Open + peer=(name=@{busname}, label=@{profile_name}), + + dbus send bus=session + interface=org.gtk.Application + member=Open + peer=(label=@{profile_name}), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 4d0638e038..af00f5f5f0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -56,30 +56,13 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { member=Register peer=(name=@{busname}), - dbus send bus=session path=/org/freedesktop/portal/desktop/session/** - interface=org.freedesktop.impl.portal.Session - member=Close - peer=(name=@{busname}, label=xdg-desktop-portal-gtk), - #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Background path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.GlobalShortcuts path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member={Read,ReadAll} - peer=(name=@{busname}, label=xdg-desktop-portal-*), - - dbus send bus=session path=/org/freedesktop/portal/desktop/request/** - interface=org.freedesktop.impl.portal.Request - member=Close - peer=(name=@{busname}), - dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Secret member=RetrieveSecret @@ -90,6 +73,17 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + # FIXME: This should have been included in the talk directive + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.FileManager1 + member=ShowItems + peer=(name=org.freedesktop.FileManager1), + + dbus send bus=session path=/org/gnome/Nautilus + interface=org.freedesktop.Application + member=Open + peer=(name=org.gnome.Nautilus), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 366ea10412..1608b741aa 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -29,8 +29,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus own bus=session name=org.freedesktop.impl.portal.FileChooser path=/org/freedesktop/portal/desktop - #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.freedesktop.portal interface+=org.freedesktop.impl.portal label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -40,11 +39,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.FileChooser, - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=RunningApplicationsChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 67ef6b88e5..42cd28f7eb 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -31,6 +31,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index ecced2e7d5..9e50606c34 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -23,6 +23,11 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Rfkill + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 8d7b03e094..2e2216df11 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -35,7 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.freedesktop.portal.FileTransfer label=xdg-document-portal + #aa:dbus talk bus=session name=org.freedesktop.portal.FileTransfer path=/org/freedesktop/portal/documents label=xdg-document-portal #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell From ce13d919494402a5281355aac20fefb80830ba43 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Mar 2026 21:31:27 +0100 Subject: [PATCH 1491/1736] feat(profile): various minor update. --- apparmor.d/groups/bluetooth/bluetoothctl | 4 ++++ apparmor.d/groups/filesystem/udisksd | 6 +++--- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/yelp | 3 --- apparmor.d/groups/gvfs/gvfsd-mtp | 5 +++-- apparmor.d/groups/pacman/makepkg | 2 +- apparmor.d/groups/polkit/pkttyagent | 2 ++ apparmor.d/groups/polkit/polkit-agent-helper | 3 +++ apparmor.d/groups/procps/top | 1 + apparmor.d/groups/snap/snapd | 1 + apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/groups/systemd/homectl | 2 ++ apparmor.d/groups/systemd/systemd-homework | 1 + apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/systemd/systemd-path | 7 +++++++ apparmor.d/groups/systemd/systemd-shutdown | 2 +- apparmor.d/groups/systemd/zram-generator | 1 + apparmor.d/groups/usb/lsusb | 14 +++++++++++++- apparmor.d/groups/utils/nproc | 5 +++++ apparmor.d/groups/virt/libvirtd | 7 ++++--- apparmor.d/profiles-g-l/gimp | 2 +- apparmor.d/profiles-g-l/git | 1 - apparmor.d/profiles-g-l/libreoffice | 5 +---- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-s-z/transmission | 6 ++++++ 25 files changed, 64 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl index 0b075581b1..3c0c78ce8f 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -16,6 +16,10 @@ profile bluetoothctl @{exec_path} { network bluetooth raw, #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=org.bluez, label=bluetoothd), @{exec_path} mr, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 8be3e06506..7d152ce231 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -30,9 +30,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { network netlink raw, # Allow mounting of removable devices - mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3,hfsplus} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3,hfsplus} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,f2fs,iso9660,udf,ntfs3,hfsplus} /dev/dm-[0-9]* -> @{MOUNTS}/*/, # Allow mounting of loop devices (ISO files) mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3,squashfs} /dev/loop[0-9]* -> @{MOUNTS}/*/, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 29a6a8ec1a..b4e7291123 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -494,7 +494,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } - profile open flags=(attach_disconnected,mediate_deleted,complain) { + profile open flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 283004c153..f4c4ca064c 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -42,9 +42,6 @@ profile yelp @{exec_path} flags=(attach_disconnected) { # owner @{run}/user/@{uid}/.flatpak/ rw, # owner @{run}/user/@{uid}/.flatpak/webkit-@{int}-@{int}/ w, # owner @{run}/user/@{uid}/.flatpak/webkit-@{int}-@{int}/bwrapinfo.json rw, -# owner @{run}/user/@{uid}/webkitgtk/ w, -# owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, -# owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, owner @{att}@{run}/user/@{uid}/wayland-@{int} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 4ee6f705f9..0c14660c10 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -11,13 +11,14 @@ include profile gvfsd-mtp @{exec_path} { include include - include include include include + include + include + include include include - include network netlink raw, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 9330def1de..8a25f1d8ac 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/makepkg -profile makepkg @{exec_path} flags=(attach_disconnected) { +profile makepkg @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index 93c157f4cd..c952abd94b 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -36,6 +36,8 @@ profile pkttyagent @{exec_path} { @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, @{lib}/polkit-agent-helper-[0-9] rPx, + @{run}/polkit/agent-helper.socket rw, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index f8a81871e5..8e895483c5 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -22,9 +22,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, capability sys_nice, + capability sys_ptrace, # optional: no audit network netlink raw, + ptrace read peer=pkttyagent, + signal receive set=(term kill) peer=flatpak, signal receive set=(term kill) peer=gnome-shell, signal receive set=(term kill) peer=pkexec, diff --git a/apparmor.d/groups/procps/top b/apparmor.d/groups/procps/top index 23cc9acf0a..2e0c9981c3 100644 --- a/apparmor.d/groups/procps/top +++ b/apparmor.d/groups/procps/top @@ -41,6 +41,7 @@ profile top @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index e0e7a0213f..e85afd6a87 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -165,6 +165,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/*.slice/{,**/} r, @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/net_cls/*/ r, @{sys}/fs/cgroup/system.slice/snapd.service/cpu.max r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/security/apparmor/.notify r, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index faa117b46b..5b53f29fe1 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -19,7 +19,7 @@ profile coredumpctl @{exec_path} flags=(complain) { capability net_admin, capability sys_resource, - signal (send) peer=child-pager, + signal send peer=child-pager, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index 3c962e3095..34cfa1ea79 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -28,6 +28,8 @@ profile homectl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, /etc/machine-id r, + /etc/security/pwquality.conf r, + /etc/security/pwquality.conf.d/{,*.conf} r, owner @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index da98d38f6e..2f2612b6df 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -43,6 +43,7 @@ profile systemd-homework @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sbin}/fsck rix, # no new privs + @{sbin}/fsck.* rix, @{sbin}/mke2fs rPx, @{sbin}/mkfs.btrfs rPx, @{sbin}/mkfs.fat rPx, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 086eab8308..be2586da99 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -43,6 +43,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{run}/systemd/journal/{,**} rw, @{run}/host/container-manager r, + @{run}/systemd/units/log-*.service r, @{run}/utmp rk, @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 0d061d8459..5463048317 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -12,8 +12,15 @@ profile systemd-path @{exec_path} { include include + signal send peer=child-pager, + @{exec_path} mr, + @{pager_path} rPx -> child-pager, + + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index 6eb4d6256b..e37586c96a 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -19,7 +19,7 @@ profile systemd-shutdown @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, capability sys_resource, - mount options=(rw rprivate) -> /, + mount options=(rw make-rprivate) /, ptrace read, diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 9d86b01b77..56d6b96fe2 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -38,6 +38,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { capability sys_module, @{sys}/module/compression r, + @{sys}/module/lz4_compress/initstate r, include if exists } diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index a10659292d..ea24663287 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -22,7 +22,19 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, - /dev/bus/usb/@{int}/@{int} w, + @{sys}/devices/**/usb@{int}/** r, + + @{sys}/devices/**/usb@{int}/{,**/}bAlternateSetting r, + @{sys}/devices/**/usb@{int}/{,**/}bDeviceClass r, + @{sys}/devices/**/usb@{int}/{,**/}bInterfaceClass r, + @{sys}/devices/**/usb@{int}/{,**/}bInterfaceProtocol r, + @{sys}/devices/**/usb@{int}/{,**/}bInterfaceSubClass r, + @{sys}/devices/**/usb@{int}/{,**/}bNumEndpoints r, + @{sys}/devices/**/usb@{int}/{,**/}maxchild r, + @{sys}/devices/**/usb@{int}/{,**/}rx_lanes r, + @{sys}/devices/**/usb@{int}/{,**/}tx_lanes r, + + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, include if exists } diff --git a/apparmor.d/groups/utils/nproc b/apparmor.d/groups/utils/nproc index 3900ba2c9d..64b824308f 100644 --- a/apparmor.d/groups/utils/nproc +++ b/apparmor.d/groups/utils/nproc @@ -21,6 +21,11 @@ profile nproc @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, + # file_inherit + deny network netlink raw, + deny owner @{user_config_dirs}/** rw, + deny /dev/ptmx rw, + include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 5c07911f4e..d49e964826 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -193,6 +193,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/shm/ w, + @{run}/credentials/libvirtd.service/secrets-encryption-key r, @{run}/libvirt/ rw, @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @@ -204,13 +205,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, - @{sys}/bus/*/uevent r, + @{sys}/bus/**/uevent r, + @{sys}/bus/hid/drivers/*/uevent r, @{sys}/bus/pci/drivers_probe w, @{sys}/bus/pci/drivers/*/unbind w, - @{sys}/bus/hid/drivers/*/uevent r, @{sys}/bus/usb/drivers/*/uevent r, @{sys}/class/[a-z]*/ r, - @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/config r, @{sys}/devices/@{pci}/device r, @@ -226,6 +226,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/subsystem_device r, @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/distance r, @{sys}/devices/@{pci}/meminfo r, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 25a1287447..93bf148dc9 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -42,7 +42,7 @@ profile gimp @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-help, @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, - @{lib}/@{multiarch}/gimp/@{version}/plug-ins/web-browser/web-browser ix, + @{lib}/@{multiarch}/gimp/@{version}/plug-ins/** ix, /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index eab7be9a6c..f3db216534 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -98,7 +98,6 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.gitconfig* rw, owner @{HOME}/.netrc r, - owner @{HOME}/.claude/plugins/marketplaces/** rwlk, owner @{user_config_dirs}/git/{,*} rw, # GPG diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 61d498848f..570a1be9cb 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -122,12 +122,9 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, @{PROC}/cgroups r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/version r, owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 05ec28ae24..15bafcbff0 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -15,7 +15,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, - mount options=(rprivate, rw) -> /, + mount options=(rw, make-rprivate) /, mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/, umount /var/lib/os-prober/mount/, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 8ff1c7b8c0..a2fe2fa3b2 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -24,6 +25,11 @@ profile transmission @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=systemd-hostnamed), + #aa:dbus own bus=session name=com.transmissionbt.Transmission #aa:dbus own bus=session name=com.transmissionbt.transmission_* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" From 9983e84f1aa3b3fce9c43ad2ec17a2d18f3249fc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Mar 2026 21:33:40 +0100 Subject: [PATCH 1492/1736] feat(abs): minor abstraction update. --- apparmor.d/abstractions/cgroup-limits | 10 ++++++++-- apparmor.d/abstractions/common/electron | 9 +++------ apparmor.d/abstractions/development | 7 +------ apparmor.d/abstractions/gstreamer-registry | 2 +- apparmor.d/abstractions/hwmon | 1 + apparmor.d/abstractions/webkit | 2 ++ 6 files changed, 16 insertions(+), 15 deletions(-) diff --git a/apparmor.d/abstractions/cgroup-limits b/apparmor.d/abstractions/cgroup-limits index 674da97a9b..714edbdb03 100644 --- a/apparmor.d/abstractions/cgroup-limits +++ b/apparmor.d/abstractions/cgroup-limits @@ -6,16 +6,22 @@ abi , + @{sys}/fs/cgroup/cgroup.controllers r, + + @{sys}/fs/cgroup/user.slice/memory.high r, @{sys}/fs/cgroup/user.slice/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/memory.high r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.high r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/memory.high r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/memory.max r, @{sys}/fs/cgroup/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index f885091b98..b1deef2217 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -98,6 +98,9 @@ owner @{PROC}/@{pid}/oom_adj r, owner @{PROC}/@{pid}/oom_score_adj r, + # This allows raising the OOM score of other processes owned by the user. + owner @{PROC}/@{pid}/oom_score_adj w, + # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, @@ -110,12 +113,6 @@ owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, - # gvfs-metadata contains user-specific data that should not be readable by apps - deny @{user_share_dirs}/gvfs-metadata/* r, - - # This allows raising the OOM score of other processes owned by the user. - deny owner @{PROC}/@{pid}/oom_score_adj w, - profile crashpad_handler flags=(attach_disconnected) { include diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index 72ac1a2829..bf86b8e68d 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -7,6 +7,7 @@ abi , + include include include include @@ -54,12 +55,6 @@ @{sys}/kernel/mm/transparent_hugepage/enabled r, - # Allow reading CPU cgroup limits - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/abstractions/gstreamer-registry b/apparmor.d/abstractions/gstreamer-registry index a7a7291d44..7d7a79b909 100644 --- a/apparmor.d/abstractions/gstreamer-registry +++ b/apparmor.d/abstractions/gstreamer-registry @@ -26,7 +26,7 @@ # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - deny owner @{HOME}/orcexec.@{rand6} rw, + deny owner @{HOME}/orcexec.@{rand6} mrw, deny owner @{tmp}/orcexec.@{rand6} mrw, include if exists diff --git a/apparmor.d/abstractions/hwmon b/apparmor.d/abstractions/hwmon index 6172d3eccf..bfee9cf5ba 100644 --- a/apparmor.d/abstractions/hwmon +++ b/apparmor.d/abstractions/hwmon @@ -6,6 +6,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index c32b632526..96a5b8eaa6 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -25,6 +25,8 @@ owner @{run}/user/@{uid}/.flatpak/ w, owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + owner @{att}@{run}/user/@{uid}/bus rw, + owner @{att}@{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, owner @{att}@{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/ w, From 37201cbdd3b63a3398feb10ccbff07747265e446 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Mar 2026 21:35:50 +0100 Subject: [PATCH 1493/1736] refractor(profile): move some profiles into groups. --- apparmor.d/{profiles-a-f => groups/procps}/btop | 0 apparmor.d/{profiles-m-r => groups/utils}/rfkill | 6 +++--- 2 files changed, 3 insertions(+), 3 deletions(-) rename apparmor.d/{profiles-a-f => groups/procps}/btop (100%) rename apparmor.d/{profiles-m-r => groups/utils}/rfkill (73%) diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/groups/procps/btop similarity index 100% rename from apparmor.d/profiles-a-f/btop rename to apparmor.d/groups/procps/btop diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/groups/utils/rfkill similarity index 73% rename from apparmor.d/profiles-m-r/rfkill rename to apparmor.d/groups/utils/rfkill index 9c5946f222..1a5809a60c 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/groups/utils/rfkill @@ -8,13 +8,13 @@ abi , include @{exec_path} = @{sbin}/rfkill -profile rfkill @{exec_path} { +profile rfkill @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, - @{sys}/devices/**/rfkill/rfkill@{int}/name r, - @{sys}/devices/**/rfkill/rfkill@{int}/type r, + @{sys}/devices/**/rfkill@{int}/name r, + @{sys}/devices/**/rfkill@{int}/type r, /dev/rfkill rw, From 9866ddb7749237396e879e36232d8a5b98171691 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Mar 2026 21:36:41 +0100 Subject: [PATCH 1494/1736] feat(abs): imrpove gpumon. --- apparmor.d/abstractions/sys/gpumon | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/sys/gpumon b/apparmor.d/abstractions/sys/gpumon index e97e0e9c61..77bc581caf 100644 --- a/apparmor.d/abstractions/sys/gpumon +++ b/apparmor.d/abstractions/sys/gpumon @@ -21,6 +21,7 @@ # hwmon interfaces for GPU clocks: @{sys}/devices/**/hwmon@{int}/freq@{int}_input r, + @{sys}/devices/**/hwmon@{int}/freq@{int}_label r, include if exists From d2b6d97eca951d733e026e534a751a8eacff50b5 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 13 Mar 2026 17:33:53 +0000 Subject: [PATCH 1495/1736] feat(profile): fix for systemd. --- apparmor.d/groups/systemd/systemd-rfkill | 1 + apparmor.d/groups/systemd/systemd-sleep | 3 +++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 0fd488926e..dd53b136c1 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -27,6 +27,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, + @{sys}/devices/@{pci}/usb@{int}/** r, /dev/rfkill rw, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 91aa4e84e5..1ca7aba94c 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -16,6 +16,7 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_admin, capability sys_resource, + capability perfmon, unix bind type=stream addr=@@{udbus}/bus/systemd-sleep/, unix bind type=stream addr=@@{udbus}/bus/systemd-sleep/system, @@ -24,6 +25,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{sh_path} mr, + /var/tmp/#@{int} rw, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, From fd3055bf74d5d1210fcc25e31d53bf292e8dfe75 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Mar 2026 14:46:05 +0100 Subject: [PATCH 1496/1736] feat(profile): revist chromium based browser. The crashpad_handler is now common across browser in the app/chromium abs. --- apparmor.d/abstractions/app/chromium | 110 +++++++++++++++--- apparmor.d/groups/browsers/brave | 13 +-- .../groups/browsers/brave-crashpad-handler | 42 ------- apparmor.d/groups/browsers/chrome | 15 +-- .../groups/browsers/chrome-crashpad-handler | 38 ------ apparmor.d/groups/browsers/chrome-wrapper | 2 +- apparmor.d/groups/browsers/chromium | 2 +- .../groups/browsers/chromium-crashpad-handler | 37 ------ apparmor.d/groups/browsers/msedge | 13 +-- .../groups/browsers/msedge-crashpad-handler | 38 ------ 10 files changed, 102 insertions(+), 208 deletions(-) delete mode 100644 apparmor.d/groups/browsers/brave-crashpad-handler delete mode 100644 apparmor.d/groups/browsers/chrome-crashpad-handler delete mode 100644 apparmor.d/groups/browsers/chromium-crashpad-handler delete mode 100644 apparmor.d/groups/browsers/msedge-crashpad-handler diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 83c4415a79..a5a7e78c87 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -74,7 +74,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so* mr, - @{lib_dirs}/chrome-sandbox rPx, + @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, # Desktop integration @{bin}/lsb_release Px, @@ -162,6 +162,63 @@ @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, + # List processes in /proc + @{PROC}/ r, + + # Process status in one line (pid, state, ppid, CPU time, threads, etc.) + @{PROC}/@{pid}/stat r, + + # Memory usage in pages (total, resident, shared, text, data) + @{PROC}/@{pid}/statm r, + + # Human-readable process status (name, state, UIDs, memory, capabilities) + @{PROC}/@{pid}/status r, + + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + + # Human-readable thread status + @{PROC}/@{pid}/task/@{tid}/status r, + + # Limits for how many inotify instances, watches, and pending events a user can have. + @{PROC}/sys/fs/inotify/max_queued_events r, + @{PROC}/sys/fs/inotify/max_user_instances r, + @{PROC}/sys/fs/inotify/max_user_watches r, + + # Get the ptrace restrictions level + @{PROC}/sys/kernel/yama/ptrace_scope r, + + # Exposes virtual memory statistics (page faults, swap activity, allocation counts) + @{PROC}/vmstat r, + + # Allow reading cgroup membership information for process introspection + owner @{PROC}/@{pid}/cgroup r, + + # Clearing the referenced bits in a process's page table entries provides a method to + # measure approximately how much memory a process is using. + owner @{PROC}/@{pid}/clear_refs w, + + # Allow reading command line arguments for process identification + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + + # Allow reading our own environment variables + owner @{PROC}/@{pid}/environ r, + + # Allow listing file descriptors + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fd/ r, + + # Chromium content api unfortunately needs these for normal operation + owner @{PROC}/@{pid}/fd/@{int} w, + + # Shows the process's current resource limits (soft/hard), the ulimit value. + owner @{PROC}/@{pid}/limits r, + + # Allow reading info about the physical mapping of virtual pages + owner @{PROC}/@{pid}/mem r, + # This is an information leak but disallowing it leads to developer confusion # when using the chromium content api file chooser due to a (harmless) glib # warning and the noisy AppArmor denial. @@ -182,26 +239,10 @@ # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, - @{PROC}/ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pid}/status r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/clear_refs w, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/mem r, + # Provide statistical information about our own processes/threads owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/status r, /dev/ r, /dev/tty rw, @@ -211,6 +252,37 @@ deny @{lib_dirs}/** w, deny @{user_share_dirs}/gvfs-metadata/* r, + profile crashpad_handler flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace (read trace) peer=@{name}, + + unix (send receive) type=seqpacket peer=(label=@{name}), + + signal send peer=@{name}, + + @{lib_dirs}/chrome_crashpad_handler mrix, + @{lib_dirs}/@{name}_crashpad_handler mrix, + + owner "@{config_dirs}/Crash Reports/**" rwk, + + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm r, + + include if exists + } + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 3b5156b555..e9e8fc33c2 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -10,18 +10,14 @@ include @{name} = brave{,-beta,-dev,-bin} @{domain} = com.brave.Brave org.chromium.Chromium @{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}} -@{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} -@{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} +@{config_dirs} = @{user_config_dirs}/BraveSoftware/ +@{cache_dirs} = @{user_cache_dirs}/BraveSoftware/ @{exec_path} = @{lib_dirs}/@{name} profile brave @{exec_path} flags=(attach_disconnected) { include include - # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), - - signal receive peer=brave//&brave-crashpad-handler, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 ptrace trace peer=brave, @@ -30,17 +26,14 @@ profile brave @{exec_path} flags=(attach_disconnected) { @{bin}/man rPUx, # For "brave --help" - @{lib_dirs}/chrome_crashpad_handler rPx -> brave//&brave-crashpad-handler, + @{lib_dirs}/chrome_crashpad_handler Px -> brave//&brave//crashpad_handler, /usr/share/chromium/extensions/ r, /etc/opt/chrome/ r, /etc/opt/chrome/native-messaging-hosts/* r, - owner @{user_config_dirs}/BraveSoftware/ rw, - owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, - owner @{cache_dirs}/BraveSoftware/ rw, owner @{tmp}/net-export/ rw, # For brave://net-export/ diff --git a/apparmor.d/groups/browsers/brave-crashpad-handler b/apparmor.d/groups/browsers/brave-crashpad-handler deleted file mode 100644 index ae90c734e5..0000000000 --- a/apparmor.d/groups/browsers/brave-crashpad-handler +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = brave{,-beta,-dev,-bin} -@{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}} -@{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} - -@{exec_path} = @{lib_dirs}/chrome_crashpad_handler -profile brave-crashpad-handler @{exec_path} { - include - - capability sys_ptrace, - - unix (send, receive) type=stream peer=(label=brave), - - ptrace peer=brave, - signal (send) peer=brave, - - @{exec_path} mrix, - - owner "@{config_dirs}/Crash Reports/**" rwk, - owner @{config_dirs}/CrashpadMetrics-active.pma rw, - owner @{config_dirs}/CrashpadMetrics.pma rw, - - @{PROC}/sys/kernel/yama/ptrace_scope r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pids}/mem r, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/task/ r, - - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 66e6a6ceb4..0121097f36 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -20,23 +20,12 @@ profile chrome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.chrome path=/org/mpris/MediaPlayer2 - ptrace trace peer=chrome, - @{exec_path} mrix, @{bin}/man rPUx, # For "chrome --help" - @{lib_dirs}/chrome_crashpad_handler rPx -> chrome//&chrome-crashpad-handler, - @{lib_dirs}/google-@{name} rPx, - - @{lib_dirs}/nacl_helper rix, - @{lib_dirs}/xdg-mime rix, #-> xdg-mime, - @{lib_dirs}/xdg-settings rix, #-> xdg-settings, - - @{lib_dirs}/*.so* mr, - @{lib_dirs}/libwidevinecdm.so mr, - @{lib_dirs}/libwidevinecdmadapter.so mr, - @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, + @{lib_dirs}/chrome_crashpad_handler Px -> chrome//&chrome//crashpad_handler, + @{lib_dirs}/google-@{name} Px, include if exists } diff --git a/apparmor.d/groups/browsers/chrome-crashpad-handler b/apparmor.d/groups/browsers/chrome-crashpad-handler deleted file mode 100644 index ea3d7d64aa..0000000000 --- a/apparmor.d/groups/browsers/chrome-crashpad-handler +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2022 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{lib_dirs} = /opt/google/chrome{,-beta,-unstable} -@{config_dirs} = @{user_config_dirs}/google-chrome{,-beta,-unstable} - -@{exec_path} = @{lib_dirs}/chrome_crashpad_handler -profile chrome-crashpad-handler @{exec_path} { - include - - capability sys_ptrace, - - ptrace peer=chrome, - signal (send) peer=chrome, - - @{exec_path} mrix, - - owner "@{config_dirs}/Crash Reports/**" rwk, - - @{PROC}/sys/kernel/yama/ptrace_scope r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pids}/mem r, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/task/ r, - - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 709eb79a13..5a367f7d56 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -28,7 +28,7 @@ profile chrome-wrapper @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/chrome-flags.conf r, - owner @{PROC}/@{pid}/fd/* rw, + owner @{PROC}/@{pid}/fd/@{int} rw, # File Inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index 658dee3987..a9e9bd7bc4 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -22,7 +22,7 @@ profile chromium @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/chrome_crashpad_handler rPx -> chromium//&chromium-crashpad-handler, + @{lib_dirs}/chrome_crashpad_handler Px -> chromium//&chromium//crashpad_handler, include if exists } diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler deleted file mode 100644 index ed759d6837..0000000000 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ /dev/null @@ -1,37 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2022 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{config_dirs} = @{user_config_dirs}/chromium - -@{exec_path} = @{lib}/chromium/chrome_crashpad_handler -profile chromium-crashpad-handler @{exec_path} flags=(attach_disconnected) { - include - - capability sys_ptrace, - - ptrace peer=chromium, - signal (send) peer=chromium, - - @{exec_path} mrix, - - owner "@{config_dirs}/Crash Reports/**" rwk, - - @{PROC}/sys/kernel/yama/ptrace_scope r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pids}/mem r, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/task/ r, - - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index 0c9af6d42e..159ceaee5f 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -10,8 +10,8 @@ include @{name} = msedge{,-beta,-dev} @{domain} = com.microsoft.Edge @{lib_dirs} = /opt/microsoft/@{name} -@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev} -@{cache_dirs} = @{user_cache_dirs}/microsoft-edge{,-beta,-dev} +@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev} @{user_config_dirs}/Microsoft/Edge +@{cache_dirs} = @{user_cache_dirs}/microsoft-edge{,-beta,-dev} @{user_cache_dirs}/Microsoft/Edge @{exec_path} = @{lib_dirs}/@{name} profile msedge @{exec_path} flags=(attach_disconnected) { @@ -24,17 +24,12 @@ profile msedge @{exec_path} flags=(attach_disconnected) { @{bin}/man rPUx, # For "chrome --help" - @{lib_dirs}/xdg-mime rix, #-> xdg-mime, - @{lib_dirs}/xdg-settings rix, #-> xdg-settings, + @{lib_dirs}/msedge_crashpad_handler Px -> msedge//&msedge//crashpad_handler, + @{lib_dirs}/microsoft-edge{,beta,-dev} ix, - @{lib_dirs}/microsoft-edge{,beta,-dev} rPx, - @{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler, - - @{lib_dirs}/*.so* mr, @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, owner @{user_cache_dirs}/Microsoft/ rw, - owner @{user_cache_dirs}/Microsoft/** rwk, owner @{tmp}/.ses rw, owner @{tmp}/cv_debug.log rw, diff --git a/apparmor.d/groups/browsers/msedge-crashpad-handler b/apparmor.d/groups/browsers/msedge-crashpad-handler deleted file mode 100644 index 67e8212ff8..0000000000 --- a/apparmor.d/groups/browsers/msedge-crashpad-handler +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# Copyright (C) 2022-2024 Jose Maldonado -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} -@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev} - -@{exec_path} = @{lib_dirs}/msedge_crashpad_handler -profile msedge-crashpad-handler @{exec_path} { - include - - capability sys_ptrace, - - ptrace peer=msedge, - signal (send) peer=msedge, - - @{exec_path} mrix, - - owner "@{config_dirs}/Crash Reports/**" rwk, - - @{PROC}/sys/kernel/yama/ptrace_scope r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pids}/mem r, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/task/ r, - - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, - - include if exists -} - -# vim:syntax=apparmor From 7898479d2b44cb50990f7d6d53fea7a04b5f015a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Mar 2026 14:54:28 +0100 Subject: [PATCH 1497/1736] build: remove dbus-broker fix Now that issue in dbus-broker has been fixed, stop edititing all dbus rules at build time. --- pkg/builder/dbus.go | 30 ------------------------------ pkg/directive/dbus.go | 36 ++++++++---------------------------- pkg/prebuild/cli/cli.go | 3 --- pkg/tasks/config.go | 4 ---- 4 files changed, 8 insertions(+), 65 deletions(-) diff --git a/pkg/builder/dbus.go b/pkg/builder/dbus.go index 49afed9a9c..d368083e95 100644 --- a/pkg/builder/dbus.go +++ b/pkg/builder/dbus.go @@ -25,11 +25,6 @@ type StackedDbus struct { tasks.BaseTask } -// DbusBroker is a fix for https://gitlab.com/apparmor/apparmor/-/issues/565 -type DbusBroker struct { - tasks.BaseTask -} - // NewStackedDbus creates a new StackedDbus builder. func NewStackedDbus() *StackedDbus { return &StackedDbus{ @@ -40,16 +35,6 @@ func NewStackedDbus() *StackedDbus { } } -// NewDbusBroker creates a new DbusBroker builder. -func NewDbusBroker() *DbusBroker { - return &DbusBroker{ - BaseTask: tasks.BaseTask{ - Keyword: "dbus-broker", - Msg: "Fix: ignore peer name in dbus rules", - }, - } -} - func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { var raw string paragraphs := []string{} @@ -118,18 +103,3 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { } return profile, nil } - -func (b DbusBroker) Apply(opt *Option, profile string) (string, error) { - // Remove peer name in two cases: - // 1. peer=(name=..., label=...) -> peer=(label=...) - // 2. peer=(name=...), -> (keep only the comma) - - // First, handle peer name with other attributes (has attribute after comma) - rePeerNameWithAttrs := regexp.MustCompile(`peer=\(\s*name\s*=\s*(?:"[^"]*"|'[^']*'|[^,)\s]+)\s*,\s*(\w+\s*=)`) - profile = rePeerNameWithAttrs.ReplaceAllString(profile, "peer=($1") - - // Second, handle peer name alone (followed by closing paren and comma) - rePeerNameAlone := regexp.MustCompile(`peer=\(\s*name\s*=\s*(?:"[^"]*"|'[^']*'|[^,)\s]+)\s*\)\s*,`) - profile = rePeerNameAlone.ReplaceAllString(profile, ",") - return profile, nil -} diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index 0de93d0187..daec06a795 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -121,39 +121,27 @@ func (d Dbus) own(rules map[string]string) aa.Rules { // Interfaces for _, iface := range interfaces { - var peerNames = make([]string, 2) - if d.DbusDaemon { - peerNames[0] = `"@{busname}"` - peerNames[1] = `"{@{busname},org.freedesktop.DBus}"` - } res = append(res, &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: peerNames[0], + PeerName: `"@{busname}"`, }, &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: peerNames[1], + PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, ) } - var peerNames = make([]string, 4) - if d.DbusDaemon { - peerNames[0] = `"{@{busname},org.freedesktop.DBus}"` - peerNames[1] = `"@{busname}"` - peerNames[2] = `"{@{busname},` + rules["name"] + `}"` - peerNames[3] = `"{@{busname},org.freedesktop.DBus}"` - } res = append(res, // DBus.Properties: reply to properties request from anyone &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", Member: "{Get,GetAll,Set,PropertiesChanged}", - PeerName: peerNames[0], + PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, // DBus.Introspectable: allow clients to introspect the service @@ -161,7 +149,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", Member: "Introspect", - PeerName: peerNames[0], + PeerName: `"@{busname}"`, }, // DBus.ObjectManager: allow clients to enumerate sources @@ -169,13 +157,13 @@ func (d Dbus) own(rules map[string]string) aa.Rules { Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", Member: "GetManagedObjects", - PeerName: peerNames[0], + PeerName: `"{@{busname},` + rules["name"] + `}"`, }, &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", Member: "{InterfacesAdded,InterfacesRemoved}", - PeerName: peerNames[0], + PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, ) return res @@ -183,6 +171,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) + peerName := `"{@{busname},` + rules["name"] + `,org.freedesktop.DBus}"` res := aa.Rules{ &aa.Unix{ Type: "stream", @@ -192,11 +181,6 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { }, } - peerName := `` - if d.DbusDaemon { - peerName = `"{@{busname},` + rules["name"] + `}"` - } - // Interfaces for _, iface := range interfaces { res = append(res, &aa.Dbus{ @@ -241,11 +225,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { } func (d Dbus) see(rules map[string]string) aa.Rules { - peerName := `` - if d.DbusDaemon { - peerName = `"{@{busname},` + rules["name"] + `}"` - } - + peerName := `"{@{busname},` + rules["name"] + `}"` res := aa.Rules{ // Unix: allow connection to the profile diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 5767e06726..f745153a0a 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -177,9 +177,6 @@ func Configure(r *runtime.Runners) *runtime.Runners { } r.Builders.Add(builder.NewAttach()) - // Fix dbus rules for dbus-broker - r.Builders.Add(builder.NewDbusBroker()) - r.DbusDaemon = false } default: diff --git a/pkg/tasks/config.go b/pkg/tasks/config.go index 559b85ccff..26ceaa1175 100644 --- a/pkg/tasks/config.go +++ b/pkg/tasks/config.go @@ -22,9 +22,6 @@ type TaskConfig struct { // Either or not we are in test mode Test bool - // The dbus implementation used (true for dbus-daemon, false for dbus-broker) - DbusDaemon bool - // Pkgname is the name of the package Pkgname string @@ -42,7 +39,6 @@ func NewTaskConfig(root *paths.Path) *TaskConfig { DownStream: false, RBAC: false, Test: false, - DbusDaemon: true, Pkgname: "apparmor.d", Root: root, RootApparmor: root.Join("apparmor.d"), From 155aea1a5d6f121b2f129dba02837cac6964062f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Mar 2026 15:24:28 +0100 Subject: [PATCH 1498/1736] feat(abs): improve flatpak core abs. --- apparmor.d/abstractions/flatpak/base | 7 ++++--- .../flatpak/baseapp/com.valvesoftware.Steam | 21 ------------------- .../flatpak/baseapp/org.winehq.Wine | 11 +++++++++- apparmor.d/abstractions/flatpak/devices/all | 16 ++++++++++++++ 4 files changed, 30 insertions(+), 25 deletions(-) diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index 0e693e87a3..48f28aa313 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -72,9 +72,7 @@ owner @{HOME}/.var/app/@{appid}/** mrwlk -> @{HOME}/.var/app/@{appid}/**, owner @{HOME}/.var/app/@{appid}/** ix, - @{run}/parent/** mrix, - @{run}/parent/usr/.ref rk, - @{run}/parent/app/.ref rk, + @{run}/parent/** mrix, owner @{run}/flatpak/app/@{appid}/ r, owner @{run}/flatpak/app/@{appid}/** mrwlk -> @{run}/flatpak/app/@{appid}/**, @@ -174,6 +172,9 @@ # Get the ptrace restrictions level @{PROC}/sys/kernel/yama/ptrace_scope r, + # Allow to check check if BPF JIT is enabled + @{PROC}/sys/net/core/bpf_jit_enable r, + # Kernel version @{PROC}/version r, @{PROC}/version_signature r, diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam index 12809e8a91..db52695cbc 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -12,9 +12,6 @@ owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/discord-ipc-@{int} w, - owner @{run}/user/@{uid}/pressure-vessel/ r, - owner @{run}/user/@{uid}/pressure-vessel/{,**} rw, - owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, owner /dev/shm/#@{int} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, @@ -28,30 +25,12 @@ @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/ r, - @{sys}/devices/virtual/dmi/id/bios_date r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/bios_version rk, - @{sys}/devices/virtual/dmi/id/board_asset_tag r, - @{sys}/devices/virtual/dmi/id/board_name r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/board_version r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/dmi/id/chassis_vendor r, - @{sys}/devices/virtual/dmi/id/chassis_version r, - @{sys}/devices/virtual/dmi/id/product_family r, - @{sys}/devices/virtual/dmi/id/product_name rk, - @{sys}/devices/virtual/dmi/id/product_sku r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor rk, - @{PROC}/@{pid}/comm rk, @{PROC}/locks r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/sched_autogroup_enabled r, - @{PROC}/sys/net/core/bpf_jit_enable r, owner @{PROC}/@{pid}/autogroup rw, # Chromium content api unfortunately needs these for normal operation diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine index d50eeb706e..6c97c4e74b 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine +++ b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine @@ -5,7 +5,16 @@ abi , - include + owner @{run}/user/@{uid}/pressure-vessel/ r, + owner @{run}/user/@{uid}/pressure-vessel/{,**} rw, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, + + owner /dev/shm/wine-@{hex6}-fsync rw, + owner /dev/shm/wine-@{hex6}@{h}-fsync rw, + + # NT synchronization driver (performance improvement for games) + # https://www.phoronix.com/news/Linux-6.14-NTSYNC-Driver-Ready + /dev/ntsync r, include if exists diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index b1276929f0..731cbef756 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -26,12 +26,28 @@ @{sys}/class/*/ r, @{sys}/bus/*/devices/ r, + @{sys}/devices/ r, @{sys}/devices/@{pci_bus}/ r, @{sys}/devices/@{pci}/ r, @{sys}/devices/** k, @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, + @{sys}/devices/virtual/dmi/id/bios_date r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/bios_version rk, + @{sys}/devices/virtual/dmi/id/board_asset_tag r, + @{sys}/devices/virtual/dmi/id/board_name r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/board_version r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/virtual/dmi/id/chassis_vendor r, + @{sys}/devices/virtual/dmi/id/chassis_version r, + @{sys}/devices/virtual/dmi/id/product_family r, + @{sys}/devices/virtual/dmi/id/product_name rk, + @{sys}/devices/virtual/dmi/id/product_sku r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor rk, owner @{PROC}/@{pid}/uid_map r, From 78bc2984502df0b724c02a82bf69e088e2575431 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Mar 2026 15:26:11 +0100 Subject: [PATCH 1499/1736] feat(profile): minor kde update. --- apparmor.d/groups/kde/kconf_update | 3 -- apparmor.d/groups/kde/kglobalacceld | 2 - apparmor.d/groups/kde/systemsettings | 58 ++++++++++------------------ 3 files changed, 20 insertions(+), 43 deletions(-) diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 6a01748fd2..d8176ba049 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -41,9 +41,6 @@ profile kconf_update @{exec_path} { /etc/xdg/*rc r, /etc/xdg/ui/*rc r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{HOME}/.gtkrc-@{version} w, owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 156bdf9281..d039dbdb9a 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -20,8 +20,6 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, - /etc/machine-id r, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 281b0c884e..8841eb2fb6 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -27,7 +27,7 @@ profile systemsettings @{exec_path} flags=(attach_disconnected,mediate_deleted) #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement #aa:dbus own bus=session name=org.kde.systemsettings - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{bin}/cat rix, @@ -66,7 +66,6 @@ profile systemsettings @{exec_path} flags=(attach_disconnected,mediate_deleted) /usr/share/wallpapers/{,**} r, /etc/fstab r, - /etc/machine-id r, /etc/xdg/* r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, @@ -80,58 +79,41 @@ profile systemsettings @{exec_path} flags=(attach_disconnected,mediate_deleted) owner @{HOME}/.face r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{user_cache_dirs}/[kK]* rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/[kK]*/ rw, + owner @{user_cache_dirs}/[kK]*/** rwlk -> @{user_cache_dirs}/[kK]*/**, owner @{user_cache_dirs}/#@{int} rwk, - owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, - owner @{user_cache_dirs}/kinfocenter/{,**} rwlk, - owner @{user_cache_dirs}/ksvg-elements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int}, - owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma* rw, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, - owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/[kK]* rwlk -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/[kK]*/ rw, + owner @{user_config_dirs}/[kK]*/** rwlk -> @{user_config_dirs}/[kK]*/**, + owner @{user_config_dirs}/{P,p}lasma* r, owner @{user_config_dirs}/*rc r, + owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/autostart/ r, - owner @{user_config_dirs}/{P,p}lasma* r, - owner @{user_config_dirs}/plasma*/{,**} r, - owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/powerdevilrc.lock rwk, owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, owner @{user_config_dirs}/emaildefaults r, - owner @{user_config_dirs}/kactivitymanagerd-pluginsrc wl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kactivitymanagerd-pluginsrc.lock rwk, - owner @{user_config_dirs}/kcmfonts r, - owner @{user_config_dirs}/KDE/UserFeedback.conf r, - owner @{user_config_dirs}/kde.org/{,**} rwlk, - owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, - owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kdedefaults/ksplashrc r, - owner @{user_config_dirs}/kdedefaults/ksplashrc.lock rwk, - owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, + owner @{user_config_dirs}/plasma*/{,**} r, + owner @{user_config_dirs}/powerdevilrc.lock rwk, + owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, - owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/systemsettingsrc.lock rwk, + owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_share_dirs}/[kK]* rwlk -> @{user_share_dirs}/#@{int}, + owner @{user_share_dirs}/[kK]*/ rw, + owner @{user_share_dirs}/[kK]*/** rwlk -> @{user_share_dirs}/[kK]*/**, + owner @{user_share_dirs}/#@{int} rwk, owner @{user_share_dirs}/baloo/index r, - owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, - owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, - owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, - owner @{user_share_dirs}/kinfocenter/ rw, - owner @{user_share_dirs}/kinfocenter/** rwlk, - owner @{user_share_dirs}/knotifications{5,6}/{,**} r, - owner @{user_share_dirs}/krdpserver/ rw, - owner @{user_share_dirs}/kservices{5,6}/{,ServiceMenus/} r, owner @{user_share_dirs}/systemsettings/ rw, - owner @{user_share_dirs}/systemsettings/** rwlk, + owner @{user_share_dirs}/systemsettings/** rwlk -> @{user_share_dirs}/systemsettings/**, + owner @{user_share_dirs}/user-places.xbel r, owner @{user_share_dirs}/wallpapers/{,**} r, owner @{user_state_dirs}/#@{int} rwk, @@ -139,7 +121,7 @@ profile systemsettings @{exec_path} flags=(attach_disconnected,mediate_deleted) owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk, @{run}/mount/utab r, - owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/#@{int} rwl, owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs From dc16e06266171d8785d5cd1c9dafc1ff5c3277be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Mar 2026 15:40:14 +0100 Subject: [PATCH 1500/1736] fix(abs): fix linter issues. --- apparmor.d/abstractions/flatpak/features/bluetooth | 2 ++ apparmor.d/abstractions/flatpak/features/canbus | 2 ++ apparmor.d/abstractions/flatpak/features/devel | 4 +++- apparmor.d/abstractions/flatpak/features/multiarch | 2 ++ apparmor.d/abstractions/flatpak/features/per-app-dev-shm | 4 +++- pkg/builder/dbus.go | 1 - 6 files changed, 12 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/flatpak/features/bluetooth b/apparmor.d/abstractions/flatpak/features/bluetooth index 84eae1c15b..403b4c1a3d 100644 --- a/apparmor.d/abstractions/flatpak/features/bluetooth +++ b/apparmor.d/abstractions/flatpak/features/bluetooth @@ -11,3 +11,5 @@ network bluetooth, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/features/canbus b/apparmor.d/abstractions/flatpak/features/canbus index 15da79e0a0..8bb50f14c3 100644 --- a/apparmor.d/abstractions/flatpak/features/canbus +++ b/apparmor.d/abstractions/flatpak/features/canbus @@ -9,3 +9,5 @@ abi , include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/features/devel b/apparmor.d/abstractions/flatpak/features/devel index 502066e168..8da7594ef1 100644 --- a/apparmor.d/abstractions/flatpak/features/devel +++ b/apparmor.d/abstractions/flatpak/features/devel @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# The devel feature allows the application to access certain syscalls such as +# The devel feature allows the application to access certain syscalls such as # ptrace(), and perf_event_open(). abi , @@ -12,3 +12,5 @@ ptrace trace peer=@{profile_name}, include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/features/multiarch b/apparmor.d/abstractions/flatpak/features/multiarch index feb248de8a..fbcbaf0b3a 100644 --- a/apparmor.d/abstractions/flatpak/features/multiarch +++ b/apparmor.d/abstractions/flatpak/features/multiarch @@ -10,3 +10,5 @@ abi , include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/features/per-app-dev-shm b/apparmor.d/abstractions/flatpak/features/per-app-dev-shm index d62d1bac1b..71ebc3ed88 100644 --- a/apparmor.d/abstractions/flatpak/features/per-app-dev-shm +++ b/apparmor.d/abstractions/flatpak/features/per-app-dev-shm @@ -4,7 +4,7 @@ # LOGPROF-SUGGEST: no # The per-app-dev-shm feature shares a single instance of /dev/shm between the -# application, any unrestricted subsandboxes that it creates, and any other +# application, any unrestricted subsandboxes that it creates, and any other # instances of the application that are launched while it is running. # We should theoretically allow all access of /dev/shm/ here. However, as it is @@ -15,3 +15,5 @@ abi , include if exists + +# vim:syntax=apparmor diff --git a/pkg/builder/dbus.go b/pkg/builder/dbus.go index d368083e95..1f7df48dc8 100644 --- a/pkg/builder/dbus.go +++ b/pkg/builder/dbus.go @@ -5,7 +5,6 @@ package builder import ( - "regexp" "slices" "strings" From 9f6ce44f69405db9113e322cc1fb71a37484d46c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 14 Mar 2026 17:13:34 +0100 Subject: [PATCH 1501/1736] fix: various profiles fixes. --- apparmor.d/groups/apt/dpkg-scripts | 2 ++ apparmor.d/groups/flatpak/flatpak | 1 + apparmor.d/groups/network/NetworkManager | 6 +----- apparmor.d/groups/systemd/systemd-networkd | 5 ++++- apparmor.d/groups/utils/dmesg | 5 ++++- apparmor.d/groups/utils/lspci | 1 + apparmor.d/profiles-m-r/needrestart | 2 ++ apparmor.d/profiles-s-z/tlp | 4 +++- 8 files changed, 18 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index f47ba00d47..2ea288aca8 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -80,6 +80,8 @@ profile dpkg-scripts @{exec_path} { @{run}/** rwk, @{efi}/grub/* rw, + @{HOME}/.profile r, + /tmp/dbconfig-common*.@{rand6} rw, /tmp/dbconfig-common*.@{rand6}/{,**} rw, /tmp/dbconfig-package-config.@{rand6} rw, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 750812496c..5ef7ddbfd8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -31,6 +31,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_read_search, capability net_admin, capability sys_ptrace, + capability syslog, # optional: no audit # Manage the sandbox capability setgid, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 34bff43dd5..69aa7c55ff 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -140,12 +140,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/ r, @{sys}/class/net/rfkill/ r, @{sys}/class/rfkill/ r, - @{sys}/devices/@{pci}/net/*/{,**} r, - @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, - @{sys}/devices/**/@{uuid}/net/*/{,**} r, + @{sys}/devices/**/net/{,**} r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/**/net/{,**} r, - @{sys}/devices/virtual/net/{,**} r, @{sys}/module/af_alg/uevent r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 56fcd67b63..3c358757e2 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -80,7 +80,10 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, - @{sys}/devices/**/net/** r, + @{sys}/devices/**/@{pci}/ r, + @{sys}/devices/**/infiniband/ r, + @{sys}/devices/**/msi_irqs/ r, + @{sys}/devices/**/net/{,**} r, @{sys}/devices/**/phy@{int}/** r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 42aab91c9f..b2818df364 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -25,15 +25,18 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/pid_max r, - /dev/kmsg r, + /dev/kmsg rw, + # file_inherit deny @{sbin}/{,*/} r, deny @{bin}/{,*/} r, deny /snap/bin/ r, deny /{usr/,}local/{,s}bin/ r, + deny /var/crash/* w, deny /var/lib/flatpak/exports/bin/ r, deny @{HOME}/.go/bin/ r, deny @{user_bin_dirs}/ r, + deny @{att}@{run}/systemd/inhibit/* w, include if exists } diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index c6ac0fdcdb..c23c669d00 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -39,6 +39,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, + @{sys}/devices/**/@{uuid}/@{pci}/** r, @{sys}/module/compression r, @{PROC}/bus/pci/devices r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 85edcbee35..b027c75d61 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -18,6 +18,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace read, + mqueue getattr type=posix /att/*/, + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 9e0366a6c1..62a88310f6 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -80,11 +80,13 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/{,**/}power/control w, @{sys}/devices/@{pci}/**/host@{int}/**/link_power_management_policy w, @{sys}/devices/@{pci}/class r, + @{sys}/devices/**/@{uuid}/@{pci}/ r, + @{sys}/devices/**/@{uuid}/@{pci}//{,**/}power/control w, + @{sys}/devices/**/@{uuid}/@{pci}/class r, @{sys}/devices/**/net/**/uevent r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/net/**/uevent r, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, @{sys}/module/*/parameters/power_save rw, From ec149f5d8d5d9689548287c220484055101e4eb5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 13:53:39 +0100 Subject: [PATCH 1502/1736] fix(aa): parse: fix typo --- pkg/aa/parse.go | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index a4cce093ce..c0fd806023 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -62,9 +62,6 @@ var ( BOOLEAN: "$", HAT: "^", } - openBlocks = []rune{tokOPENPAREN, tokOPENBRACE, tokOPENBRACKET} - closeBlocks = []rune{tokCLOSEPAREN, tokCLOSEBRACE, tokCLOSEBRACKET} - inHeader = false regParagraph = regexp.MustCompile(`(?s).*?\n\n|$`) regVariableDefinition = regexp.MustCompile(`@{(.*)}\s*[+=]+\s*(.*)`) @@ -93,7 +90,7 @@ func tokenizeBlock(input string) ([]*block, error) { blocks := []*block{} blockStack := []rune{} - blockRecored := false + blockRecorded := false blockStart := 0 blockEnd := 0 blockContentStart := 0 @@ -149,7 +146,7 @@ func tokenizeBlock(input string) ([]*block, error) { if !ignore { blockStart = idx - blockRecored = true + blockRecorded = true } } @@ -162,8 +159,8 @@ func tokenizeBlock(input string) ([]*block, error) { input[blockContentStart:idx]) } - if len(blockStack) == 1 && blockRecored { - blockRecored = false + if len(blockStack) == 1 && blockRecorded { + blockRecorded = false blockEnd = idx blockContentStartBkp = blockContentStart blockContentEnd = blockStart From f3a497eb29620406f12f1deb5e7b8eb73aaaec6a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 13:56:13 +0100 Subject: [PATCH 1503/1736] feat(aa): parse replaced slices.Contains with direct rune comparisons --- pkg/aa/parse.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index c0fd806023..b5b702d2f9 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -172,8 +172,7 @@ func tokenizeBlock(input string) ([]*block, error) { for i > 0 && blockContentRaw[i] != '\n' { i-- } - blockHeader := strings.Trim(blockContentRaw[i:], "\n ") - blockHeader = strings.Trim(blockHeader, "\n\t ") + blockHeader := strings.Trim(blockContentRaw[i:], "\n\t ") // Ignore commented block, restore previous id values if len(blockHeader) > 0 && blockHeader[0] == '#' { @@ -536,11 +535,11 @@ func tokenizeRule(str string) []string { quoted = !quoted currentToken.WriteRune(r) - case slices.Contains(openBlocks, r): + case r == tokOPENPAREN || r == tokOPENBRACE || r == tokOPENBRACKET: blockStack = append(blockStack, r) currentToken.WriteRune(r) - case slices.Contains(closeBlocks, r): + case r == tokCLOSEPAREN || r == tokCLOSEBRACE || r == tokCLOSEBRACKET: if len(blockStack) > 0 { blockStack = blockStack[:len(blockStack)-1] } else { From eec9de355847a182b8a5f2b3420a52b3f6eb7b85 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 13:59:54 +0100 Subject: [PATCH 1504/1736] feat(aa): add parseContentRules instead of parseLines & Comma Rules. --- pkg/aa/parse.go | 42 +++++++++--------------------------------- 1 file changed, 9 insertions(+), 33 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index b5b702d2f9..2d5945a67f 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -246,29 +246,14 @@ func tokenizeBlock(input string) ([]*block, error) { func parseBlock(b *block) (Rules, error) { var res Rules - var rrr Rules - var err error switch b.kind { case CONTENT: - // Line rules - var raw string - raw, res, err = parseLineRules(false, b.raw) - if err != nil { - return nil, err - } - - // Comma rules - rules, err := parseCommaRules(raw) - if err != nil { - return nil, err - } - rrr, err = newRules(rules) + var err error + res, err = parseContentRules(b.raw) if err != nil { return nil, err } - - res = append(res, rrr...) for _, r := range res { if r.Constraint() == PreambleRule { return nil, fmt.Errorf("Rule not allowed in block: %s", r) @@ -276,17 +261,16 @@ func parseBlock(b *block) (Rules, error) { } case RAW: - var blocks []*block - blocks, err = tokenizeBlock(b.raw) + blocks, err := tokenizeBlock(b.raw) if err != nil { return nil, err } for _, block := range blocks { - rrr, err = parseBlock(block) + rules, err := parseBlock(block) if err != nil { return nil, err } - res = append(res, rrr...) + res = append(res, rules...) } return res, nil @@ -462,15 +446,13 @@ func parseCommaRules(input string) ([]rule, error) { return rules, nil } -func parseParagraph(input string) (Rules, error) { - // Line rules - var raw string +// parseContentRules parses line and comma rules from a raw string. +func parseContentRules(input string) (Rules, error) { raw, res, err := parseLineRules(false, input) if err != nil { return nil, err } - // Comma rules rules, err := parseCommaRules(raw) if err != nil { return nil, err @@ -480,13 +462,7 @@ func parseParagraph(input string) (Rules, error) { return nil, err } - res = append(res, rrr...) - // for _, r := range res { - // if r.Constraint() == PreambleRule { - // return nil, fmt.Errorf("Rule not allowed in block: %s", r) - // } - // } - return res, nil + return append(res, rrr...), nil } // Split a raw input rule string into tokens by space or =, but ignore spaces @@ -1016,7 +992,7 @@ func ParseRules(input string) (ParaRules, []string, error) { } paragraphs = append(paragraphs, paragraph) - rules, err := parseParagraph(paragraph) + rules, err := parseContentRules(input) if err != nil { return nil, nil, err } From a227fcdb395a100c331faa047b6c43bf41d4a440 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 14:03:09 +0100 Subject: [PATCH 1505/1736] feat(aa): util: optimize compareFileAccess() and toAccess(). --- pkg/aa/util.go | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 7a89645e48..f4dd63adb5 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -120,15 +120,19 @@ func compare(a, b any) int { // compareFileAccess compares two access strings for file rules. // It is aimed to be used in slices.SortFunc. func compareFileAccess(i, j string) int { - if slices.Contains(requirements[FILE]["access"], i) && - slices.Contains(requirements[FILE]["access"], j) { - return requirementsWeights[FILE]["access"][i] - requirementsWeights[FILE]["access"][j] + accessWeights := requirementsWeights[FILE]["access"] + transitionWeights := requirementsWeights[FILE]["transition"] + wi, iIsAccess := accessWeights[i] + wj, jIsAccess := accessWeights[j] + if iIsAccess && jIsAccess { + return wi - wj } - if slices.Contains(requirements[FILE]["transition"], i) && - slices.Contains(requirements[FILE]["transition"], j) { - return requirementsWeights[FILE]["transition"][i] - requirementsWeights[FILE]["transition"][j] + wi, iIsTransition := transitionWeights[i] + wj, jIsTransition := transitionWeights[j] + if iIsTransition && jIsTransition { + return wi - wj } - if slices.Contains(requirements[FILE]["access"], i) { + if iIsAccess { return -1 } return 1 @@ -216,16 +220,18 @@ func toValues(kind Kind, key string, input string) ([]string, error) { } // Helper function to convert an access string to a slice of access according to -// the rule requirements as defined in the requirements map. +// the rule requirements as defined in the requirements matrix. func toAccess(kind Kind, input string) ([]string, error) { var res []string switch kind { case FILE: + accessWeights := requirementsWeights[FILE]["access"] + transitionWeights := requirementsWeights[FILE]["transition"] raw := strings.Split(input, "") trans := []string{} for _, access := range raw { - if slices.Contains(requirements[FILE]["access"], access) { + if _, ok := accessWeights[access]; ok { res = append(res, access) } else { trans = append(trans, access) @@ -234,7 +240,7 @@ func toAccess(kind Kind, input string) ([]string, error) { transition := strings.Join(trans, "") if len(transition) > 0 { - if slices.Contains(requirements[FILE]["transition"], transition) { + if _, ok := transitionWeights[transition]; ok { res = append(res, transition) } else { return nil, fmt.Errorf("unrecognized transition: %s", transition) @@ -242,9 +248,10 @@ func toAccess(kind Kind, input string) ([]string, error) { } case FILE + "-log": + accessWeights := requirementsWeights[FILE]["access"] raw := strings.Split(input, "") for _, access := range raw { - if slices.Contains(requirements[FILE]["access"], access) { + if _, ok := accessWeights[access]; ok { res = append(res, access) } else if maskToAccess[access] != "" { res = append(res, maskToAccess[access]) From 94fa3acdbd46473a87e00dc5a8063f47b0cf165a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 14:11:19 +0100 Subject: [PATCH 1506/1736] build: simplify attach and dbus tasks. --- pkg/builder/attach.go | 28 ++++++++-------------------- pkg/builder/dbus.go | 10 ++-------- 2 files changed, 10 insertions(+), 28 deletions(-) diff --git a/pkg/builder/attach.go b/pkg/builder/attach.go index b90237ddb6..9f1b998349 100644 --- a/pkg/builder/attach.go +++ b/pkg/builder/attach.go @@ -27,7 +27,7 @@ func NewAttach() *ReAttach { } // Apply will re-attach the disconnected path -// - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag +// - Add the attach_disconnected.path flag on all profile with the attach_disconnected flag // - Replace the base abstraction by attached/base // - Replace the consoles abstraction by attached/consoles // - For compatibility, non disconnected profile will have the @{att} variable set to / @@ -55,26 +55,14 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { insert = "@{att} = /att/" + opt.Name + "/\n" } } - profile = strings.ReplaceAll(profile, - "attach_disconnected", - "attach_disconnected,attach_disconnected.path=@{att}", - ) - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) - profile = strings.ReplaceAll(profile, - "include ", - "include ", + replacer := strings.NewReplacer( + "attach_disconnected", "attach_disconnected,attach_disconnected.path=@{att}", + "include ", "include ", + "include ", "include ", + "include ", "include ", + "include ", "include ", ) + profile = replacer.Replace(profile) } else { if opt.Kind == aa.ProfileKind { diff --git a/pkg/builder/dbus.go b/pkg/builder/dbus.go index 1f7df48dc8..728cbb4f6e 100644 --- a/pkg/builder/dbus.go +++ b/pkg/builder/dbus.go @@ -5,7 +5,6 @@ package builder import ( - "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -67,11 +66,6 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { return profile, nil } - toResolve := []string{} - for k := range resolve { - toResolve = append(toResolve, k) - } - rulesByParagraph, paragraphs, err := parse(opt.Kind, profile) if err != nil { return "", err @@ -82,9 +76,9 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { for _, rule := range rules { switch rule := rule.(type) { case *aa.Dbus: - if slices.Contains(toResolve, rule.PeerLabel) { + if labels, ok := resolve[rule.PeerLabel]; ok { changed = true - for _, label := range resolve[rule.PeerLabel] { + for _, label := range labels { newRule := *rule newRule.PeerLabel = label newRules = append(newRules, &newRule) From 2cda946a45a3bdf9d012e1c8abc4848c6cb6e08d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 14:12:19 +0100 Subject: [PATCH 1507/1736] build: builder: add extractFlags() and setFlags() helpers. --- pkg/builder/complain.go | 26 ++++---------------------- pkg/builder/core.go | 27 +++++++++++++++++++++++++++ pkg/builder/enforce.go | 17 ++--------------- pkg/builder/profile-mode.go | 15 ++------------- 4 files changed, 35 insertions(+), 50 deletions(-) diff --git a/pkg/builder/complain.go b/pkg/builder/complain.go index 02abc7571e..168ff5593a 100644 --- a/pkg/builder/complain.go +++ b/pkg/builder/complain.go @@ -5,18 +5,11 @@ package builder import ( - "regexp" "slices" - "strings" "github.com/roddhjav/apparmor.d/pkg/tasks" ) -var ( - regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {\n`) -) - type Complain struct { tasks.BaseTask } @@ -32,21 +25,10 @@ func NewComplain() *Complain { } func (b Complain) Apply(opt *Option, profile string) (string, error) { - flags := []string{} - matches := regFlags.FindStringSubmatch(profile) - if len(matches) != 0 { - flags = strings.Split(matches[1], ",") - if slices.Contains(flags, "complain") { - return profile, nil - } - if slices.Contains(flags, "unconfined") { - return profile, nil - } + flags := extractFlags(profile) + if slices.Contains(flags, "complain") || slices.Contains(flags, "unconfined") { + return profile, nil } flags = append(flags, "complain") - strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" - - // Remove all flags definition, then set manifest' flags - profile = regFlags.ReplaceAllLiteralString(profile, "") - return regProfileHeader.ReplaceAllLiteralString(profile, strFlags), nil + return setFlags(profile, flags), nil } diff --git a/pkg/builder/core.go b/pkg/builder/core.go index 88d9709b93..51b1353740 100644 --- a/pkg/builder/core.go +++ b/pkg/builder/core.go @@ -6,6 +6,7 @@ package builder import ( "fmt" + "regexp" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -13,6 +14,11 @@ import ( "github.com/roddhjav/apparmor.d/pkg/tasks" ) +var ( + regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) + regProfileHeader = regexp.MustCompile(` {\n`) +) + // Builder main directive interface type Builder interface { tasks.BaseTaskInterface @@ -65,3 +71,24 @@ func (r *Builders) Add(builder Builder) *Builders { r.BaseRunner.Add(builder) return r } + +// extractFlags parses the flags from a profile string. +func extractFlags(profile string) []string { + matches := regFlags.FindStringSubmatch(profile) + if len(matches) == 0 { + return nil + } + return strings.Split(matches[1], ",") +} + +// setFlags replaces flags in a profile string. If flags is empty, removes the flags clause. +func setFlags(profile string, flags []string) string { + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) == 0 { + // Clean up any extra space left after removing flags + profile = strings.ReplaceAll(profile, " {\n", " {\n") + return profile + } + flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" + return regProfileHeader.ReplaceAllLiteralString(profile, flagsStr) +} diff --git a/pkg/builder/enforce.go b/pkg/builder/enforce.go index ab7937cebd..1f27659563 100644 --- a/pkg/builder/enforce.go +++ b/pkg/builder/enforce.go @@ -6,7 +6,6 @@ package builder import ( "slices" - "strings" "github.com/roddhjav/apparmor.d/pkg/tasks" ) @@ -26,23 +25,11 @@ func NewEnforce() *Enforce { } func (b Enforce) Apply(opt *Option, profile string) (string, error) { - matches := regFlags.FindStringSubmatch(profile) - if len(matches) == 0 { - return profile, nil - } - - flags := strings.Split(matches[1], ",") + flags := extractFlags(profile) idx := slices.Index(flags, "complain") if idx == -1 { return profile, nil } flags = slices.Delete(flags, idx, idx+1) - strFlags := "{\n" - if len(flags) >= 1 { - strFlags = " flags=(" + strings.Join(flags, ",") + ") {\n" - } - - // Remove all flags definition, then set new flags - profile = regFlags.ReplaceAllLiteralString(profile, "") - return regProfileHeader.ReplaceAllLiteralString(profile, strFlags), nil + return setFlags(profile, flags), nil } diff --git a/pkg/builder/profile-mode.go b/pkg/builder/profile-mode.go index 544c55441d..43bf9c2527 100644 --- a/pkg/builder/profile-mode.go +++ b/pkg/builder/profile-mode.go @@ -8,7 +8,6 @@ import ( "fmt" "regexp" "slices" - "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" @@ -64,11 +63,7 @@ func (b ProfileMode) Apply(opt *Option, profile string) (string, error) { } func setMode(profile string, mode string) (string, error) { - flags := []string{} - matches := regFlags.FindStringSubmatch(profile) - if len(matches) != 0 { - flags = strings.Split(matches[1], ",") - } + flags := extractFlags(profile) // Remove all conflicting mode flags flags = slices.DeleteFunc(flags, func(f string) bool { @@ -80,11 +75,5 @@ func setMode(profile string, mode string) (string, error) { flags = append(flags, mode) } - // Remove all flags definition, then set the new flags - profile = regFlags.ReplaceAllLiteralString(profile, "") - if len(flags) > 0 { - flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" - profile = regProfileHeader.ReplaceAllLiteralString(profile, flagsStr) - } - return profile, nil + return setFlags(profile, flags), nil } From 28daf8e5de8da8a20fed82965d50ff70e5aab1c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 14:13:27 +0100 Subject: [PATCH 1508/1736] test(build): builder: add debug tests. --- pkg/builder/core_test.go | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/pkg/builder/core_test.go b/pkg/builder/core_test.go index 523d7998d8..4e5d4eb6c2 100644 --- a/pkg/builder/core_test.go +++ b/pkg/builder/core_test.go @@ -303,6 +303,28 @@ profile attach-2 flags=(complain) { include include include +}`, + }, + { + name: "debug-1", + b: NewDebug(), + profile: ` +profile debug-1 { + include + # @{exec_path} mr, + audit @{bin}/ls Px, + @{exec_path} mr, + @{bin}/foo Px, + @{bin}/bar ix, +}`, + want: ` +profile debug-1 { + include + # @{exec_path} mr, + audit @{bin}/ls Px, + @{exec_path} mr, + audit @{bin}/foo Px, + @{bin}/bar ix, }`, }, } From db556ab0f049afd0fcb8bf163b6d79c1724993ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 14:15:13 +0100 Subject: [PATCH 1509/1736] feat(build): dbus directive: make it usable outside of this project. --- pkg/directive/dbus.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index daec06a795..93a1d929ca 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -43,17 +43,17 @@ func NewDbus() *Dbus { func (d Dbus) Apply(opt *Option, profile string) (string, error) { var r aa.Rules - action, err := d.sanityCheck(opt) + action, err := d.SanityCheck(opt) if err != nil { return "", err } switch action { case "own": - r = d.own(opt.ArgMap) + r = d.Own(opt.ArgMap) case "talk": - r = d.talk(opt.ArgMap) + r = d.Talk(opt.ArgMap) case "common", "see": - r = d.see(opt.ArgMap) + r = d.See(opt.ArgMap) } aa.IndentationLevel = strings.Count( @@ -66,7 +66,7 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { return profile, nil } -func (d Dbus) sanityCheck(opt *Option) (string, error) { +func (d Dbus) SanityCheck(opt *Option) (string, error) { if len(opt.ArgList) < 1 { return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } @@ -107,7 +107,7 @@ func getInterfaces(rules map[string]string) []string { return interfaces } -func (d Dbus) own(rules map[string]string) aa.Rules { +func (d Dbus) Own(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) res := aa.Rules{ @@ -169,7 +169,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { return res } -func (d Dbus) talk(rules map[string]string) aa.Rules { +func (d Dbus) Talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) peerName := `"{@{busname},` + rules["name"] + `,org.freedesktop.DBus}"` res := aa.Rules{ @@ -224,7 +224,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { return res } -func (d Dbus) see(rules map[string]string) aa.Rules { +func (d Dbus) See(rules map[string]string) aa.Rules { peerName := `"{@{busname},` + rules["name"] + `}"` res := aa.Rules{ From 296bb80d2c8e2efddd38297149051666831acb09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 14:21:34 +0100 Subject: [PATCH 1510/1736] feat(directive): various optimisation in stack directive. --- pkg/directive/stack.go | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/pkg/directive/stack.go b/pkg/directive/stack.go index 01eb70f080..1a20e14f23 100644 --- a/pkg/directive/stack.go +++ b/pkg/directive/stack.go @@ -44,9 +44,10 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { if len(opt.ArgList) == 0 { return "", fmt.Errorf("no profile to stack") } + cleanRules := regCleanStakedRules t := opt.ArgList[0] if t != "X" { - regCleanStakedRules = slices.Insert(regCleanStakedRules, 0, + cleanRules = slices.Insert(slices.Clone(regCleanStakedRules), 0, util.ToRegexRepl([]string{ `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove X transition rules })..., @@ -55,7 +56,7 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { delete(opt.ArgMap, t) } - res := "" + var res strings.Builder ignoreDir := paths.FilterNames("tunables", "abstractions", "disable") for name := range opt.ArgMap { files, err := s.RootApparmor.ReadDirRecursiveFiltered( @@ -72,16 +73,16 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { } stackedProfile := files[0].MustReadFileAsString() - if err != nil { - return "", fmt.Errorf("%s need to stack: %w", name, err) - } m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("no profile found in %s", name) } - stackedRules := m[1] - stackedRules = regCleanStakedRules.Replace(stackedRules) - res += " # Stacked profile: " + name + "\n" + stackedRules + "\n" + stackedRules := cleanRules.Replace(m[1]) + res.WriteString(" # Stacked profile: ") + res.WriteString(name) + res.WriteString("\n") + res.WriteString(stackedRules) + res.WriteString("\n") } // Insert the stacked profile at the end of the current profile, remove the stack directive @@ -89,7 +90,7 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { if len(m) <= 1 { return "", fmt.Errorf("no end of rules found in %s", opt.File) } - profile = strings.ReplaceAll(profile, m[0], res+m[0]) + profile = strings.ReplaceAll(profile, m[0], res.String()+m[0]) profile = strings.ReplaceAll(profile, opt.Raw, "") return profile, nil } From e19610aa5c76eb0d3171fa9ebda5a7949edfb134 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 14:22:47 +0100 Subject: [PATCH 1511/1736] feat(directive): filter simplification. - Simplify filterRuleForUs - Eliminate double call to filterRuleForUs --- pkg/directive/filter.go | 43 +++++++++++++++++------------------------ 1 file changed, 18 insertions(+), 25 deletions(-) diff --git a/pkg/directive/filter.go b/pkg/directive/filter.go index f6660638b7..d906b34024 100644 --- a/pkg/directive/filter.go +++ b/pkg/directive/filter.go @@ -95,38 +95,31 @@ func compare(refValue any, prefix string, arg string) bool { func filterRuleForUs(c *tasks.TaskConfig, opt *Option) bool { for _, arg := range opt.ArgList { - var res bool - if c.RBAC && arg == "RBAC" { - res = true - } - if c.Test && arg == "test" { - res = true - } - if arg == tasks.Distribution { - res = true - } - if arg == tasks.Family { - res = true - } - if strings.HasPrefix(arg, "abi") { - res = compare(c.ABI, "abi", arg) - } - if strings.HasPrefix(arg, "apparmor") { - res = compare(c.Version, "apparmor", arg) - } - - if res { + switch { + case c.RBAC && arg == "RBAC": + return true + case c.Test && arg == "test": + return true + case arg == tasks.Distribution: return true + case arg == tasks.Family: + return true + case strings.HasPrefix(arg, "abi"): + if compare(c.ABI, "abi", arg) { + return true + } + case strings.HasPrefix(arg, "apparmor"): + if compare(c.Version, "apparmor", arg) { + return true + } } } return false } func filter(c *tasks.TaskConfig, only bool, opt *Option, profile string) (string, error) { - if only && filterRuleForUs(c, opt) { - return opt.Clean(profile), nil - } - if !only && !filterRuleForUs(c, opt) { + forUs := filterRuleForUs(c, opt) + if only == forUs { return opt.Clean(profile), nil } From 4fe1401c4dceb011bc7ff8a1d6c4745c1205882e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 14:23:54 +0100 Subject: [PATCH 1512/1736] feat(directive): update tests to last changes. --- pkg/directive/core.go | 2 +- pkg/directive/dbus_test.go | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pkg/directive/core.go b/pkg/directive/core.go index 22d76e0eda..ada3fb5593 100644 --- a/pkg/directive/core.go +++ b/pkg/directive/core.go @@ -116,7 +116,7 @@ func (o *Option) Clean(input string) string { return strings.Replace(input, o.Raw, o.cleanKeyword(o.Raw), 1) } -// cleanKeyword removes the dirextive keywork (#aa:...) from the input string +// cleanKeyword removes the directive keyword (#aa:...) from the input string func (o *Option) cleanKeyword(input string) string { reg := regexp.MustCompile(`\s*` + Keyword + o.Name + `( .*)?$`) return reg.ReplaceAllString(input, "") diff --git a/pkg/directive/dbus_test.go b/pkg/directive/dbus_test.go index 0aa099bfa8..9a4092cead 100644 --- a/pkg/directive/dbus_test.go +++ b/pkg/directive/dbus_test.go @@ -24,11 +24,11 @@ const dbusOwnSystemd1 = ` include dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{@{busname},org.freedesktop.DBus}"), + peer=(name="@{busname}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.DBus}"), + peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} @@ -95,11 +95,11 @@ func TestDbus_Apply(t *testing.T) { dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{@{busname},org.freedesktop.DBus}"), + peer=(name="@{busname}"), dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.DBus}"), + peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), dbus send bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} @@ -124,23 +124,23 @@ func TestDbus_Apply(t *testing.T) { dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon),`, }, { name: "common", From 777ca3f279501df6709c3f7b9a4f87d720fd1f4f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 15:03:25 +0100 Subject: [PATCH 1513/1736] feat(aa-log): simplify GetApparmorLogs. --- pkg/logs/loggers.go | 8 +++----- pkg/logs/logs.go | 3 +-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 097634921f..37ace93502 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -34,16 +34,14 @@ type systemdLog struct { func GetApparmorLogs(file io.Reader, profile string, namespace string) []string { var logs []string - isAppArmorLog := isAppArmorLogTemplate.Copy() exp := `apparmor=("DENIED"|"ALLOWED"|"AUDIT")` if profile != "" { - exp = fmt.Sprintf(exp+`.* (profile="%s.*"|label="%s.*")`, profile, profile) - isAppArmorLog = regexp.MustCompile(exp) + exp += fmt.Sprintf(`.* (profile="%s.*"|label="%s.*")`, profile, profile) } if namespace != "" { - exp = fmt.Sprintf(exp+`.* namespace="root//%s.*"`, namespace) - isAppArmorLog = regexp.MustCompile(exp) + exp += fmt.Sprintf(`.* namespace="root//%s.*"`, namespace) } + isAppArmorLog := regexp.MustCompile(exp) scanner := bufio.NewScanner(file) for scanner.Scan() { diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 744fb85703..e909684c02 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -35,8 +35,7 @@ const ( ) var ( - isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`) - regCleanLogs = util.ToRegexRepl([]string{ + regCleanLogs = util.ToRegexRepl([]string{ // Clean apparmor log file `.*apparmor="`, `apparmor="`, `(peer_|)pid=[0-9]*\s`, " ", From 421970c2b6ea1b132d556557df4705137f37b2a4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 15:05:35 +0100 Subject: [PATCH 1514/1736] feat(aa-log): remove redundant open/close in validateLogFile. --- pkg/logs/loggers.go | 7 ------- 1 file changed, 7 deletions(-) diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 37ace93502..045121f522 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -137,13 +137,6 @@ func validateLogFile(filename string) error { if info.Size() == 0 { return fmt.Errorf("file is empty: %s", filename) } - file, err := os.Open(filename) - if err != nil { - return fmt.Errorf("unable to read: %s", filename) - } - if cerr := file.Close(); cerr != nil { - return fmt.Errorf("unable to close file %s: %w", filename, cerr) - } return nil } From dd82daf7a1be10a8f2a41b410a48cf59e75128fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 15:06:31 +0100 Subject: [PATCH 1515/1736] feat(aa-log): optimize ignore slice to map. --- pkg/logs/logs.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index e909684c02..6407813631 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -256,9 +256,10 @@ func (aaLogs AppArmorLogs) String() string { "requested_mask", "denied_mask", "signal", "peer", "peer_label", } // Key to not print - ignore := []string{ - "fsuid", "ouid", "FSUID", "OUID", "exe", "SAUID", "sauid", "terminal", - "UID", "AUID", "hostname", "class", + ignore := map[string]bool{ + "fsuid": true, "ouid": true, "FSUID": true, "OUID": true, + "exe": true, "SAUID": true, "sauid": true, "terminal": true, + "UID": true, "AUID": true, "hostname": true, "class": true, } // Color template to use template := map[string]string{ @@ -307,7 +308,7 @@ func (aaLogs AppArmorLogs) String() string { } for key, value := range log { - if slices.Contains(ignore, key) { + if ignore[key] { continue } if _, present := seen[key]; !present && value != "" { From ef527368ba85911a785660950273c3cd9d019e5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 15:10:24 +0100 Subject: [PATCH 1516/1736] feat(aa-log): add splitFields helper. Deduplicate the quoted-string-aware FieldsFunc pattern. --- pkg/logs/logs.go | 46 ++++++++++++++++++---------------------------- 1 file changed, 18 insertions(+), 28 deletions(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 6407813631..a03efd6673 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -7,7 +7,6 @@ package logs import ( "bufio" "io" - "regexp" "slices" "strings" @@ -118,6 +117,17 @@ type AppArmorLog map[string]string // AppArmorLogs describes all apparmor log entries type AppArmorLogs []AppArmorLog +// splitFields splits a string by separator while respecting quoted sections. +func splitFields(s string, sep rune) []string { + var quoted bool + return strings.FieldsFunc(s, func(r rune) bool { + if r == '"' { + quoted = !quoted + } + return !quoted && r == sep + }) +} + func toQuote(str string) string { if strings.Contains(str, " ") { return `"` + str + `"` @@ -130,26 +140,14 @@ func New(file io.Reader, profile string, namespace string) AppArmorLogs { logs := GetApparmorLogs(file, profile, namespace) // Parse log into ApparmorLog struct - aaLogs := make(AppArmorLogs, 0) + aaLogs := make(AppArmorLogs, 0, len(logs)) toClean := []string{"profile", "name", "target"} - var quoted bool for _, log := range logs { - quoted = false - tmp := strings.FieldsFunc(log, func(r rune) bool { - if r == '"' { - quoted = !quoted - } - return !quoted && r == ' ' - }) + tmp := splitFields(log, ' ') aa := make(AppArmorLog) for _, item := range tmp { - kv := strings.FieldsFunc(item, func(r rune) bool { - if r == '"' { - quoted = !quoted - } - return !quoted && r == '=' - }) + kv := splitFields(item, '=') if len(kv) >= 2 { key, value := kv[0], kv[1] if slices.Contains(toClean, key) { @@ -169,18 +167,11 @@ func New(file io.Reader, profile string, namespace string) AppArmorLogs { // Load reads an ApparmorLogs from file written with AppArmorLogs.String. func Load(file io.Reader, profile string, namespace string) AppArmorLogs { - var quoted bool scanner := bufio.NewScanner(file) aaLogs := make(AppArmorLogs, 0) for scanner.Scan() { log := scanner.Text() - quoted = false - tmp := strings.FieldsFunc(log, func(r rune) bool { - if r == '"' { - quoted = !quoted - } - return !quoted && r == ' ' - }) + tmp := splitFields(log, ' ') if len(tmp) < 3 { continue } @@ -223,10 +214,9 @@ func Load(file io.Reader, profile string, namespace string) AppArmorLogs { } for _, item := range tmp { - kv := strings.Split(item, "=") - if len(kv) >= 2 { - key, value := kv[0], kv[1] - aa[key] = strings.Trim(value, `"`) + kv := strings.SplitN(item, "=", 2) + if len(kv) == 2 { + aa[kv[0]] = strings.Trim(kv[1], `"`) } } From 1014f8d7de397b197d68bd3f1dc52be6fccec115 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 15:12:54 +0100 Subject: [PATCH 1517/1736] build: enforce more profiles. --- dists/flags/main.flags | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index ca3ef12544..d97825b02d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -70,7 +70,6 @@ cups-notifier-dbus complain cups-notifier-mailto complain cups-notifier-rss complain cups-pk-helper-mechanism complain -cupsd complain ddcutil complain decibels complain dino complain @@ -92,8 +91,6 @@ epiphany-webapp-provider complain evolution-user-prompter complain fail2ban-client complain fail2ban-server complain -fapp complain -fbwrap complain fdisk complain filezilla complain finalrd complain @@ -102,7 +99,6 @@ firewall-config complain flameshot complain flatpak complain flatpak-oci-authenticator complain -flatpak-session-helper complain flatpak-session-helper-app complain flatpak-system-helper complain flatpak-validate-icon complain @@ -110,18 +106,15 @@ fuse-overlayfs complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain -gdm-session complain gdm-xsession complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain gnome-remote-desktop-daemon complain -gnome-session-service complain grub-bios-setup complain grub-editenv complain grub-file complain @@ -149,7 +142,6 @@ grub-render-label complain grub-script-check complain grub-set-default complain grub-syslinux2cfg complain -gsd-printer complain gsd-wwan complain gvfsd-dav complain gvfsd-wsdd complain @@ -213,9 +205,6 @@ linux-check-removal complain linux-update-symlinks complain locale-gen complain localectl complain -localsearch complain -localsearch-control complain -localsearch-writeback complain login complain loginctl complain low-memory-monitor complain @@ -262,8 +251,6 @@ plymouth-set-default-theme complain plymouthd complain polkit-kde-authentication-agent complain pollinate complain -ptyxis complain -ptyxis-agent complain pycompile complain qdbus complain remmina complain @@ -380,7 +367,6 @@ update-shells complain userdbctl complain utempter complain veracrypt complain -virt-manager complain virtinterfaced complain virtiofsd complain,attach_disconnected virtlockd complain From 16cf1c8808632a5ced5e1a9ef4cb517f2b47644e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 15:38:30 +0100 Subject: [PATCH 1518/1736] feat(profile): improve devs confinements. --- apparmor.d/abstractions/development | 42 ++++++++++++++++-------- apparmor.d/groups/code/code | 5 +++ apparmor.d/groups/code/code-extensions | 26 +++++++-------- apparmor.d/groups/code/code-shells | 8 +++++ apparmor.d/profiles-a-f/claude | 4 ++- apparmor.d/tunables/multiarch.d/programs | 2 +- 6 files changed, 58 insertions(+), 29 deletions(-) diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index bf86b8e68d..fbf2a3540a 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -15,10 +15,10 @@ include include - @{bin}/** ix, - @{sbin}/** ix, + @{bin}/** rix, + @{sbin}/** rix, @{HOME}/** ix, - @{lib}/** ix, + @{lib}/** rix, /opt/*/** ix, /usr/local/bin/** ix, /usr/local/lib/** ix, @@ -55,6 +55,31 @@ @{sys}/kernel/mm/transparent_hugepage/enabled r, + # Memory usage in pages (total, resident, shared, text, data) + @{PROC}/@{pid}/statm r, + + # Get kernel version string + @{PROC}/sys/kernel/osrelease r, + + # Kernel version + @{PROC}/version r, + @{PROC}/version_signature r, + + # Allow reading command line arguments for process identification + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + + # Allow reading our own environment variables + owner @{PROC}/@{pid}/environ r, + + # Allow listing file descriptors for resource monitoring + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fd/@{int} rw, + + # Allow reading mount points for filesystem awareness. This is an information leak + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, @@ -63,16 +88,7 @@ owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - - # Allow listing file descriptors for resource monitoring - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fd/@{int} rw, - - @{PROC}/@{pid}/statm r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/version_signature r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/task/@{tid}/statm r, include if exists diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index 27579e787a..31e6e71167 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -60,6 +60,11 @@ profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace read, unix (send receive) type=stream peer=(label=code-*), + unix (send receive) type=stream peer=(label=git), + unix (send receive) type=stream peer=(label=gitstatusd), + unix (send receive) type=stream peer=(label=nproc), + unix (send receive) type=stream peer=(label=ps), + unix type=seqpacket peer=(label=code-shells), signal send peer=claude, signal send peer=code-*, diff --git a/apparmor.d/groups/code/code-extensions b/apparmor.d/groups/code/code-extensions index 4a5a8cdec8..b4c71b1839 100644 --- a/apparmor.d/groups/code/code-extensions +++ b/apparmor.d/groups/code/code-extensions @@ -41,14 +41,15 @@ profile code-extensions @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/* r, - - @{bin}/aa-log Px, + # Well known programs used in code-extensions. + @{bin}/docker Ux, # TODO Px, @{bin}/git Px, - @{bin}/htop Px, @{bin}/journalctl Px, @{bin}/lscpu Px, + @{bin}/podman Px, @{bin}/ps Px, + @{bin}/uptime Px, + @{bin}/w Px, owner @{lib_dirs}/{,**/}__pycache__/ w, owner @{lib_dirs}/{,**/}__pycache__/**.pyc{,*} w, @@ -58,23 +59,20 @@ profile code-extensions @{exec_path} flags=(attach_disconnected) { owner @{user_projects_dirs}/ r, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, + /tmp/ r, + owner @{tmp}/hsperfdata_@{user}/ rw, + owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{tmp}/jansi-*-libjansi.so rwm, + owner @{tmp}/jansi-*-libjansi.so.lck rw, + owner @{tmp}/proc-macro-*/ w, + @{sys}/devices/system/node/ r, @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, @{PROC}/@{pid}/net/tcp r, @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/coredump_filter rw, - owner @{PROC}/@{pid}/statm r, - - /tmp/ r, - owner @{tmp}/hsperfdata_@{user}/ rw, - owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/jansi-*-libjansi.so rwm, - owner @{tmp}/jansi-*-libjansi.so.lck rw, - owner @{tmp}/proc-macro-*/ w, include if exists } diff --git a/apparmor.d/groups/code/code-shells b/apparmor.d/groups/code/code-shells index 93b6ac9a2b..f679ab217f 100644 --- a/apparmor.d/groups/code/code-shells +++ b/apparmor.d/groups/code/code-shells @@ -38,6 +38,8 @@ profile code-shells flags=(attach_disconnected) { ptrace read peer=git, ptrace read peer=child-pager, + unix type=seqpacket peer=(label=git), + @{shells_path} mrix, # Give glycin higher priority than `@{bin}/bwrap ix` got in the development abs @@ -56,6 +58,7 @@ profile code-shells flags=(attach_disconnected) { @{bin}/journalctl Px, @{bin}/man Px, @{bin}/nproc Px, + @{bin}/podman Px, @{bin}/ps Px, @{bin}/ssh Px, @{bin}/top Px, @@ -78,6 +81,11 @@ profile code-shells flags=(attach_disconnected) { owner @{user_config_dirs}/git/*config r, owner @{user_config_dirs}/git/ignore r, + /dev/ptmx rw, + + # file_inherit + priority=-1 deny owner @{user_config_dirs}/Code/** rw, + profile starship { include include diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index d4330bd6dd..2dee941452 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -154,8 +154,8 @@ profile claude @{exec_path} flags=(attach_disconnected) { priority=1 @{bin}/dpkg-query Px, priority=1 @{bin}/flatpak Px -> claude//flatpak, - priority=1 @{bin}/git Px, priority=1 @{bin}/journalctl Px, + priority=1 @{bin}/podman Px, priority=1 @{bin}/man PUx, priority=1 @{bin}/ps Px, priority=1 @{bin}/ssh Px -> claude//ssh, @@ -182,6 +182,8 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{tmp}/claude{,-code}/ r, owner @{tmp}/claude{,-code}/** mix, owner @{tmp}/claude{,-code}/** rwlk -> @{tmp}/claude/**, + owner @{tmp}/tmp@{word8}/ rw, + owner @{tmp}/tmp@{word8}/** rwlk, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 4d0ec36a2a..eb5b174e55 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -37,7 +37,7 @@ # Sensitive tools like git/ssh/gpg should not be included in `@{devtools}`. # This should only contains core development tools like compilers, analysis tools, linters, debuggers etc. # -@{devtools} = ansible cargo dlv gem go{,-*} just node npm pip pyright python ruby +@{devtools} = ansible cargo dlv gem go just node npm pip pyright python ruby @{devtools} += rust typescript yarn docker # Python interpreters From 53c7fb957405391e67e1999ea4f00c8fa5394c35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 20:38:19 +0100 Subject: [PATCH 1519/1736] feat(profile): small general update. --- .../bus/system/org.bluez.AgentManager1 | 2 +- .../system/org.freedesktop.Avahi.EntryGroup | 2 +- apparmor.d/abstractions/flatpak/devices/dri | 2 +- apparmor.d/groups/apt/apt | 13 ++--- apparmor.d/groups/apt/deb-systemd-invoke | 14 +++++ apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/apt/dpkg-scripts | 2 + apparmor.d/groups/network/ModemManager | 4 ++ apparmor.d/groups/procps/ps | 6 +- apparmor.d/groups/systemd/systemd-logind | 3 +- apparmor.d/groups/utils/df | 6 ++ apparmor.d/groups/utils/dmesg | 1 + apparmor.d/profiles-a-f/evince-previewer | 23 -------- apparmor.d/profiles-g-l/git | 4 +- apparmor.d/profiles-m-r/mpv | 24 +++----- apparmor.d/profiles-m-r/needrestart | 2 +- apparmor.d/profiles-s-z/terminator | 1 + apparmor.d/profiles-s-z/tlp | 1 + apparmor.d/profiles-s-z/ucf | 2 + .../profiles-s-z/update-ca-certificates | 3 +- apparmor.d/profiles-s-z/update-ca-trust | 2 +- apparmor.d/profiles-s-z/veracrypt | 56 ++++++++++++++----- apparmor.d/tunables/multiarch.d/programs | 2 +- 23 files changed, 98 insertions(+), 78 deletions(-) delete mode 100644 apparmor.d/profiles-a-f/evince-previewer diff --git a/apparmor.d/abstractions/bus/system/org.bluez.AgentManager1 b/apparmor.d/abstractions/bus/system/org.bluez.AgentManager1 index 4af4ff80ca..e1e549cf2f 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez.AgentManager1 +++ b/apparmor.d/abstractions/bus/system/org.bluez.AgentManager1 @@ -7,7 +7,7 @@ dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager1 member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup index af799007dd..ca7a223065 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.EntryGroup @@ -14,7 +14,7 @@ dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server2 member=EntryGroupNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name="{@{busname},org.freedesktop.Avahi}", label="@{p_avahi_daemon}"), # dbus send bus=system path=/Client@{int}/EntryGroup@{int} # interface=org.freedesktop.Avahi.EntryGroup diff --git a/apparmor.d/abstractions/flatpak/devices/dri b/apparmor.d/abstractions/flatpak/devices/dri index c0b5df43a8..ed42b24db6 100644 --- a/apparmor.d/abstractions/flatpak/devices/dri +++ b/apparmor.d/abstractions/flatpak/devices/dri @@ -7,7 +7,7 @@ include - unix (bind listen) type=seqpacket addr=@@{hex}, + unix (bind listen) type=seqpacket addr=@@{hex}@{hex}, # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 3388f987a5..8437393663 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -202,15 +202,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-source mr, - @{bin}/bunzip2 rix, - @{bin}/chmod rix, - @{bin}/bzip2 rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/patch rix, - @{bin}/rm rix, - @{bin}/tar rix, - @{bin}/xz rix, + @{archive_path} rix, + @{bin}/chmod rix, + @{bin}/patch rix, + @{bin}/rm rix, /etc/dpkg/origins/* r, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 244f3257c3..ceceaeb156 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -19,6 +19,10 @@ profile deb-systemd-invoke @{exec_path} { signal send set=(cont term) peer=systemd-tty-ask-password-agent, + unix type=stream peer=(label=dbus-system), + unix type=stream peer=(label=deb-systemd-invoke//run), + unix type=stream peer=(label=systemd-stdio-bridge), + @{exec_path} mr, @{sh_path} rix, @@ -27,6 +31,16 @@ profile deb-systemd-invoke @{exec_path} { @{bin}/systemctl rix, #aa:lint ignore=transition @{bin}/systemd-tty-ask-password-agent Px, + @{bin}/systemd-run Cx -> run, + + profile run { + include + + capability net_admin, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 03fb7d27b8..d3736c4a95 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -41,6 +41,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/sed ix, @{bin}/sort ix, @{bin}/stty ix, + @{bin}/tail ix, @{bin}/touch ix, @{bin}/tr ix, @{bin}/uniq ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 2ea288aca8..34a5ea0b51 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -152,6 +152,8 @@ profile dpkg-scripts @{exec_path} { /etc/machine-id r, + /etc/systemd/system/{,*/} r, + /var/lib/systemd/catalog/database r, /{run,var}/log/journal/ r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 47266983ea..1ebde3be43 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -51,6 +51,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, + @{sys}/devices/**/@{uuid}/@{pci}/device r, + @{sys}/devices/**/@{uuid}/@{pci}/revision r, + @{sys}/devices/**/@{uuid}/@{pci}/subsystem_vendor r, + @{sys}/devices/**/@{uuid}/@{pci}/vendor r, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 256b5e334a..a4febf4b06 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -44,10 +44,6 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/tty/drivers r, @{PROC}/uptime r, - # file_inherit - owner @{HOME}/.xsession-errors w, - owner /dev/tty@{u8} rw, - # While commands like 'ps', 'ip netns identify ', 'ip netns pids foo', etc # trigger a 'ptrace trace' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are @@ -62,8 +58,10 @@ profile ps @{exec_path} flags=(attach_disconnected) { deny network netlink raw, deny unix (send receive) type=stream, deny /usr/share/** r, + deny owner @{HOME}/.xsession-errors w, deny owner @{user_config_dirs}/*/logs/{,**} rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny /dev/ptmx rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index d36bc66638..297669bea8 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -107,8 +107,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/** r, - @{sys}/devices/**/uevent rw, @{sys}/devices/**/brightness rw, + @{sys}/devices/**/uevent rw, @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, @@ -118,6 +118,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{sys}/fs/cgroup/memory.max r, @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, @{sys}/kernel/kexec_loaded r, + @{sys}/kernel/kexec/loaded r, @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, diff --git a/apparmor.d/groups/utils/df b/apparmor.d/groups/utils/df index baceace65d..abca66c6b4 100644 --- a/apparmor.d/groups/utils/df +++ b/apparmor.d/groups/utils/df @@ -24,6 +24,12 @@ profile df @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, + /dev/ptmx rw, + + # file_inherit + deny /var/crash/* w, + deny @{att}@{run}/systemd/inhibit/* w, + include if exists } diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index b2818df364..23abe6ac6c 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -26,6 +26,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/pid_max r, /dev/kmsg rw, + /dev/ptmx rw, # file_inherit deny @{sbin}/{,*/} r, diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer deleted file mode 100644 index dcd28ddc9f..0000000000 --- a/apparmor.d/profiles-a-f/evince-previewer +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/evince-previewer -profile evince-previewer @{exec_path} { - include - include - include - include - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index f3db216534..99e53b4843 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -27,8 +27,10 @@ profile git @{exec_path} flags=(attach_disconnected) { signal send peer=aurpublish, signal receive set=term peer=code, - unix (send receive) type=stream peer=(label=claude), + # unix (send receive) type=stream peer=(label=claude), unix (send receive) type=stream peer=(label=code), + unix type=seqpacket peer=(label=code-shells), + unix type=seqpacket peer=(label=code), @{exec_path} mrix, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 5cbd596a3b..c1253e2372 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -15,10 +15,11 @@ profile mpv @{exec_path} { include include include + include include + include include include - include network inet dgram, network inet6 dgram, @@ -40,11 +41,6 @@ profile mpv @{exec_path} { /etc/mpv/** r, /etc/samba/smb.conf r, - /usr/share/p11-kit/modules/{,*} r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{HOME}/ r, owner @{user_music_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, @@ -64,20 +60,10 @@ profile mpv @{exec_path} { owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA @{sys}/bus/ r, @{sys}/class/ r, - @{sys}/class/input/ r, - @{sys}/devices/**/input/**/capabilities/* r, - @{sys}/devices/**/input/**/uevent r, @{sys}/devices/**/sound/**/capabilities/* r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -85,7 +71,11 @@ profile mpv @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - /dev/input/event@{int} r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner /dev/tty@{u8} rw, include if exists diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index b027c75d61..d59659592f 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -18,7 +18,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace read, - mqueue getattr type=posix /att/*/, + mqueue (read, getattr) type=posix /att/*/, @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 50e768a368..fb051fa7d8 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -13,6 +13,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 62a88310f6..498a53b8e9 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -19,6 +19,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability net_admin, capability sys_nice, capability sys_rawio, capability sys_tty_config, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index fa216a1a47..2735d882af 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -16,6 +16,8 @@ profile ucf @{exec_path} { capability dac_read_search, + mqueue getattr type=posix, + @{exec_path} rix, @{sh_path} rix, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index d1cbf70a9f..9ff72ef2bb 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -11,6 +11,7 @@ include profile update-ca-certificates @{exec_path} { include include + include include @{exec_path} rmix, @@ -42,8 +43,6 @@ profile update-ca-certificates @{exec_path} { /etc/ca-certificates/update.d/ r, /etc/ca-certificates/update.d/* rix, - /usr/share/p11-kit/modules/{,*} r, - /etc/ r, /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt{,.new} rw, diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index 8cd9e918a9..5044822bd7 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -10,6 +10,7 @@ include profile update-ca-trust @{exec_path} { include include + include include capability dac_read_search, @@ -23,7 +24,6 @@ profile update-ca-trust @{exec_path} { @{bin}/trust rix, / r, - /usr/share/p11-kit/modules/{,*} r, /etc/ca-certificates/extracted/** rw, /etc/ssl/certs/{,*} rw, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index b9b92a7219..42bf034312 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -7,15 +7,15 @@ abi , include @{exec_path} = @{bin}/veracrypt -profile veracrypt @{exec_path} { +profile veracrypt @{exec_path} flags=(attach_disconnected) { include - include - include + include include include include include include + include capability chown, capability dac_read_search, @@ -27,25 +27,25 @@ profile veracrypt @{exec_path} { @{exec_path} mrix, - @{sh_path} rix, - @{open_path} rPx -> child-open-help, + @{sh_path} rix, + @{open_path} rPx -> child-open-help, @{sbin}/dmsetup rPx, - @{bin}/{,e}grep rix, - @{bin}/kmod rix, + @{bin}/{,e}grep rix, + @{bin}/kmod rCx -> kmod, @{sbin}/ldconfig rix, + @{sbin}/ldconfig.real ix, @{sbin}/losetup rCx -> losetup, - @{bin}/mount rPx, - @{bin}/sudo rix, - @{bin}/umount rCx -> umount, - @{bin}/wc rix, + @{bin}/mount rPx, + @{bin}/sudo rCx -> sudo, + @{bin}/umount rCx -> umount, + @{bin}/wc rix, @{file_explorers_path} rPx, - /home/ r, - # Mount points @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, + /home/ r, owner @{HOME}/ r, owner @{HOME}/.VeraCrypt-lock-@{user} rwk, @@ -55,10 +55,10 @@ profile veracrypt @{exec_path} { /tmp/.veracrypt_*/ rw, /tmp/.veracrypt_*/** rwk, - @{sys}/module/compression r, - @{sys}/module/dm_mod/initstate r, + /dev/shm/ r, @{PROC}/partitions r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, @@ -90,6 +90,32 @@ profile veracrypt @{exec_path} { include if exists } + profile kmod { + include + include + + @{sys}/module/compression r, + @{sys}/module/dm_mod/initstate r, + + include if exists + } + + profile sudo { + include + include + + capability sys_ptrace, + + ptrace read peer=veracrypt, + + @{bin}/veracrypt Px, + + @{HOME}/.VeraCrypt-lock-@{user} w, + @{user_config_dirs}/VeraCrypt/.show-request-queue r, + + include if exists + } + include if exists } diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index eb5b174e55..8cc49e8e6d 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -112,6 +112,6 @@ @{backup_names} = deja-dup borg # Archives -@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar unrar-nonfree unzip xz zip zstd +@{archive_names} = 7z 7zz ar bunzip2 bzip2 cpio gunzip gzip lzip rar tar unrar unrar-nonfree unzip xz zip zstd # vim:syntax=apparmor From f9aae298fe802e885faf277d58ffbadf937f1fa5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 22:26:17 +0100 Subject: [PATCH 1520/1736] feat(profile): add pkill and hugetop --- apparmor.d/groups/procps/hugetop | 36 ++++++++++++++++++++++++++++++++ apparmor.d/groups/procps/pkill | 23 ++++++++++++++++++++ apparmor.d/groups/procps/w | 2 -- 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/groups/procps/hugetop create mode 100644 apparmor.d/groups/procps/pkill diff --git a/apparmor.d/groups/procps/hugetop b/apparmor.d/groups/procps/hugetop new file mode 100644 index 0000000000..9e397cc0b9 --- /dev/null +++ b/apparmor.d/groups/procps/hugetop @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/hugetop +profile hugetop @{exec_path} { + include + include + + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + /usr/share/terminfo/** r, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/hugepages/ r, + @{sys}/devices/system/node/node@{int}/hugepages/hugepages-*/*_hugepages r, + @{sys}/kernel/mm/hugepages/ r, + @{sys}/kernel/mm/hugepages/hugepages-*/*_hugepages r, + + @{PROC}/ r, + @{PROC}/@{pids}/smaps_rollup r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/procps/pkill b/apparmor.d/groups/procps/pkill new file mode 100644 index 0000000000..62fd31e9a1 --- /dev/null +++ b/apparmor.d/groups/procps/pkill @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkill +profile pkill @{exec_path} { + include + include + + capability kill, + + signal send, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/procps/w b/apparmor.d/groups/procps/w index 414721f88b..2d38d56ee7 100644 --- a/apparmor.d/groups/procps/w +++ b/apparmor.d/groups/procps/w @@ -31,8 +31,6 @@ profile w @{exec_path} { @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/status r, - @{PROC}/1/ r, - @{PROC}/1/status r, @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, From eb60753048d964d3259ad643c9dab16032930284 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 22:53:37 +0100 Subject: [PATCH 1521/1736] feat(profile): small general update. --- apparmor.d/abstractions/app/firefox | 2 -- apparmor.d/groups/bluetooth/blueman | 2 ++ apparmor.d/groups/bluetooth/blueman-mechanism | 2 +- apparmor.d/groups/bus/dbus-session | 1 + apparmor.d/groups/code/code | 13 ++++--------- apparmor.d/groups/flatpak/flatpak | 1 + .../groups/freedesktop/xdg-desktop-portal-gnome | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 3 +-- apparmor.d/groups/gnome/gnome-calculator | 3 +-- apparmor.d/groups/gnome/papers | 1 - apparmor.d/groups/network/netplan | 6 ++---- apparmor.d/groups/systemd/resolvectl | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 3 ++- apparmor.d/groups/systemd/systemd-homed | 5 +++-- apparmor.d/groups/systemd/systemd-homework | 5 +++-- apparmor.d/groups/virt/libvirtd | 8 ++++---- apparmor.d/tunables/multiarch.d/system-users | 2 +- 17 files changed, 29 insertions(+), 32 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index f932694a63..2f81b9246a 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -66,8 +66,6 @@ signal (send) set=(term, kill) peer=@{profile_name}-*, - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index ed6f2fedbf..dc5bd7d237 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -31,6 +31,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.blueman.Applet #aa:dbus own bus=session name=org.blueman.Manager + #aa:dbus talk bus=system name=org.blueman.{m,M}echanism label=blueman-mechanism + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism index 9b48002109..112a86a8b0 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -23,7 +23,7 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=system name=org.blueman.Mechanism + #aa:dbus own bus=system name=org.blueman.{m,M}echanism @{exec_path} mr, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 8d7419c190..7041bed8c0 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -83,6 +83,7 @@ profile dbus-session flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, + owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/systemd/notify w, @{sys}/kernel/security/apparmor/.access rw, diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index 31e6e71167..99f086f556 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -149,6 +149,7 @@ profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile sign { include + include include include @@ -172,16 +173,10 @@ profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/{,c}dotnet-diagnostic-*-socket rw, owner @{tmp}/clr-debug-pipe-* rw, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, - @{sys}/devices/system/node/ r, - @{sys}/fs/cgroup/user.slice/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-code-*.scope/memory.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.max r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, + @{sys}/devices/system/node/ r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 5ef7ddbfd8..10465c6735 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -137,6 +137,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /dev/shm/flatpak*/{,**} rw, @{att}@{run}/.userns r, + @{run}/polkit/agent-helper.socket rw, @{run}/user/@{uid}/.dbus-proxy/ w, @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 1608b741aa..509c33398e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -29,7 +29,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus own bus=session name=org.freedesktop.impl.portal.FileChooser path=/org/freedesktop/portal/desktop - #aa:dbus talk bus=session name=org.freedesktop.portal interface+=org.freedesktop.impl.portal label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.* path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 42cd28f7eb..024d483be5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -30,8 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs - #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.freedesktop.impl.portal{,.*} path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 59ca8ac359..cd1b082dbf 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -11,6 +11,7 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include include include + include include # Needed to get currency exchange rates @@ -31,8 +32,6 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-help, - /usr/share/p11-kit/modules/{,*} r, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 922d6ae7b3..640887f247 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -32,7 +32,6 @@ profile papers @{exec_path} flags=(attach_disconnected) { /etc/passwd r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/cpdb/print-settings r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index 8e3274defa..14ab82f132 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -13,7 +13,7 @@ profile netplan @{exec_path} flags=(attach_disconnected) { include include - #aa;dbus owb bus=system name=io.netplan.Netplan + #aa:dbus own bus=system name=io.netplan.Netplan @{exec_path} mr, @@ -35,11 +35,9 @@ profile netplan @{exec_path} flags=(attach_disconnected) { @{run}/systemd/system/ r, @{run}/systemd/system/systemd-networkd.service.wants/ r, - /tmp/#@{int} rw, /tmp/@{word8} rw, + /tmp/#@{int} rw, /tmp/netplan_@{word8}/{,**} rw, - - #aa:only test /tmp/tmp@{word8}/{,**} rwlk, profile systemctl { diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 9644369ca6..51d26559cf 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -16,7 +16,9 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { capability net_admin, network inet raw, + network inet stream, network inet6 raw, + network inet6 stream, network netlink raw, signal send set=cont peer=child-pager, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 822b0c2908..3c79ad324e 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -10,8 +10,9 @@ include @{exec_path} = @{lib}/systemd/systemd-coredump profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include + include include + include userns, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index ee8dd57af9..8dca66adce 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -63,8 +63,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{sbin}/mke2fs Px, # nnp - @{bin}/fsck.* rix, - @{bin}/mkfs.* ix, + @{sbin}/fsck ix, + @{sbin}/fsck.* rix, + @{bin}/mkfs.* ix, /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index 2f2612b6df..d8bbdc6526 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -36,6 +36,8 @@ profile systemd-homework @{exec_path} flags=(attach_disconnected) { umount @{run}/systemd/user-home-mount/, umount @{run}/systemd/user-home-mount/@{user}/, + unix send type=dgram peer=(label=systemd-homed), + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, ptrace read peer=systemd-homed//&systemd-homework, @@ -68,8 +70,7 @@ profile systemd-homework @{exec_path} flags=(attach_disconnected) { @{run}/systemd/user-home-mount/@{user}/{,**} rw, @{sys}/fs/ r, - @{sys}/devices/**/b24[0-9]:@{int}/read_ahead_kb r, # for dynamic assignment range 240 - @{sys}/devices/**/b25[0-4]:@{int}/read_ahead_kb r, # to 254 + @{sys}/devices/**/read_ahead_kb r, @{PROC}/@{pid}/setgroups w, @{PROC}/devices r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index d49e964826..64a7a78dff 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -308,10 +308,10 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_module, - @{sys}/module/compression r, - @{sys}/module/iommufd/initstate r, - @{sys}/module/irqbypass/initstate r, - @{sys}/module/vfio/initstate r, + @{sys}/module/compression r, + @{sys}/module/iommufd/initstate r, + @{sys}/module/irqbypass/initstate r, + @{sys}/module/vfio/initstate r, include if exists } diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 68ef78cddf..0f3b760e3e 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -14,7 +14,7 @@ # if "gnome" in @{DE} { # Full path of the GDM configuration directories - @{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/gdm-greeter/ @{run}/gdm{,3}/home/gnome-initial-setup/ + @{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/gdm-greeter/ @{run}/gdm{,3}/home/gnome-initial-setup*/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{GDM_HOME}/seat@{int}/config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ From 21d70de783390a4f9df1fcdd9a35b5edefdc5048 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 22:56:33 +0100 Subject: [PATCH 1522/1736] fix(profile): simplify sbctl fix #1064 --- apparmor.d/profiles-s-z/sbctl | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 5d93bcc093..45e6fa2ddd 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include - include include + include + include capability dac_read_search, capability linux_immutable, @@ -22,9 +23,7 @@ profile sbctl @{exec_path} { /usr/share/secureboot/{,**} rw, /var/lib/sbctl/{,**} rw, - /{boot,efi}/{,**} r, - /{boot,efi}/EFI/{,**} rw, - /{boot,efi}/vmlinuz-linux* rw, + @{efi}/{,**} rw, @{lib}/fwupd/efi/{,**} rw, @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, From ba6864991247642b08434f531f49e1d7dcbdd973 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 23:07:30 +0100 Subject: [PATCH 1523/1736] fix(profile): add pam_env and limits to the auth abs. see #1051 --- apparmor.d/abstractions/authentication.d/complete | 8 ++++++++ apparmor.d/abstractions/mapping/login | 1 + apparmor.d/groups/cron/cron | 2 -- apparmor.d/groups/cron/cron-exim4-base | 2 -- apparmor.d/groups/cron/cron-popularity-contest | 2 -- apparmor.d/groups/cron/crontab | 1 - apparmor.d/groups/display-manager/lightdm | 2 -- apparmor.d/groups/gnome/gdm-session-worker | 2 -- apparmor.d/groups/kde/sddm | 3 --- apparmor.d/groups/ssh/sshd | 2 -- apparmor.d/groups/utils/login | 3 --- apparmor.d/groups/virt/cockpit-session | 1 - apparmor.d/profiles-a-f/atd | 1 - apparmor.d/profiles-a-f/check-support-status-hook | 2 -- apparmor.d/profiles-g-l/gamemoded | 2 -- apparmor.d/profiles-m-r/runuser | 1 - 16 files changed, 9 insertions(+), 26 deletions(-) diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 1828e35166..1ee3a40bf3 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -13,4 +13,12 @@ @{lib}/security-misc/pam-info rPx, @{lib}/security-misc/pam_faillock_not_if_x rPx, + # pam_limit + @{etc_ro}/security/limits.conf r, + + # pam_env + @{etc_ro}/security/pam_env.conf r, + @{etc_ro}/security/pam_env.conf.d/ r, + @{etc_ro}/security/pam_env.conf.d/{,*.conf} r, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login index 7ccc2d6789..40139796f0 100644 --- a/apparmor.d/abstractions/mapping/login +++ b/apparmor.d/abstractions/mapping/login @@ -31,6 +31,7 @@ @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, @{etc_ro}/security/pam_env.conf r, + @{etc_ro}/security/pam_env.conf.d/{,*} r, @{etc_ro}/login.defs r, @{etc_ro}/login.defs.d/{,*} r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index b45cfad9cb..efc1008c19 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -38,8 +38,6 @@ profile cron @{exec_path} flags=(attach_disconnected) { /etc/cron.d/{,*} r, /etc/crontab r, /etc/default/locale r, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,**} r, /var/spool/cron/crontabs/{,*} r, /var/spool/cron/tabs/{,*} r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 784dfae193..1d13585a59 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -51,8 +51,6 @@ profile cron-exim4-base @{exec_path} { owner @{PROC}/@{pid}/fd/ r, @{PROC}/1/limits r, - @{etc_ro}/security/limits.d/ r, - include if exists } diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 44d3a546f7..9434489578 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -98,8 +98,6 @@ profile cron-popularity-contest @{exec_path} { @{sh_path} rix, @{bin}/popularity-contest rPx, - @{etc_ro}/security/limits.d/ r, - /var/log/popularity-contest.new w, @{PROC}/1/limits r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 7663b5dafa..7b04be54ca 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -34,7 +34,6 @@ profile crontab @{exec_path} { @{lib}/systemd/system-generators/systemd-crontab-generator PUx, @{etc_ro}/environment r, - @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, /etc/pam.d/* r, diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index a29cc91128..b526017198 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -62,8 +62,6 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, /etc/lightdm/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d24c732195..bf150567e6 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -80,8 +80,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /etc/nshadow rw, /etc/shadow w, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*.conf} r, /etc/default/locale r, /etc/fscrypt.conf r, /etc/gdm{3,}/custom.conf r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 22ff544473..25aa0e9604 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -129,10 +129,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/X11/xinit/xinitrc.d/{,*} r, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*.conf} r, @{etc_ro}/X11/Xmodmap r, - /etc/debuginfod/{,*} r, /etc/manpath.config r, /etc/default/locale r, /etc/locale.conf r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 7cf0cd8c1a..9d4364968c 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -79,8 +79,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{lib}/{openssh,ssh}/sshd-auth Px, @{lib}/{openssh,ssh}/sshd-session Px, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*.conf} r, @{etc_rw}/motd r, @{etc_rw}/motd.d/{,**} r, /etc/default/locale r, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6d1efabb3f..7f848b488a 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -43,9 +43,6 @@ profile login @{exec_path} flags=(attach_disconnected) { @{etc_ro}/environment r, @{etc_ro}/security/group.conf r, - @{etc_ro}/security/limits.conf r, - @{etc_ro}/security/limits.d/{,*} r, - @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index eaeb5c0544..e7eeec73f6 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -45,7 +45,6 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{bin}/ssh-add rCx -> ssh-add, @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*.conf} r, /etc/cockpit/disallowed-users r, /etc/group r, /etc/machine-id r, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index a1c0671e49..c9b97a7f35 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -33,7 +33,6 @@ profile atd @{exec_path} { @{sbin}/exim4 rPx, @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/ r, /var/spool/cron/atjobs/{,*} rwl, /var/spool/cron/atspool/{,*} rwl, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index a33fe4957c..9cd895382f 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -116,8 +116,6 @@ profile check-support-status-hook @{exec_path} { owner @{PROC}/@{pids}/loginuid r, @{PROC}/1/limits r, - @{etc_ro}/security/limits.d/ r, - /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output w, diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index 346bf4f657..99af781018 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded @@ -59,8 +59,6 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/procsysctl ix, - @{etc_ro}/security/limits.d/ r, - @{etc_ro}/security/limits.d/@{int}-gamemode.conf r, /etc/shells r, @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 29665ebca1..1c381f0a14 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -27,7 +27,6 @@ profile runuser @{exec_path} { @{bin}/@{shells} rUx, @{bin}/mkdir ix, - @{etc_ro}/security/limits.d/ r, /etc/default/runuser r, owner @{tmp}/debian-security-support.postinst.*/output w, From 7b01387d8eb67395b258d4d81bfbd4ea9b859ff6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 23:11:25 +0100 Subject: [PATCH 1524/1736] fix(profile): improve support with opensuse fix #1051 --- apparmor.d/groups/kde/drkonqi | 9 ++++----- apparmor.d/profiles-g-l/git | 4 ++-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index bcfb3c0ea4..7bebd976ff 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -26,13 +26,12 @@ profile drkonqi @{exec_path} { @{exec_path} mr, + @{bin}/kwin_x11 r, + @{bin}/lsb_release Px, @{bin}/plasmashell r, - @{bin}/lsb_release rPx, /usr/share/drkonqi/{,**} r, - /etc/machine-id r, - / r, owner @{user_cache_dirs}/drkonqi/ rw, @@ -50,12 +49,12 @@ profile drkonqi @{exec_path} { /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, /{run,var}/log/journal/remote/ r, - /dev/tty r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, + /dev/tty r, + include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 99e53b4843..e140722a99 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -88,8 +88,8 @@ profile git @{exec_path} flags=(attach_disconnected) { /etc/gitconfig r, /etc/mailname r, - /etc/ssh/ssh_config r, - /etc/ssh/ssh_config.d/{,*} r, + @{etc_ro}/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, owner @{user_projects_dirs}/ rw, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, From 5f1f827937ea7910cafcf2e617d78386b7af1bff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 23:15:24 +0100 Subject: [PATCH 1525/1736] fix(profile): okular: add audio-client fix #1042 --- apparmor.d/groups/kde/okular | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 42f83483d0..a25532d208 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/okular profile okular @{exec_path} { include - include + include include include include @@ -83,6 +83,7 @@ profile okular @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, From dea3cf4eb53f251589f436fba5b3a023ff5e5604 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Mar 2026 23:34:17 +0100 Subject: [PATCH 1526/1736] fix(profile): few profiles fixes. fix #1012 --- apparmor.d/abstractions/golang-strict | 1 + apparmor.d/groups/freedesktop/xrdb | 2 +- apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/xwaylandvideobridge | 4 ++++ apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/systemd/systemd-logind | 5 +++++ apparmor.d/groups/systemd/systemd-makefs | 2 ++ apparmor.d/groups/systemd/systemd-remount-fs | 1 + apparmor.d/groups/systemd/systemd-tmpfiles | 8 ++++---- apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/virt/containerd | 1 + apparmor.d/groups/virt/dockerd | 4 ++++ 12 files changed, 26 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/golang-strict b/apparmor.d/abstractions/golang-strict index 857ad37461..ca6b05245e 100644 --- a/apparmor.d/abstractions/golang-strict +++ b/apparmor.d/abstractions/golang-strict @@ -16,6 +16,7 @@ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.service/cpu.max r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index f06dabea6b..53b5fb5bcd 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xrdb -profile xrdb @{exec_path} { +profile xrdb @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 0b51ad700d..8ad9129a32 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -127,6 +127,7 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /var/lib/update-manager/meta-release-lts rw, + owner @{MOUNTS}/ r, owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge index 889018a138..be9be5a627 100644 --- a/apparmor.d/groups/kde/xwaylandvideobridge +++ b/apparmor.d/groups/kde/xwaylandvideobridge @@ -15,11 +15,15 @@ profile xwaylandvideobridge @{exec_path} { @{exec_path} mr, + /usr/share/color-schemes/{,*} r, + /etc/machine-id r, owner @{user_cache_dirs}/xwaylandvideobridge/ rw, owner @{user_cache_dirs}/xwaylandvideobridge/** rwk, + owner @{user_config_dirs}/breezerc r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index be2586da99..8ef89886a1 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -48,6 +48,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+hdaudio:* r, # For High Definition Audio devices, such as sound cards and audio interfaces. @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 297669bea8..5b691e34f9 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -78,6 +78,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) @@ -86,6 +89,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 804b03480a..9bbc2a4bd3 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -21,6 +21,8 @@ profile systemd-makefs @{exec_path} flags=(attach_disconnected) { @{sbin}/mkfs.* rPx, @{sbin}/mkswap rPx, + @{PROC}/sys/fs/nr_open r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index d3d08c768b..591f5fa26c 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -37,6 +37,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{PROC}/ r, @{PROC}/1/cmdline r, + @{PROC}/sys/fs/nr_open r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index d4c92b8734..e0c2332fb6 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -54,13 +54,13 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/ r, @{sys}/devices/system/cpu/cpufreq/ r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, - @{sys}/devices/system/cpu/microcode/reload w, - @{sys}/module/pcie_aspm/parameters/policy w, + + # Tmpfiles file can also be set in /sys and /proc + @{sys}/** w, + @{PROC}/** w, @{PROC}/@{pid}/net/unix r, @{PROC}/1/cmdline r, - @{PROC}/sched_debug w, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 3ea11c22dc..1b16dbd6cc 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -128,6 +128,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{PROC}/driver/nvidia/params r, @{PROC}/pressure/* r, @{PROC}/sys/fs/nr_open r, + @{PROC}/sys/vm/swappiness rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/oom_score_adj rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 63fcc503c2..12be210d5b 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -60,6 +60,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /opt/cni/bin/bandwidth rPx, /opt/cni/bin/calico rPx, + /etc/cdi/{,**} r, /etc/calico/ rw, /etc/cni/ rw, /etc/cni/{,**} r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 8102271cf7..4c8156f19f 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -90,8 +90,11 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{att}@{lib}/containerd/** rw, @{att}/var/lib/containerd/** rw, @{att}/var/lib/docker/{,**} rwk, + @{att}/@/var/lib/docker/{,**} rwk, + /etc/cdi/{,**} r, /etc/docker/{,**} r, + /etc/os-release r, @{att}/ r, @@ -130,6 +133,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r, @{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/ipv{4,6}/conf/*/disable_ipv{4,6} rw, + @{PROC}/sys/net/ipv{4,6}/conf/br-*/accept_ra w, @{PROC}/sys/net/ipv{4,6}/conf/docker@{int}/accept_ra rw, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, From f0b7543df4e1c1ec80e21859a2b67f89fc216453 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Mar 2026 14:00:28 +0100 Subject: [PATCH 1527/1736] doc: cleanup unfinished sentenses. --- docs/abstractions/index.md | 6 ------ docs/security/hardening.md | 2 +- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/docs/abstractions/index.md b/docs/abstractions/index.md index 723fff009b..1c86ffbd4b 100644 --- a/docs/abstractions/index.md +++ b/docs/abstractions/index.md @@ -20,12 +20,6 @@ This project and the official apparmor-profiles project provide a large selectio include ``` -!!! warning - - https://snapcraft.io/docs/supported-interfaces - -find apparmor.d/abstractions/ -maxdepth 1 -type f | wc -l - ## Architecture Abstraction are structured in layers as follows: diff --git a/docs/security/hardening.md b/docs/security/hardening.md index 6b09721aee..a5c2129243 100644 --- a/docs/security/hardening.md +++ b/docs/security/hardening.md @@ -21,7 +21,7 @@ Hardening a system usually means installing a set of security tools and configur **Example** -- Instead of disabling some kernel modules, it is better to build the kernel without the module at all in such a way that even if an attacker manage to load the module, it would not be possible. +- Instead of disabling some kernel modules, it is better to build the kernel without the module at all and to lock it down. In such a way, even if an attacker get root access to the system, it would not be possible for them to load anything in the kernel. - Instead of disabling USB storage devices because they could be used to exfiltrate data, it would be way better to design the system in such a way that even if a USB storage device is connected, it cannot be used to exfiltrate data. From c783ce93e779d2e4cf18178a8f476761cdb2d2b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Mar 2026 23:54:08 +0100 Subject: [PATCH 1528/1736] fix(build): fix minor parser bug. --- cmd/aa/main.go | 2 +- pkg/aa/parse.go | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index b0737de77f..7e9e5e486d 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -127,7 +127,7 @@ func formatFile(kind kind, profile string) (string, error) { for idx, rules := range rulesByParagraph { aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - fmt.Printf(rules.String() + "\n") + fmt.Println(rules.String()) } return profile, nil } diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 2d5945a67f..c9a38c1119 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -992,7 +992,7 @@ func ParseRules(input string) (ParaRules, []string, error) { } paragraphs = append(paragraphs, paragraph) - rules, err := parseContentRules(input) + rules, err := parseContentRules(paragraph) if err != nil { return nil, nil, err } @@ -1004,7 +1004,13 @@ func ParseRules(input string) (ParaRules, []string, error) { // Scan an apparmor profile file with multiple profiles, hats, and nested. // Like Parse, but process all profiles and blocks in the file. -func (f *AppArmorProfileFile) Scan(input string) error { +func (f *AppArmorProfileFile) Scan(input string) (retErr error) { + defer func() { + if r := recover(); r != nil { + retErr = fmt.Errorf("%v", r) + } + }() + blocks, err := tokenizeBlock(input) if err != nil { return err From d348e10bc36da5474276168008eeaaa7b2668137 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Mar 2026 00:38:55 +0100 Subject: [PATCH 1529/1736] fix(build): pci_bus has been cherry picked to all aa 4.1 fix #1058 --- apparmor.d/tunables/multiarch.d/system | 1 - pkg/configure/configure.go | 30 +++++++++++++++++++------- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index d501ce69e4..2ae30b47f5 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -59,7 +59,6 @@ # System Internal # --------------- -#aa:only debian @{pci_bus}=pci@{hex4}:@{hex2} # Shortcut for PCI device diff --git a/pkg/configure/configure.go b/pkg/configure/configure.go index 2cfbe4a814..ba8abed8db 100644 --- a/pkg/configure/configure.go +++ b/pkg/configure/configure.go @@ -46,6 +46,17 @@ func (p Configure) Apply() ([]string, error) { return res, err } + // @{pci_bus} was upstreamed in 5.0, and backported to 4.1, and in Ubuntu 24.04 + path := p.RootApparmor.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + if path.WriteFile([]byte(out)); err != nil { + return res, err + } + if tasks.Release["VERSION_CODENAME"] == "noble" { remove := []string{ "tunables/multiarch.d/base", @@ -89,6 +100,17 @@ func (p Configure) Apply() ([]string, error) { if err := p.removeFiles(remove); err != nil { return res, err } + + // @{pci_bus} was upstreamed in 5.0, and backported to 4.1 + path := p.RootApparmor.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + if err := path.WriteFile([]byte(out)); err != nil { + return res, err + } } if p.Version >= 5.0 { remove := []string{ @@ -108,14 +130,6 @@ func (p Configure) Apply() ([]string, error) { return res, err } - // @{pci_bus} was upstreamed in 5.0 - path := p.RootApparmor.Join("tunables/multiarch.d/system") - out, err := path.ReadFileAsString() - if err != nil { - return res, err - } - out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") - return res, path.WriteFile([]byte(out)) } return res, nil } From 9b7bcb77121d92986c13c1c87bd0ae2cf8da5f38 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Mar 2026 11:01:00 +0100 Subject: [PATCH 1530/1736] feat(profile): ensure we use any version of xtables. See #1063 --- apparmor.d/groups/firewall/firewalld | 3 +-- apparmor.d/groups/firewall/ufw | 3 +-- apparmor.d/groups/firewall/ufw-init | 3 +-- apparmor.d/groups/network/NetworkManager | 6 +++--- apparmor.d/groups/network/openvpn | 2 +- apparmor.d/groups/network/tailscaled | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/virt/dockerd | 6 ++---- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/groups/virt/xtables | 2 +- apparmor.d/groups/whonix/whonix-firewalld | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 6 +++--- apparmor.d/profiles-m-r/monitorix | 2 +- tests/check.sh | 2 ++ tests/sbin.list | 1 + 16 files changed, 22 insertions(+), 24 deletions(-) diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index c56a4a70c1..509296f47f 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -38,8 +38,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{sbin}/ebtables-legacy ix, @{sbin}/ebtables-legacy-restore ix, @{sbin}/ipset ix, - @{sbin}/xtables-legacy-multi ix, - @{sbin}/xtables-nft-multi mix, + @{sbin}/xtables-{nft,legacy}-multi rmix, /usr/local/lib/@{python_name}/dist-packages/ r, diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index 4397495c21..1635d88126 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -36,8 +36,7 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{lib}/ufw/ufw-init rPx, @{sbin}/sysctl rCx -> sysctl, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-{nft,legacy}-multi rix, /usr/share/ufw/{,**} r, diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 868917a049..13812296bf 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -28,8 +28,7 @@ profile ufw-init @{exec_path} { @{sh_path} rix, @{bin}/echo rix, @{sbin}/sysctl rCx -> sysctl, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-{nft,legacy}-multi rix, @{bin}/kmod rCx -> kmod, /etc/default/ufw r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 69aa7c55ff..d0be8748a3 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -75,9 +75,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{sbin}/nft rix, - @{sbin}/xtables-legacy-multi rix, + @{sh_path} rix, + @{sbin}/nft rix, + @{sbin}/xtables-{nft,legacy}-multi rix, @{bin}/kmod rCx -> kmod, @{bin}/netconfig rPUx, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 7eed686996..4e63814cc0 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -86,7 +86,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/ip rix, @{bin}/which{,.debianutils} rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-{nft,legacy}-multi rix, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 4f3a5a532d..26e771a667 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -37,7 +37,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{bin}/ip rix, @{bin}/resolvectl rPx, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-{nft,legacy}-multi rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index eaf2b3b050..def051d8ac 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -39,7 +39,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sbin}/nft rix, @{sbin}/resolvconf rPx, @{sbin}/sysctl rCx -> sysctl, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-{nft,legacy}-multi rix, /usr/share/iproute2/group r, /usr/share/iproute2/rt_realms r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 4c8156f19f..2409f1218c 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -80,8 +80,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, @{sbin}/nft rCx -> nft, - @{sbin}/xtables-nft-multi rCx -> nft, - @{sbin}/xtables-legacy-multi rCx -> nft, + @{sbin}/xtables-{nft,legacy}-multi rCx -> nft, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. @@ -160,8 +159,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network netlink raw, @{sbin}/nft rix, - @{sbin}/xtables-nft-multi rix, - @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-{nft,legacy}-multi rix, @{bin}/kmod rPx -> dockerd//kmod, /usr/share/iproute2/* r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 6e31b71814..3c1166b83d 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -62,7 +62,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-run rix, @{bin}/{nano,emacs,ed} rPUx, @{bin}/vim{,.basic} rPUx, - @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-{nft,legacy}-multi rPx -> cni-xtables-nft, @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/@{hex}/bin/* rix, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 64a7a78dff..621c061bda 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -148,7 +148,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{sbin}/tc rix, @{bin}/xmllint rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-{nft,legacy}-multi rix, @{lib}/libvirt/virt-aa-helper rPx, /etc/libvirt/hooks/** rPUx, diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables index a10b75ddef..511fa53fbf 100644 --- a/apparmor.d/groups/virt/xtables +++ b/apparmor.d/groups/virt/xtables @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi +@{exec_path} = @{sbin}/xtables-{nft,legacy}-multi profile xtables { include include diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 08322714f3..47ee460f67 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -29,7 +29,7 @@ profile whonix-firewalld @{exec_path} { @{bin}/rm rix, @{bin}/touch rix, @{bin}/whonix-*-firewall rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-{nft,legacy}-multi rix, @{bin}/qubesdb-read rPUx, @{bin}/qubesdb-cmd rPUx, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 629208bc62..4be2ebe206 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -19,9 +19,9 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{sbin}/xtables-nft-multi rix, - @{bin}/iptables rix, + @{sh_path} rix, + @{sbin}/xtables-{nft,legacy}-multi rix, + @{bin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index 5c349423fe..ab81622cc4 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -49,7 +49,7 @@ profile monitorix @{exec_path} { @{bin}/who Px, @{sbin}/lvm Px, @{sbin}/ss Px, - @{sbin}/xtables-nft-multi ix, + @{sbin}/xtables-{nft,legacy}-multi rix, /var/lib/monitorix/www/cgi/monitorix.cgi ix, diff --git a/tests/check.sh b/tests/check.sh index f4eda3ea1d..36f44134b4 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -245,6 +245,8 @@ declare -A EQUIVALENTS=( ["grep"]="{,e}grep" ["gs"]="gs{,.bin}" ["which"]="which{,.debianutils}" + ["xtables-legacy-multi"]="xtables-{nft,legacy}-multi" + ["xtables-nft-multi"]="xtables-{nft,legacy}-multi" ) _check_equivalent() { _is_enabled equivalent || return 0 diff --git a/tests/sbin.list b/tests/sbin.list index 2cbe66d0bc..0345dc023b 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -889,6 +889,7 @@ xfsdist-bpfcc xfsdist.bt xfsslower-bpfcc xkbctrl +xtables- xtables-legacy-multi xtables-nft-multi yast2 From 1a3a0cff3c799fd10d3cfdd3ebbef1e9d869545f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Mar 2026 11:37:31 +0100 Subject: [PATCH 1531/1736] feat(profile): remove kube and cni profiles They are obviously not complete and have not been maintainted for a while. Keeping them is too risky. --- apparmor.d/groups/virt/cni-bandwidth | 24 ---- apparmor.d/groups/virt/cni-bridge | 18 --- apparmor.d/groups/virt/cni-calico | 46 ------- apparmor.d/groups/virt/cni-firewall | 18 --- apparmor.d/groups/virt/cni-flannel | 18 --- apparmor.d/groups/virt/cni-host-local | 18 --- apparmor.d/groups/virt/cni-loopback | 28 ---- apparmor.d/groups/virt/cni-portmap | 25 ---- apparmor.d/groups/virt/cni-tuning | 18 --- apparmor.d/groups/virt/k3s | 174 ------------------------ apparmor.d/groups/virt/kubernetes-pause | 20 --- 11 files changed, 407 deletions(-) delete mode 100644 apparmor.d/groups/virt/cni-bandwidth delete mode 100644 apparmor.d/groups/virt/cni-bridge delete mode 100644 apparmor.d/groups/virt/cni-calico delete mode 100644 apparmor.d/groups/virt/cni-firewall delete mode 100644 apparmor.d/groups/virt/cni-flannel delete mode 100644 apparmor.d/groups/virt/cni-host-local delete mode 100644 apparmor.d/groups/virt/cni-loopback delete mode 100644 apparmor.d/groups/virt/cni-portmap delete mode 100644 apparmor.d/groups/virt/cni-tuning delete mode 100644 apparmor.d/groups/virt/k3s delete mode 100644 apparmor.d/groups/virt/kubernetes-pause diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth deleted file mode 100644 index 3192c70510..0000000000 --- a/apparmor.d/groups/virt/cni-bandwidth +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth -profile cni-bandwidth @{exec_path} { - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge deleted file mode 100644 index 1e27d04a3b..0000000000 --- a/apparmor.d/groups/virt/cni-bridge +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/bridge /opt/cni/bin/bridge -profile cni-bridge @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico deleted file mode 100644 index 9015d2157d..0000000000 --- a/apparmor.d/groups/virt/cni-calico +++ /dev/null @@ -1,46 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico -profile cni-calico @{exec_path} flags=(attach_disconnected) { - include - include - - capability sys_admin, - capability net_admin, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - signal (receive) set=kill peer=containerd, - - @{exec_path} mr, - @{exec_path}-ipam rix, - - / r, - - /etc/cni/net.d/{,**} r, - - /var/lib/calico/{,**} r, - /var/log/calico/cni/ r, - /var/log/calico/cni/*.log rw, - - @{run}/calico/ rw, - @{run}/calico/ipam.lock rwk, - @{run}/netns/cni-@{uuid} r, - - @{PROC}/sys/net/ipv{4,6}/ip_forward rw, - @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall deleted file mode 100644 index d5171e8dcc..0000000000 --- a/apparmor.d/groups/virt/cni-firewall +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/firewall /opt/cni/bin/firewall -profile cni-firewall @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel deleted file mode 100644 index c32bf5e2f8..0000000000 --- a/apparmor.d/groups/virt/cni-flannel +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/flannel /opt/cni/bin/flannel -profile cni-flannel @{exec_path} flags=(complain,attach_disconnected) { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local deleted file mode 100644 index 2a27cd8bc7..0000000000 --- a/apparmor.d/groups/virt/cni-host-local +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/host-local /opt/cni/bin/host-local -profile cni-host-local @{exec_path} flags=(complain,attach_disconnected) { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback deleted file mode 100644 index fd4f50df32..0000000000 --- a/apparmor.d/groups/virt/cni-loopback +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/loopback /opt/cni/bin/loopback -profile cni-loopback @{exec_path} flags=(attach_disconnected) { - include - - capability sys_admin, - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - - / r, - - @{run}/netns/ r, - @{run}/netns/cni-@{uuid} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap deleted file mode 100644 index 0f2692ecf9..0000000000 --- a/apparmor.d/groups/virt/cni-portmap +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/portmap /opt/cni/bin/portmap -profile cni-portmap @{exec_path} { - include - - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, - - @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning deleted file mode 100644 index c6cc1f1dc3..0000000000 --- a/apparmor.d/groups/virt/cni-tuning +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/cni/tuning /opt/cni/bin/tuning -profile cni-tuning @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s deleted file mode 100644 index 3c1166b83d..0000000000 --- a/apparmor.d/groups/virt/k3s +++ /dev/null @@ -1,174 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{usr/,}{local/,}bin/k3s -profile k3s @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - capability chown, - capability kill, - capability dac_override, - capability dac_read_search, - capability fsetid, - capability fowner, - capability net_admin, - capability syslog, - capability sys_admin, - capability sys_ptrace, - capability sys_resource, - - ptrace peer=@{profile_name}, - ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined}, - - # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes. - # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. - ptrace (read) peer=container-*, - ptrace (read) peer=docker-*, - ptrace (read) peer=k3s-*, - ptrace (read) peer=kubernetes-*, - # When using ZFS as storage provider instead of the default overlay2. - ptrace (read) peer=zfs, - ptrace (read) peer=zpool, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - mount -> /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, - mount -> /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**}, - - umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, - umount /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**}, - - signal (send, receive) set=term, - signal (send) set=kill peer=unconfined, - - unix (bind,listen) type=stream addr=@xtables, - - @{exec_path} mr, - - @{bin}/kmod rPx, - @{bin}/mount rPx, - @{bin}/systemd-run rix, - @{bin}/{nano,emacs,ed} rPUx, - @{bin}/vim{,.basic} rPUx, - @{sbin}/xtables-{nft,legacy}-multi rPx -> cni-xtables-nft, - - @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, - /var/lib/rancher/k3s/data/@{hex}/bin/* rix, - - @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - - /etc/machine-id r, - /etc/rancher/{,**} rw, - - /var/lib/kubelet/{,**} rw, - /var/lib/rancher/{,**} rw, - /var/lib/rancher/k3s/data/.lock rwk, - /var/lib/rancher/k3s/server/db/{,**} rwk, - - /var/log/containers/ r, - /var/log/containers/** rw, - /var/log/rancher/{,**} r, - /var/log/kubelet/{,**} r, - /var/log/kubernetes/{,**} r, - /var/log/kubernetes/audit/** rw, - /var/log/pods/{,**} r, - /var/log/pods/{,**/} rw, - /var/log/pods/**/@{int}.log{,*} rw, - - owner @{HOME}/.kube/** rw, - - @{run}/containerd/containerd.sock rw, - @{run}/systemd/private rw, - @{run}/systemd/resolve/resolv.conf r, - @{run}/nodeagent/ rw, - @{run}/xtables.lock rwk, - - owner /var/tmp/** rwkl, - owner @{tmp}/** rwkl, - - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/cpuset r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/limits r, - owner @{PROC}/@{pids}/mounts r, - owner @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/net/ip_tables_names r, - owner @{PROC}/@{pids}/net/ipv6_route r, - owner @{PROC}/@{pids}/net/route r, - owner @{PROC}/@{pids}/oom_score_adj rw, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/uid_map r, - - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/modules r, - @{PROC}/sys/fs/pipe-max-size r, - @{PROC}/sys/kernel/keys/* r, - @{PROC}/sys/kernel/panic rw, - @{PROC}/sys/kernel/panic_on_oom rw, - @{PROC}/sys/kernel/panic_on_oops rw, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/threads-max r, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, - @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, - @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, - @{PROC}/sys/net/netfilter/* rw, - @{PROC}/sys/vm/panic_on_oom r, - - @{sys}/class/net/ r, - - @{sys}/devices/@{pci}/net/*/{address,mtu,speed} r, - @{sys}/devices/system/edac/mc/ r, - @{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r, - @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, - @{sys}/devices/system/cpu/present{,/} r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/ r, - @{sys}/devices/system/node/node@{int}/{cpumap,distance,meminfo} r, - @{sys}/devices/system/node/node@{int}/hugepages/{,**} r, - - @{sys}/devices/virtual/block/*/** r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/cali@{hex}/{address,mtu,speed} r, - @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, - - @{sys}/fs/cgroup/{,*,*/} r, - @{sys}/fs/cgroup/cgroup.subtree_control rw, - @{sys}/fs/cgroup/kubepods/{,**} rw, - @{sys}/fs/cgroup/system.slice/{,**/} r, - @{sys}/fs/cgroup/system.slice/k3s.service/* r, - @{sys}/fs/cgroup/user.slice/ r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r, - - @{sys}/kernel/mm/hugepages/ r, - @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, - @{sys}/kernel/security/apparmor/profiles r, - - @{sys}/module/apparmor/parameters/enabled r, - - /dev/kmsg r, - /dev/pts/@{u16} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause deleted file mode 100644 index 8692655dda..0000000000 --- a/apparmor.d/groups/virt/kubernetes-pause +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /pause -profile kubernetes-pause @{exec_path} flags=(attach_disconnected) { - include - - signal (receive) set=kill, - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor From bce3120923867b231b203944fe6aef389dc78d99 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Mar 2026 11:02:02 +0100 Subject: [PATCH 1532/1736] fix(profile): pacman: do not specify link target. fix #1070 --- apparmor.d/groups/pacman/pacman | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index a9c1ecbcc9..248e61277e 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -97,12 +97,12 @@ profile pacman @{exec_path} flags=(attach_disconnected) { #aa:lint ignore=too-wide / r, /*{,/} rw, - @{efi}/** rwl -> @{efi}/**, - /etc/** rwl -> /etc/**, - /opt/** rwl -> /opt/**, - /srv/** rwl -> /srv/**, - /usr/** rwlk -> /usr/**, - /var/** rwlk -> /var/**, + @{efi}/** rwlk, + /etc/** rwlk, + /opt/** rwlk, + /srv/** rwlk, + /usr/** rwlk, + /var/** rwlk, # Read packages files @{user_pkg_dirs}/{,**} r, From 70134896bcdda7b70bb6344c462c4573943dfc2c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Mar 2026 11:25:46 +0100 Subject: [PATCH 1533/1736] fix(profile): hwdb.bin link creation see #1070 --- apparmor.d/groups/systemd/systemd-hwdb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index d44442cad5..ab2ce97874 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -18,10 +18,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/udev/#@{int} rwl, @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int}, - @{lib}/udev/hwdb.bin w, + @{lib}/udev/hwdb.bin wl -> @{lib}/udev/#@{int}, /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int}, - /etc/udev/hwdb.bin w, + /etc/udev/hwdb.bin wl -> @{lib}/udev/#@{int}, /etc/udev/hwdb.d/{,*} r, owner @{PROC}/@{pid}/stat r, From 244ad164e14b637071840243dc44cd1a30c09166 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Mar 2026 11:27:50 +0100 Subject: [PATCH 1534/1736] build(debian): ensure apparmor is not loaded twice during update. --- debian/common.postinst | 2 +- debian/common.postrm | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/debian/common.postinst b/debian/common.postinst index 840f3196b4..e6651093ef 100644 --- a/debian/common.postinst +++ b/debian/common.postinst @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache || true +apparmor_parser --purge-cache 2>/dev/null || true deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/common.postrm b/debian/common.postrm index 840f3196b4..2d83cea75c 100644 --- a/debian/common.postrm +++ b/debian/common.postrm @@ -7,7 +7,11 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service || true +case "$1" in + remove|purge) + apparmor_parser --purge-cache 2>/dev/null || true + deb-systemd-invoke reload apparmor.service || true + ;; +esac exit 0 From 436c6b50ccbee4c00126c11b2fd65dfbf4196ad0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Mar 2026 11:50:13 +0100 Subject: [PATCH 1535/1736] feat(profile): update kde profiles. Also fix #992 --- .../abstractions/fontconfig-cache-write | 26 +++++++++---------- apparmor.d/groups/kde/DiscoverNotifier | 2 +- apparmor.d/groups/kde/baloo | 1 + apparmor.d/groups/kde/dolphin | 1 + apparmor.d/groups/kde/kde-powerdevil | 5 ++-- apparmor.d/groups/kde/kded | 7 ++--- apparmor.d/groups/kde/kstart | 3 +-- apparmor.d/groups/kde/kwin_wayland | 17 +++++------- apparmor.d/groups/kde/plasmashell | 7 ++++- apparmor.d/groups/kde/sddm-greeter | 1 - apparmor.d/groups/kde/systemsettings | 1 + apparmor.d/groups/systemd/systemd-udevd | 1 + 12 files changed, 39 insertions(+), 33 deletions(-) diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 2d3eefe32a..ff844f3284 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -23,19 +23,19 @@ owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, - owner @{gdm_cache_dirs}/fontconfig/ w, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, - owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, - owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, - owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, - owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, - owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG w, - owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK wl, - owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW w, - owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} wl, + owner @{desktop_cache_dirs}/fontconfig/ w, + owner @{desktop_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner @{desktop_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{desktop_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{desktop_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, + owner @{desktop_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{desktop_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} wl, + owner @{desktop_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner @{desktop_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{desktop_cache_dirs}/fontconfig/CACHEDIR.TAG w, + owner @{desktop_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK wl, + owner @{desktop_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW w, + owner @{desktop_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} wl, owner @{HOME}/.fontconfig/ w, owner @{HOME}/.fontconfig/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index cb86ce2cd1..1cc72fc9fd 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,11 +10,11 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include network inet dgram, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 827ef78f48..4bf009f1ec 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file profile baloo @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 3e42a96a4b..033777186b 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -131,6 +131,7 @@ profile dolphin @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 5fce9a7fd1..ab98f90912 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -13,10 +13,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include + include include include - include include + include include include include @@ -26,7 +27,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, #aa:dbus own bus=system name=org.freedesktop.Policy.Power - #aa:dbus own bus=system name=org.kde.kf5auth path=/ + #aa:dbus own bus=system name=org.kde.kf[56]auth path=/ #aa:dbus own bus=session name=local.org_kde_powerdevil #aa:dbus own bus=session name=org.freedesktop.PowerManagement diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 8ad9129a32..1dd913a163 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -11,8 +11,8 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include #aa:only apt include - include include + include include include include @@ -73,12 +73,12 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" dbus receive bus=system path=/ - interface=org.kde.kf5auth + interface=org.kde.kf{5,6}auth member=remoteSignal peer=(name=@{busname}, label=kauth-kded-smart-helper), dbus send bus=system path=/ - interface=org.kde.kf5auth + interface=org.kde.kf{5,6}auth member=performAction peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), @@ -124,6 +124,7 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { / r, @{efi}/ r, + /home/ r, owner /var/lib/update-manager/meta-release-lts rw, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 04d084d0c2..2773458638 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,11 +10,10 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include - include include + include include include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 045fd02aed..529b9706e2 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -11,6 +11,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -30,6 +31,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal receive set=(kill, term) peer=kwin_wayland_wrapper, signal send set=(kill, term) peer=xwayland, signal send set=term peer=unconfined, + signal send set=term peer=plasma-keyboard, unix type=stream peer=(label=xkbcomp), unix type=stream peer=(label=xwayland), @@ -40,6 +42,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect #aa:dbus own bus=session name=org.kde.screensaver + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd @{exec_path} mr, @@ -64,17 +67,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/pipewire/client.conf.d/ r, /etc/xdg/** r, - owner /var/lib/plasmalogin/.cache/{,**} rw, - owner /var/lib/plasmalogin/.config/{,**} rwk, - owner /var/lib/plasmalogin/.config/breezerc.@{rand6} rwl -> /var/lib/plasmalogin/.config/#@{int}, - / r, owner @{HOME}/ r, owner @{sddm_cache_dirs}/#@{int} rwk, - owner @{sddm_cache_dirs}/fontconfig/* rwk, - owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.LCK l -> @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.TMP-@{rand6}, - owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}{,TMP-@{rand6},NEW,LCK} w, owner @{sddm_cache_dirs}/ksycoca{5,6}_* rwkl -> @{sddm_cache_dirs}/#@{int}, owner @{sddm_config_dirs}/#@{int} rw, @@ -116,11 +112,12 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/Kvantum/{,**} r, owner @{user_config_dirs}/breezerc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_share_dirs}/aurorae/themes/{,**} r, owner @{user_share_dirs}/kscreen/* r, - owner @{user_share_dirs}/kwin/scripts/{,**} r, owner @{user_share_dirs}/kwin/effects/{,**} r, - owner @{user_share_dirs}/aurorae/themes/{,**} r, + owner @{user_share_dirs}/kwin/scripts/{,**} r, owner @{user_share_dirs}/plasma/desktoptheme/{,**} r, + owner @{user_share_dirs}/smod/decorations/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, @@ -152,7 +149,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{att}/dev/input/event@{int} rw, @{att}/dev/dri/card@{int} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index c77e128d4a..4c8485caf3 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -22,7 +22,6 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -44,6 +43,8 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal send, + # Owned by plasmashell + #aa:dbus own bus=session name=com.canonical.Unity #aa:dbus own bus=session name=org.freedesktop.Notifications #aa:dbus own bus=session name=org.kde.JobViewServer @@ -52,6 +53,10 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} + # Talk with plasmashell + + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 1675840a7a..4972eeb2c1 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/sddm-greeter{,-qt6} profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 8841eb2fb6..56558f9685 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -83,6 +83,7 @@ profile systemsettings @{exec_path} flags=(attach_disconnected,mediate_deleted) owner @{user_cache_dirs}/[kK]*/ rw, owner @{user_cache_dirs}/[kK]*/** rwlk -> @{user_cache_dirs}/[kK]*/**, owner @{user_cache_dirs}/#@{int} rwk, + owner @{user_cache_dirs}/plasma*/{,**} r, owner @{user_cache_dirs}/plasma* rw, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index adb50c642e..01b8b9359f 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -122,6 +122,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, + @{PROC}/asound/cards r, @{PROC}/devices r, @{PROC}/driver/nvidia/gpus/ r, @{PROC}/driver/nvidia/gpus/*/information r, From 672e64dde6bba353b75e33158545b4ec8fd25f40 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Mar 2026 11:58:33 +0100 Subject: [PATCH 1536/1736] feat(profile): update dbus rules. --- .../abstractions/bus/session/org.ayatana.NotificationItem | 5 +++++ .../abstractions/bus/session/org.freedesktop.systemd1 | 2 +- .../bus/session/org.gnome.Shell.SearchProvider2 | 7 ++++++- apparmor.d/abstractions/bus/session/org.gtk.Actions | 4 ++++ apparmor.d/abstractions/bus/system/org.freedesktop.UPower | 5 +++++ apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/groups/gnome/gjs | 2 +- apparmor.d/groups/gnome/gnome-calendar | 4 ++++ apparmor.d/groups/gnome/gnome-control-center | 2 ++ apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/goa-daemon | 1 + apparmor.d/groups/gnome/goa-identity-service | 5 +---- apparmor.d/groups/gvfs/gvfs-goa-volume-monitor | 7 ++----- apparmor.d/profiles-s-z/terminator | 2 +- 16 files changed, 37 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem b/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem index 940992b32a..6ef05910d2 100644 --- a/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem +++ b/apparmor.d/abstractions/bus/session/org.ayatana.NotificationItem @@ -4,6 +4,11 @@ abi , + dbus receive bus=session path=/org/ayatana/NotificationItem/* + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=@{busname}, label="@{pp_app_indicator}"), + dbus send bus=session path=/org/ayatana/NotificationItem/* interface=org.kde.StatusNotifierItem member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 index 1fad42ab0f..5c847cfe3c 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -31,7 +31,7 @@ member=PropertiesChanged peer=(label="@{p_systemd_user}"), - dbus send bus=system path=/org/freedesktop/systemd1 + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={SetEnvironment,UnsetAndSetEnvironment,ResetFailed} peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 index b1868ce316..fbeb7ce3d9 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 @@ -11,11 +11,16 @@ member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas} peer=(name=@{busname}, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Characters/SearchProvider + dbus receive bus=session path=/org/gnome/Characters/SearchProvider interface=org.gnome.Shell.SearchProvider2 member=*Cancel peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member=ActivateResult + peer=(name=@{busname}, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions index 02ec89a33f..3f724f5ccf 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Actions +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -58,6 +58,10 @@ member=Open peer=(label=@{profile_name}), + dbus send bus=session + interface=org.gtk.Actions + member=Activate, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower index 92ad15f1e2..1aacfed12d 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -52,6 +52,11 @@ member={GetHistory,Refresh} peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight + interface=org.freedesktop.UPower.KbdBacklight + member={GetBrightness,GetMaxBrightness} + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 7cff72f3d0..5733cd7065 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -18,6 +18,7 @@ include include #aa:only ubuntu include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 4e12b1f8c7..45909a3919 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -11,6 +11,7 @@ include include #aa:only ubuntu include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 228eae4d49..5e22dafbfd 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -11,6 +11,7 @@ include include #aa:only ubuntu include + include include include include diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 96a8f276ae..846c962ac8 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -73,7 +73,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.ScreenSaver # Only needed by org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Extensions path=/org/gnome/Shell # Only needed by org.gnome.Shell.Notifications #aa:dbus own bus=session name=org.gnome.Shell.Notifications diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 1be458a901..a96837d39e 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -17,6 +17,10 @@ profile gnome-calendar @{exec_path} flags=(attach_disconnected) { include include + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, network netlink raw, #aa:dbus own bus=session name=org.gnome.Calendar diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index d4180f7f3c..f4c9c702ff 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -62,6 +62,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + #aa:dbus talk bus=system name=org.freedesktop.timedate1 label=systemd-timedated #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} @@ -116,6 +117,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome/gnome-version.xml r, /usr/share/language-tools/main-countries r, + /usr/share/publicsuffix/{,**} r, /usr/share/thumbnailers/{,*} r, /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 1d3519af78..c29f3643c8 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -26,7 +26,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { unix type=stream peer=(label=fbwrap), #aa:dbus own bus=session name=org.gnome.keyring - #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} + #aa:dbus own bus=session name=org.freedesktop.[sS]ecret{,s}{,.Service} #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 9dab608d63..59e051e221 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -14,6 +14,7 @@ profile goa-daemon @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 3efc1ac448..0fac321adb 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -15,10 +15,7 @@ profile goa-identity-service @{exec_path} { #aa:dbus own bus=session name=org.gnome.Identity - dbus send bus=session path=/org/gnome/OnlineAccounts - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=goa-daemon), + #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 017a66e842..077e47196a 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -14,16 +14,13 @@ profile gvfs-goa-volume-monitor @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gnome/OnlineAccounts - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=goa-daemon), - @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index fb051fa7d8..856af81913 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -25,7 +25,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { signal send set=hup peer=unconfined, - #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} + #aa:dbus own bus=session name=net.tenshu.{T,t}erminator@{hex} dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager From d8b6f80395b7a38649235e2c10652386bdb149d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Mar 2026 15:25:09 +0100 Subject: [PATCH 1537/1736] fix(build): dist configure script. --- pkg/configure/configure.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/configure/configure.go b/pkg/configure/configure.go index ba8abed8db..825bb7548a 100644 --- a/pkg/configure/configure.go +++ b/pkg/configure/configure.go @@ -53,7 +53,7 @@ func (p Configure) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") - if path.WriteFile([]byte(out)); err != nil { + if err := path.WriteFile([]byte(out)); err != nil { return res, err } From 6132be0dc3216b7702578b97fa8f373c4a83b86b Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 20 Mar 2026 18:13:25 +0000 Subject: [PATCH 1538/1736] feat(profile): minor updates --- apparmor.d/groups/filesystem/btrfs | 1 + apparmor.d/groups/filesystem/mkswap | 1 + apparmor.d/groups/freedesktop/xorg | 3 +++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/polkit/polkit-agent-helper | 1 + apparmor.d/groups/systemd/systemd-sleep | 3 +++ apparmor.d/profiles-g-l/iw | 1 + 7 files changed, 11 insertions(+) diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index c7eb029118..51b9dbd197 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -35,6 +35,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /var/ r, /var/log/ r, /var/tmp/ r, + /var/cache/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/groups/filesystem/mkswap index 42caeafd2a..6555e014b8 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/groups/filesystem/mkswap @@ -11,6 +11,7 @@ include profile mkswap @{exec_path} { include include + include capability mknod, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index a7e493c435..c83b76843e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -32,6 +32,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_admin, capability sys_rawio, + capability sys_nice, signal (send) set=(usr1), @@ -123,6 +124,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, @{sys}/devices/platform/ r, + @{sys}/devices/@{pci}/tile0/gt0/freq0/min_freq r, + @{sys}/devices/@{pci}/tile0/gt0/freq0/max_freq r, @{sys}/module/i915/{,**} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index d0be8748a3..aa7e70755f 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -134,6 +134,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/+ieee80211:phy0 r, # For wireless interfaces @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 8e895483c5..835078a9ad 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -27,6 +27,7 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, ptrace read peer=pkttyagent, + ptrace read peer=unconfined, signal receive set=(term kill) peer=flatpak, signal receive set=(term kill) peer=gnome-shell, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 1ca7aba94c..343826c0b1 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -12,6 +12,7 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { include include include + include capability net_admin, capability sys_admin, @@ -36,12 +37,14 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf r, /etc/systemd/sleep.conf.d/{,*} r, + /etc/os-release r, @{run}/systemd/private rw, @{sys}/power/state rw, @{PROC}/sys/fs/nr_open r, + @{PROC}/swaps r, include if exists } diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 54155298cc..5153278eed 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -13,6 +13,7 @@ profile iw @{exec_path} { # To be able to manage network interfaces. capability net_admin, + capability sys_module, # Needed? audit deny capability sys_module, From 589576997ccbb1cd99290b78b1c872ddf77e3ab6 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 20 Mar 2026 18:16:26 +0000 Subject: [PATCH 1539/1736] feat(profile): remove rule --- apparmor.d/profiles-g-l/iw | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 5153278eed..54155298cc 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -13,7 +13,6 @@ profile iw @{exec_path} { # To be able to manage network interfaces. capability net_admin, - capability sys_module, # Needed? audit deny capability sys_module, From e1536bdd6a50016506eab57f30040ba9f377ea5a Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 20 Mar 2026 18:28:18 +0000 Subject: [PATCH 1540/1736] feat(profile): additional rules added. --- apparmor.d/groups/systemd/systemd-sleep | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 343826c0b1..99912b8f4e 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -42,6 +42,10 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{run}/systemd/private rw, @{sys}/power/state rw, + @{sys}/power/disk w, + @{sys}/power/resume rw, + @{sys}/power/resume_offset rw, + @{sys}/firmware@{efi}/efivars/HibernateLocation-@{uuid} w, @{PROC}/sys/fs/nr_open r, @{PROC}/swaps r, From 774cad5df41d3b97a171d64d300a47b9d5bd24ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Mar 2026 00:19:08 +0100 Subject: [PATCH 1541/1736] feat(abs): systemd: add access to /. See #1070 --- apparmor.d/abstractions/common/systemd | 6 +++--- apparmor.d/groups/freedesktop/colord | 2 ++ apparmor.d/groups/freedesktop/upowerd | 2 ++ apparmor.d/groups/gnome/gdm | 2 ++ apparmor.d/groups/gnome/gsd-rfkill | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/systemd-generators/systemd-generator-ssh | 2 ++ apparmor.d/groups/systemd/systemd-update-done | 2 ++ apparmor.d/profiles-m-r/rngd | 2 ++ apparmor.d/profiles-s-z/udev-dmi-memory-id | 2 ++ apparmor.d/profiles-s-z/udev-fido_id | 2 ++ 11 files changed, 22 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 5695f13d97..3f3981ad6f 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - # !!! warning # # This abstraction should only be used by profiles in the systemd software suite. # - ptrace read peer=@{p_systemd}, + abi , + + / r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 29675a8f00..080244feaa 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -39,6 +39,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/snmp/mibs/{,*} r, + / r, + owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d95f53b39d..f254fabb05 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -32,6 +32,8 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, + / r, + owner /tmp/tmp@{rand8} r, owner /tmp/umockdev.@{rand6}/{,**} rw, owner /tmp/upower-cfg-@{word8} rw, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index aa8d284517..0b05855002 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -74,6 +74,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, + / r, + @{GDM_HOME}/ rw, @{GDM_HOME}/** rw, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 9e50606c34..e2391ce21d 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -35,6 +35,8 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + @{sys}/devices/virtual/misc/rfkill/uevent r, @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index d0be8748a3..7eb8043588 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -104,6 +104,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/netplan/ r, /etc/netplan/90-NM-@{uuid}.yaml r, + / r, @{att}/ r, /etc/ r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh index 0f6aa11d9e..dee02177d0 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -20,6 +20,8 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { @{sbin}/sshd r, + / r, + @{run}/ r, @{run}/systemd/ r, @{run}/systemd/generator/ r, diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index 76ba6f5c45..867eea5a41 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -24,6 +24,8 @@ profile systemd-update-done @{exec_path} flags=(attach_disconnected) { /var/.#.updated@{hex} rw, /var/.updated w, + / r, + @{run}/host/container-manager r, @{PROC}/1/cmdline r, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 0a704f0e7a..4de82597e5 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -27,6 +27,8 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + / r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/misc/hw_random/rng_available r, diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id index 1d6580311f..19d859992d 100644 --- a/apparmor.d/profiles-s-z/udev-dmi-memory-id +++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id @@ -14,6 +14,8 @@ profile udev-dmi-memory-id @{exec_path} { /etc/udev/udev.conf r, + / r, + @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 453e0093ab..9a264fabd1 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -16,6 +16,8 @@ profile udev-fido_id @{exec_path} { /etc/udev/udev.conf r, /etc/udev/udev.conf.d/{,**} r, + / r, + @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, From 52383c08b172516fe1eddcca5c9087a32913aded Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Mar 2026 00:33:22 +0100 Subject: [PATCH 1542/1736] feat(profile): minor update. --- apparmor.d/abstractions/app/chromium | 4 ++++ apparmor.d/abstractions/app/fusermount | 1 + apparmor.d/abstractions/development | 1 + apparmor.d/groups/apt/dpkg-scripts | 3 +++ apparmor.d/groups/browsers/firefox-pingsender | 2 +- apparmor.d/groups/cups/print-backends-cups | 6 ++++-- apparmor.d/groups/filesystem/udisksd | 2 ++ apparmor.d/groups/freedesktop/accounts-daemon | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 +++-- .../groups/freedesktop/xdg-desktop-portal-gnome | 5 +++-- apparmor.d/groups/gnome/evolution-source-registry | 2 ++ apparmor.d/groups/gnome/gnome-control-center | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 3 +++ apparmor.d/groups/gnome/nautilus | 2 ++ apparmor.d/groups/gnome/papers | 2 ++ apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 2 ++ apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor | 2 ++ apparmor.d/groups/kde/sddm | 1 - apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/network/mullvad-gui | 4 ---- apparmor.d/groups/network/nm-dispatcher | 9 +++++---- apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/profiles-a-f/fritzing | 11 +++-------- apparmor.d/profiles-g-l/gimp | 2 +- apparmor.d/profiles-g-l/gitstatusd | 2 ++ apparmor.d/profiles-m-r/nslookup | 4 ++++ apparmor.d/profiles-m-r/pidof | 4 +--- apparmor.d/profiles-s-z/swtpm_ioctl | 2 ++ apparmor.d/profiles-s-z/terminator | 2 -- 29 files changed, 57 insertions(+), 32 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index a5a7e78c87..5ed63a9825 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -62,6 +62,7 @@ network netlink raw, signal send set=(term, kill) peer=keepassxc-proxy, + signal receive peer=@{profile_name}//&@{profile_name}//crashpad_handler, ptrace read peer=browserpass, ptrace read peer=chrome-gnome-shell, @@ -165,6 +166,9 @@ # List processes in /proc @{PROC}/ r, + # Allow reading the memory map of any processes for introspection and debugging + @{PROC}/@{pid}/maps r, + # Process status in one line (pid, state, ppid, CPU time, threads, etc.) @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount index a394e25288..c9dab01daf 100644 --- a/apparmor.d/abstractions/app/fusermount +++ b/apparmor.d/abstractions/app/fusermount @@ -21,6 +21,7 @@ @{bin}/umount rix, @{etc_ro}/fuse{,3}.conf r, + /etc/machine-id r, @{run}/mount/utab r, @{run}/mount/utab.* rwk, diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index fbf2a3540a..fdf22461d9 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -38,6 +38,7 @@ /etc/*@{devtools}*/{,**} r, /etc/debuginfod/{,**} r, /etc/inputrc r, + /etc/magic r, /etc/shells r, owner @{HOME}/.local/ r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 34a5ea0b51..2c6c865a69 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -206,6 +206,9 @@ profile dpkg-scripts @{exec_path} { /usr/local/ r, /usr/local/lib/ r, + /etc/ld.so.cache rw, + /etc/ld.so.cache~ rw, + /var/cache/ldconfig/ rw, owner /var/cache/ldconfig/aux-cache* rw, diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 94b8e187e5..a0e9ee0b15 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -12,7 +12,7 @@ include @{config_dirs} = @{HOME}/.mozilla/ @{exec_path} = @{lib_dirs}/pingsender -profile firefox-pingsender @{exec_path} { +profile firefox-pingsender @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups index 3a1a1341ce..fe61e7b06e 100644 --- a/apparmor.d/groups/cups/print-backends-cups +++ b/apparmor.d/groups/cups/print-backends-cups @@ -19,14 +19,16 @@ profile print-backends-cups @{exec_path} { network inet stream, network inet6 stream, - #aa dbus own bus=session name=org.openprinting.Backend.CUPS - #aa dbus own bus=session name=org.openprinting.PrintBackend + #aa:dbus own bus=session name=org.openprinting.Backend.CUPS + #aa:dbus own bus=session name=org.openprinting.PrintBackend path=/{,**} @{exec_path} mr, @{sh_path} rix, @{bin}/mkdir ix, + /usr/share/cups/locale/{,**} r, + /home/ r, owner @{HOME}/ r, owner @{HOME}/cpdb/ rw, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 7d152ce231..091ad1ea46 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -101,6 +101,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /var/lib/udisks2/{,**} r, /var/lib/udisks2/mounted-fs{,*} rw, + / r, + # Be able to create/delete dirs for removable media @{MOUNTDIRS}/ rw, @{MOUNTS}/ rw, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index eaf3faf7cc..e3f63b98a7 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -44,6 +44,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/*.xml r, + @{etc_rw}/tcb/{,**} r, /etc/default/locale r, /etc/gdm{3,}/ r, /etc/gdm{3,}/custom.conf{,.@{rand6}} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index af00f5f5f0..e5d37c725a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -89,9 +89,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/nautilus rPx, - @{bin}/kreadconfig{,5} rPx, - @{lib}/xdg-desktop-portal-validate-icon rPx, + @{bin}/browserpass rPx, + @{bin}/kreadconfig{,5,6} rPx, @{lib}/browserpass/browserpass-native rPx, + @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} mrPx -> child-open-any, / r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 509c33398e..7762f7d27d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -100,6 +100,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { profile flatpak { include include + include @{bin}/flatpak mr, @@ -110,8 +111,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/runtime/{,*/} r, /var/lib/flatpak/runtime/*/@{arch}/ r, - owner @{user_cache_dirs}/flatpak/system-cache/ r, - owner @{user_share_dirs}/flatpak/repo/{,**} r, + owner @{user_cache_dirs}/flatpak/system-cache/ r, + owner @{user_share_dirs}/flatpak/repo/{,**} r, include if exists } diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index b70d39f933..ac95703af8 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -11,10 +11,12 @@ profile evolution-source-registry @{exec_path} { include include include + include include include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index f4c9c702ff..6cfd3f3114 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -15,6 +15,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index fa3d44cbdf..a9a03a8194 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -76,6 +76,9 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { @{share_dirs}/{,**} r, @{share_dirs}/gsconnect-preferences rix, + /snap/*/@{uid}/**.@{icon_ext} r, + /usr/share/**.@{icon_ext} r, + owner @{user_cache_dirs}/gsconnect/{,**} rw, owner @{user_cache_dirs}/*/**.png r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 2e2216df11..ada468df7b 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -83,6 +83,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{open_path} mrPx -> child-open-any, + /snap/*/@{uid}/**.@{icon_ext} r, + /usr/share/**.@{icon_ext} r, /usr/share/nautilus/{,**} r, /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 640887f247..fbc875df75 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -10,7 +10,9 @@ include profile papers @{exec_path} flags=(attach_disconnected) { include include + include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index 592f608098..2675e73022 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -27,6 +27,8 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { /etc/fstab r, + / r, + @{sys}/class/scsi_generic/ r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index a699371990..9af0e2c4ba 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -24,6 +24,8 @@ profile gvfs-mtp-volume-monitor @{exec_path} { @{exec_path} mr, + / r, + @{sys}/devices/**/uevent r, include if exists diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 25aa0e9604..038b64d2e3 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -11,7 +11,6 @@ include profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 7eb8043588..de0c2cdb53 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -38,7 +38,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { network netlink raw, network packet dgram, - signal (send) set=(term) peer=dnsmasq, + signal send set=(term) peer=dnsmasq, #aa:dbus own bus=system name=org.freedesktop.NetworkManager diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 67a06955f6..1f25ac88c2 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -36,10 +36,6 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { /dev/tty rw, - deny @{user_share_dirs}/gvfs-metadata/* r, - deny /etc/machine-id r, - deny /var/lib/dbus/machine-id r, - include if exists } diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 1f9187882f..e1fcdeeea3 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -37,21 +37,20 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chown rix, @{bin}/chronyc rPUx, + @{bin}/cp rix, @{bin}/date rix, - @{bin}/{m,g,}awk rix, - @{bin}/{,e}grep rix, @{bin}/id rix, - @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, - @{python_path} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @@ -59,6 +58,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-cat rix, @{bin}/tr rix, + @{python_path} rix, + @{sbin}/invoke-rc.d rCx -> invoke-rc, /usr/share/tlp/tlp-readconfs rPUx, @{lib}/NetworkManager/dispatcher.d/ r, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 5b53f29fe1..c5628aad02 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -30,7 +30,7 @@ profile coredumpctl @{exec_path} flags=(complain) { /var/lib/dbus/machine-id r, /etc/machine-id r, - /var/lib/systemd/coredump/core.*.@{int}.@{hex}.@{int}.@{int}.zst r, + /var/lib/systemd/coredump/{,**} r, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index c57323c6a9..144ee03af1 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -11,12 +11,10 @@ include profile fritzing @{exec_path} { include include - include include - include + include include include - include network inet dgram, network inet6 dgram, @@ -28,18 +26,15 @@ profile fritzing @{exec_path} { @{exec_path} mrix, /usr/share/fritzing/{,**} r, - /usr/share/hwdata/pnp.ids r, /etc/debian_version r, /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, + owner @{user_documents_dirs}/Fritzing/ rw, + owner @{user_documents_dirs}/Fritzing/** rw, owner @{run}/lock/LCK..ttyACM[0-9]* rwk, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 93bf148dc9..633a343ab4 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -14,6 +14,7 @@ profile gimp @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -24,7 +25,6 @@ profile gimp @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gimp #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 3c359376f6..17c442b1e5 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -20,6 +20,8 @@ profile gitstatusd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/gitconfig r, + owner @{user_projects_dirs}/{,**} r, owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index 41435f2f09..ca3af37e06 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -21,6 +21,10 @@ profile nslookup @{exec_path} { owner @{PROC}/@{pids}/task/@{tid}/comm rw, + @{sys}/kernel/mm/transparent_hugepage/enabled r, + + @{PROC}/version_signature r, + include if exists } diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 61845b2454..7f4197b1d8 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -13,7 +13,7 @@ profile pidof @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -29,8 +29,6 @@ profile pidof @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - /dev/tty@{u8} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl index f1e41aa6ed..98349cda22 100644 --- a/apparmor.d/profiles-s-z/swtpm_ioctl +++ b/apparmor.d/profiles-s-z/swtpm_ioctl @@ -15,6 +15,8 @@ profile swtpm_ioctl @{exec_path} { @{exec_path} mr, + @{run}/libvirt/qemu/swtpm/*.sock rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 856af81913..bb54b5008e 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -68,8 +68,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/ptmx rw, - deny @{user_share_dirs}/gvfs-metadata/{,*} r, - include if exists } From 272e4ccf01a2b43043105ca6f00b17db6faa5f22 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Mar 2026 00:38:51 +0100 Subject: [PATCH 1543/1736] feat(profile): rewrite dbus rule for gnome calendar. --- .../groups/freedesktop/xdg-desktop-portal | 3 +- .../gnome/evolution-addressbook-factory | 33 ++--------------- .../groups/gnome/evolution-alarm-notify | 10 ++---- .../groups/gnome/evolution-calendar-factory | 36 +++---------------- .../groups/gnome/evolution-source-registry | 12 ++----- .../groups/gnome/gnome-shell-calendar-server | 15 ++------ apparmor.d/groups/gnome/papers | 5 +++ 7 files changed, 22 insertions(+), 92 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index e5d37c725a..3ebd6d345d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -57,10 +57,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { peer=(name=@{busname}), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus own bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop{,/**} #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus - #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus send bus=session path=/org/freedesktop/portal/desktop diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index c9b40ac080..21ae2c3c7e 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -26,43 +26,16 @@ profile evolution-addressbook-factory @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook{,@{u8},Cursor,View,Factory} path=/org/gnome/evolution/dataserver/Subprocess{,/**} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook{,@{u8},Cursor,View,Factory} - dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** - interface=org.gnome.evolution.dataserver.* - peer=(name=@{busname}), - - dbus send bus=session path=/org/gnome/evolution/dataserver/** - interface=org.gnome.evolution.dataserver.* - peer=(name=org.freedesktop.DBus, label=evolution-*), - - dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.Properties - peer=(name=@{busname}, label=evolution-*), - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=evolution-source-registry), - - dbus send bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=evolution-calendar-factory), + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.{Source,Sources@{int}} path=/org/gnome/evolution/dataserver/SourceManager{,/**} label=evolution-source-registry dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus receive bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=obexd), - @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 7614294c2f..13067954bc 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -19,13 +19,9 @@ profile evolution-alarm-notify @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Evolution-alarm-notify - dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** - interface=org.gnome.evolution.dataserver.Calendar* - peer=(name=@{busname}, label=evolution-*), - - dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.{ObjectManager,Properties} - peer=(name=@{busname}, label=evolution-*), + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.{Source,Sources@{int}} path=/org/gnome/evolution/dataserver/SourceManager{,/**} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar{,View,Factory} path=/org/gnome/evolution/dataserver/Subprocess{,**} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar{,View,Factory} label=evolution-calendar-factory @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 38952781a5..d04c4b4a0e 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -26,38 +26,12 @@ profile evolution-calendar-factory @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.Calendar8 + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.Calendar{,@{u8},View,Factory} path=/org/gnome/evolution/dataserver/Subprocess{,/**} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.Calendar{,@{u8},View,Factory} - dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** - interface=org.gnome.evolution.dataserver.* - peer=(name=@{busname}), - - dbus send bus=session path=/org/gnome/evolution/dataserver/** - interface=org.gnome.evolution.dataserver.* - peer=(name=org.freedesktop.DBus, label="{evolution-*,gnome-shell-*-server}"), - - dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.Properties - peer=(name=@{busname}), - - dbus send bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus, label=evolution-*), - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=evolution-source-registry), - - dbus send bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=gnome-shell-calendar-server), - - dbus send bus=session path=/org/gnome/evolution/dataserver/CalendarView/** - interface=org.gnome.evolution.dataserver.CalendarView - member=Complete - peer=(name=org.freedesktop.DBus, label=gnome-calendar), + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.{Source,Sources@{int}} path=/org/gnome/evolution/dataserver/SourceManager{,/**} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook{,Cursor,View,Factory} path=/org/gnome/evolution/dataserver/Subprocess{,**} label=evolution-addressbook-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook{,Cursor,View,Factory} label=evolution-addressbook-factory dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index ac95703af8..f0c6c64da1 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -27,17 +27,9 @@ profile evolution-source-registry @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.Sources@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.{Source,Sources@{int}} path=/org/gnome/evolution/dataserver/SourceManager{,/**} - dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties} - peer=(name=@{busname}), - dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.gnome.evolution.dataserver.Source{,.*} - peer=(name=@{busname}), - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus), + #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 80b9fe79f2..aaf8b5ac67 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -17,18 +17,9 @@ profile gnome-shell-calendar-server @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer - dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**} - interface=org.freedesktop.DBus.Properties - peer=(name=@{busname}, label=evolution-*), - - dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**} - interface=org.gnome.evolution.dataserver.Calendar* - peer=(name=@{busname}, label=evolution-*), - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=evolution-source-registry), + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.{Source,Sources@{int}} path=/org/gnome/evolution/dataserver/SourceManager{,/**} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar{,View,Factory} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar{,View,Factory} path=/org/gnome/evolution/dataserver/Subprocess{,**} label=evolution-calendar-factory dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index fbc875df75..6026a145f3 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -28,6 +28,11 @@ profile papers @{exec_path} flags=(attach_disconnected) { member=Close peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Print + member={PreparePrint,Print} + peer=(name=@{busname}, label=xdg-desktop-portal), + @{exec_path} mr, @{open_path} Cx -> open, From 6aea9240941b9a7fd6c35c91cea6b4a9de2aec80 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Mar 2026 00:42:01 +0100 Subject: [PATCH 1544/1736] Release apparmor.d v0.4906 --- PKGBUILD | 4 ++-- debian/changelog | 6 ++++++ dists/apparmor.d.spec | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index de26eac56e..881094fe5a 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -9,13 +9,13 @@ pkgname=( # apparmor.d-base # apparmor.d-tools ) -pkgver=0.4905 +pkgver=0.4906 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') -depends=('apparmor>=4.1.6') +depends=('apparmor') makedepends=('go' 'rsync' 'just') prepare() { diff --git a/debian/changelog b/debian/changelog index 53b2064e48..05559f78ca 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apparmor.d (0.4906-1) stable; urgency=medium + + * Release apparmor.d v0.4906 + + -- Alexandre Pujol Sat, 21 Mar 2026 00:42:01 +0100 + apparmor.d (0.4905-1) stable; urgency=medium * Release apparmor.d v0.4905 diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 5578f39fd5..70a5b2c77a 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -7,7 +7,7 @@ # Warning: for development only, use https://build.opensuse.org/package/show/home:cboltz/apparmor.d for production use. Name: apparmor.d -Version: 0.4905 +Version: 0.4906 Release: 1%{?dist} Summary: Set of over 1500 AppArmor profiles License: GPL-2.0-only From cc2f30bad4351e64670927431c00911e47e75293 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Mar 2026 00:50:21 +0100 Subject: [PATCH 1545/1736] build: update release process. --- Justfile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Justfile b/Justfile index fe3ad1845c..23feb19181 100644 --- a/Justfile +++ b/Justfile @@ -582,14 +582,15 @@ version-new: # Create a new release [group('release')] -release: tests lint commit archive publish +release: clean commit archive publish repo -# Write the new release version to package files & commit +# Write the new release version to package files, commit and tag it [group('release')] commit: #!/usr/bin/env bash set -eu -o pipefail version=`just version-new` + git restore debian/changelog cat > debian/changelog.tmp <<-EOF {{pkgname}} (${version}-1) stable; urgency=medium @@ -603,7 +604,7 @@ commit: sed -i "s/^pkgver=.*/pkgver=$version/" PKGBUILD sed -i "s/^Version:.*/Version: $version/" "dists/{{pkgname}}.spec" git add PKGBUILD "dists/{{pkgname}}.spec" debian/changelog - git commit -S -m "Release version $version" + git commit -S -m "Release {{pkgname}} v$version" git tag -a "v$version" -m "{{pkgname}} v$version" --local-user={{gpgkey}} # Create a release archive @@ -636,7 +637,7 @@ publish: # Create & upload new release packages to the repositories [group('release')] -repo path="../../Packages": +repo path="../../../Packages": just --justfile {{path}}/pkgbuilds/Justfile publish {{pkgname}} `just version` just --justfile {{path}}/repo.pujol.io/Justfile publish {{pkgname}} `just version` From 4c327f3136073e1bba5fb4d8265c5b289ef92863 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Mar 2026 13:50:49 +0100 Subject: [PATCH 1546/1736] feat(abs): chromium: minor improvements. --- apparmor.d/abstractions/app/chromium | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 5ed63a9825..b1fd53bb18 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -64,6 +64,8 @@ signal send set=(term, kill) peer=keepassxc-proxy, signal receive peer=@{profile_name}//&@{profile_name}//crashpad_handler, + ptrace trace peer=@{profile_name}, + ptrace read peer=browserpass, ptrace read peer=chrome-gnome-shell, ptrace read peer=gnome-browser-connector-host, @@ -159,8 +161,6 @@ @{sys}/bus/ r, @{sys}/bus/**/devices/ r, @{sys}/class/**/ r, - @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, - @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, # List processes in /proc @@ -261,17 +261,17 @@ capability sys_ptrace, - ptrace (read trace) peer=@{name}, + signal send peer=@{name}, - unix (send receive) type=seqpacket peer=(label=@{name}), + ptrace trace peer=@{name}, - signal send peer=@{name}, + unix (send receive) type=seqpacket peer=(label=@{name}), @{lib_dirs}/chrome_crashpad_handler mrix, @{lib_dirs}/@{name}_crashpad_handler mrix, - owner "@{config_dirs}/Crash Reports/**" rwk, - + owner "@{config_dirs}/{,*/}Crash Reports/**" rwk, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, From 62206e72c5768f70b676e1268ff3937cbefa28db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Mar 2026 14:44:02 +0100 Subject: [PATCH 1547/1736] feat(aa): add some profile utils. --- pkg/builder/complain.go | 5 +-- pkg/builder/core.go | 27 ---------------- pkg/builder/enforce.go | 5 +-- pkg/builder/profile-mode.go | 27 ++-------------- pkg/util/profiles.go | 62 +++++++++++++++++++++++++++++++++++++ 5 files changed, 70 insertions(+), 56 deletions(-) create mode 100644 pkg/util/profiles.go diff --git a/pkg/builder/complain.go b/pkg/builder/complain.go index 168ff5593a..358c33f76d 100644 --- a/pkg/builder/complain.go +++ b/pkg/builder/complain.go @@ -8,6 +8,7 @@ import ( "slices" "github.com/roddhjav/apparmor.d/pkg/tasks" + "github.com/roddhjav/apparmor.d/pkg/util" ) type Complain struct { @@ -25,10 +26,10 @@ func NewComplain() *Complain { } func (b Complain) Apply(opt *Option, profile string) (string, error) { - flags := extractFlags(profile) + flags := util.GetFlags(profile) if slices.Contains(flags, "complain") || slices.Contains(flags, "unconfined") { return profile, nil } flags = append(flags, "complain") - return setFlags(profile, flags), nil + return util.SetFlags(profile, flags), nil } diff --git a/pkg/builder/core.go b/pkg/builder/core.go index 51b1353740..88d9709b93 100644 --- a/pkg/builder/core.go +++ b/pkg/builder/core.go @@ -6,7 +6,6 @@ package builder import ( "fmt" - "regexp" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -14,11 +13,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/tasks" ) -var ( - regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {\n`) -) - // Builder main directive interface type Builder interface { tasks.BaseTaskInterface @@ -71,24 +65,3 @@ func (r *Builders) Add(builder Builder) *Builders { r.BaseRunner.Add(builder) return r } - -// extractFlags parses the flags from a profile string. -func extractFlags(profile string) []string { - matches := regFlags.FindStringSubmatch(profile) - if len(matches) == 0 { - return nil - } - return strings.Split(matches[1], ",") -} - -// setFlags replaces flags in a profile string. If flags is empty, removes the flags clause. -func setFlags(profile string, flags []string) string { - profile = regFlags.ReplaceAllLiteralString(profile, "") - if len(flags) == 0 { - // Clean up any extra space left after removing flags - profile = strings.ReplaceAll(profile, " {\n", " {\n") - return profile - } - flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" - return regProfileHeader.ReplaceAllLiteralString(profile, flagsStr) -} diff --git a/pkg/builder/enforce.go b/pkg/builder/enforce.go index 1f27659563..43f2775d54 100644 --- a/pkg/builder/enforce.go +++ b/pkg/builder/enforce.go @@ -8,6 +8,7 @@ import ( "slices" "github.com/roddhjav/apparmor.d/pkg/tasks" + "github.com/roddhjav/apparmor.d/pkg/util" ) type Enforce struct { @@ -25,11 +26,11 @@ func NewEnforce() *Enforce { } func (b Enforce) Apply(opt *Option, profile string) (string, error) { - flags := extractFlags(profile) + flags := util.GetFlags(profile) idx := slices.Index(flags, "complain") if idx == -1 { return profile, nil } flags = slices.Delete(flags, idx, idx+1) - return setFlags(profile, flags), nil + return util.SetFlags(profile, flags), nil } diff --git a/pkg/builder/profile-mode.go b/pkg/builder/profile-mode.go index 43bf9c2527..57936e1031 100644 --- a/pkg/builder/profile-mode.go +++ b/pkg/builder/profile-mode.go @@ -5,19 +5,15 @@ package builder import ( - "fmt" "regexp" - "slices" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/tasks" + "github.com/roddhjav/apparmor.d/pkg/util" ) var ( regProfileName = regexp.MustCompile(`(?m)^profile\s+(\S+)\s+`) - profileModes = []string{ - "enforce", "complain", "kill", "default_allow", "unconfined", "prompt", - } ) type ProfileMode struct { @@ -55,25 +51,6 @@ func (b ProfileMode) Apply(opt *Option, profile string) (string, error) { if !present { return profile, nil } - if !slices.Contains(profileModes, mode) { - return profile, fmt.Errorf("unknown profile mode: %s", mode) - } - - return setMode(profile, mode) -} - -func setMode(profile string, mode string) (string, error) { - flags := extractFlags(profile) - - // Remove all conflicting mode flags - flags = slices.DeleteFunc(flags, func(f string) bool { - return slices.Contains(profileModes, f) - }) - - // "enforce" is the default (no mode flag needed), otherwise add the mode - if mode != "enforce" { - flags = append(flags, mode) - } - return setFlags(profile, flags), nil + return util.SetMode(profile, mode) } diff --git a/pkg/util/profiles.go b/pkg/util/profiles.go new file mode 100644 index 0000000000..e756f03cc5 --- /dev/null +++ b/pkg/util/profiles.go @@ -0,0 +1,62 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package util + +import ( + "fmt" + "regexp" + "slices" + "strings" +) + +var ( + regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) + regProfileHeader = regexp.MustCompile(` {\n`) + profileModes = []string{ + "enforce", "complain", "kill", "default_allow", "unconfined", "prompt", + } +) + +// GetFlags parses the flags from a profile string. +func GetFlags(profile string) []string { + matches := regFlags.FindStringSubmatch(profile) + if len(matches) == 0 { + return nil + } + return strings.Split(matches[1], ",") +} + +// SetFlags replaces flags in a profile string. If flags is empty, removes the flags clause. +func SetFlags(profile string, flags []string) string { + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) == 0 { + // Clean up any extra space left after removing flags + profile = strings.ReplaceAll(profile, " {\n", " {\n") + return profile + } + flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" + return regProfileHeader.ReplaceAllLiteralString(profile, flagsStr) +} + +// SetMode sets the given mode in the profile string, removing any conflicting mode flags. +func SetMode(profile string, mode string) (string, error) { + if !slices.Contains(profileModes, mode) { + return profile, fmt.Errorf("unknown profile mode: %s", mode) + } + + flags := GetFlags(profile) + + // Remove all conflicting mode flags + flags = slices.DeleteFunc(flags, func(f string) bool { + return slices.Contains(profileModes, f) + }) + + // "enforce" is the default (no mode flag needed), otherwise add the mode + if mode != "enforce" { + flags = append(flags, mode) + } + + return SetFlags(profile, flags), nil +} From 1cd6bb9835482b89de6ac3ed9fb9cb4f3623ab1d Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 21 Mar 2026 21:13:09 +0000 Subject: [PATCH 1548/1736] feat(profile): added more rules /. --- apparmor.d/groups/bluetooth/bluetoothd | 2 ++ apparmor.d/groups/freedesktop/plymouthd | 2 ++ apparmor.d/groups/ssh/ssh | 2 ++ apparmor.d/groups/ssh/ssh-sk-helper | 2 ++ apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/utils/findmnt | 2 ++ apparmor.d/profiles-g-l/git | 3 +++ 7 files changed, 15 insertions(+) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2d088bd3b9..a14c164aac 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -44,6 +44,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { /etc/bluetooth/{,*.conf} r, + / r, + /var/lib/bluetooth/{,**} rw, @{run}/sdp rw, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index e5b292b3fd..4abefb8c9a 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -43,6 +43,8 @@ profile plymouthd @{exec_path} { /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, + / r, + /var/lib/plymouth/{,**} rw, /var/log/boot.log w, /var/log/plymouth-*.log w, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index de87a47685..199faf656e 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -41,6 +41,8 @@ profile ssh @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /etc/gss/mech.d/{,*} r, + / r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index 79f5d22da7..4d374f18d8 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -15,6 +15,8 @@ profile ssh-sk-helper flags=(complain) { @{exec_path} mr, + / r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 99912b8f4e..3e83a87e2f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -39,6 +39,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,*} r, /etc/os-release r, + /swap/* r, + @{run}/systemd/private rw, @{sys}/power/state rw, diff --git a/apparmor.d/groups/utils/findmnt b/apparmor.d/groups/utils/findmnt index 96ae6b6899..11592c4717 100644 --- a/apparmor.d/groups/utils/findmnt +++ b/apparmor.d/groups/utils/findmnt @@ -21,6 +21,8 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { /etc/fstab r, /etc/mtab r, + / r, + @{PROC}/@{pids}/mountinfo r, include if exists diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index e140722a99..9b1bf33970 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -25,6 +25,7 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send peer=aurpublish, + signal send set=term peer=ssh//&unconfined, signal receive set=term peer=code, # unix (send receive) type=stream peer=(label=claude), @@ -91,6 +92,8 @@ profile git @{exec_path} flags=(attach_disconnected) { @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, + / r, + owner @{user_projects_dirs}/ rw, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, owner @{user_projects_dirs}/**/.git/hooks/* rix, From d8f2a7529bc8d0a635410f6e67d31d59bdb170db Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sun, 22 Mar 2026 08:38:20 +0000 Subject: [PATCH 1549/1736] feat(profile): again missing /. --- apparmor.d/profiles-m-r/pcscd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index a2c53224c2..d62c10a375 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -29,6 +29,8 @@ profile pcscd @{exec_path} { /etc/libccid_Info.plist r, /etc/reader.conf.d/{,**} r, + / r, + owner @{run}/pcscd/{,pcscd.pid} rw, @{sys}/devices/**/uevent r, From bde38c4fd10d0ed421ccf02266eb4d1591b7b9ea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 16:34:58 +0100 Subject: [PATCH 1550/1736] fix(profile): flatpak network add missing wireless. fix #1074 --- apparmor.d/abstractions/flatpak/shared/network | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/flatpak/shared/network b/apparmor.d/abstractions/flatpak/shared/network index 39180e6852..ac6bb9bcf6 100644 --- a/apparmor.d/abstractions/flatpak/shared/network +++ b/apparmor.d/abstractions/flatpak/shared/network @@ -41,6 +41,7 @@ @{PROC}/@{pid}/net/udp6 r, @{PROC}/@{pid}/net/udplite r, @{PROC}/@{pid}/net/unix r, + @{PROC}/@{pid}/net/wireless r, @{PROC}/net/dev r, include if exists From 96ffc85843a0e1f747a4829af4b0a5f0bf991cf0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 16:37:33 +0100 Subject: [PATCH 1551/1736] fix(profile): missing udev in upowerd fix #1077 --- apparmor.d/groups/freedesktop/upowerd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index f254fabb05..4d1bf9fdac 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -49,6 +49,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+serio:* r, # for serial mice @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) @{run}/udev/data/c116:@{int} r, # for ALSA @{att}@{run}/systemd/inhibit/@{int}.ref rw, From f4d69ea43cd2e5a3375449f25698f849e58d4a47 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 16:58:59 +0100 Subject: [PATCH 1552/1736] feat(profile): update YACReader. --- apparmor.d/profiles-s-z/YACReader | 1 + apparmor.d/profiles-s-z/YACReaderLibrary | 10 +++------- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index fd3942a37b..14e60e2b4b 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -14,6 +14,7 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index b3147dc2b9..2fb1e67b2b 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -13,6 +13,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted include include include + include include include include @@ -31,19 +32,14 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted /usr/share/yacreader/{,**} r, - /etc/machine-id r, - owner @{user_books_dirs}/{,**} rw, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, owner @{user_cache_dirs}/YACReader/ rw, - owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw, - owner @{user_cache_dirs}/YACReader/YACReaderLibrary/** rwlk, + owner @{user_cache_dirs}/YACReader/** rwlk, owner @{user_share_dirs}/YACReader/ rw, - owner @{user_share_dirs}/YACReader/* r, - owner @{user_share_dirs}/YACReader/YACReaderLibrary/ rw, - owner @{user_share_dirs}/YACReader/YACReaderLibrary/** rwlk, + owner @{user_share_dirs}/YACReader/** rwlk, owner @{tmp}/@{uuid} rw, From ce60d14b2d14b62ff1caa92033548390ac43076a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 17:01:36 +0100 Subject: [PATCH 1553/1736] chore(aa-log): minor improvments. --- cmd/aa-log/main.go | 52 +++++++++++++++++++---------------------- cmd/aa-log/main_test.go | 5 +--- pkg/logs/logs.go | 1 + 3 files changed, 26 insertions(+), 32 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 4435818430..12f24abb3d 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -54,7 +54,28 @@ var ( load bool ) -func aaLog(logger string, path string, profile string, namespace string) error { +func init() { + flag.BoolVar(&help, "h", false, "Show this help message and exit.") + flag.BoolVar(&help, "help", false, "Show this help message and exit.") + flag.StringVar(&path, "f", "", "Set a logfile or a suffix to the default log file.") + flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") + flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") + flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") + flag.BoolVar(&rules, "r", false, "Convert the log into AppArmor rules.") + flag.BoolVar(&rules, "rules", false, "Convert the log into AppArmor rules.") + flag.BoolVar(&raw, "R", false, "Print the raw log without any formatting.") + flag.BoolVar(&raw, "raw", false, "Print the raw log without any formatting.") + flag.StringVar(&boot, "b", "", "Show entries from the specified boot.") + flag.StringVar(&boot, "boot", "", "Show entries from the specified boot.") + flag.StringVar(&since, "S", "", "Display logs since the START time.") + flag.StringVar(&since, "since", "", "Display logs since the START time.") + flag.BoolVar(&load, "l", false, "Load logs from the default aa-log output.") + flag.BoolVar(&load, "load", false, "Load logs from the default aa-log output.") + flag.StringVar(&namespace, "n", "", "Filter the logs to the specified namespace") + flag.StringVar(&namespace, "namespace", "", "Filter the logs to the specified namespace") +} + +func aaLog(logger string, path string, profile string, namespace string, rules bool, raw bool, load bool) error { var err error var file io.Reader @@ -102,27 +123,6 @@ func aaLog(logger string, path string, profile string, namespace string) error { return nil } -func init() { - flag.BoolVar(&help, "h", false, "Show this help message and exit.") - flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.StringVar(&path, "f", "", "Set a logfile or a suffix to the default log file.") - flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") - flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") - flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") - flag.BoolVar(&rules, "r", false, "Convert the log into AppArmor rules.") - flag.BoolVar(&rules, "rules", false, "Convert the log into AppArmor rules.") - flag.BoolVar(&raw, "R", false, "Print the raw log without any formatting.") - flag.BoolVar(&raw, "raw", false, "Print the raw log without any formatting.") - flag.StringVar(&boot, "b", "", "Show entries from the specified boot.") - flag.StringVar(&boot, "boot", "", "Show entries from the specified boot.") - flag.StringVar(&since, "S", "", "Display logs since the START time.") - flag.StringVar(&since, "since", "", "Display logs since the START time.") - flag.BoolVar(&load, "l", false, "Load logs from the default aa-log output.") - flag.BoolVar(&load, "load", false, "Load logs from the default aa-log output.") - flag.StringVar(&namespace, "n", "", "Filter the logs to the specified namespace") - flag.StringVar(&namespace, "namespace", "", "Filter the logs to the specified namespace") -} - func main() { flag.Usage = func() { fmt.Print(usage) } flag.Parse() @@ -131,10 +131,7 @@ func main() { os.Exit(0) } - profile := "" - if len(flag.Args()) >= 1 { - profile = flag.Args()[0] - } + profile := flag.Arg(0) if boot != "" { systemd = true @@ -150,8 +147,7 @@ func main() { fmt.Println(err) os.Exit(1) } - err = aaLog(logger, path, profile, namespace) - if err != nil { + if err = aaLog(logger, path, profile, namespace, rules, raw, load); err != nil { fmt.Println(err) os.Exit(1) } diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go index ed85ee05e2..f60b0a8a71 100644 --- a/cmd/aa-log/main_test.go +++ b/cmd/aa-log/main_test.go @@ -82,10 +82,7 @@ func Test_app(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - rules = tt.rules - raw = tt.raw - load = tt.load - if err := aaLog(tt.logger, tt.path, tt.profile, tt.namespace); (err != nil) != tt.wantErr { + if err := aaLog(tt.logger, tt.path, tt.profile, tt.namespace, tt.rules, tt.raw, tt.load); (err != nil) != tt.wantErr { t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr) } }) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index a03efd6673..6317fb1e31 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -74,6 +74,7 @@ var ( `(x86_64|amd64|i386|i686)`, `@{arch}`, `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, + `/var/etc/`, `@{etc_rw}/`, `/boot/(|efi/)`, `@{efi}/`, `/efi/`, `@{efi}/`, `/var/run/`, `@{run}/`, From 76aad7a87bfcab1cb66f0a30db79b74a42aff759 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 17:04:51 +0100 Subject: [PATCH 1554/1736] fix(profile): linter issue. --- apparmor.d/abstractions/app/chromium | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index b1fd53bb18..bd69f2b602 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -271,7 +271,7 @@ @{lib_dirs}/@{name}_crashpad_handler mrix, owner "@{config_dirs}/{,*/}Crash Reports/**" rwk, - + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, From d59d94875438aad5692336c038d804fbbac4d903 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 20 Mar 2026 18:13:25 +0000 Subject: [PATCH 1555/1736] feat(profile): minor updates --- apparmor.d/groups/filesystem/btrfs | 1 + apparmor.d/groups/filesystem/mkswap | 1 + apparmor.d/groups/freedesktop/xorg | 3 +++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/polkit/polkit-agent-helper | 1 + apparmor.d/groups/systemd/systemd-sleep | 3 +++ apparmor.d/profiles-g-l/iw | 1 + 7 files changed, 11 insertions(+) diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index c7eb029118..51b9dbd197 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -35,6 +35,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /var/ r, /var/log/ r, /var/tmp/ r, + /var/cache/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/groups/filesystem/mkswap index 42caeafd2a..6555e014b8 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/groups/filesystem/mkswap @@ -11,6 +11,7 @@ include profile mkswap @{exec_path} { include include + include capability mknod, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index a7e493c435..c83b76843e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -32,6 +32,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_admin, capability sys_rawio, + capability sys_nice, signal (send) set=(usr1), @@ -123,6 +124,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, @{sys}/devices/platform/ r, + @{sys}/devices/@{pci}/tile0/gt0/freq0/min_freq r, + @{sys}/devices/@{pci}/tile0/gt0/freq0/max_freq r, @{sys}/module/i915/{,**} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index de0c2cdb53..3ded914f27 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -135,6 +135,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/+ieee80211:phy0 r, # For wireless interfaces @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 8e895483c5..835078a9ad 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -27,6 +27,7 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, ptrace read peer=pkttyagent, + ptrace read peer=unconfined, signal receive set=(term kill) peer=flatpak, signal receive set=(term kill) peer=gnome-shell, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 1ca7aba94c..343826c0b1 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -12,6 +12,7 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { include include include + include capability net_admin, capability sys_admin, @@ -36,12 +37,14 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf r, /etc/systemd/sleep.conf.d/{,*} r, + /etc/os-release r, @{run}/systemd/private rw, @{sys}/power/state rw, @{PROC}/sys/fs/nr_open r, + @{PROC}/swaps r, include if exists } diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 54155298cc..5153278eed 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -13,6 +13,7 @@ profile iw @{exec_path} { # To be able to manage network interfaces. capability net_admin, + capability sys_module, # Needed? audit deny capability sys_module, From 5bdf95a200dd443089f680100d454d1e65168187 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 20 Mar 2026 18:16:26 +0000 Subject: [PATCH 1556/1736] feat(profile): remove rule --- apparmor.d/profiles-g-l/iw | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 5153278eed..54155298cc 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -13,7 +13,6 @@ profile iw @{exec_path} { # To be able to manage network interfaces. capability net_admin, - capability sys_module, # Needed? audit deny capability sys_module, From fd1582760ad32b3528d62791f83b5d4a0ed77c0a Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 20 Mar 2026 18:28:18 +0000 Subject: [PATCH 1557/1736] feat(profile): additional rules added. --- apparmor.d/groups/systemd/systemd-sleep | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 343826c0b1..99912b8f4e 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -42,6 +42,10 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{run}/systemd/private rw, @{sys}/power/state rw, + @{sys}/power/disk w, + @{sys}/power/resume rw, + @{sys}/power/resume_offset rw, + @{sys}/firmware@{efi}/efivars/HibernateLocation-@{uuid} w, @{PROC}/sys/fs/nr_open r, @{PROC}/swaps r, From 36e8eeaa956e72bf76761fec5a7f4a40fb697181 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sat, 21 Mar 2026 21:13:09 +0000 Subject: [PATCH 1558/1736] feat(profile): added more rules /. --- apparmor.d/groups/bluetooth/bluetoothd | 2 ++ apparmor.d/groups/freedesktop/plymouthd | 2 ++ apparmor.d/groups/ssh/ssh | 2 ++ apparmor.d/groups/ssh/ssh-sk-helper | 2 ++ apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/utils/findmnt | 2 ++ apparmor.d/profiles-g-l/git | 3 +++ 7 files changed, 15 insertions(+) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2d088bd3b9..a14c164aac 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -44,6 +44,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { /etc/bluetooth/{,*.conf} r, + / r, + /var/lib/bluetooth/{,**} rw, @{run}/sdp rw, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index e5b292b3fd..4abefb8c9a 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -43,6 +43,8 @@ profile plymouthd @{exec_path} { /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, + / r, + /var/lib/plymouth/{,**} rw, /var/log/boot.log w, /var/log/plymouth-*.log w, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index de87a47685..199faf656e 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -41,6 +41,8 @@ profile ssh @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /etc/gss/mech.d/{,*} r, + / r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index 79f5d22da7..4d374f18d8 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -15,6 +15,8 @@ profile ssh-sk-helper flags=(complain) { @{exec_path} mr, + / r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 99912b8f4e..3e83a87e2f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -39,6 +39,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,*} r, /etc/os-release r, + /swap/* r, + @{run}/systemd/private rw, @{sys}/power/state rw, diff --git a/apparmor.d/groups/utils/findmnt b/apparmor.d/groups/utils/findmnt index 96ae6b6899..11592c4717 100644 --- a/apparmor.d/groups/utils/findmnt +++ b/apparmor.d/groups/utils/findmnt @@ -21,6 +21,8 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { /etc/fstab r, /etc/mtab r, + / r, + @{PROC}/@{pids}/mountinfo r, include if exists diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index e140722a99..9b1bf33970 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -25,6 +25,7 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send peer=aurpublish, + signal send set=term peer=ssh//&unconfined, signal receive set=term peer=code, # unix (send receive) type=stream peer=(label=claude), @@ -91,6 +92,8 @@ profile git @{exec_path} flags=(attach_disconnected) { @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, + / r, + owner @{user_projects_dirs}/ rw, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, owner @{user_projects_dirs}/**/.git/hooks/* rix, From 859b72c7b080ead046b44e84e2f2c633ec759a13 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sun, 22 Mar 2026 08:38:20 +0000 Subject: [PATCH 1559/1736] feat(profile): again missing /. --- apparmor.d/profiles-m-r/pcscd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index a2c53224c2..d62c10a375 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -29,6 +29,8 @@ profile pcscd @{exec_path} { /etc/libccid_Info.plist r, /etc/reader.conf.d/{,**} r, + / r, + owner @{run}/pcscd/{,pcscd.pid} rw, @{sys}/devices/**/uevent r, From c4b76ac94a1d0c5a29ebf7dfe413f7436f3a445b Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Sun, 22 Mar 2026 18:14:27 +0000 Subject: [PATCH 1560/1736] feat(profile): Resolved as suggested. --- apparmor.d/groups/filesystem/mkswap | 2 +- apparmor.d/groups/freedesktop/xorg | 4 ++-- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/polkit/polkit-agent-helper | 2 +- apparmor.d/profiles-g-l/git | 1 - 5 files changed, 5 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/groups/filesystem/mkswap index 6555e014b8..92d0624013 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/groups/filesystem/mkswap @@ -10,8 +10,8 @@ include @{exec_path} = @{sbin}/mkswap profile mkswap @{exec_path} { include - include include + include capability mknod, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index c83b76843e..75874e2794 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -124,8 +124,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, @{sys}/devices/platform/ r, - @{sys}/devices/@{pci}/tile0/gt0/freq0/min_freq r, - @{sys}/devices/@{pci}/tile0/gt0/freq0/max_freq r, + @{sys}/devices/@{pci}/tile0/gt@{int}/freq@{int}/min_freq r, + @{sys}/devices/@{pci}/tile0/gt@{int}/freq@{int}/max_freq r, @{sys}/module/i915/{,**} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 3ded914f27..8e4b8f882a 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -135,7 +135,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/n@{int} r, # For network interfaces - @{run}/udev/data/+ieee80211:phy0 r, # For wireless interfaces + @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 835078a9ad..b9c20804d9 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -27,7 +27,7 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, ptrace read peer=pkttyagent, - ptrace read peer=unconfined, + ptrace read peer=@{p_systemd}, signal receive set=(term kill) peer=flatpak, signal receive set=(term kill) peer=gnome-shell, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 9b1bf33970..20989586ed 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -25,7 +25,6 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send peer=aurpublish, - signal send set=term peer=ssh//&unconfined, signal receive set=term peer=code, # unix (send receive) type=stream peer=(label=claude), From 5afa9b66b4c8073893cb105ead3356e032b4f12c Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Tue, 24 Mar 2026 06:58:39 +0000 Subject: [PATCH 1561/1736] feat(profile): added missing /. --- apparmor.d/groups/systemd/systemd-hwdb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index ab2ce97874..a0a48869a0 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -24,6 +24,8 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/udev/hwdb.bin wl -> @{lib}/udev/#@{int}, /etc/udev/hwdb.d/{,*} r, + / r, + owner @{PROC}/@{pid}/stat r, include if exists From a38ef7fa0a9c917da4761f3207a9c1284a275dd1 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Sun, 22 Mar 2026 14:28:56 +0100 Subject: [PATCH 1562/1736] Update ufw-init #1075 --- apparmor.d/groups/firewall/ufw-init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 13812296bf..422bebb025 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -36,7 +36,7 @@ profile ufw-init @{exec_path} { @{run}/xtables.lock rwk, - @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/net/{ip,ip6}_tables_names r, @{PROC}/sys/kernel/modprobe r, profile kmod { From 557ef87e342c40490e5f23364638cc8d215c04fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 19:16:56 +0100 Subject: [PATCH 1563/1736] feat(profile): various kde improvments. fix #1081 --- apparmor.d/groups/freedesktop/xorg | 1 + apparmor.d/groups/kde/baloo | 2 ++ apparmor.d/groups/kde/kauth-chargethresholdhelper | 2 +- apparmor.d/groups/kde/kde-powerdevil | 3 ++- apparmor.d/groups/kde/kded | 7 ++++--- apparmor.d/groups/kde/kscreenlocker_greet | 3 ++- apparmor.d/groups/kde/ksplashqml | 1 + apparmor.d/groups/kde/plasmashell | 3 +-- apparmor.d/groups/kde/sddm | 3 +++ apparmor.d/groups/kde/sddm-greeter | 1 - apparmor.d/groups/kde/systemsettings | 5 +++-- apparmor.d/groups/polkit/polkit-agent-helper | 5 +++++ apparmor.d/profiles-s-z/udev-ata_id | 2 ++ apparmor.d/profiles-s-z/udev-cdrom_id | 2 ++ 14 files changed, 29 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index a7e493c435..6be904e251 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -123,6 +123,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, @{sys}/devices/platform/ r, + @{sys}/devices/platform/*/serio@{int}/id/ r, @{sys}/module/i915/{,**} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 4bf009f1ec..948c8023b1 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -28,6 +28,8 @@ profile baloo @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/machine-id r, + / r, + # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 8de25da6fe..8907586b2c 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -14,7 +14,7 @@ profile kauth-chargethresholdhelper @{exec_path} flags=(attach_disconnected) { include #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper - #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil + #aa:dbus talk bus=system name=org.kde.kf[56]auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index ab98f90912..556fc3be0c 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -12,7 +12,6 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include - include include include include @@ -34,6 +33,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) #aa:dbus own bus=session name=org.kde.Solid.PowerManagement #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mrix, @@ -49,6 +49,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) /etc/fstab r, /etc/machine-id r, + / r, owner @{HOME}/ r, owner @{user_cache_dirs}/ddcutil/* rw, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 1dd913a163..21841fd812 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -187,10 +187,11 @@ profile kded @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, @{sys}/class/leds/ r, + @{sys}/devices/**/input@{int}/{,**/}uevent r, - @{run}/udev/data/b8:@{int} r, # for /dev/sd* - @{run}/udev/data/b259:@{int} r, # Block Extended Major - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b254:@{int} r, # for /dev/zram* + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 16a23b4a82..d6452afe12 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -11,7 +11,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kscreenlocker_greet profile kscreenlocker_greet @{exec_path} { include - include include include include @@ -29,6 +28,8 @@ profile kscreenlocker_greet @{exec_path} { signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, + unix bind type=stream addr=@@{udbus}/bus/QThread/system, + dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index dcd6c281fc..3796328ad8 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -23,6 +23,7 @@ profile ksplashqml @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + @{bin}/ r, /usr/share/color-schemes/* r, /usr/share/plasma/** r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 4c8485caf3..bbded7f81d 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -25,7 +25,7 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include userns, @@ -235,7 +235,6 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/platform/** r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 038b64d2e3..297c724caa 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -71,6 +71,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/date rix, @{bin}/dirname rix, @{bin}/disable-paste rix, + @{bin}/find rix, @{bin}/id rix, @{bin}/locale rix, @{bin}/manpath rix, @@ -82,8 +83,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, + @{bin}/xargs rix, @{bin}/xdm r, @{bin}/xmodmap rix, + @{bin}/zoxide rix, @{sbin}/checkproc rix, @{bin}/dbus-run-session rPx -> dbus-session, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 4972eeb2c1..682c8de6aa 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -48,7 +48,6 @@ profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/xdg/plasmarc r, /var/lib/AccountsService/icons/* r, - /var/lib/dbus/machine-id r, @{SDDM_HOME}/state.conf r, owner @{SDDM_HOME}/** rw, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 56558f9685..681a4b2170 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -11,14 +11,15 @@ profile systemsettings @{exec_path} flags=(attach_disconnected,mediate_deleted) include include include + include include include include + include include include include include - include network netlink raw, @@ -65,11 +66,11 @@ profile systemsettings @{exec_path} flags=(attach_disconnected,mediate_deleted) /usr/share/thumbnailers/{,**} r, /usr/share/wallpapers/{,**} r, + @{etc_ro}/login.defs r, /etc/fstab r, /etc/xdg/* r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, - /var/lib/dbus/machine-id r, /var/cache/cracklib/cracklib_dict.* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 8e895483c5..f54c1c9692 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -17,7 +17,9 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { include capability audit_write, + capability chown, capability dac_override, + capability fowner, capability net_admin, capability setgid, capability setuid, @@ -26,13 +28,16 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, + ptrace read peer=gnome-shell, ptrace read peer=pkttyagent, + ptrace read peer=polkit-kde-authentication-agent, signal receive set=(term kill) peer=flatpak, signal receive set=(term kill) peer=gnome-shell, signal receive set=(term kill) peer=pkexec, signal receive set=(term kill) peer=pkttyagent, signal receive set=(term kill) peer=polkit-*-authentication-agent, + signal receive set=(term kill) peer=yay, unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system, diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id index f12ed105fc..d41629bed4 100644 --- a/apparmor.d/profiles-s-z/udev-ata_id +++ b/apparmor.d/profiles-s-z/udev-ata_id @@ -17,6 +17,8 @@ profile udev-ata_id @{exec_path} { /etc/udev/udev.conf r, + / r, + include if exists } diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id index 5521598676..ecfc5d902b 100644 --- a/apparmor.d/profiles-s-z/udev-cdrom_id +++ b/apparmor.d/profiles-s-z/udev-cdrom_id @@ -14,6 +14,8 @@ profile udev-cdrom_id @{exec_path} { @{exec_path} mr, + / r, + /etc/udev/udev.conf r, /dev/sr@{int} r, From fd5925d2fccbe6085020e68f2d2deefbc68d7ba6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 19:17:41 +0100 Subject: [PATCH 1564/1736] feat(abs): minor chromium based improvement. --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/common/electron | 2 ++ 2 files changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index bd69f2b602..e8db7ac728 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -263,6 +263,7 @@ signal send peer=@{name}, + ptrace read peer=@{name}, ptrace trace peer=@{name}, unix (send receive) type=seqpacket peer=(label=@{name}), diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index b1deef2217..e2bafeab92 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -63,6 +63,7 @@ owner @{user_share_dirs}/applications/{,**} rw, owner @{user_config_dirs}/electron-flags.conf r, + owner @{user_config_dirs}/electron@{u8}-flags.conf r, owner @{tmp}/.@{domain}.*/{,**} rw, @@ -117,6 +118,7 @@ include unix (send receive) type=seqpacket peer=(label=@{name}), + unix (send receive) type=seqpacket, # peer=(label=---), @{lib}/electron@{int}/chrome_crashpad_handler mr, @{lib_dirs}/chrome_crashpad_handler mr, From 50fa944d17790134e887c068f70d9d9fe64b49e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 19:25:06 +0100 Subject: [PATCH 1565/1736] feat(profile): improve dbus rules. --- apparmor.d/abstractions/app/open | 5 +++++ apparmor.d/abstractions/bluetooth-control | 5 +++++ apparmor.d/abstractions/bus/system/org.bluez | 5 +++++ .../abstractions/bus/system/org.bluez.ProfileManager1 | 2 +- .../abstractions/bus/system/org.freedesktop.login1 | 4 ++-- apparmor.d/groups/bluetooth/blueman | 7 +++++++ apparmor.d/groups/bluetooth/obexd | 2 ++ apparmor.d/groups/browsers/firefox | 5 +++++ apparmor.d/groups/bus/dbus-system | 5 +++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 5 +++++ apparmor.d/groups/gnome/gnome-boxes | 1 + apparmor.d/groups/gnome/gnome-control-center | 5 +++++ apparmor.d/groups/gnome/gnome-extension-gsconnect | 11 ++++++++--- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor | 1 + apparmor.d/groups/gvfs/gvfsd-mtp | 2 ++ apparmor.d/profiles-m-r/mpris-proxy | 2 ++ 17 files changed, 60 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index e735e34ffc..4052f16fc4 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -10,6 +10,11 @@ include include + dbus send bus=session path=/org/gnome/Nautilus + interface=org.freedesktop.Application + member=Open + peer=(name=org.gnome.Nautilus, label=nautilus), + # We cannot use `@{open_path} mrix,` here because it includes: # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop # And `@{multiarch}` has a wildcard that cannot be merged and that will generate diff --git a/apparmor.d/abstractions/bluetooth-control b/apparmor.d/abstractions/bluetooth-control index 1803a101b8..39a3344116 100644 --- a/apparmor.d/abstractions/bluetooth-control +++ b/apparmor.d/abstractions/bluetooth-control @@ -13,6 +13,11 @@ include include + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=org.bluez, label="@{p_bluetoothd}"), + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} interface=org.freedesktop.DBus.Properties member=Set diff --git a/apparmor.d/abstractions/bus/system/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez index e4300d7e5e..8db7744baf 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez +++ b/apparmor.d/abstractions/bus/system/org.bluez @@ -11,6 +11,11 @@ member={Get,GetAll} peer=(name=@{busname}, label="@{p_bluetoothd}"), + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}, label="@{p_bluetoothd}"), + dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 index 203a75bdb8..a6bf3d9318 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 +++ b/apparmor.d/abstractions/bus/system/org.bluez.ProfileManager1 @@ -9,7 +9,7 @@ member={RegisterProfile,UnregisterProfile} peer=(name=org.bluez, label="@{p_bluetoothd}"), - dbus receive bus=system path=/Profile/HFPAG + dbus receive bus=system path=/Profile/* interface=org.bluez.Profile1 member={NewConnection,RequestDisconnection,Release} peer=(name=@{busname}, label="@{p_bluetoothd}"), diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.login1 b/apparmor.d/abstractions/bus/system/org.freedesktop.login1 index 0241333e4e..8a1222d16d 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.login1 @@ -18,7 +18,7 @@ dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=@{busname}, label=systemd-logind), + peer=(name=@{busname}, label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1{,/session/**} interface=org.freedesktop.DBus.Properties @@ -75,7 +75,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession} + member={CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CanSuspendThenHibernate,CreateSession} peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), # Sessions diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index dc5bd7d237..62baa1377a 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -13,9 +13,11 @@ profile blueman @{exec_path} flags=(attach_disconnected) { include include include + include include include include + include include include include @@ -33,6 +35,11 @@ profile blueman @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.blueman.{m,M}echanism label=blueman-mechanism + dbus receive bus=system path=/org/bluez/agent/blueman + interface=org.bluez.Agent1 + member=Release + peer=(name=@{busname}, label=bluetoothd), + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 83a9fe0dc5..77e6fe5648 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -23,6 +23,8 @@ profile obexd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.bluez.obex + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.{Source,Sources@{int}} path=/org/gnome/evolution/dataserver/SourceManager{,/**} label=evolution-source-registry + dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index c9c1669890..9a245b21bd 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -33,6 +33,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mozilla.firefox + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=@{busname}, label=xdg-desktop-portal), + @{exec_path} mrix, @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 7cf69cb852..ca174d80ef 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -52,11 +52,12 @@ profile dbus-system flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Activator member=ActivationFailure - peer=(name=@{busname}, label="@{p_systemd}"), + peer=(label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=Subscribe - peer=(name=@{busname}, label="@{p_systemd}"), + peer=(label="@{p_systemd}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 024d483be5..99316e6c20 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -32,6 +32,11 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs #aa:dbus talk bus=session name=org.freedesktop.impl.portal{,.*} path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop/request/** + interface=org.freedesktop.impl.portal.Request + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), + @{exec_path} mr, / r, diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index d60a9b193f..c64e6107a0 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -18,6 +18,7 @@ profile gnome-boxes @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 6cfd3f3114..eeb2f9b17f 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -79,6 +79,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { member={InterfacesAdded,InterfacesRemoved} peer=(name=@{busname}), + dbus receive bus=system path=/org/gnome/bluetooth/settings + interface=org.bluez.Agent1 + member=Release + peer=(name=@{busname}, label=bluetoothd), + @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index a9a03a8194..a481812545 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -14,15 +14,16 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include include include + include + include include include include include + include include include include @@ -53,6 +54,10 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=@{busname}), + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member=PlayPause + peer=(name=@{busname}), dbus eavesdrop bus=session, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index c29f3643c8..a727aa40e7 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -26,7 +26,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { unix type=stream peer=(label=fbwrap), #aa:dbus own bus=session name=org.gnome.keyring - #aa:dbus own bus=session name=org.freedesktop.[sS]ecret{,s}{,.Service} + #aa:dbus own bus=session name=org.freedesktop.[sS]ecret{,s}{,.*} #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 9af0e2c4ba..20c22302ae 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -11,6 +11,7 @@ include profile gvfs-mtp-volume-monitor @{exec_path} { include include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 0c14660c10..0589bfad86 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -22,6 +22,8 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + @{exec_path} mr, owner @{HOME}/ r, diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 4ffa9a4128..78466a46db 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -16,6 +16,8 @@ profile mpris-proxy @{exec_path} { #aa:dbus own bus=session name=org.mpris.MediaPlayer2 #aa:dbus own bus=system name=org.mpris.MediaPlayer2.Player path=/{,**} + #aa:dbus common bus=session name=org.bluez.obex path=/ label=obexd + dbus send bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member=GetAll From 7c0f58a599671ff010fa7a1eea656253582d155b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 19:34:00 +0100 Subject: [PATCH 1566/1736] build(directive): dbus common -> dbus see. --- .../abstractions/bus/session/org.freedesktop.FileManager1 | 2 +- .../bus/session/org.freedesktop.background.Monitor | 2 +- .../session/org.freedesktop.impl.portal.PermissionStore | 2 +- .../abstractions/bus/session/org.gnome.ArchiveManager1 | 2 +- .../bus/session/org.gnome.Mutter.DisplayConfig | 2 +- .../abstractions/bus/session/org.gnome.Mutter.IdleMonitor | 2 +- .../bus/session/org.gnome.Nautilus.FileOperations2 | 2 +- .../bus/session/org.gnome.Shell.SearchProvider2 | 2 +- .../abstractions/bus/system/net.hadess.PowerProfiles | 2 +- .../abstractions/bus/system/net.hadess.SwitcherooControl | 2 +- apparmor.d/abstractions/bus/system/net.reactivated.Fprint | 2 +- .../abstractions/bus/system/org.freedesktop.network1 | 2 +- .../abstractions/bus/system/org.gnome.DisplayManager | 2 +- apparmor.d/profiles-m-r/mpris-proxy | 2 +- docs/development/build.md | 2 +- docs/development/dbus.md | 3 ++- pkg/directive/dbus.go | 6 +++--- pkg/directive/dbus_test.go | 8 ++++---- 18 files changed, 24 insertions(+), 23 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 index afef9a524b..006ce1acfa 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.FileManager1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus + #aa:dbus see bus=session name=org.freedesktop.FileManager1 label=nautilus dbus send bus=session path=/org/freedesktop/FileManager1 interface=org.freedesktop.FileManager1 diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor index 7715ddf451..2a44f09b2a 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.background.Monitor @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal + #aa:dbus see bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal include if exists diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore index 55d5487b56..18cef81b37 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.impl.portal.PermissionStore @@ -4,7 +4,7 @@ abi , - # dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + #aa:dbus see bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index 21424ceefd..64d1a3f519 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" + #aa:dbus see bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig index 2572a2e458..5fa8580c7e 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.DisplayConfig @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + #aa:dbus see bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor index c248c34abd..e8022e5d57 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor @@ -6,7 +6,7 @@ abi , - #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell + #aa:dbus see bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 index 8a3e7d74e9..73eea6b866 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus + #aa:dbus see bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus include if exists diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 index fbeb7ce3d9..0746686171 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Shell.SearchProvider2 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + #aa:dbus see bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell dbus receive bus=session path=/org/gnome/Characters/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles index 1033512ce9..83c5b9e77a 100644 --- a/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/system/net.hadess.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" + #aa:dbus see bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl index faad033200..5961b3467c 100644 --- a/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/system/net.hadess.SwitcherooControl @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control + #aa:dbus see bus=system name=net.hadess.SwitcherooControl label=switcheroo-control include if exists diff --git a/apparmor.d/abstractions/bus/system/net.reactivated.Fprint b/apparmor.d/abstractions/bus/system/net.reactivated.Fprint index 2d2c02fb3c..b755e04288 100644 --- a/apparmor.d/abstractions/bus/system/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/system/net.reactivated.Fprint @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" + #aa:dbus see bus=system name=net.reactivated.Fprint label="@{p_fprintd}" dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.network1 b/apparmor.d/abstractions/bus/system/org.freedesktop.network1 index 2f2a5cb594..a61627c9d7 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.network1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + #aa:dbus see bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" include if exists diff --git a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager index 4833b1512e..38ec52c7f9 100644 --- a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.gnome.DisplayManager label=gdm + #aa:dbus see bus=system name=org.gnome.DisplayManager label=gdm dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.gnome.DisplayManager.Manager diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 78466a46db..92424dcfec 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -16,7 +16,7 @@ profile mpris-proxy @{exec_path} { #aa:dbus own bus=session name=org.mpris.MediaPlayer2 #aa:dbus own bus=system name=org.mpris.MediaPlayer2.Player path=/{,**} - #aa:dbus common bus=session name=org.bluez.obex path=/ label=obexd + #aa:dbus see bus=session name=org.bluez.obex path=/ label=obexd dbus send bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties diff --git a/docs/development/build.md b/docs/development/build.md index 4f7cb0b29d..874abaa232 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -54,7 +54,7 @@ Build tasks: Directive: #aa:dbus own bus= name= [interface=AARE] [path=AARE] #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] - #aa:dbus common bus= name= label= + #aa:dbus see bus= name= label= #aa:exec [P|U|p|u|PU|pu|] profiles... #aa:only filters... #aa:exclude filters... diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 7dc1008fb5..ecd8674722 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md @@ -45,10 +45,11 @@ We use a special [directive](directives.md) to generate more advanced dbus acces **``** -: Access type. Can be `own` or `talk`: +: Access type. Can be `own`, `talk`, or `see`: - `own` means the profile owns the dbus interface. It is allowed to send and receive from anyone on this interface. It should only be used for profile owning the dbus interface. - `talk` means the profile can talk on a given interface to the profile that owns it (a label must be given under the `label` option). It should only be used when full access to an interface is required. + - `see` means the profile can see a given interface, but cannot talk to it. It is mostly used for desktop integration, as it allows the profile to be seen by the desktop environment without giving it more access. **``** diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index 93a1d929ca..6050a7233f 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -34,7 +34,7 @@ func NewDbus() *Dbus { Help: []string{ "own bus= name= [interface=AARE] [path=AARE]", "talk bus= name= label= [interface=AARE] [path=AARE]", - "see bus= name= label=", + "see bus= name= label= [interface=AARE] [path=AARE]", }, }, } @@ -52,7 +52,7 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { r = d.Own(opt.ArgMap) case "talk": r = d.Talk(opt.ArgMap) - case "common", "see": + case "see": r = d.See(opt.ArgMap) } @@ -71,7 +71,7 @@ func (d Dbus) SanityCheck(opt *Option) (string, error) { return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } action := opt.ArgList[0] - if action != "own" && action != "talk" && action != "common" { + if action != "own" && action != "talk" && action != "see" { return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } diff --git a/pkg/directive/dbus_test.go b/pkg/directive/dbus_test.go index 9a4092cead..627bed51f9 100644 --- a/pkg/directive/dbus_test.go +++ b/pkg/directive/dbus_test.go @@ -143,7 +143,7 @@ func TestDbus_Apply(t *testing.T) { peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon),`, }, { - name: "common", + name: "see", opt: &Option{ Name: "dbus", ArgMap: map[string]string{ @@ -152,11 +152,11 @@ func TestDbus_Apply(t *testing.T) { "label": "power-profiles-daemon", "talk": "", }, - ArgList: []string{"common", "bus=system", "name=net.hadess.PowerProfiles", "power-profiles-daemon"}, + ArgList: []string{"see", "bus=system", "name=net.hadess.PowerProfiles", "power-profiles-daemon"}, File: nil, - Raw: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", + Raw: " #aa:dbus see bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", }, - profile: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", + profile: " #aa:dbus see bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", want: ` # Unix: allow connection to the profile unix type=stream peer=(label=power-profiles-daemon), From e4e71addb46b169caeacf36a441d3ba267a4c552 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 19:40:58 +0100 Subject: [PATCH 1567/1736] feat(profile): minor update. --- apparmor.d/groups/freedesktop/boltd | 2 + .../polkit-kde-authentication-agent | 3 +- .../groups/freedesktop/xdg-desktop-portal | 10 ++++- .../groups/gnome/evolution-alarm-notify | 1 + apparmor.d/groups/gnome/gnome-boxes | 2 + apparmor.d/groups/gnome/gnome-control-center | 5 ++- ...e-control-center-global-shortcuts-provider | 41 +++++++++++++++++++ .../gnome-control-center-search-provider | 1 + apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/groups/gnome/gnome-session-service | 2 +- apparmor.d/groups/gnome/papers | 2 - apparmor.d/groups/gpg/scdaemon | 2 + apparmor.d/groups/gvfs/gvfsd-metadata | 2 + apparmor.d/groups/pacman/pkgctl | 1 + apparmor.d/groups/pacman/yay | 12 ++++++ apparmor.d/groups/utils/lslogins | 2 +- apparmor.d/groups/virt/docker-proxy | 2 + apparmor.d/profiles-a-f/fprintd | 2 + apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/irqbalance | 3 +- apparmor.d/profiles-m-r/nvtop | 2 + apparmor.d/profiles-m-r/ollama | 8 +++- apparmor.d/profiles-s-z/switcheroo-control | 2 + apparmor.d/profiles-s-z/unix-chkpwd | 5 --- 24 files changed, 98 insertions(+), 18 deletions(-) create mode 100644 apparmor.d/groups/gnome/gnome-control-center-global-shortcuts-provider diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 48130a9a00..0deb40ed7c 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -22,6 +22,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + /var/lib/boltd/{,**} rw, owner @{run}/boltd/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 5f3ffccb07..da8e5bff4a 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,11 +11,12 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include include - include include + include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 3ebd6d345d..b1c855cf92 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -33,6 +33,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { network netlink raw, network inet dgram, network inet6 dgram, + network inet dgram, ptrace read, @@ -94,15 +95,22 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} mrPx -> child-open-any, + /usr/share/xdg-desktop-portal/** r, + + /etc/sysconfig/proxy r, + / r, + /att/**/ r, @{att}/ r, @{att}/.flatpak-info r, - /att/**/ r, /usr/share/xdg-desktop-portal/** r, /etc/sysconfig/proxy r, + owner /var/lib/gdm/seat@{int}/config/evolution/sources/ r, + owner /var/lib/gdm/seat@{int}/config/evolution/sources/system-proxy.source r, + @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 13067954bc..4d3713712d 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index c64e6107a0..beec39225f 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -60,12 +60,14 @@ profile gnome-boxes @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-boxes/ rw, owner @{user_share_dirs}/gnome-boxes/** rwk, + owner /var/tmp/*.svg-@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, owner @{tmp}/*.svg-@{rand6} rw, owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + owner @{run}/user/@{uid}/libvirt/virtqemud-sock rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index eeb2f9b17f..ee929d40ee 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -97,16 +97,17 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { # glycin @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, + @{bin}/lscpu rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, @{bin}/update-manager rPx, - @{sbin}/openvpn rPx, - @{sbin}/usermod rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, @{lib}/gnome-control-center-print-renderer rPx, + @{sbin}/openvpn rPx, + @{sbin}/usermod rPx, /usr/share/language-tools/language2locale rix, /usr/share/language-tools/language-options rPUx, diff --git a/apparmor.d/groups/gnome/gnome-control-center-global-shortcuts-provider b/apparmor.d/groups/gnome/gnome-control-center-global-shortcuts-provider new file mode 100644 index 0000000000..d5110ad61f --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-control-center-global-shortcuts-provider @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-control-center-global-shortcuts-provider +profile gnome-control-center-global-shortcuts-provider @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, + + unix type=stream peer=(label=gnome-shell), + + #aa:dbus own bus=session name=org.gnome.Settings.GlobalShortcutsProvider + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + /usr/share/gnome-control-center/keybindings/{,**} r, + + owner @{gdm_cache_dirs}/fontconfig/* r, + + owner @{PROC}/@{pid}/task/@{tid}/comm w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index c96a9aa481..a082b53289 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,6 +10,7 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index e70f142ba3..d293cd4d4e 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -87,7 +87,7 @@ profile gnome-session @{exec_path} flags=(attach_disconnected) { /dev/tty@{u8} rw, - profile flatpak { + profile flatpak flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index e76d358510..81f866cfd5 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -55,7 +55,7 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, - profile open { + profile open flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 6026a145f3..3785993d8c 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -37,8 +37,6 @@ profile papers @{exec_path} flags=(attach_disconnected) { @{open_path} Cx -> open, - /etc/passwd r, - owner @{user_config_dirs}/cpdb/print-settings r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 6db7e8bf8f..5cb9cd8286 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -24,6 +24,8 @@ profile scdaemon @{exec_path} { owner /etc/pacman.d/gnupg/scdaemon.conf r, owner /etc/pacman.d/gnupg/S.scdaemon rw, + / r, + owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 64c0d79622..3e585a504f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -22,6 +22,8 @@ profile gvfsd-metadata @{exec_path} { @{exec_path} mr, + / r, + owner @{gdm_share_dirs}/gvfs-metadata/{,*} rw, owner @{HOME}/.local/ w, diff --git a/apparmor.d/groups/pacman/pkgctl b/apparmor.d/groups/pacman/pkgctl index 1050e78c5a..48b5ebb6a3 100644 --- a/apparmor.d/groups/pacman/pkgctl +++ b/apparmor.d/groups/pacman/pkgctl @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # This profile is large on purpose: +# # - Pkgctl uses a lot of different binaries and scripts inside sandbox. # - Using the unconfined flag would Pix everything, we do not want that as the # transitioned profile would have to account for pkgctl paths too. diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index a154b4acc6..3f58c16f9a 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -20,6 +20,9 @@ profile yay @{exec_path} { network inet6 stream, network netlink raw, + signal send set=term peer=pkttyagent, + signal send set=term peer=systemd-tty-ask-password-agent, + @{exec_path} mr, @{editor_path} Cx -> editor, @@ -29,6 +32,8 @@ profile yay @{exec_path} { @{bin}/pacman Px, @{bin}/pacman-conf Px, @{bin}/sudo Cx -> sudo, + @{bin}/pkttyagent Px, + @{bin}/systemd-tty-ask-password-agent Px, /var/lib/pacman/** r, @@ -37,6 +42,8 @@ profile yay @{exec_path} { owner @{user_config_dirs}/yay/{,**} rw, + owner @{PROC}/@{pid}/stat r, + profile git { include include @@ -91,6 +98,11 @@ profile yay @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + owner @{run}/user/@{uid}/gnupg/d.@{hex}/S.dirmngr rw, + owner @{run}/user/@{uid}/gnupg/d.@{hex}/S.gpg-agent rw, + + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins index 7393b47c00..7a24767d3e 100644 --- a/apparmor.d/groups/utils/lslogins +++ b/apparmor.d/groups/utils/lslogins @@ -14,9 +14,9 @@ profile lslogins @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, /etc/.pwd.lock w, /etc/.pwd.lock wk, - /etc/login.defs r, /etc/shadow r, /var/log/lastlog r, diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index e2cc400204..253f787795 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -24,6 +24,8 @@ profile docker-proxy @{exec_path} { @{exec_path} mr, + @{sys}/fs/cgroup/system.slice/docker.service/cpu.max r, + @{PROC}/sys/net/core/somaxconn r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 523aad4af8..212ab70874 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -26,6 +26,8 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /etc/fprintd.conf r, + / r, + /var/lib/fprint/{,**} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index e99964f2ac..7dfc3ba362 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -62,7 +62,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/igmp{,6} r, owner @{PROC}/sys/net/ipv{4,6}/route/flush w, - /dev/tty@{u8} rw, + /dev/net/tun rw, include if exists } diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 022dc92d52..29e6e642db 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -33,7 +33,8 @@ profile irqbalance @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/isolated r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/ r, - @{sys}/devices/system/node/node@{int}/{cpumap,meminfo} r, + @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/cpu/nohz_full r, @{PROC}/interrupts r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 88e91c81b7..b2ec5ad508 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -25,6 +25,8 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { /usr/share/terminfo/** r, + / r, + owner @{user_config_dirs}/nvtop/{,**} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 7c0fe46f82..b1d29e8753 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -28,6 +28,7 @@ profile ollama @{exec_path} flags=(attach_disconnected) { /usr/ r, /usr/local/ r, /usr/local/lib/ r, + @{bin}/ r, @{lib}/ollama/ r, @{lib}/ollama/*.so mr, @@ -35,7 +36,8 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner /var/lib/ollama/ rw, owner /var/lib/ollama/** rwlk, - owner @{HOME}/.ollama/{,*} rw, + owner @{HOME}/.ollama/ rw, + owner @{HOME}/.ollama/** rwlk, @{tmp}/ r, owner @{tmp}/@{int}.bin rw, @@ -48,7 +50,7 @@ profile ollama @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, - + @{sys}/fs/cgroup/system.slice/ollama.service/cpu.max r, @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, @@ -57,6 +59,8 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/task/@{tid}/comm w, + /dev/nvidia-caps/nvidia-cap@{int} r, + include if exists } diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index dff61fb5df..c1fd317c8b 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -21,6 +21,8 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 75cb6cf4e0..a73eb594a0 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -27,11 +27,6 @@ profile unix-chkpwd @{exec_path} flags=(attach_disconnected) { @{run}/host/userdb/*.user r, @{run}/host/userdb/*.user-privileged r, - owner /dev/tty@{u8} rw, - - /dev/pts/@{u8} rw, # file_inherit - - include if exists } From cd4e81ca060127e8d4d941c12cefb1bbbfa269e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 19:44:09 +0100 Subject: [PATCH 1568/1736] feat(profile): improve snap profiles. --- apparmor.d/groups/snap/snap-update-ns | 18 +++++------------- apparmor.d/groups/snap/snapd | 8 ++++++++ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 9ae71af494..b3ea5eacf0 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -25,21 +25,17 @@ profile snap-update-ns @{exec_path} { mount -> /var/cache/fontconfig/, mount -> /var/lib/dhcp/, - umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, + umount @{lib}/**/, umount /snap/**, umount /tmp/.snap/**, - umount /usr/share/fonts/, - umount /usr/share/xml/iso-codes/, + umount /usr/share/{,**/}, umount /var/cache/fontconfig/, umount /var/lib/dhcp/, @{exec_path} mr, @{lib_dirs}/**.so* mr, - @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - - /usr/share/xml/ r, - /usr/share/xml/iso-codes/ rw, + @{lib}/**/ w, /var/lib/snapd/mount/{,*} r, @@ -49,13 +45,9 @@ profile snap-update-ns @{exec_path} { /usr/ r, /usr/local/ r, /usr/local/share/ r, - /usr/local/share/doc/ rw, - /usr/local/share/fonts/ rw, + /usr/local/share/*/ rw, /usr/share/ r, - /usr/share/drirc.d w, - /usr/share/swcatalog/ rw, - /usr/share/X11/ r, - /usr/share/X11/XErrorDB w, + /usr/share/**/ rw, owner /snap/{,**} rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index e85afd6a87..b377e10bb3 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -228,6 +228,14 @@ profile snapd @{exec_path} { profile runuser { include + include + include + + capability audit_write, + capability setgid, + capability setuid, + + network netlink raw, @{sbin}/runuser mr, From 17156cda387ede20863fb84e879d430a57792b95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 19:45:06 +0100 Subject: [PATCH 1569/1736] build(debian): ensure the cache is not removed to often. This has performance consequences. --- debian/common.postinst | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/common.postinst b/debian/common.postinst index e6651093ef..dfb2b60845 100644 --- a/debian/common.postinst +++ b/debian/common.postinst @@ -7,7 +7,6 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache 2>/dev/null || true deb-systemd-invoke reload apparmor.service || true exit 0 From da45b0b9df3b6a70442c098777f691cc67658694 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 20:11:53 +0100 Subject: [PATCH 1570/1736] tests(builder): add tests for profiles utils. --- pkg/builder/core_test.go | 4 +- pkg/util/profiles.go | 3 +- pkg/util/profiles_test.go | 153 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 156 insertions(+), 4 deletions(-) create mode 100644 pkg/util/profiles_test.go diff --git a/pkg/builder/core_test.go b/pkg/builder/core_test.go index 4e5d4eb6c2..86fa08bc6b 100644 --- a/pkg/builder/core_test.go +++ b/pkg/builder/core_test.go @@ -97,7 +97,7 @@ func TestBuilder_Apply(t *testing.T) { }`, want: ` @{exec_path} = @{bin}/foo - profile foo @{exec_path} flags=(attach_disconnected,complain) { + profile foo @{exec_path} flags=(attach_disconnected,complain) { include @{exec_path} mr, @@ -163,7 +163,7 @@ func TestBuilder_Apply(t *testing.T) { }`, want: ` @{exec_path} = @{bin}/foo - profile foo @{exec_path} flags=(attach_disconnected) { + profile foo @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, diff --git a/pkg/util/profiles.go b/pkg/util/profiles.go index e756f03cc5..6e96ce4a04 100644 --- a/pkg/util/profiles.go +++ b/pkg/util/profiles.go @@ -31,9 +31,8 @@ func GetFlags(profile string) []string { // SetFlags replaces flags in a profile string. If flags is empty, removes the flags clause. func SetFlags(profile string, flags []string) string { profile = regFlags.ReplaceAllLiteralString(profile, "") + profile = strings.ReplaceAll(profile, " {\n", " {\n") if len(flags) == 0 { - // Clean up any extra space left after removing flags - profile = strings.ReplaceAll(profile, " {\n", " {\n") return profile } flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" diff --git a/pkg/util/profiles_test.go b/pkg/util/profiles_test.go new file mode 100644 index 0000000000..1a2e3212c4 --- /dev/null +++ b/pkg/util/profiles_test.go @@ -0,0 +1,153 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package util + +import ( + "reflect" + "testing" +) + +func TestGetFlags(t *testing.T) { + tests := []struct { + name string + profile string + want []string + }{ + { + name: "no flags", + profile: "profile foo /usr/bin/foo {\n", + want: nil, + }, + { + name: "single flag", + profile: "profile foo /usr/bin/foo flags=(complain) {\n", + want: []string{"complain"}, + }, + { + name: "multiple flags", + profile: "profile foo /usr/bin/foo flags=(attach_disconnected,complain) {\n", + want: []string{"attach_disconnected", "complain"}, + }, + { + name: "empty profile", + profile: "", + want: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := GetFlags(tt.profile); !reflect.DeepEqual(got, tt.want) { + t.Errorf("GetFlags() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSetFlags(t *testing.T) { + tests := []struct { + name string + profile string + flags []string + want string + }{ + { + name: "add flags to profile without flags", + profile: "profile foo /usr/bin/foo {\n", + flags: []string{"complain"}, + want: "profile foo /usr/bin/foo flags=(complain) {\n", + }, + { + name: "add multiple flags", + profile: "profile foo /usr/bin/foo {\n", + flags: []string{"attach_disconnected", "complain"}, + want: "profile foo /usr/bin/foo flags=(attach_disconnected,complain) {\n", + }, + { + name: "replace existing flags", + profile: "profile foo /usr/bin/foo flags=(complain) {\n", + flags: []string{"enforce"}, + want: "profile foo /usr/bin/foo flags=(enforce) {\n", + }, + { + name: "remove flags with empty slice", + profile: "profile foo /usr/bin/foo flags=(complain) {\n", + flags: []string{}, + want: "profile foo /usr/bin/foo {\n", + }, + { + name: "remove flags with nil", + profile: "profile foo /usr/bin/foo flags=(complain) {\n", + flags: nil, + want: "profile foo /usr/bin/foo {\n", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := SetFlags(tt.profile, tt.flags); got != tt.want { + t.Errorf("SetFlags() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSetMode(t *testing.T) { + tests := []struct { + name string + profile string + mode string + want string + wantErr bool + }{ + { + name: "set complain mode", + profile: "profile foo /usr/bin/foo {\n", + mode: "complain", + want: "profile foo /usr/bin/foo flags=(complain) {\n", + }, + { + name: "set enforce mode removes mode flags", + profile: "profile foo /usr/bin/foo flags=(complain) {\n", + mode: "enforce", + want: "profile foo /usr/bin/foo {\n", + }, + { + name: "replace complain with kill", + profile: "profile foo /usr/bin/foo flags=(complain) {\n", + mode: "kill", + want: "profile foo /usr/bin/foo flags=(kill) {\n", + }, + { + name: "preserve non-mode flags when setting mode", + profile: "profile foo /usr/bin/foo flags=(attach_disconnected,complain) {\n", + mode: "enforce", + want: "profile foo /usr/bin/foo flags=(attach_disconnected) {\n", + }, + { + name: "preserve non-mode flags when changing mode", + profile: "profile foo /usr/bin/foo flags=(attach_disconnected,complain) {\n", + mode: "kill", + want: "profile foo /usr/bin/foo flags=(attach_disconnected,kill) {\n", + }, + { + name: "unknown mode returns error", + profile: "profile foo /usr/bin/foo {\n", + mode: "invalid", + want: "profile foo /usr/bin/foo {\n", + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := SetMode(tt.profile, tt.mode) + if (err != nil) != tt.wantErr { + t.Errorf("SetMode() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + t.Errorf("SetMode() = %v, want %v", got, tt.want) + } + }) + } +} From a73dfd7bd0ffe495c57af608e98ba247a82aa2d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 28 Mar 2026 20:13:36 +0100 Subject: [PATCH 1571/1736] chore: cosmetic. --- share/man/man8/aa-log.8 | 2 +- share/man/man8/aa-log.md | 2 +- tests/check.sh | 2 +- tests/packer/clean.sh | 1 - tests/packer/src/.bash_aliases | 19 +++++++++++++------ tests/requirements.sh | 4 ++-- 6 files changed, 18 insertions(+), 12 deletions(-) diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 index 64a9f17a24..f19f669dcd 100644 --- a/share/man/man8/aa-log.8 +++ b/share/man/man8/aa-log.8 @@ -2,7 +2,7 @@ .\" .TH "aa\-log" "8" "December 2025" "" .SH NAME -aa\-log \[em] Review AppArmor generated messages in a colorful way. +aa\-log \- Review AppArmor generated messages in a colorful way. .SH SYNOPSIS \f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .SH DESCRIPTION diff --git a/share/man/man8/aa-log.md b/share/man/man8/aa-log.md index 81b2039f8d..f4ce74be39 100644 --- a/share/man/man8/aa-log.md +++ b/share/man/man8/aa-log.md @@ -4,7 +4,7 @@ # NAME -aa-log — Review AppArmor generated messages in a colorful way. +aa-log - Review AppArmor generated messages in a colorful way. # SYNOPSIS diff --git a/tests/check.sh b/tests/check.sh index 36f44134b4..3c1c051b3a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -580,7 +580,7 @@ _check_udev() { check_sbin() { local file name jobs mapfile -t sbin <"$SBIN_LIST" - _msg "Ensuring '@{bin} and '@{sbin}' are correctly used in profiles" + _msg "Ensuring '@{bin}' and '@{sbin}' are correctly used in profiles" jobs=0 for name in "${sbin[@]}"; do diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index a31e2b1878..719cbe9011 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -70,7 +70,6 @@ impersonalize() { # Remove remaining pkg file, docs and caches dirs=( - /var/cache/ /var/tmp ) for dir in "${dirs[@]}"; do diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 8a11708b3f..c18f0f3887 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -3,9 +3,16 @@ source /usr/share/bash-completion/bash_completion function up() { -for nb in $(seq "$1"); do - cd ../ -done + for nb in $(seq "$1"); do + cd ../ + done +} + +function _ps() { + LIBPROC_HIDE_KERNEL=1 ps "$@" | sed \ + -e "s/\bunconfined\b/\x1b[1;41;97munconfined\x1b[0m/g" \ + -e "s/\bcomplain\b/\x1b[1;33mcomplain\x1b[0m/g" \ + -e "s/\benforce\b/\x1b[1;32menforce\x1b[0m/g" } alias aa-log='sudo aa-log' @@ -14,9 +21,9 @@ alias c='clear' alias du='du -hs' alias l='ll -h' alias ll='ls -alFh' -alias p="LIBPROC_HIDE_KERNEL=1 ps auxZ" -alias pf="LIBPROC_HIDE_KERNEL=1 ps auxfZ" -alias pu="LIBPROC_HIDE_KERNEL=1 ps auxZ | grep unconfined" +alias p="_ps auxZ" +alias pf="_ps auxfZ" +alias pu="_ps auxZ | grep unconfined" alias u='up 1' alias uu='up 2' alias uuu='up 3' diff --git a/tests/requirements.sh b/tests/requirements.sh index 0801ff27dd..087f72df0f 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -21,8 +21,8 @@ arch) pacman-contrib tlp flatpak networkmanager ;; debian | ubuntu | whonix) - sudo apt update -y - sudo apt install -y \ + sudo apt-get update -y + sudo apt-get install -y \ bats bats-support \ cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ network-manager systemd-container flatpak util-linux-extra From f722e374632b3ac493d5577a73a4b6204742f40b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 17:54:44 +0200 Subject: [PATCH 1572/1736] feat(profile): initial support for gnome 50 and ubuntu 26.04 --- apparmor.d/abstractions/gnome.d/complete | 7 ++++++- apparmor.d/abstractions/gvfs-backend | 2 +- apparmor.d/groups/_full/systemd-user | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-dconf | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 +- apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-portal | 2 +- apparmor.d/groups/bus/ibus-x11 | 2 +- apparmor.d/groups/flatpak/flatpak-portal | 2 +- apparmor.d/groups/flatpak/flatpak-session-helper | 2 +- apparmor.d/groups/freedesktop/dconf-service | 2 +- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-extension | 12 ++++++++++++ apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/groups/gnome/gnome-session-service | 2 +- apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 +- apparmor.d/groups/gnome/goa-identity-service | 2 +- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-disk-utility-notify | 2 +- apparmor.d/groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/gsd-printer | 2 +- apparmor.d/groups/gnome/gsd-rfkill | 2 +- apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 +- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gnome/gsd-usb-protection | 2 +- apparmor.d/groups/gnome/gsd-wwan | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gvfs/gvfs-afc-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-goa-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfsd | 2 +- apparmor.d/groups/snap/snap | 2 +- apparmor.d/groups/ubuntu/software-properties-dbus | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 1 + apparmor.d/groups/virt/libvirt-dbus | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-m-r/mpris-proxy | 4 ++-- 57 files changed, 74 insertions(+), 56 deletions(-) diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3d4b47f9f1..3b08aba332 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -7,7 +7,12 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-extension), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/gvfs-backend b/apparmor.d/abstractions/gvfs-backend index fb925118bc..1f8518b397 100644 --- a/apparmor.d/abstractions/gvfs-backend +++ b/apparmor.d/abstractions/gvfs-backend @@ -21,7 +21,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), include if exists diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 057076e5f0..1931b4637b 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -46,7 +46,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 77e6fe5648..eae4842386 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -33,7 +33,7 @@ profile obexd @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 4783bc66a8..c7be2735fa 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -25,7 +25,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index ca431950ca..25fae387d4 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -43,7 +43,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index f2ddcec8c0..b037cfaf6d 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -36,7 +36,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index cbd3a94fca..4deaacb75f 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -22,7 +22,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), dbus receive bus=system path=/ca/desrt/dconf/Writer/ibus interface=ca.desrt.dconf.Writer diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 4a67af1de3..b021e7d57d 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -21,7 +21,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index f643288f76..24f1142ac3 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -29,7 +29,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index b202fb324c..f07f8126eb 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -20,7 +20,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index cd01464d9d..e79c0e933f 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -25,7 +25,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 37fde622c3..d456021281 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -26,7 +26,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index ef12284709..04f60cdaae 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -32,7 +32,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 00acf58faf..df4acc1e90 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -25,7 +25,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected,mediate_d dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index a5a7ecd307..d9fd8cec45 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -22,7 +22,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 8bef51e073..5c27d41cdd 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -29,7 +29,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index ad3459df15..5ccc912010 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 39386e3509..ceb42f349a 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -47,7 +47,7 @@ profile pulseaudio @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 1946f1a0e1..954becf9ce 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -36,7 +36,7 @@ profile wireplumber @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), dbus receive bus=system path=/midi{,server@{int}} interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index b1c855cf92..745380df35 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -71,7 +71,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), # FIXME: This should have been included in the talk directive dbus send bus=session path=/org/freedesktop/FileManager1 diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 98c0adfe5c..200d6a40e8 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -36,7 +36,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 3ae95c2e96..0840cf2850 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -24,7 +24,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 58dee447f9..bd95fb553f 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -36,7 +36,7 @@ profile deja-dup-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index d04c4b4a0e..43c969209d 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -36,7 +36,7 @@ profile evolution-calendar-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index f0c6c64da1..e7cba265ff 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -34,7 +34,7 @@ profile evolution-source-registry @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index b9ddbe2146..332dbc1c31 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -25,7 +25,7 @@ profile gdm-session @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension index 7a9a0b08b7..af4365aad5 100644 --- a/apparmor.d/groups/gnome/gnome-extension +++ b/apparmor.d/groups/gnome/gnome-extension @@ -22,10 +22,22 @@ profile gnome-extension { include include + # Server side of abstractions/gnome-base: introspect everything + dbus send bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}), + dbus send bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + @{exec_path} mr, # Used to track the extensions supported by this profile @{share_dirs}/tilingshell@ferrarodomenico.com/*.js r, + @{share_dirs}/ubuntu-appindicators@ubuntu.com/*.js r, + @{share_dirs}/ubuntu-appindicators@ubuntu.com/tools/busAnalyzer.js r, @{share_dirs}/ubuntu-dock@ubuntu.com/*.js r, /usr/share/xkeyboard-config-2/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index a727aa40e7..4138dcea7d 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index d293cd4d4e..b0c2c9b4e9 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -28,7 +28,7 @@ profile gnome-session @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 81f866cfd5..bb1d94b764 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -26,7 +26,7 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index aaf8b5ac67..d88e5af322 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -24,7 +24,7 @@ profile gnome-shell-calendar-server @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 0fac321adb..cd2031ce8d 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -20,7 +20,7 @@ profile goa-identity-service @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index d4d3d0ba1b..03e15fa421 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -32,7 +32,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index d42ec792bd..8b86f4eaf8 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -32,7 +32,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index cb3e278290..cebd18f02e 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -19,7 +19,7 @@ profile gsd-disk-utility-notify @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 639e27f002..48d50017b5 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -32,7 +32,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 6f2182a3b3..aa9ce1a519 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -24,7 +24,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index e2391ce21d..5b0e6e0b25 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -31,7 +31,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 6dd0c118bb..57a3429c0c 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -22,7 +22,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 6eda58485b..835452f354 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -29,7 +29,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 interface=org.freedesktop.NetworkManager.VPN.Connection diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 38fd0a1829..b3eeffb51b 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -26,7 +26,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 7bd86e92d9..0730d49793 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -25,7 +25,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 5b23bf61a0..7982cb94c0 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -22,7 +22,7 @@ profile gsd-usb-protection @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index 6aa6145720..045cf7b94e 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -21,7 +21,7 @@ profile gsd-wwan @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index e316a72d3e..a3613cd1a5 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -27,7 +27,7 @@ profile ptyxis-agent @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 32136d710c..322549b28d 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -17,7 +17,7 @@ profile gvfs-afc-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 077e47196a..a162e58075 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -19,7 +19,7 @@ profile gvfs-goa-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index 2675e73022..6e61cf85ca 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -21,7 +21,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index d5e1d890c2..e2434522a4 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -36,7 +36,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index af6ba0761e..ba904522ec 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -34,7 +34,7 @@ profile gvfsd @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 53cc857247..d3cd631635 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -55,7 +55,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 8f3cce65c3..9e461b269d 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -20,7 +20,7 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 7c656cb0a7..623f670bb0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -10,6 +10,7 @@ include profile ubuntu-advantage @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index c8ddb7ed4e..670b4da5cf 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -19,7 +19,7 @@ profile libvirt-dbus @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 621c061bda..f4d913947b 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -105,7 +105,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), # include dbus send bus=system path=/org/freedesktop/DBus diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 92424dcfec..b5472c9221 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -24,10 +24,10 @@ profile mpris-proxy @{exec_path} { peer=(name=org.mpris.MediaPlayer2.*, label="*"), # DBus.Introspectable: allow introspection from gnome-shell - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, From 0b92d1e0d2509836dd875aef58bbfee6cd1e1c47 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 17:59:51 +0200 Subject: [PATCH 1573/1736] feat(abs): better dbus rules. --- .../bus/system/org.freedesktop.GeoClue2 | 11 ++++++--- .../bus/system/org.freedesktop.PackageKit | 2 +- apparmor.d/abstractions/gnome-base | 4 ++++ apparmor.d/abstractions/localization-control | 23 +++++++++++++++++++ 4 files changed, 36 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/abstractions/localization-control diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 index b697137f94..46778361c5 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 @@ -47,14 +47,19 @@ member=AddAgent peer=(name="@{busname}", label="@{p_geoclue}"), + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager + interface=org.freedesktop.GeoClue2.Manager + member={GetClient,DeleteClient} + peer=(name=@{busname}, label="@{p_geoclue}"), + dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} interface=org.freedesktop.GeoClue2.Client member=Start peer=(name=@{busname}, label="@{p_geoclue}"), - dbus send bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.GeoClue2.Manager - member={GetClient,DeleteClient} + dbus receive bus=system path=/org/freedesktop/GeoClue2/Client/@{int} + interface=org.freedesktop.GeoClue2.Client + member=LocationUpdated peer=(name=@{busname}, label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit index aa9aeaab36..ebc238aa07 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.PackageKit @@ -7,7 +7,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd + #aa:dbus see bus=system name=org.freedesktop.PackageKit label=packagekitd dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index c7bc3db752..74b785f40b 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -20,6 +20,10 @@ interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-extension), @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, diff --git a/apparmor.d/abstractions/localization-control b/apparmor.d/abstractions/localization-control new file mode 100644 index 0000000000..c6906be34f --- /dev/null +++ b/apparmor.d/abstractions/localization-control @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + + # GeoClue2 + + dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=@{busname}, label="@{p_geoclue}"), + + dbus send bus=system path=/org/freedesktop/GeoClue2/Client/@{int} + interface=org.freedesktop.GeoClue2.Client + member={Start,Stop} + peer=(name=@{busname}, label="@{p_geoclue}"), + + include if exists + +# vim:syntax=apparmor From 93817e76d479ae1ba88a39af89062ea8932a57d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 18:04:47 +0200 Subject: [PATCH 1574/1736] feat(abs): add wayland-strict It is mostly to be free in our changes and to not depand on upstream abs. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/wayland-strict | 34 +++++++++++++++++++ apparmor.d/abstractions/xfce | 2 +- apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/torbrowser-glxtest | 2 +- apparmor.d/groups/freedesktop/xwayland | 2 +- apparmor.d/groups/hyprland/hyprlock | 2 +- apparmor.d/groups/kde/kwin_wayland_wrapper | 2 +- apparmor.d/groups/steam/steam-fossilize | 2 +- apparmor.d/groups/umu/umu-run | 2 +- apparmor.d/profiles-s-z/slurp | 2 +- apparmor.d/profiles-s-z/thunderbird-glxtest | 2 +- tests/check.sh | 1 + 13 files changed, 46 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/abstractions/wayland-strict diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 5733cd7065..b647eaf0f4 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -32,7 +32,7 @@ include include include - include + include include include diff --git a/apparmor.d/abstractions/wayland-strict b/apparmor.d/abstractions/wayland-strict new file mode 100644 index 0000000000..0855e35f36 --- /dev/null +++ b/apparmor.d/abstractions/wayland-strict @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 intrigeri +# Copyright (C) 2021-2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Needed when using QT_QPA_PLATFORM=wayland-egl (MESA dri config) + /etc/drirc r, + + # Allow access to the Wayland compositor server socket + owner @{run}/user/@{uid}/wayland-@{int} rw, + owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, + owner @{run}/user/@{uid}/wayland-cursor-shared-@{int} rw, + owner @{run}/user/@{uid}/wayland-proxy-@{int} rw, + + # Compositors specific socket path + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + owner @{run}/user/@{uid}/mesa-shared-@{int} rw, + owner @{run}/user/@{uid}/mutter-shared-@{int} rw, + owner @{run}/user/@{uid}/sdl-shared-@{int} rw, + owner @{run}/user/@{uid}/weston-shared-@{int} rw, + owner @{run}/user/@{uid}/xwayland-shared-@{int} rw, + + # Compositors based on wlroots + owner /dev/shm/@{uuid} rw, + owner /dev/shm/dunst-@{rand6} rw, + owner /dev/shm/grim-@{rand6} rw, + owner /dev/shm/sway* rw, + owner /dev/shm/wlroots-@{rand6} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 745abadc5e..36602e8911 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -23,7 +23,7 @@ include include include - include + include include include diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 89ef3a946f..9e6245eeb9 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -17,7 +17,7 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include + include include unix type=seqpacket peer=(label=firefox), diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index 2d86972598..86d8e5471c 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest @@ -17,7 +17,7 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 20bec4efbe..b313ccf0ed 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -13,7 +13,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=(term hup) peer=gdm*, diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index 73b6616f91..a6cab4e0f7 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -13,7 +13,7 @@ profile hyprlock @{exec_path} flags=(attach_disconnected) { include include include - include + include network netlink raw, diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index a7ce4c2fea..5b81e7c7b1 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -10,7 +10,7 @@ include profile kwin_wayland_wrapper @{exec_path} { include include - include + include include signal (send) set=(term, kill) peer=kwin_wayland, diff --git a/apparmor.d/groups/steam/steam-fossilize b/apparmor.d/groups/steam/steam-fossilize index a5dd65b7ce..a2c999d90f 100644 --- a/apparmor.d/groups/steam/steam-fossilize +++ b/apparmor.d/groups/steam/steam-fossilize @@ -16,7 +16,7 @@ include profile steam-fossilize @{exec_path} flags=(attach_disconnected) { include include - include + include include signal receive peer=steam, diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run index 2e325134e3..7b2235bdbf 100644 --- a/apparmor.d/groups/umu/umu-run +++ b/apparmor.d/groups/umu/umu-run @@ -25,7 +25,7 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { include include include - include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index 740af9b7bc..8ffe32b106 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 571fbf9bb4..81f506e9b1 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -16,7 +16,7 @@ profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include + include include network netlink raw, diff --git a/tests/check.sh b/tests/check.sh index 3c1c051b3a..4a44a61e43 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -179,6 +179,7 @@ declare -A ABS_DEPRECATED=( ["bash"]="shells" ["X"]="X-strict" ["gtk"]="gtk-strict" + ["wayland"]="wayland-strict" ["dbus-accessibility-strict"]="bus-accessibility" ["dbus-network-manager-strict"]="network-manager-observe" ["dbus-session-strict"]="bus-session" From 972657693537652b78b7c199f0a91b0fcc9b0c50 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 18:11:22 +0200 Subject: [PATCH 1575/1736] feat(abs): minor update on some core abs. --- apparmor.d/abstractions/amdgpu | 2 ++ apparmor.d/abstractions/desktop | 16 +++++++--------- apparmor.d/abstractions/development | 2 ++ apparmor.d/abstractions/devices-usb-read | 1 + apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/graphics | 4 ++++ apparmor.d/abstractions/gstreamer | 1 + apparmor.d/abstractions/input | 1 + apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/abstractions/lxqt | 2 +- apparmor.d/abstractions/mime | 8 ++++---- apparmor.d/abstractions/nvidia-strict | 3 +++ 12 files changed, 28 insertions(+), 16 deletions(-) diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu index 181d868643..dd6cc4dc5d 100644 --- a/apparmor.d/abstractions/amdgpu +++ b/apparmor.d/abstractions/amdgpu @@ -6,6 +6,8 @@ abi , + /opt/rocm/lib/{,**} mr, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index b647eaf0f4..f2432e27fb 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -35,20 +35,18 @@ include include include + # include - # if @{DE} == gnome - + # if "gnome" in @{DE} { include if exists - # else if @{DE} == kde - - include - - # else if @{DE} == xfce + # } else if "kde" in @{DE} { + include if exists - include + # } else if "xfce" in @{DE} { + include if exists - # end + # } /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, # FIXME: a bit too wide diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index fdf22461d9..879df6e603 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -54,6 +54,8 @@ owner @{tmp}/*tests*/** rwlk, owner @{tmp}/*tests*/** mix, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/kernel/mm/transparent_hugepage/enabled r, # Memory usage in pages (total, resident, shared, text, data) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 84b667a5ae..48ac000d7a 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -25,6 +25,7 @@ @{sys}/devices/**/usb@{int}/{,**/}idProduct r, @{sys}/devices/**/usb@{int}/{,**/}idVendor r, @{sys}/devices/**/usb@{int}/{,**/}manufacturer r, + @{sys}/devices/**/usb@{int}/{,**/}modalias r, @{sys}/devices/**/usb@{int}/{,**/}product r, @{sys}/devices/**/usb@{int}/{,**/}removable r, @{sys}/devices/**/usb@{int}/{,**/}serial r, diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 45909a3919..ce663374a3 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -25,7 +25,7 @@ include include include - include + include include include diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 03c653c045..01accb1740 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -16,9 +16,12 @@ @{sys}/devices/system/ r, @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/coherency_line_size r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/physical_line_partition r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/shared_cpu_list r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/shared_cpu_map r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/type r, @@ -36,6 +39,7 @@ @{sys}/devices/system/cpu/present r, @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/ r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/online r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index fe43f8a030..750e13782c 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -8,6 +8,7 @@ include unix (bind listen) type=seqpacket addr=@@{hex}, + unix (bind listen) type=seqpacket addr=@@{hex}@{hex}, @{gstreamer_path} rix, diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input index 8e9bc96acb..d70e08b2c2 100644 --- a/apparmor.d/abstractions/input +++ b/apparmor.d/abstractions/input @@ -14,6 +14,7 @@ @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/{,**/}name r, @{sys}/devices/**/input@{int}/{,**/}properties r, @{sys}/devices/**/input@{int}/{,**/}uevent r, @{sys}/devices/**/input@{int}/event@{int}/ r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 5e22dafbfd..d002572ce9 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -25,7 +25,7 @@ include include include - include + include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 0ae59842e3..3dd7848d81 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -22,7 +22,7 @@ include include include - include + include include include diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime index 90cffe9934..a91334adf1 100644 --- a/apparmor.d/abstractions/mime +++ b/apparmor.d/abstractions/mime @@ -8,17 +8,17 @@ @{system_share_dirs}/ r, @{system_share_dirs}/mime/{,**} r, - # if @{DM} == gdm + # if "gdm" in @{DM} { /usr/share/gdm/greeter/applications/ r, /usr/share/gdm/greeter/applications/mimeapps.list r, - # end + # } /etc/mime.types r, /etc/xdg/{,*-}mimeapps.list r, - # if @{DE} == gnome + # if "gnome" in @{DE} { /var/cache/gio-@{version}/{,*-}-mimeapps.list r, - # end + # } owner @{user_config_dirs}/mimeapps.list r, diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6f6ccaf966..fdd0dacb16 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -17,6 +17,9 @@ /etc/nvidia/nvidia-application-profiles-rc.d/{,*} r, /etc/vdpau_wrapper.cfg r, + owner @{DESKTOP_HOME}/.nv/ w, + owner @{DESKTOP_HOME}/.nv/ComputeCache/ w, + owner @{HOME}/.nv/ w, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, From b96e1051dde70ef02e1e2d9605683892a2ecbf60 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 18:39:47 +0200 Subject: [PATCH 1576/1736] fix: ubuntu 26 still does not support transition to namespace. fix #1063 --- apparmor.d/abstractions/gtk-strict | 3 ++- apparmor.d/abstractions/gtk.d/complete | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index 3da1ad24d9..750bb75932 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -10,12 +10,13 @@ include #aa:only apparmor>=4.1 - #aa:only apparmor<5.0 + #aa:only apparmor<5.0 ubuntu unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), signal send set=kill peer=glycin, priority=-1 @{bin}/bwrap Px -> glycin, + #aa:exclude ubuntu #aa:only apparmor>=5.0 # Need to be allowed for all peer because from the host namespace we do not # see the glycin namespace. This is showned by 'peer=(label=---)' in the logs. diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 5e5b503a9c..d452d21fab 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -8,12 +8,13 @@ include #aa:only apparmor>=4.1 - #aa:only apparmor<5.0 + #aa:only apparmor<5.0 ubuntu unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), signal send set=kill peer=glycin, priority=-1 @{bin}/bwrap Px -> glycin, + #aa:exclude ubuntu #aa:only apparmor>=5.0 # Need to be allowed for all peer because from the host namespace we do not # see the glycin namespace. This is showned by 'peer=(label=---)' in the logs. From 3c21c0133819ee8b202837753b37af73aeecc404 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 18:59:58 +0200 Subject: [PATCH 1577/1736] feat(profile): general update. --- apparmor.d/abstractions/python.d/complete | 1 + apparmor.d/groups/apparmor/aa-log | 1 + apparmor.d/groups/apparmor/aa-status | 2 +- apparmor.d/groups/bluetooth/blueman | 3 +-- apparmor.d/groups/bluetooth/bluetoothd | 6 +++-- .../gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gjs | 2 ++ .../groups/gnome/gnome-desktop-thumbnailers | 4 +++- apparmor.d/groups/gnome/gnome-initial-setup | 2 ++ apparmor.d/groups/gnome/gnome-session | 13 +++++----- apparmor.d/groups/gnome/gnome-session-service | 2 ++ apparmor.d/groups/gnome/gnome-system-monitor | 3 +-- apparmor.d/groups/gnome/gsd-color | 1 + apparmor.d/groups/gnome/localsearch | 1 + .../groups/gvfs/gvfs-mtp-volume-monitor | 2 +- .../groups/gvfs/gvfs-udisks2-volume-monitor | 3 ++- apparmor.d/groups/network/mullvad-daemon | 2 ++ apparmor.d/groups/pacman/pacman | 2 ++ apparmor.d/groups/pacman/pacman-hook-dkms | 9 +++---- .../groups/pacman/pacman-hook-mkinitcpio | 6 ++++- apparmor.d/groups/systemd/systemd-cat | 2 ++ apparmor.d/groups/systemd/systemd-logind | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/update-manager | 6 +++++ apparmor.d/groups/utils/du | 24 +++++++++++++++++++ apparmor.d/profiles-g-l/kdump-config | 1 + apparmor.d/profiles-g-l/landscape-sysinfo | 1 + apparmor.d/profiles-m-r/remmina | 6 ++++- 29 files changed, 88 insertions(+), 24 deletions(-) create mode 100644 apparmor.d/groups/utils/du diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index afd2303f7e..35a5d34523 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -17,6 +17,7 @@ #aa:only apparmor>=4.1 # Normal python run do not need to update pycache files. It is done by pycompile. audit @{lib}/@{python_name}/{,**/}__pycache__/ w, + audit @{lib}/@{python_name}/{,**/}__pycache__/**.pyc w, audit @{lib}/@{python_name}/{,**/}__pycache__/**.pyc.@{u64} w, #aa:only test diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 0991d8bb26..30d90ef911 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -32,6 +32,7 @@ profile aa-log @{exec_path} flags=(attach_disconnected) { include include + capability mknod, capability sys_resource, @{bin}/journalctl mr, diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index 8e82a55f4d..0c2e400257 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status -profile aa-status @{exec_path} { +profile aa-status @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 62baa1377a..6653030f08 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -63,6 +63,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/obexd/* rw, @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, @@ -71,8 +72,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, /dev/tty rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - include if exists } diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2d088bd3b9..c35c193e16 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -29,10 +29,10 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { # Missing rules from the directive above as these one are not standard # Part of abstractions/bus/system/org.bluez - dbus send bus=system path=/ + dbus send bus=system interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name=@{busname}), dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} @@ -46,6 +46,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { /var/lib/bluetooth/{,**} rw, + / r, + @{run}/sdp rw, @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 21ae2c3c7e..f3e44aa224 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -34,7 +34,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 0b05855002..2a567d9f15 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -57,6 +57,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /etc/gdm{3,}/PrimeOff/Default rix, /usr/share/gdm{3,}/gdm.schemas r, + /usr/share/gdm{3,}/greeter/wayland-sessions/*.desktop r, /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 846c962ac8..d579ca5d7d 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -126,6 +126,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{user_desktop_dirs}/ r, owner @{user_templates_dirs}/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 824ecdbf4a..ac81d979f6 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -34,6 +34,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gsf-thumbnailer-@{rand6} rw, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, profile thumbnailer flags=(attach_disconnected) { @@ -65,8 +66,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, - owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 21ced2481b..078159a333 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -50,6 +50,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/systemd-detect-virt Px, @{bin}/ubuntu-advantage Px, #aa:only ubuntu @{bin}/xrandr Px, + @{open_path} Px -> child-open-browsers, @{lib}/gnome-initial-setup-goa-helper rix, @{ldd_path} rix, @@ -72,6 +73,7 @@ profile gnome-initial-setup @{exec_path} { owner @{user_config_dirs}/gnome-initial-setup-done w, owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw, + owner @{user_config_dirs}/gnome-initial-setup/{,**} rw, owner @{user_config_dirs}/ubuntu-insights/{,**} rw, #aa:only ubuntu owner @{user_config_dirs}/ibus/bus/ r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index b0c2c9b4e9..41d4a5fc04 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -33,11 +33,11 @@ profile gnome-session @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{shells_path} rix, + @{bin}/{,e}grep rix, @{bin}/cat rix, @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/{,e}grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, @@ -53,11 +53,12 @@ profile gnome-session @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{bin}/xargs rix, - @{bin}/dpkg-query rpx, - @{bin}/flatpak rCx -> flatpak, - @{bin}/gsettings rPx, - @{lib}/gnome-session-binary rPx, - @{lib}/gnome-session-init-worker rPx, + @{bin}/dpkg-query px, + @{bin}/flatpak Cx -> flatpak, + @{bin}/systemd-cat Px, + @{bin}/gsettings Px, + @{lib}/gnome-session-binary Px, + @{lib}/gnome-session-init-worker Px, /usr/share/im-config/{,**} r, /usr/share/libdebuginfod-common/debuginfod.sh r, diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index bb1d94b764..a4b5bec16e 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -45,6 +45,8 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/autostart/{,*.desktop} r, + owner @{user_state_dirs}/gnome-session@*.state r, + @{run}/systemd/sessions/{,@{l}}@{int}{,.ref} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, @{att}@{run}/systemd/sessions/{,@{l}}@{int}{,.ref} rw, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 327937ed99..a68acb86d5 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -49,8 +49,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, - @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref r, + @{run}/systemd/sessions/* r, @{run}/mount/utab r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 73e9822cf4..8fe470d7e8 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -14,6 +14,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 7914817515..c55d554c78 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/localsearch @{lib}/localsearch-3 profile localsearch @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 20c22302ae..e0703c3e01 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -21,7 +21,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=@{busname}, label="{gnome-shell,gnome-extension}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index e2434522a4..c2a1b83a4b 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -16,7 +16,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include + include include include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index d4873762df..830a0779d9 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -65,7 +65,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner @{run}/mullvad-vpn rw, @{sys}/fs/cgroup/net_cls/ w, + @{sys}/fs/cgroup/net_cls/cgroup.procs rw, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, + @{sys}/fs/cgroup/net_cls/mullvad-exclusions/cgroup.procs rw, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, @{sys}/fs/cgroup/system.slice/cpu.max r, @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 248e61277e..8fc784d446 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -156,6 +156,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + @{run}/user/@{uid}/gnupg/ w, + @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index e958f3e1eb..6afc311e31 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -18,10 +18,11 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{sbin}/dkms rPx, - @{bin}/kmod rPx, - @{bin}/nproc rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/kmod Px, + @{bin}/nproc Px, + @{sbin}/dkms Px, /usr/src/ r, /usr/src/**.conf r, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 7fdcb4736e..4916271fe7 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -52,7 +52,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /dev/tty rw, owner /dev/pts/@{u16} rw, - # # Inherit Silencer + # Inherit Silencer deny network inet6 stream, deny network inet stream, @@ -77,6 +77,10 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{HOME}/@{XDG_GPG_DIR}/*.conf r, + # Inherit Silencer + deny network inet6 stream, + deny network inet stream, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index fd202c1814..5b5d073da2 100644 --- a/apparmor.d/groups/systemd/systemd-cat +++ b/apparmor.d/groups/systemd/systemd-cat @@ -16,6 +16,8 @@ profile systemd-cat @{exec_path} { @{exec_path} mr, + @{bin}/echo ix, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index cb0d55802e..66ccec0ac1 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -63,10 +63,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{run}/nologin rw, @{run}/utmp rk, + @{run}/udev/static_node-tags/uaccess/ r, @{run}/udev/tags/master-of-seat/ r, @{run}/udev/tags/power-switch/ r, @{run}/udev/tags/uaccess/ r, - @{run}/udev/static_node-tags/uaccess/ r, + @{run}/udev/tags/xaccess-render/ r, @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drivers:* r, # For drivers loaded in the system diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 01b8b9359f..46b66df1f7 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -111,6 +111,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/*.link rw, @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/{,*} r, @{run}/u-d-c-card@{int}-is-simpledrm w, @{att}@{run}/udev/control rw, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index b1e9fdd060..5f9d383d3b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -11,6 +11,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -65,9 +66,14 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, + owner @{run}/user/@{uid}/ubuntu-drivers*.package-list w, + @{att}@{run}/systemd/inhibit/@{int}.ref rw, + @{sys}/devices/**/ r, + @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/utils/du b/apparmor.d/groups/utils/du new file mode 100644 index 0000000000..b13032522b --- /dev/null +++ b/apparmor.d/groups/utils/du @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/du +profile du @{exec_path} { + include + include + + @{exec_path} mr, + + #aa:lint ignore=too-wide + # As a directory tree analyzer it needs full access to the filesystem + / r, + /** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 75c5366126..9396b125be 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -61,6 +61,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/kernel/kexec_crash_loaded r, + @{sys}/kernel/kexec/crash_loaded r, @{PROC}/cmdline r, @{PROC}/iomem r, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 17c549595e..42d67bf61e 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/landscape-sysinfo profile landscape-sysinfo @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 089a362055..691b71056f 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -12,11 +12,14 @@ profile remmina @{exec_path} flags=(attach_disconnected) { include include include + include include include include + include include include + include include include include @@ -31,7 +34,6 @@ profile remmina @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.remmina.Remmina #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rm, @@ -41,7 +43,9 @@ profile remmina @{exec_path} flags=(attach_disconnected) { /usr/share/remmina/{,**} r, + /etc/debian_version r, /etc/fstab r, + /etc/lsb-release r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, /etc/timezone r, From df78866163b4783311ef56d4a7afedb005277b53 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 21:17:22 +0200 Subject: [PATCH 1578/1736] feat(abs): minor abs update. --- apparmor.d/abstractions/bus/system/org.freedesktop.UPower | 7 +++++++ .../abstractions/bus/system/org.freedesktop.timedate1 | 5 ----- apparmor.d/abstractions/cgroup-limits | 1 + apparmor.d/abstractions/flatpak/base | 3 ++- apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine | 3 +++ apparmor.d/abstractions/flatpak/platform/org.freedesktop | 4 ++-- 6 files changed, 15 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower index 1aacfed12d..876d8be708 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -30,6 +30,13 @@ member=PropertiesChanged peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), + # DBus.Introspectable: allow clients to introspect the service + + dbus send bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), + # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 index af15e2552b..6d4f336d59 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.timedate1 @@ -25,11 +25,6 @@ member=SetTimezone peer=(name=org.freedesktop.timedate1, label=systemd-timedated), - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=PrepareForSleep - peer=(name=@{busname}, label=systemd-logind), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/cgroup-limits b/apparmor.d/abstractions/cgroup-limits index 714edbdb03..c09a8c0bbb 100644 --- a/apparmor.d/abstractions/cgroup-limits +++ b/apparmor.d/abstractions/cgroup-limits @@ -20,6 +20,7 @@ @{sys}/fs/cgroup/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index 48f28aa313..a9713f7e15 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -19,7 +19,8 @@ capability dac_override, capability dac_read_search, - signal receive set=int peer=flatpak-portal, + signal receive set=(int term) peer=flatpak-portal, + signal receive set=(int term) peer=flatpak//bwrap, unix (send receive) type=seqpacket peer=(label=@{profile_dbus}), unix (send receive) type=seqpacket peer=(label=dbus-session), diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine index 6c97c4e74b..300c9d78e0 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine +++ b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine @@ -12,6 +12,9 @@ owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, + owner /dev/shm/mono.@{int} rw, + owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + # NT synchronization driver (performance improvement for games) # https://www.phoronix.com/news/Linux-6.14-NTSYNC-Driver-Ready /dev/ntsync r, diff --git a/apparmor.d/abstractions/flatpak/platform/org.freedesktop b/apparmor.d/abstractions/flatpak/platform/org.freedesktop index 13880340d0..6b4a415dc9 100644 --- a/apparmor.d/abstractions/flatpak/platform/org.freedesktop +++ b/apparmor.d/abstractions/flatpak/platform/org.freedesktop @@ -10,7 +10,6 @@ include # Base directories of the flatpak platform - /usr/ r, /usr/share/ r, /usr/share/** r, @@ -18,8 +17,9 @@ # We are purposely not using the fonts abstraction as it gives access to # system-wide and user fonts out of the sandbox. - /usr/share/fonts/{,**} rk, /usr/cache/fontconfig/** r, + /usr/local/share/fonts/{,**} rk, + /usr/share/fonts/{,**} rk, /etc/fonts/{,**} r, From 988322d9e11bd074d8e025497d85a57261930e20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 21:25:41 +0200 Subject: [PATCH 1579/1736] feat(profile): minor profile update. --- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/pacman/pacman | 6 +-- apparmor.d/groups/systemd/systemd-udevd | 68 ++++++++++++------------ apparmor.d/profiles-a-f/claude | 18 ++++++- apparmor.d/profiles-m-r/mono-sgen | 2 +- apparmor.d/profiles-s-z/YACReaderLibrary | 1 + apparmor.d/profiles-s-z/transmission | 10 +--- 7 files changed, 59 insertions(+), 48 deletions(-) diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 350336e4bd..529ac8c17a 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -63,7 +63,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs{,.bin} rCx -> gs, @{bin}/gsc rix, @{bin}/hostname rix, - @{bin}/ippfind rix, + @{bin}/ippfind rPx, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 8fc784d446..b530a4ab96 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -249,9 +249,9 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /usr/local/ r, /usr/local/lib/ r, - /opt/cuda/**/@{lib}/ r, - /opt/cuda/**/@{lib}/@{multiarch}/ r, - /opt/cuda/**/@{lib}/**.so* r, + /opt/**/@{lib}/ r, + /opt/**/@{lib}/@{multiarch}/ r, + /opt/**/@{lib}/**.so* r, /etc/ld.so.cache rw, /etc/ld.so.cache~ rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 46b66df1f7..32a3fdde5e 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -38,7 +38,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { unix bind type=dgram addr=@@{udbus}, unix bind type=stream addr=@@{udbus}/bus/udevadm/, - @{exec_path} mrix, @{sh_path} rix, @@ -50,43 +49,44 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{sbin}/partx rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, - @{bin}/systemd-run rCx -> run, + @{bin}/systemd-run Cx -> run, @{bin}/unshare rix, @{sbin}/ethtool rix, @{sbin}/kpartx rix, - @{bin}/ddcutil rPx, - @{bin}/input-remapper-control rPUx, - @{bin}/pktsetup rPUx, - @{bin}/kmod rCx -> kmod, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/vmmouse_detect rPUx, - @{pager_path} rPx -> child-pager, - @{sbin}/alsactl rPx, - @{sbin}/dmsetup rPx, - @{sbin}/issue-generator rPx, - @{sbin}/kdump-config rPx, - @{sbin}/lvm rPx, - @{sbin}/multipath rPx, - @{sbin}/sysctl rPx, - @{sbin}/tlp rPx, - @{sbin}/u-d-c-print-pci-ids rPx, - - @{lib}/crda/* rPUx, - @{lib}/gdm-runtime-config rPx, - @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPx, - @{lib}/pm-utils/power.d/* rPUx, - @{lib}/snapd/snap-device-helper rPx, - @{lib}/switcheroo-control-check-discrete-amdgpu rPUx, - @{lib}/systemd/systemd-* rPx, - @{lib}/udev/* rPUx, - /usr/share/hplip/config_usb_printer.py rPUx, - - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + @{bin}/ddcutil Px, + @{bin}/input-remapper-control PUx, + @{bin}/pktsetup PUx, + @{bin}/kmod Cx -> kmod, + @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, + @{bin}/set-wireless-regdom PUx, + @{bin}/snap Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/vmmouse_detect PUx, + @{pager_path} Px -> child-pager, + @{sbin}/alsactl Px, + @{sbin}/dmsetup Px, + @{sbin}/issue-generator Px, + @{sbin}/kdump-config Px, + @{sbin}/lvm Px, + @{sbin}/multipath Px, + @{sbin}/sysctl Px, + @{sbin}/tlp Px, + @{sbin}/u-d-c-print-pci-ids Px, + + @{lib}/crda/* PUx, + @{lib}/gdm-runtime-config Px, + @{lib}/nfsrahead PUx, + @{lib}/open-iscsi/net-interface-handler Px, + @{lib}/pm-utils/power.d/* PUx, + @{lib}/snapd/snap-device-helper Px, + @{lib}/switcheroo-control-check-discrete-amdgpu PUx, + @{lib}/systemd/systemd-* Px, + @{lib}/udev/* PUx, + /usr/share/hplip/config_usb_printer.py PUx, + + /etc/console-setup/*.sh PUx, + /etc/network/cloud-ifupdown-helper PUx, /etc/default/* r, /etc/machine-id r, diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 2dee941452..a9e47e9913 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -47,7 +47,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/git Px, + @{bin}/git Cx -> git, @{open_path} Px -> child-open-strict, @{shells_path} Cx -> shell, @@ -114,6 +114,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/vm/mmap_min_addr r, @{PROC}/version r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, @@ -225,6 +226,18 @@ profile claude @{exec_path} flags=(attach_disconnected) { include if exists } + profile git flags=(attach_disconnected,complain) { + include + include + + owner @{HOME}/.claude/ r, + owner @{HOME}/.claude/** rwlk, + + owner @{user_projects_dirs}/** rw, + + include if exists + } + profile ssh { include include @@ -232,6 +245,9 @@ profile claude @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, + @{etc_ro}/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, + owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index b4ba3db0a1..fdee93a744 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -36,7 +36,7 @@ profile mono-sgen @{exec_path} { owner @{tmp}/*.* rw, owner @{tmp}/CASESENSITIVETEST* rw, - owner /dev/shm/mono.* rw, + owner /dev/shm/mono.@{int} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 2fb1e67b2b..e8c39ba7fe 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -27,6 +27,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted @{exec_path} mr, + @{bin}/ r, @{bin}/YACReader rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index a2fe2fa3b2..992a72419b 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -10,9 +10,11 @@ include profile transmission @{exec_path} flags=(attach_disconnected) { include include + include include include include + include include include include @@ -25,14 +27,8 @@ profile transmission @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=systemd-hostnamed), - #aa:dbus own bus=session name=com.transmissionbt.Transmission #aa:dbus own bus=session name=com.transmissionbt.transmission_* - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, @@ -53,8 +49,6 @@ profile transmission @{exec_path} flags=(attach_disconnected) { owner @{tmp}/tr_session_id_* rwk, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - @{run}/mount/utab r, @{PROC}/@{pid}/net/route r, From efeffc8ac2f5f199ee5a7541a5f97a176f82c9e8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 21:30:45 +0200 Subject: [PATCH 1580/1736] feat(abs): add app/git abstraction. --- apparmor.d/abstractions/app/git | 80 +++++++++++++++++++++++++++++++++ apparmor.d/profiles-g-l/git | 78 ++++++-------------------------- 2 files changed, 94 insertions(+), 64 deletions(-) create mode 100644 apparmor.d/abstractions/app/git diff --git a/apparmor.d/abstractions/app/git b/apparmor.d/abstractions/app/git new file mode 100644 index 0000000000..b96c1c0e78 --- /dev/null +++ b/apparmor.d/abstractions/app/git @@ -0,0 +1,80 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for git subprofiles. Path to projects should +# be defined in the calling profile. + + abi , + + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{bin}/git mrix, + @{bin}/git-* mrix, + @{lib}/git-core/git mrix, + @{lib}/git-core/git-* mrix, + @{lib}/git-core/mergetools/* mrix, + @{lib}/git/git mrix, + @{lib}/git/git-* mrix, + @{lib}/git/mergetools/* mrix, + + # These are needed for "git submodule update" + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/alts rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/envsubst rix, + @{bin}/gettext rix, + @{bin}/gettext.sh rix, + @{bin}/hostname rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/tar rix, + @{bin}/true rix, + @{bin}/uname rix, + @{bin}/wc rix, + @{bin}/whoami rix, + + /usr/share/git{,-core}/{,**} r, + + /etc/gitconfig r, + + owner @{HOME}/.gitconfig* r, + + owner @{user_config_dirs}/git/{,*} r, + + owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{tmp}/git-commit-msg-.txt rw, # For android studio + owner @{tmp}/git-difftool.*/{,**} rw, # For diffs + owner @{tmp}/git-index-private@{int} rw, + + # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you + # the most similar commands, which it thinks can be used instead. Git binaries are all under + # /usr/bin/ , so allow only this location. + @{bin}/ r, + deny @{bin}/*/ r, + deny /usr/games/ r, + deny /usr/local/{s,}bin/ r, + deny /usr/local/games/ r, + deny /var/lib/flatpak/exports/bin/ r, + deny owner @{HOME}/.go/bin/ r, + deny owner @{HOME}/bin/ r, + deny owner @{user_bin_dirs}/ r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index e140722a99..25e536369b 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -14,15 +14,7 @@ include @{exec_path} += @{lib_dirs}/git @{lib_dirs}/git-* @{lib_dirs}/mergetools/* profile git @{exec_path} flags=(attach_disconnected) { include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, + include signal send peer=aurpublish, signal receive set=term peer=code, @@ -34,59 +26,22 @@ profile git @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you - # the most similar commands, which it thinks can be used instead. Git binaries are all under - # /usr/bin/ , so allow only this location. - @{bin}/ r, - deny @{bin}/*/ r, - deny /usr/games/ r, - deny /usr/local/{s,}bin/ r, - deny /usr/local/games/ r, - deny /var/lib/flatpak/exports/bin/ r, - deny owner @{HOME}/.go/bin/ r, - deny owner @{HOME}/bin/ r, - deny owner @{user_bin_dirs}/ r, - - # These are needed for "git submodule update" - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/alts rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/date rix, - @{bin}/dirname rix, - @{bin}/envsubst rix, - @{bin}/gettext rix, - @{bin}/gettext.sh rix, - @{bin}/hostname rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/tar rix, - @{bin}/true rix, - @{bin}/uname rix, - @{bin}/wc rix, - @{bin}/whoami rix, - - @{pager_path} rPx -> child-pager, - - @{bin}/gh rPUx, - @{bin}/man rPx, - @{bin}/meld rPUx, - @{lib}/code/extensions/git/dist/askpass.sh rPx, - @{lib}/code/extensions/git/dist/git-editor.sh rPx, - /usr/share/aurpublish/*.hook rPx, - - @{bin}/gpg{,2} rCx -> &gpg, - @{bin}/ssh rCx -> &ssh, - @{editor_path} rCx -> editor, - - /usr/share/git{,-core}/{,**} r, + @{pager_path} Px -> child-pager, + + @{bin}/gh Px, + @{bin}/man Px, + @{bin}/meld PUx, + @{lib}/code/extensions/git/dist/askpass.sh Px, + @{lib}/code/extensions/git/dist/git-editor.sh Px, + /usr/share/aurpublish/*.hook Px, + + @{bin}/gpg{,2} Cx -> &gpg, + @{bin}/ssh Cx -> &ssh, + @{editor_path} Cx -> editor, + /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, - /etc/gitconfig r, /etc/mailname r, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, @@ -110,11 +65,6 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} r, owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, - owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner @{tmp}/git-commit-msg-.txt rw, # For android studio - owner @{tmp}/git-difftool.*/{,**} rw, # For diffs - owner @{tmp}/git-index-private@{int} rw, - owner @{run}/user/@{uid}/gcr/ssh rw, # file_inherit From 4c2c6e8dd1c2cc77cf73c36f776a31b3741dbba8 Mon Sep 17 00:00:00 2001 From: JND94 Date: Tue, 17 Mar 2026 15:11:26 +0100 Subject: [PATCH 1581/1736] Draft: initial support for plasma-login-manager --- apparmor.d/groups/kde/plasmalogin | 33 ++++++ apparmor.d/groups/kde/plasmalogin-helper | 104 ++++++++++++++++++ .../groups/kde/startplasma-login-wayland | 50 +++++++++ 3 files changed, 187 insertions(+) create mode 100644 apparmor.d/groups/kde/plasmalogin create mode 100644 apparmor.d/groups/kde/plasmalogin-helper create mode 100644 apparmor.d/groups/kde/startplasma-login-wayland diff --git a/apparmor.d/groups/kde/plasmalogin b/apparmor.d/groups/kde/plasmalogin new file mode 100644 index 0000000000..a0073fafa2 --- /dev/null +++ b/apparmor.d/groups/kde/plasmalogin @@ -0,0 +1,33 @@ +abi , + +include + +@{exec_path} = @{bin}/plasmalogin + +profile plasmalogin @{exec_path} flags=(complain) { + include + + capability chown, + capability net_admin, + capability sys_tty_config, + + /dev/tty@{u8} rw, + /dev/tty rw, + + signal send set=term peer=plasmalogin-helper, + + @{lib}/plasmalogin-helper rpx, + + /usr/share/plasmalogin/{,**} r, + /usr/share/wayland-sessions/plasma.desktop r, + + @{tmp}/plasmalogin--@{rand6} rw, + @{tmp}/.@{rand6}/{,**} rw, + @{tmp}/plasmalogin-auth-@{uuid} rw, + + /etc/plasmalogin.conf r, + /etc/passwd r, + /etc/nsswitch.conf r, + + include if exists +} diff --git a/apparmor.d/groups/kde/plasmalogin-helper b/apparmor.d/groups/kde/plasmalogin-helper new file mode 100644 index 0000000000..350a3830c7 --- /dev/null +++ b/apparmor.d/groups/kde/plasmalogin-helper @@ -0,0 +1,104 @@ +abi , + +include + +@{exec_path} = @{lib}/plasmalogin-helper + +profile plasmalogin-helper @{exec_path} flags=(complain) { + include + + capability audit_write, + capability chown, + capability dac_read_search, + capability fowner, + capability kill, + capability net_admin, + capability setgid, + capability setuid, + capability sys_tty_config, + + signal receive set=term peer=plasmalogin, + signal send set=term peer=startplasma-login-wayland, + signal send set=term peer=startplasma, + + ptrace read peer=unconfined, + ptrace read peer=dbus-session, + ptrace read peer=pipewire, + ptrace read peer=wireplumber, + ptrace read peer=obexd, + + @{shells_path} rix, + @{bin}/pidof rix, + @{bin}/tty rix, + @{bin}/xargs rix, + @{bin}/cat rix, + @{bin}/find rix, + @{bin}/tr rix, + + @{bin}/startplasma-wayland rpx, + @{bin}/startplasma-login-wayland rpx, + @{bin}/unix_chkpwd rpx, + + @{bin}/ksecretd rpux, + @{bin}/kwalletd{5,6} rpx, + + /usr/share/plasmalogin/scripts/wayland-session rix, + @{lib}/plasma-dbus-run-session-if-needed rix, + + /dev/tty@{u8} rw, + /dev/tty rw, + + owner @{user_share_dirs}/plasmalogin/wayland-session.log rw, + owner @{user_share_dirs}/kwalletd/kdewallet.kwl rw, + owner @{user_share_dirs}/kwalletd/kdewallet.kwl.@{rand6} rwl, + owner @{user_share_dirs}/kwalletd/kdewallet.salt r, + + @{bin}/site_perl/ r, + @{bin}/vendor_perl/ r, + @{bin}/core_perl/ r, + + /etc/plasmalogin.conf r, + /etc/debuginfod/ r, + /etc/debuginfod/*.urls r, + /etc/environment r, + /etc/login.defs r, + /etc/profile r, + /etc/profile.d/ r, + /etc/profile.d/*.sh r, + /etc/security/*.conf r, + /etc/shells r, + /etc/pam.d/system-auth r, + /etc/pam.d/system-login r, + /etc/pam.d/other r, + /etc/nsswitch.conf r, + /etc/passwd r, + /etc/machine-id r, + /etc/group r, + + owner /var/lib/plasmalogin/ r, + /var/lib/lastlog/ rw, + /var/lib/lastlog/lastlog@{int}.db-journal rw, + /var/lib/lastlog/lastlog@{int}.db rwk, + + /home/ r, + owner @{HOME}/ r, + owner @{HOME}/.bash_profile r, + owner @{HOME}/.bashrc r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/uid_map r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/fd/ r, + + @{run}/faillock/@{user} rwk, + @{run}/systemd/userdb/ r, + owner @{run}/user/@{uid}/kwallet5.socket rw, + + @{sys}/devices/system/node/ r, + + include if exists +} diff --git a/apparmor.d/groups/kde/startplasma-login-wayland b/apparmor.d/groups/kde/startplasma-login-wayland new file mode 100644 index 0000000000..547a234706 --- /dev/null +++ b/apparmor.d/groups/kde/startplasma-login-wayland @@ -0,0 +1,50 @@ +abi , + +include + +@{exec_path} = @{bin}/startplasma-login-wayland + +profile startplasma-login-wayland @{exec_path} flags=(complain) { + include + include + + @{exec_path} r, + + /dev/tty@{u8} rw, + /dev/tty rw, + + signal receive set=term peer=plasmalogin-helper, + + /usr/share/color-schemes/ r, + /usr/share/color-schemes/*.colors r, + /usr/share/plasma/look-and-feel/** r, + /etc/xdg/menus/ r, + + owner /var/lib/plasmalogin/.cache/ rw, + owner /var/lib/plasmalogin/.cache/#@{int6} rw, + owner /var/lib/plasmalogin/.cache/ksycoca6* rwl, + owner /var/lib/plasmalogin/.cache/ksycoca6*.lock rwk, + + owner /var/lib/plasmalogin/.config/plasma-localerc r, + owner /var/lib/plasmalogin/.config/kdeglobals r, + owner /var/lib/plasmalogin/.config/plasmarc r, + owner /var/lib/plasmalogin/.config/kcminputrc r, + owner /var/lib/plasmalogin/.config/kwinrc r, + owner /var/lib/plasmalogin/.config/kdedefaults/#@{int6} rw, + owner /var/lib/plasmalogin/.config/kdedefaults/package rw, + owner /var/lib/plasmalogin/.config/kdedefaults/kwinrc r, + owner /var/lib/plasmalogin/.config/kdedefaults/plasmarc r, + owner /var/lib/plasmalogin/.config/kdedefaults/kcminputrc r, + owner /var/lib/plasmalogin/.config/kdedefaults/ksplashrc rw, + owner /var/lib/plasmalogin/.config/kdedefaults/ksplashrc.lock rwk, + owner /var/lib/plasmalogin/.config/kdedefaults/ksplashrc.@{rand6} rwl, + owner /var/lib/plasmalogin/.config/kdedefaults/kdeglobals rw, + owner /var/lib/plasmalogin/.config/kdedefaults/kdeglobals.@{rand6} rwl, + owner /var/lib/plasmalogin/.config/kdedefaults/kdeglobals.lock rwk, + + @{PROC}/sys/kernel/random/boot_id r, + + /etc/machine-id r, + + include if exists +} From 4a33488690438e9e30345cb84afd10656cf0c44b Mon Sep 17 00:00:00 2001 From: JND94 Date: Tue, 17 Mar 2026 15:22:16 +0100 Subject: [PATCH 1582/1736] missing rule in startplasma --- apparmor.d/groups/kde/startplasma | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 175eeb9bbd..9af588829c 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -17,6 +17,7 @@ profile startplasma @{exec_path} { signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, + signal receive set=term peer=plasmalogin-helper, #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml From ae05108b614c234bd045ae8c35aed460d6a71432 Mon Sep 17 00:00:00 2001 From: JND94 Date: Tue, 17 Mar 2026 16:49:54 +0100 Subject: [PATCH 1583/1736] add auth abs --- apparmor.d/groups/kde/plasmalogin | 6 ++++++ apparmor.d/groups/kde/plasmalogin-helper | 16 ++++++++-------- apparmor.d/groups/kde/startplasma-login-wayland | 6 ++++++ 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/kde/plasmalogin b/apparmor.d/groups/kde/plasmalogin index a0073fafa2..e244c13c12 100644 --- a/apparmor.d/groups/kde/plasmalogin +++ b/apparmor.d/groups/kde/plasmalogin @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + abi , include @@ -31,3 +35,5 @@ profile plasmalogin @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/plasmalogin-helper b/apparmor.d/groups/kde/plasmalogin-helper index 350a3830c7..bd9f37b7b3 100644 --- a/apparmor.d/groups/kde/plasmalogin-helper +++ b/apparmor.d/groups/kde/plasmalogin-helper @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + abi , include @@ -6,6 +10,7 @@ include profile plasmalogin-helper @{exec_path} flags=(complain) { include + include capability audit_write, capability chown, @@ -37,7 +42,6 @@ profile plasmalogin-helper @{exec_path} flags=(complain) { @{bin}/startplasma-wayland rpx, @{bin}/startplasma-login-wayland rpx, - @{bin}/unix_chkpwd rpx, @{bin}/ksecretd rpux, @{bin}/kwalletd{5,6} rpx, @@ -60,25 +64,19 @@ profile plasmalogin-helper @{exec_path} flags=(complain) { /etc/plasmalogin.conf r, /etc/debuginfod/ r, /etc/debuginfod/*.urls r, - /etc/environment r, - /etc/login.defs r, /etc/profile r, /etc/profile.d/ r, /etc/profile.d/*.sh r, - /etc/security/*.conf r, /etc/shells r, - /etc/pam.d/system-auth r, - /etc/pam.d/system-login r, - /etc/pam.d/other r, /etc/nsswitch.conf r, /etc/passwd r, /etc/machine-id r, /etc/group r, - owner /var/lib/plasmalogin/ r, /var/lib/lastlog/ rw, /var/lib/lastlog/lastlog@{int}.db-journal rw, /var/lib/lastlog/lastlog@{int}.db rwk, + owner /var/lib/plasmalogin/ r, /home/ r, owner @{HOME}/ r, @@ -102,3 +100,5 @@ profile plasmalogin-helper @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/startplasma-login-wayland b/apparmor.d/groups/kde/startplasma-login-wayland index 547a234706..935006b74b 100644 --- a/apparmor.d/groups/kde/startplasma-login-wayland +++ b/apparmor.d/groups/kde/startplasma-login-wayland @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + abi , include @@ -48,3 +52,5 @@ profile startplasma-login-wayland @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor From 6313704622eb3127107c267c4c7652b893b1c5fc Mon Sep 17 00:00:00 2001 From: JND94 Date: Tue, 17 Mar 2026 18:11:12 +0100 Subject: [PATCH 1584/1736] fix startplasma-login-wayland --- .../groups/kde/startplasma-login-wayland | 27 +++++-------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/kde/startplasma-login-wayland b/apparmor.d/groups/kde/startplasma-login-wayland index 935006b74b..fa4b75d2da 100644 --- a/apparmor.d/groups/kde/startplasma-login-wayland +++ b/apparmor.d/groups/kde/startplasma-login-wayland @@ -13,6 +13,7 @@ profile startplasma-login-wayland @{exec_path} flags=(complain) { include @{exec_path} r, + @{bin}/xrdb rpx, /dev/tty@{u8} rw, /dev/tty rw, @@ -25,26 +26,12 @@ profile startplasma-login-wayland @{exec_path} flags=(complain) { /etc/xdg/menus/ r, owner /var/lib/plasmalogin/.cache/ rw, - owner /var/lib/plasmalogin/.cache/#@{int6} rw, - owner /var/lib/plasmalogin/.cache/ksycoca6* rwl, - owner /var/lib/plasmalogin/.cache/ksycoca6*.lock rwk, - - owner /var/lib/plasmalogin/.config/plasma-localerc r, - owner /var/lib/plasmalogin/.config/kdeglobals r, - owner /var/lib/plasmalogin/.config/plasmarc r, - owner /var/lib/plasmalogin/.config/kcminputrc r, - owner /var/lib/plasmalogin/.config/kwinrc r, - owner /var/lib/plasmalogin/.config/kdedefaults/#@{int6} rw, - owner /var/lib/plasmalogin/.config/kdedefaults/package rw, - owner /var/lib/plasmalogin/.config/kdedefaults/kwinrc r, - owner /var/lib/plasmalogin/.config/kdedefaults/plasmarc r, - owner /var/lib/plasmalogin/.config/kdedefaults/kcminputrc r, - owner /var/lib/plasmalogin/.config/kdedefaults/ksplashrc rw, - owner /var/lib/plasmalogin/.config/kdedefaults/ksplashrc.lock rwk, - owner /var/lib/plasmalogin/.config/kdedefaults/ksplashrc.@{rand6} rwl, - owner /var/lib/plasmalogin/.config/kdedefaults/kdeglobals rw, - owner /var/lib/plasmalogin/.config/kdedefaults/kdeglobals.@{rand6} rwl, - owner /var/lib/plasmalogin/.config/kdedefaults/kdeglobals.lock rwk, + owner /var/lib/plasmalogin/.cache/** rwlk, + owner /var/lib/plasmalogin/.config/ rw, + owner /var/lib/plasmalogin/.config/** rwlk, + + owner /tmp/startplasma-login-wayland.@{rand6} rwl, + owner @{tmp}/#@{int} rw, @{PROC}/sys/kernel/random/boot_id r, From 5b283dea4f883b38397344012cd4ce28cc95a3d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 17:31:20 +0100 Subject: [PATCH 1585/1736] feat(tunable): add plasmalogin to DESKTOP_HOME --- apparmor.d/tunables/multiarch.d/system-users | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 0f3b760e3e..4fd647ef9a 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -31,7 +31,7 @@ # } else if "kde" in @{DE} { # Full path of the SDDM configuration directories - @{SDDM_HOME}=/var/lib/sddm/ + @{SDDM_HOME}=/var/lib/sddm/ /var/lib/plasmalogin @{sddm_cache_dirs}=@{SDDM_HOME}/.cache/ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ From 6aa261eb2e510e9453c3a5a96aefb1e5505929ed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 19:16:57 +0100 Subject: [PATCH 1586/1736] feat(profile): plasmalogin: add plasmalogin-shell Also: - Use more abstraction - Add dbus rules --- apparmor.d/groups/kde/plasmalogin | 28 ++--- apparmor.d/groups/kde/plasmalogin-helper | 112 ++++++++---------- apparmor.d/groups/kde/plasmalogin-shell | 52 ++++++++ .../groups/kde/startplasma-login-wayland | 39 +++--- 4 files changed, 136 insertions(+), 95 deletions(-) create mode 100644 apparmor.d/groups/kde/plasmalogin-shell diff --git a/apparmor.d/groups/kde/plasmalogin b/apparmor.d/groups/kde/plasmalogin index e244c13c12..8b261caf7a 100644 --- a/apparmor.d/groups/kde/plasmalogin +++ b/apparmor.d/groups/kde/plasmalogin @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2026 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -7,31 +7,31 @@ abi , include @{exec_path} = @{bin}/plasmalogin - -profile plasmalogin @{exec_path} flags=(complain) { +profile plasmalogin @{exec_path} flags=(attach_disconnected) { include + include + include + include capability chown, capability net_admin, capability sys_tty_config, - /dev/tty@{u8} rw, - /dev/tty rw, - signal send set=term peer=plasmalogin-helper, - @{lib}/plasmalogin-helper rpx, + @{exec_path} mr, + + @{lib}/plasmalogin-helper Px, - /usr/share/plasmalogin/{,**} r, /usr/share/wayland-sessions/plasma.desktop r, - @{tmp}/plasmalogin--@{rand6} rw, - @{tmp}/.@{rand6}/{,**} rw, - @{tmp}/plasmalogin-auth-@{uuid} rw, + /tmp/.@{rand6}/ rw, + /tmp/.@{rand6}/** rw, + /tmp/plasmalogin--@{rand6} rw, + /tmp/plasmalogin-auth-@{uuid} rw, - /etc/plasmalogin.conf r, - /etc/passwd r, - /etc/nsswitch.conf r, + /dev/tty rw, + /dev/tty@{u8} rw, include if exists } diff --git a/apparmor.d/groups/kde/plasmalogin-helper b/apparmor.d/groups/kde/plasmalogin-helper index bd9f37b7b3..13a7d03bba 100644 --- a/apparmor.d/groups/kde/plasmalogin-helper +++ b/apparmor.d/groups/kde/plasmalogin-helper @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2026 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -7,10 +7,12 @@ abi , include @{exec_path} = @{lib}/plasmalogin-helper - -profile plasmalogin-helper @{exec_path} flags=(complain) { +profile plasmalogin-helper @{exec_path} flags=(attach_disconnected) { include include + include + include + include capability audit_write, capability chown, @@ -22,81 +24,69 @@ profile plasmalogin-helper @{exec_path} flags=(complain) { capability setuid, capability sys_tty_config, + network netlink raw, + + unix bind type=stream addr=@@{udbus}/bus/plasmalogin-hel/system, + signal receive set=term peer=plasmalogin, signal send set=term peer=startplasma-login-wayland, signal send set=term peer=startplasma, - ptrace read peer=unconfined, - ptrace read peer=dbus-session, - ptrace read peer=pipewire, - ptrace read peer=wireplumber, - ptrace read peer=obexd, + @{exec_path} mr, - @{shells_path} rix, - @{bin}/pidof rix, - @{bin}/tty rix, - @{bin}/xargs rix, - @{bin}/cat rix, - @{bin}/find rix, - @{bin}/tr rix, + @{bin}/startplasma-login-wayland Px, + @{shells_path} Px -> plasmalogin-shell, + @{bin}/ksecretd PUx, - @{bin}/startplasma-wayland rpx, - @{bin}/startplasma-login-wayland rpx, + @{bin}/cat rix, + @{bin}/find rix, + @{bin}/tr rix, + @{bin}/tty rix, + @{bin}/xargs rix, - @{bin}/ksecretd rpux, - @{bin}/kwalletd{5,6} rpx, + @{bin}/pidof Px, + @{bin}/flatpak Cx -> flatpak, /usr/share/plasmalogin/scripts/wayland-session rix, - @{lib}/plasma-dbus-run-session-if-needed rix, + /usr/share/plasmalogin/scripts/Xsession rix, + /usr/share/plasmalogin/scripts/Xsetup rix, + /usr/share/plasmalogin/scripts/Xstop rix, - /dev/tty@{u8} rw, - /dev/tty rw, + @{etc_ro}/profile.d/{,*} r, + /etc/debuginfod/{,*} r, + /etc/machine-id r, + /etc/profile r, + /etc/shells r, - owner @{user_share_dirs}/plasmalogin/wayland-session.log rw, - owner @{user_share_dirs}/kwalletd/kdewallet.kwl rw, - owner @{user_share_dirs}/kwalletd/kdewallet.kwl.@{rand6} rwl, - owner @{user_share_dirs}/kwalletd/kdewallet.salt r, + /var/lib/lastlog/ r, + /var/lib/lastlog/* rwk, - @{bin}/site_perl/ r, - @{bin}/vendor_perl/ r, - @{bin}/core_perl/ r, + owner @{SDDM_HOME}/ rw, - /etc/plasmalogin.conf r, - /etc/debuginfod/ r, - /etc/debuginfod/*.urls r, - /etc/profile r, - /etc/profile.d/ r, - /etc/profile.d/*.sh r, - /etc/shells r, - /etc/nsswitch.conf r, - /etc/passwd r, - /etc/machine-id r, - /etc/group r, - - /var/lib/lastlog/ rw, - /var/lib/lastlog/lastlog@{int}.db-journal rw, - /var/lib/lastlog/lastlog@{int}.db rwk, - owner /var/lib/plasmalogin/ r, - - /home/ r, - owner @{HOME}/ r, - owner @{HOME}/.bash_profile r, - owner @{HOME}/.bashrc r, - - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/loginuid rw, + owner @{user_share_dirs}/kwalletd/ rw, + owner @{user_share_dirs}/kwalletd/kdewallet.salt rw, + owner @{user_share_dirs}/plasmalogin/wayland-session.log w, + + /tmp/plasmalogin-auth-@{uuid} rw, + + @{run}/faillock/@{user} rwk, + @{run}/systemd/io.systemd.Login rw, + owner @{run}/user/@{uid}/kwallet5.socket w, + + @{PROC}/@{pid}/loginuid w, @{PROC}/@{pid}/uid_map r, - @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/fd/ r, - @{run}/faillock/@{user} rwk, - @{run}/systemd/userdb/ r, - owner @{run}/user/@{uid}/kwallet5.socket rw, + /dev/tty@{u8} rw, + /dev/tty rw, + + profile flatpak { + include + + @{bin}/flatpak mr, - @{sys}/devices/system/node/ r, + include if exists + } include if exists } diff --git a/apparmor.d/groups/kde/plasmalogin-shell b/apparmor.d/groups/kde/plasmalogin-shell new file mode 100644 index 0000000000..6e964b513d --- /dev/null +++ b/apparmor.d/groups/kde/plasmalogin-shell @@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/plasmalogin-shell +profile plasmalogin-shell @{exec_path} { + include + include + include + + @{shells_path} mr, + + @{bin}/cat rix, + @{bin}/find rix, + @{bin}/tr rix, + @{bin}/tty rix, + @{bin}/xargs rix, + + @{bin}/pidof Px, + @{bin}/flatpak Cx -> flatpak, + + @{bin}/startplasma-wayland Px, + @{bin}/startplasma-x11 Px, + + @{lib}/plasma-dbus-run-session-if-needed rix, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, + + /usr/share/plasmalogin/scripts/{,**} r, + + /etc/debuginfod/{,*} r, + + owner @{user_share_dirs}/plasmalogin/wayland-session.log w, + + owner @{PROC}/@{pid}/fd/ r, + + profile flatpak { + include + include + + @{bin}/flatpak mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/startplasma-login-wayland b/apparmor.d/groups/kde/startplasma-login-wayland index fa4b75d2da..a037f9e081 100644 --- a/apparmor.d/groups/kde/startplasma-login-wayland +++ b/apparmor.d/groups/kde/startplasma-login-wayland @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2026 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -7,35 +7,34 @@ abi , include @{exec_path} = @{bin}/startplasma-login-wayland - -profile startplasma-login-wayland @{exec_path} flags=(complain) { +profile startplasma-login-wayland @{exec_path} { include + include + include + include include - - @{exec_path} r, - @{bin}/xrdb rpx, - - /dev/tty@{u8} rw, - /dev/tty rw, + include signal receive set=term peer=plasmalogin-helper, - /usr/share/color-schemes/ r, - /usr/share/color-schemes/*.colors r, - /usr/share/plasma/look-and-feel/** r, - /etc/xdg/menus/ r, + @{exec_path} mr, + + /usr/share/color-schemes/{,**} r, + /usr/share/plasma/look-and-feel/{,**} r, - owner /var/lib/plasmalogin/.cache/ rw, - owner /var/lib/plasmalogin/.cache/** rwlk, - owner /var/lib/plasmalogin/.config/ rw, - owner /var/lib/plasmalogin/.config/** rwlk, + /etc/xdg/menus/{,**} r, - owner /tmp/startplasma-login-wayland.@{rand6} rwl, - owner @{tmp}/#@{int} rw, + owner @{sddm_cache_dirs}/#@{int} rw, + owner @{sddm_cache_dirs}/ksycoca{5,6}_* rwkl -> @{sddm_cache_dirs}/#@{int}, + owner @{sddm_config_dirs}/kdedefaults/kdeglobals r, + owner @{sddm_config_dirs}/kdedefaults/package r, + owner @{sddm_config_dirs}/kdeglobals r, + owner @{sddm_config_dirs}/plasma-localerc r, @{PROC}/sys/kernel/random/boot_id r, - /etc/machine-id r, + /dev/tty rw, + /dev/tty@{u8} rw, include if exists } From c0d1cc65e027dc8a8311ed030b8cf7eb7c6f97fb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 19:19:24 +0100 Subject: [PATCH 1587/1736] feat(profile): add more plasma-login profiles. --- apparmor.d/groups/kde/plasma-keyboard | 31 +++++++++++++ apparmor.d/groups/kde/plasma-login-greeter | 49 ++++++++++++++++++++ apparmor.d/groups/kde/plasma-login-wallpaper | 30 ++++++++++++ dists/flags/main.flags | 3 ++ 4 files changed, 113 insertions(+) create mode 100644 apparmor.d/groups/kde/plasma-keyboard create mode 100644 apparmor.d/groups/kde/plasma-login-greeter create mode 100644 apparmor.d/groups/kde/plasma-login-wallpaper diff --git a/apparmor.d/groups/kde/plasma-keyboard b/apparmor.d/groups/kde/plasma-keyboard new file mode 100644 index 0000000000..cdadff45ff --- /dev/null +++ b/apparmor.d/groups/kde/plasma-keyboard @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/plasma-keyboard +profile plasma-keyboard @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + include + include + + signal receive set=term peer=kwin_wayland, + + @{exec_path} mr, + + /usr/share/plasma/keyboard/{,**} r, + + owner @{sddm_cache_dirs}/plasma-keyboard/ rw, + owner @{sddm_cache_dirs}/plasma-keyboard/** rwkl, + owner @{sddm_config_dirs}/kdedefaults/* r, + owner @{sddm_config_dirs}/kdeglobals r, + + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/plasma-login-greeter b/apparmor.d/groups/kde/plasma-login-greeter new file mode 100644 index 0000000000..00d6718882 --- /dev/null +++ b/apparmor.d/groups/kde/plasma-login-greeter @@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/plasma-login-greeter +profile plasma-login-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + + network netlink raw, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + @{exec_path} mr, + + /usr/share/plasma/{,**} r, + /usr/share/wayland-sessions/{,*.desktop} r, + + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, + /etc/fstab r, + + / r, + + owner @{SDDM_HOME}/** rw, + owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**, + + owner @{tmp}/plasmalogin--@{rand6} rw, + + @{sys}/devices/**/uevent r, + + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/plasma-login-wallpaper b/apparmor.d/groups/kde/plasma-login-wallpaper new file mode 100644 index 0000000000..7ba1ca781d --- /dev/null +++ b/apparmor.d/groups/kde/plasma-login-wallpaper @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/plasma-login-wallpaper +profile plasma-login-wallpaper @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/plasma/{,**} r, + /usr/share/wallpapers/{,**} r, + + @{etc_ro}/login.defs r, + + owner @{sddm_cache_dirs}/plasma-login-wallpaper/ rw, + owner @{sddm_cache_dirs}/plasma-login-wallpaper/** rwkl, + owner @{sddm_config_dirs}/kdedefaults/* r, + owner @{sddm_config_dirs}/kdeglobals r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d97825b02d..c079004b2b 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -245,6 +245,9 @@ plank complain plasma_waitforname complain plasma-browser-integration-host complain plasma-discover complain +plasma-keyboard complain +plasma-login-greeter complain +plasma-login-wallpaper plasmashell complain plymouth complain plymouth-set-default-theme complain From 2261f029c3935161c8e5cbe155db38306598b91f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 19:20:36 +0100 Subject: [PATCH 1588/1736] feat(profile): integrate kde profiles with plasmalogin. --- apparmor.d/groups/kde/kwin_wayland | 4 ++++ apparmor.d/groups/kde/startplasma | 1 + 2 files changed, 5 insertions(+) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 529b9706e2..76d954bc82 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -72,12 +72,16 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{sddm_cache_dirs}/#@{int} rwk, owner @{sddm_cache_dirs}/ksycoca{5,6}_* rwkl -> @{sddm_cache_dirs}/#@{int}, + owner @{sddm_cache_dirs}/kwin/ rw, + owner @{sddm_cache_dirs}/kwin/** rwlk, owner @{sddm_config_dirs}/#@{int} rw, owner @{sddm_config_dirs}/kcminputrc r, + owner @{sddm_config_dirs}/kdedefaults/* r, owner @{sddm_config_dirs}/kdeglobals r, owner @{sddm_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{sddm_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl, + owner @{sddm_config_dirs}/kwinoutputconfig.json rw, owner @{sddm_config_dirs}/kwinrc.lock rwk, owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 9af588829c..04e957a8cc 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -71,6 +71,7 @@ profile startplasma @{exec_path} { owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/kservices{5,6}/{,**} r, + owner @{user_share_dirs}/plasmalogin/wayland-session.log rw, owner @{user_share_dirs}/sddm/wayland-session.log rw, owner @{user_share_dirs}/sddm/xorg-session.log rw, From a94330550fe0ead25cda6653c90b6d962e051d06 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 22 Mar 2026 19:31:47 +0100 Subject: [PATCH 1589/1736] feat(profile): add ksecretd. --- apparmor.d/groups/kde/ksecretd | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 apparmor.d/groups/kde/ksecretd diff --git a/apparmor.d/groups/kde/ksecretd b/apparmor.d/groups/kde/ksecretd new file mode 100644 index 0000000000..588d5a861b --- /dev/null +++ b/apparmor.d/groups/kde/ksecretd @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ksecretd +profile ksecretd @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + include + include + + @{exec_path} mr, + + owner @{user_config_dirs}/kwalletrc r, + + owner @{user_share_dirs}/kwalletd/ rw, + owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, + + owner @{run}/user/@{uid}/kwallet5.socket rw, + + @{PROC}/sys/kernel/random/boot_id r, + + /dev/tty r, + + include if exists +} + +# vim:syntax=apparmor From f652d9bc30c1330e331773eb81149f75b8e04128 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:11:23 +0200 Subject: [PATCH 1590/1736] feat(aa): rewrite file rule sorting with regex-based group matching. --- pkg/aa/file.go | 100 ++++++++++++++++++-- pkg/aa/template.go | 225 ++++++++++++++++++++++++++++++++++----------- 2 files changed, 263 insertions(+), 62 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index a51f4b05dd..a0dd209f98 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -151,11 +151,27 @@ func (r *File) Validate() error { func (r *File) Compare(other Rule) int { o, _ := other.(*File) + if o.Qualifier.AccessType == "deny" { + return -1 // Deny file rules always come last + } + + // Compare by file group - use pattern matching + groupR := getGroup(fileWeights, r.Path) + groupO := getGroup(fileWeights, o.Path) + if groupR != "" && groupO != "" { + weightR := fileWeights[groupR] + weightO := fileWeights[groupO] + if weightR != weightO { + return weightR - weightO + } + } else if groupR != "" { + return -1 + } else if groupO != "" { + return 1 + } - letterR := getLetterIn(fileAlphabet, r.Path) - letterO := getLetterIn(fileAlphabet, o.Path) - if fileWeights[letterR] != fileWeights[letterO] && letterR != "" && letterO != "" { - return fileWeights[letterR] - fileWeights[letterO] + if res := r.Qualifier.Compare(o.Qualifier); res != 0 { + return res } if res := compare(r.Owner, o.Owner); res != 0 { return res @@ -184,6 +200,11 @@ func (r *File) Merge(other Rule) bool { } func (r *File) Lengths() []int { + // Deny rules don't participate in padding alignment + if r.Qualifier.AccessType == "deny" { + return []int{0, 0, 0, 0} + } + // Add padding to align with other transition rule lenPath := 0 isTransition := util.Intersect( @@ -211,12 +232,23 @@ func (r *File) addLine(other Rule) bool { if other.Kind() != r.Kind() { return false } + o := other.(*File) + + // Deny rules are all grouped together without blank lines + if r.Qualifier.AccessType == "deny" && o.Qualifier.AccessType == "deny" { + return false + } + + patternI := getGroup(fileWeights, r.Path) + patternJ := getGroup(fileWeights, o.Path) + if patternI == "" || patternJ == "" { + return patternI != patternJ + } + groupI, ok1 := fileAlphabetGroups[patternI] + groupJ, ok2 := fileAlphabetGroups[patternJ] - letterI := getLetterIn(fileAlphabet, r.Path) - letterJ := getLetterIn(fileAlphabet, other.(*File).Path) - groupI, ok1 := fileAlphabetGroups[letterI] - groupJ, ok2 := fileAlphabetGroups[letterJ] - return letterI != letterJ && (!ok1 || !ok2 || groupI != groupJ) + // Add newline if patterns differ and they're in different groups (or unrecognized) + return patternI != patternJ && (!ok1 || !ok2 || groupI != groupJ) } type Link struct { @@ -293,6 +325,24 @@ func (r *Link) Validate() error { func (r *Link) Compare(other Rule) int { o, _ := other.(*Link) + if o.Qualifier.AccessType == "deny" { + return -1 // Deny file rules always come last + } + + // Compare by file group - use pattern matching + groupR := getGroup(fileWeights, r.Path) + groupO := getGroup(fileWeights, o.Path) + if groupR != "" && groupO != "" { + weightR := fileWeights[groupR] + weightO := fileWeights[groupO] + if weightR != weightO { + return weightR - weightO + } + } else if groupR != "" { + return -1 + } else if groupO != "" { + return 1 + } if res := compare(r.Owner, o.Owner); res != 0 { return res @@ -330,3 +380,35 @@ func (r *Link) setPaddings(max []int) { []any{r.Owner, r.Subset, r.Path, r.Target})..., ) } + +// compareFileLink compares File and Link rules by their file group weight. +func compareFileLink(a, b Rule) int { + pathA := "" + switch r := a.(type) { + case *File: + pathA = r.Path + case *Link: + pathA = r.Path + } + + pathB := "" + switch r := b.(type) { + case *File: + pathB = r.Path + case *Link: + pathB = r.Path + } + + groupA := getGroup(fileWeights, pathA) + groupB := getGroup(fileWeights, pathB) + if groupA != "" && groupB != "" { + if res := fileWeights[groupA] - fileWeights[groupB]; res != 0 { + return res + } + } else if groupA != "" { + return -1 + } else if groupB != "" { + return 1 + } + return compare(pathA, pathB) +} diff --git a/pkg/aa/template.go b/pkg/aa/template.go index ddd74fc24e..d5dfff33cf 100644 --- a/pkg/aa/template.go +++ b/pkg/aa/template.go @@ -7,8 +7,11 @@ package aa import ( "embed" "fmt" + "regexp" "strings" "text/template" + + "github.com/roddhjav/apparmor.d/pkg/util" ) var ( @@ -83,52 +86,99 @@ var ( } ruleWeights = generateWeights(ruleAlphabet) - // The order the apparmor file rules should be sorted - fileAlphabet = []string{ - "@{exec_path}", // 1. entry point - "@{sh_path}", // 2.1 shells - "@{coreutils_path}", // 2.2 coreutils - "@{open_path}", // 2.3 binaries paths - "@{bin}", // 2.3 binaries - "@{lib}", // 2.4 libraries - "/opt", // 2.5 opt binaries & libraries - "/usr/share", // 3. shared data - "/etc", // 4. system configuration - "/var", // 5.1 system read/write data - "/boot", // 5.2 boot files - "/home", // 6.1 user data - "@{HOME}", // 6.2 home files - "@{user_cache_dirs}", // 7.1 user caches - "@{user_config_dirs}", // 7.2 user config - "@{user_share_dirs}", // 7.3 user shared - "/tmp", // 8.1 Temporary data - "@{tmp}", // 8.1. User temporary data - "/dev/shm", // 8.2 Shared memory - "@{run}", // 8.3 Runtime data - "@{sys}", // 9. Sys files - "@{PROC}", // 10. Proc files - "/dev", // 11. Dev files - "deny", // 12. Deny rules - "profile", // 13. Subprofiles + // The order the apparmor file rules should be sorted. Some rules are sorted + // in the same group and their order is determined by fileWeights. + fileGroups = map[string][]string{ + // 1. entry point + "attachment": { + `@{exec_path}`, + }, + // 2 Binaries + "bin": { + `@{sh_path}`, // Shells + `@{coreutils_path}`, // Coreutils + `@{open_path}`, // Binaries paths + `@{bin}`, // Binaries + }, + // 3 Libraries + "lib": { + `@{lib}`, // Libraries + `@{lib_dirs}`, // Profile libraries + `/opt`, // opt binaries & libraries + }, + // 4. System shared data + "share": { + `@{system_share_dirs}`, + `/usr/share`, + }, + // 5. System configuration + "etc": { + `/etc`, `@{etc_ro}`, `@{etc_rw}`, + `/etc/machine-id$`, + `/var/lib/dbus/machine-id`, + }, + // 6. Boot files + "boot": { + `/boot`, + }, + // 7. System read/write data + "system-data": { + `/$`, + `/usr/`, + `/usr/local/`, + `/home`, + `/var`, + }, + // 8. System user data + "system-user": { + `@{(DESKTOP|GDM|SSDM|LIGHTDM)_HOME}`, + `@{(desktop|gdm|ssdm|lightdm)_[a-z]*_dirs}`, + }, + // 9. User data + "user-data": { + `@{MOUNTDIRS}`, + `@{MOUNTS}`, + `@{HOME}`, + `@{[a-z]*_dirs}`, + `@{user_[a-z]*_dirs}`, + }, + // 10 Temporary data + "tmp": { + `/tmp`, `@{tmp}`, // Temporary data + `/dev/shm`, // Shared memory + }, + // 11 Runtime data + "runtime": { + `@{run}/user/@{uid}`, + `@{run}/gdm`, + `@{run}`, + }, + // 12 Udev data + "udev": {"@{run}/udev"}, + // 13. Sys files + "sys": {"@{sys}"}, + // 14. Proc files + "proc": {"@{PROC}"}, + // 15. Dev files + "dev": {"/dev"}, } - fileWeights = generateWeights(fileAlphabet) - - // Some file rule should be sorted in the same group - fileAlphabetGroups = map[string]string{ - "@{exec_path}": "exec", - "@{sh_path}": "exec", - "@{coreutils_path}": "exec", - "@{open_path}": "exec", - "@{bin}": "exec", - "@{lib}": "exec", - "/opt": "exec", - "/home": "home", - "@{HOME}": "home", - "/tmp": "tmp", - "@{tmp}": "tmp", - "/dev/shm": "tmp", + fileAlphabetGroups = util.InvertFlatten(fileGroups) + + // The order the apparmor file group rules should be sorted + fileAlphabetGroup = []string{ + "attachment", "bin", "lib", "share", "etc", "boot", + "system-data", "system-user", "user-data", + "tmp", "runtime", "udev", "sys", "proc", "dev", } + fileWeights = generateFileWeights(fileAlphabetGroup, fileGroups) + + // Compiled regexps for matching file paths to their sort group + fileReg = generateRegexp(fileWeights) + + // Memoization cache for file path to group label lookups + groupCache = map[string]string{} + // The order AARE should be sorted stringAlphabet = []byte( "!\"#$%&'*(){}[]@+,-./:;<=>?\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz", @@ -147,6 +197,7 @@ func init() { requirementsWeights = generateRequirementsWeights(requirements) } +// generateTemplates parses and clones the embedded gotmpl files for each rule kind. func generateTemplates(names []Kind) map[Kind]*template.Template { res := make(map[Kind]*template.Template, len(names)) base := template.New("").Funcs(tmplFunctionMap) @@ -163,6 +214,7 @@ func generateTemplates(names []Kind) map[Kind]*template.Template { return res } +// renderTemplate render the template for the given kind and data func renderTemplate(name Kind, data any) string { var res strings.Builder template, ok := tmpl[name] @@ -173,9 +225,19 @@ func renderTemplate(name Kind, data any) string { if err != nil { panic(err) } - return res.String() + return trimTrailingWhitespace(res.String()) +} + +// trimTrailingWhitespace removes trailing spaces and tabs from each line. +func trimTrailingWhitespace(s string) string { + lines := strings.Split(s, "\n") + for i, line := range lines { + lines[i] = strings.TrimRight(line, " \t") + } + return strings.Join(lines, "\n") } +// generateWeights assigns a sort weight to each element based on its position in the alphabet. func generateWeights[T comparable](alphabet []T) map[T]int { res := make(map[T]int, len(alphabet)) for i, r := range alphabet { @@ -184,6 +246,25 @@ func generateWeights[T comparable](alphabet []T) map[T]int { return res } +// generateFileWeights assigns sort weights to file patterns based on their group order. +func generateFileWeights[T comparable](groupOrder []T, groups map[T][]T) map[T]int { + totalLen := 0 + for i := range groups { + totalLen += len(groups[i]) + } + + idx := 0 + res := make(map[T]int, totalLen) + for _, group := range groupOrder { + for _, r := range groups[group] { + res[r] = idx + idx++ + } + } + return res +} + +// generateRequirementsWeights builds per-kind, per-key weight maps for sorting rule values. func generateRequirementsWeights(requirements map[Kind]requirement) map[Kind]map[string]map[string]int { res := make(map[Kind]map[string]map[string]int, len(requirements)) for rule, req := range requirements { @@ -195,6 +276,48 @@ func generateRequirementsWeights(requirements map[Kind]requirement) map[Kind]map return res } +// generateRegexp compiles AARE file patterns into anchored regular expressions. +func generateRegexp(weights map[string]int) map[string]*regexp.Regexp { + res := make(map[string]*regexp.Regexp, len(weights)) + for w := range weights { + // Escape special regex chars that appear in AARE patterns + // Note: $ at end of pattern is kept as regex end anchor for exact matching + pattern := w + pattern = strings.ReplaceAll(pattern, "{", `\{`) + pattern = strings.ReplaceAll(pattern, "}", `\}`) + // Only escape $ if not at end of pattern (end anchor) + if !strings.HasSuffix(pattern, "$") { + pattern = strings.ReplaceAll(pattern, "$", `\$`) + } + res[w] = regexp.MustCompile(`(?m)^` + pattern) + } + return res +} + +// getGroup returns the file sort group label for the given path, using cached results. +func getGroup(weights map[string]int, in string) string { + if result, ok := groupCache[in]; ok { + return result + } + + // Find the best (most specific) matching pattern + // More specific patterns have higher weights within their group + bestLabel := "" + bestWeight := -1 + for w := range weights { + if fileReg[w].MatchString(in) { + // Choose the pattern with the highest weight (most specific) + if weights[w] > bestWeight { + bestWeight = weights[w] + bestLabel = w + } + } + } + groupCache[in] = bestLabel + return bestLabel +} + +// join is a template function that joins slices with spaces or maps as key=value pairs. func join(i any) string { switch i := i.(type) { case []string: @@ -210,6 +333,7 @@ func join(i any) string { } } +// cjoin is a template function that joins values with parentheses when there are multiple items. func cjoin(i any) string { switch i := i.(type) { case []string: @@ -228,6 +352,7 @@ func cjoin(i any) string { } } +// kindOf is a template function that returns the kind string of a rule. func kindOf(i Rule) string { if i == nil { return "" @@ -235,6 +360,7 @@ func kindOf(i Rule) string { return i.Kind().String() } +// setindent is a template function that increments or decrements the indentation level. func setindent(i string) string { switch i { case "++": @@ -245,19 +371,12 @@ func setindent(i string) string { return "" } +// indent is a template function that prepends the current indentation to a string. func indent(s string) string { return strings.Repeat(Indentation, IndentationLevel) + s } +// indentDbus is a template function that indents dbus rule continuation lines with extra padding. func indentDbus(s string) string { return strings.Join([]string{Indentation, s}, " ") } - -func getLetterIn(alphabet []string, in string) string { - for _, letter := range alphabet { - if strings.HasPrefix(in, letter) { - return letter - } - } - return "" -} From 583097c353d262fa48f4d478eb4bdce965144328 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:22:44 +0200 Subject: [PATCH 1591/1736] feat(aa): validate peer modifiers and improve network/unix rule parsing --- pkg/aa/network.go | 15 ++++++++++++++- pkg/aa/unix.go | 11 +++++++++++ pkg/aa/util.go | 10 ++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/pkg/aa/network.go b/pkg/aa/network.go index a3ff71e83a..0e67b34a57 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -27,12 +27,15 @@ func init() { "netlink", "packet", "ash", "econet", "atmsvc", "rds", "sna", "irda", "pppox", "wanpipe", "llc", "ib", "mpls", "can", "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "caif", "alg", - "nfc", "vsock", "kcm", "qipcrtr", "smc", "xdp", "mctp", + "nfc", "vsock", "kcm", "qipcrtr", "smc", "xdp", "mctp", "unspec", }, "type": []string{ "stream", "dgram", "seqpacket", "rdm", "raw", "packet", }, "protocol": []string{"tcp", "udp", "icmp"}, + "local-only": []string{ + "create", "bind", "listen", "getattr", "setattr", "getopt", "setopt", "shutdown", + }, } } @@ -153,6 +156,7 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { nType, protocol, domain := "", "", "" // Classify each token as access, domain, type, or protocol + allowedMapKeys := map[string]bool{"ip": true, "port": true, "peer": true, "type": true} for _, token := range rule.GetSlice() { switch { case slices.Contains(requirements[NETWORK]["access"], token): @@ -163,6 +167,10 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { nType = token case slices.Contains(requirements[NETWORK]["protocol"], token): protocol = token + case allowedMapKeys[token]: + // Map key tokens (ip, port, peer, type) are handled separately + default: + return nil, fmt.Errorf("unrecognized network token: %s", token) } } @@ -230,6 +238,11 @@ func (r *Network) Validate() error { if err := r.PeerAddress.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) } + if r.PeerAddress.IP != "" || r.PeerAddress.Port != "" || r.PeerAddress.Src != "" { + if len(r.Access) > 0 && allLocalOnly(r.Access, requirements[NETWORK]["local-only"]) { + return fmt.Errorf("peer modifier not allowed with local-only access types in network rule") + } + } return nil } diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index 8b9c440b59..f397dc6126 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go @@ -19,6 +19,9 @@ func init() { "getattr", "setattr", "getopt", "setopt", "send", "receive", "r", "w", "rw", }, + "local-only": []string{ + "create", "bind", "listen", "getattr", "setattr", "getopt", "setopt", "shutdown", + }, } } @@ -97,6 +100,11 @@ func (r *Unix) Validate() error { if err := validateValues(r.Kind(), "type", []string{r.Type}); err != nil { return fmt.Errorf("%s: %w", r, err) } + if r.PeerLabel != "" || r.PeerAddr != "" { + if len(r.Access) > 0 && allLocalOnly(r.Access, requirements[UNIX]["local-only"]) { + return fmt.Errorf("peer modifier not allowed with local-only access types in unix rule") + } + } return nil } @@ -111,6 +119,9 @@ func (r *Unix) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } + if res := compare(r.Address == "", o.Address == ""); res != 0 { + return res + } if res := compare(r.Address, o.Address); res != 0 { return res } diff --git a/pkg/aa/util.go b/pkg/aa/util.go index f4dd63adb5..3f5127063c 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -267,3 +267,13 @@ func toAccess(kind Kind, input string) ([]string, error) { slices.SortFunc(res, compareFileAccess) return slices.Compact(res), nil } + +// allLocalOnly returns true if all access types are in the local-only list. +func allLocalOnly(access, localOnly []string) bool { + for _, a := range access { + if !slices.Contains(localOnly, a) { + return false + } + } + return true +} From a12d081036998f5c73fe8103521970586b7a5c12 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:23:13 +0200 Subject: [PATCH 1592/1736] feat(aa): add user bin and lib dirs. --- pkg/aa/apparmor.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 7f191e8797..56087d776f 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -95,6 +95,8 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true}, + &Variable{Name: "user_bin_dirs", Values: []string{"/home/*/.local/bin"}, Define: true}, + &Variable{Name: "user_lib_dirs", Values: []string{"/home/*/.local/lib"}, Define: true}, &Variable{Name: "user", Values: []string{"[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}"}, Define: true}, &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true}, &Variable{Name: "w", Values: []string{"[a-zA-Z0-9_]"}, Define: true}, From dd3eb0cfea34a46545e72753b6811a6f5c8acd39 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:29:22 +0200 Subject: [PATCH 1593/1736] feat(aa): improve parser robustness and validation --- pkg/aa/all.go | 5 ++++ pkg/aa/file.go | 4 +++ pkg/aa/io_uring.go | 3 +++ pkg/aa/mount.go | 5 ++-- pkg/aa/mqueue.go | 12 +++++++++ pkg/aa/parse.go | 12 +++++++++ pkg/aa/preamble.go | 64 ++++++++++++++++++++++++++++++++++++++-------- 7 files changed, 93 insertions(+), 12 deletions(-) diff --git a/pkg/aa/all.go b/pkg/aa/all.go index abe7dacb0b..557899e8d7 100644 --- a/pkg/aa/all.go +++ b/pkg/aa/all.go @@ -4,6 +4,8 @@ package aa +import "fmt" + const ( ALL Kind = "all" ) @@ -13,6 +15,9 @@ type All struct { } func newAll(q Qualifier, rule rule) (Rule, error) { + if len(rule.GetSlice()) > 0 { + return nil, fmt.Errorf("'all' rule cannot have additional arguments") + } return &All{Base: newBase(rule)}, rule.ValidateMapKeys([]string{}) } diff --git a/pkg/aa/file.go b/pkg/aa/file.go index a0dd209f98..e362cd2f02 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -59,6 +59,10 @@ func newFile(q Qualifier, rule rule) (Rule, error) { if rule.Get(0) == FILE.Tok() { rule = rule[1:] } + // Skip safe/unsafe modifiers (handled at exec time) + if rule.Get(0) == "unsafe" || rule.Get(0) == "safe" { + rule = rule[1:] + } r := rule.GetSlice() size := len(r) diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go index 30975a759c..ffb71df07f 100644 --- a/pkg/aa/io_uring.go +++ b/pkg/aa/io_uring.go @@ -28,6 +28,9 @@ func newIOUring(q Qualifier, rule rule) (Rule, error) { if err != nil { return nil, err } + if err := rule.ValidateNonEmptyValues([]string{"label"}); err != nil { + return nil, err + } return &IOUring{ Base: newBase(rule), Qualifier: q, diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 980b110cfb..2dc5221797 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -18,7 +18,7 @@ func init() { requirements[MOUNT] = requirement{ "flags": { // flags bind - "B", "bind", "R", "rbind", + "B", "bind", "M", "R", "rbind", // flags change "shared", "slave", "nostrictatime", "lazytime", "nolazytime", @@ -27,7 +27,8 @@ func init() { "make-rprivate", "make-rslave", "symfollow", // flags mount - "ro", "rw", "w", "acl", "async", "atime", "bind", "dev", "diratime", + "r", "read-only", "ro", "rw", "w", + "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go index 2626100d99..0ed1889dcb 100644 --- a/pkg/aa/mqueue.go +++ b/pkg/aa/mqueue.go @@ -92,6 +92,18 @@ func (r *Mqueue) Validate() error { if err := validateValues(r.Kind(), "type", []string{r.Type}); err != nil { return fmt.Errorf("%s: %w", r, err) } + // Only validate name if it's not an access keyword (parser may put access in Name) + nameIsAccess := slices.Contains(requirements[MQUEUE]["access"], r.Name) + if !nameIsAccess && r.Name != "" { + // POSIX mqueue names must start with / + if r.Type == "posix" && !strings.HasPrefix(r.Name, "/") && !strings.Contains(r.Name, "@{") { + return fmt.Errorf("mqueue: posix queue name '%s' must start with /", r.Name) + } + // SYSV mqueue names must not start with / + if r.Type == "sysv" && strings.HasPrefix(r.Name, "/") { + return fmt.Errorf("mqueue: sysv queue name '%s' must not start with /", r.Name) + } + } return nil } diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index c9a38c1119..c14654b580 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -754,6 +754,18 @@ func (r rule) ValidateMapKeys(validKeys []string) error { return nil } +// ValidateNonEmptyValues validates that keys which are present have non-empty values. +func (r rule) ValidateNonEmptyValues(keys []string) error { + for _, kv := range r { + if kv.values != nil && slices.Contains(keys, kv.key) { + if len(kv.values) == 0 { + return fmt.Errorf("empty value for '%s' in rule: %s", kv.key, r) + } + } + } + return nil +} + // String return a generic representation of a rule. func (r rule) String() string { var res strings.Builder diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 8460f444fd..7b39372124 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go @@ -6,6 +6,7 @@ package aa import ( "fmt" + "regexp" "slices" "strings" ) @@ -21,6 +22,12 @@ const ( tokIFEXISTS = "if exists" ) +var ( + // reValidVarName matches valid variable names: must start with a letter, + // followed by letters, digits, or underscores. + reValidVarName = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9_]*$`) +) + type Comment struct { Base } @@ -69,11 +76,12 @@ type Abi struct { func newAbi(q Qualifier, rule rule) (Rule, error) { var magic bool - if len(rule) != 1 { + + // Rejoin tokens that were split by spaces (e.g., "< includes/path >") + path := strings.Join(rule.GetSlice(), " ") + if path == "" { return nil, fmt.Errorf("invalid abi format: %s", rule) } - - path := rule.Get(0) switch path[0] { case '"': magic = false @@ -89,6 +97,8 @@ func newAbi(q Qualifier, rule rule) (Rule, error) { return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) } path = strings.Trim(path, "\"<>") + path = strings.Trim(path, " \t") + path = strings.Trim(path, "\"") return &Abi{ Base: newBase(rule), Path: path, @@ -206,22 +216,25 @@ func newInclude(rule rule) (Rule, error) { r = r[2:] } - path := r[0] + path := strings.Join(r, " ") // Rejoin in case of spaces in path switch path[0] { case '"': magic = false if !strings.HasSuffix(path, "\"") || len(path) < 3 { return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) } + path = strings.Trim(path, "\"") case '<': magic = true if !strings.HasSuffix(path, ">") || len(path) < 3 { return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) } + path = strings.Trim(path, "<>") + path = strings.Trim(path, " \t") default: - return nil, fmt.Errorf("invalid path format: %v", path) + // Allow bare/relative paths (e.g., simple_tests/includes/...) + magic = false } - path = strings.Trim(path, "\"<>") return &Include{ Base: newBase(rule), IfExists: ifexists, @@ -290,8 +303,12 @@ func newVariable(rule rule) (Rule, error) { r := rule.GetSlice() name := strings.Trim(rule.Get(0), VARIABLE.Tok()+"}") + if !reValidVarName.MatchString(name) { + return nil, fmt.Errorf("invalid variable name '%s': must start with a letter", name) + } + switch rule.Get(1) { - case tokEQUAL: + case tokEQUAL, "?=", ":=": define = true values = r[2:] case tokPLUS + tokEQUAL: @@ -300,6 +317,21 @@ func newVariable(rule rule) (Rule, error) { default: return nil, fmt.Errorf("invalid operator in variable: %v", rule) } + + // Validate variable values + for _, v := range values { + if strings.HasSuffix(v, ",") { + return nil, fmt.Errorf("trailing comma in variable value: %s", v) + } + quoteCount := strings.Count(v, "\"") + if quoteCount%2 != 0 { + return nil, fmt.Errorf("unbalanced quotes in variable value: %s", v) + } + if strings.Contains(v, "!") { + return nil, fmt.Errorf("invalid character '!' in variable value: %s", v) + } + } + return &Variable{ Base: newBase(rule), Name: name, @@ -368,22 +400,34 @@ func newBoolean(rule rule) (Rule, error) { case 3: name = strings.Trim(rule.Get(0), BOOLEAN.Tok()+"{}") - if rule.Get(1) != tokEQUAL { + op := rule.Get(1) + if op != tokEQUAL && op != "?=" && op != ":=" { return nil, fmt.Errorf("invalid boolean format, missing %s in: %s", tokEQUAL, rule) } value = rule.Get(2) + case 4: + // Handle ?= and := operators: "$VAR ? = value" or "$VAR : = value" + name = strings.Trim(rule.Get(0), BOOLEAN.Tok()+"{}") + op := rule.Get(1) + if (op == "?" || op == ":") && rule.Get(2) == tokEQUAL { + value = rule.Get(3) + } else { + return nil, fmt.Errorf("invalid boolean format: %v", rule) + } + default: return nil, fmt.Errorf("invalid boolean format: %v", rule) } - if !slices.Contains([]string{"true", "false"}, value) { + valueLower := strings.ToLower(value) + if !slices.Contains([]string{"true", "false"}, valueLower) { return nil, fmt.Errorf("invalid boolean value %s in rule: %s", value, rule) } return &Boolean{ Base: newBase(rule), Name: name, - Value: value == "true", + Value: valueLower == "true", }, nil } From 5cede816753f90092520d478c67ae16a8fb804d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:35:26 +0200 Subject: [PATCH 1594/1736] feat(aa): enhance validation and comparison in file rules and utilities - Add AARE pattern validation - file access conflict detection - prefix-based requirement matching. --- pkg/aa/file.go | 9 +++ pkg/aa/util.go | 158 +++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 157 insertions(+), 10 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index e362cd2f02..6404fe1b01 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -150,6 +150,15 @@ func (r *File) Validate() error { return fmt.Errorf("invalid mode '%s'", v) } } + if err := validateAAREPattern(r.Path); err != nil { + return err + } + // Conflicting access: write (w) and append (a) cannot coexist + hasW := slices.Contains(r.Access, "w") + hasA := slices.Contains(r.Access, "a") + if hasW && hasA { + return fmt.Errorf("conflicting file access: 'w' and 'a' cannot coexist") + } return nil } diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 3f5127063c..2791ab25c0 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -19,6 +19,7 @@ func Must[T any](v T, err error) T { return v } +// boolToInt converts a boolean to an integer (true = 1, false = 0). func boolToInt(b bool) int { if b { return 1 @@ -26,6 +27,7 @@ func boolToInt(b bool) int { return 0 } +// merge merges two slices of strings according to their kind (file, variable, other) and requirements matrix. func merge(kind Kind, key string, a, b []string) []string { a = append(a, b...) switch kind { @@ -43,6 +45,7 @@ func merge(kind Kind, key string, a, b []string) []string { return slices.Compact(a) } +// length returns the length of a value with its prefix for padding calculation. func length(prefix string, value any) int { var res int switch value := value.(type) { @@ -66,12 +69,16 @@ func length(prefix string, value any) int { if len(value) > 1 { res += 2 // Brackets on slices } + if res > 0 && prefix != "" { + res += len(prefix) // Add prefix length when slice is non-empty + } return res default: panic("length: unsupported type") } } +// setPaddings returns a slice of paddings for each value to align them according to the max lengths provided. func setPaddings(max []int, prefixes []string, values []any) []string { if len(max) != len(values) || len(max) != len(prefixes) { panic("setPaddings: max, prefix, and values must have the same length") @@ -90,6 +97,8 @@ func setPaddings(max []int, prefixes []string, values []any) []string { return res } +// compare compares two values of the same type and returns -1, 0, or 1 +// if a is less than, equal to, or greater than b, respectively. func compare(a, b any) int { switch a := a.(type) { case int: @@ -107,9 +116,19 @@ func compare(a, b any) int { } return len(a) - len(b) case []string: - return slices.CompareFunc(a, b.([]string), func(s1, s2 string) int { - return compare(s1, s2) - }) + b := b.([]string) + // Compare using the formatted representation so that parenthesized + // multi-element values (e.g., "(kill term)") sort before single + // element values (e.g., "hup") based on the '(' character weight. + sa := strings.Join(a, " ") + if len(a) > 1 { + sa = "(" + sa + ")" + } + sb := strings.Join(b, " ") + if len(b) > 1 { + sb = "(" + sb + ")" + } + return compare(sa, sb) case bool: return boolToInt(a) - boolToInt(b.(bool)) default: @@ -138,20 +157,53 @@ func compareFileAccess(i, j string) int { return 1 } +// validateValues checks if all values in the slice are valid according to the requirements matrix. func validateValues(kind Kind, key string, values []string) error { for _, v := range values { if v == "" { continue } + // Skip variable references — they will be expanded at runtime + if strings.Contains(v, "@{") { + continue + } + v = strings.Trim(v, "`\"") // Strip surrounding quotes for validation if !slices.Contains(requirements[kind][key], v) { - return fmt.Errorf("invalid mode '%s'", v) + // Check for prefix-based values (e.g., "kill.signal=hup" matches "kill.signal=") + found := false + for _, req := range requirements[kind][key] { + if strings.HasSuffix(req, "=") && strings.HasPrefix(v, req) { + found = true + break + } + } + if !found { + return fmt.Errorf("invalid mode '%s'", v) + } } } return nil } +// flagMatch checks if a value matches a conflict pattern. +// Supports exact match and prefix match for patterns ending with "=". +func flagMatch(value, pattern string) bool { + if value == pattern { + return true + } + // Prefix match: "attach_disconnected.ipc=/foo" matches "attach_disconnected.ipc=" + if strings.HasSuffix(pattern, "=") && strings.HasPrefix(value, pattern) { + return true + } + // Also match the other way: value "attach_disconnected.ipc=" prefix matches actual value + if strings.HasSuffix(value, "=") && strings.HasPrefix(pattern, value) { + return true + } + return false +} + // validateConflicts checks if any values in the slice conflict with each other. // Conflicts are defined in the conflicts map as pairs of mutually exclusive values. func validateConflicts(kind Kind, key string, values []string) error { @@ -163,8 +215,16 @@ func validateConflicts(kind Kind, key string, values []string) error { if len(pair) != 2 { continue } - hasFirst := slices.Contains(values, pair[0]) - hasSecond := slices.Contains(values, pair[1]) + hasFirst := false + hasSecond := false + for _, v := range values { + if flagMatch(v, pair[0]) { + hasFirst = true + } + if flagMatch(v, pair[1]) { + hasSecond = true + } + } if hasFirst && hasSecond { return fmt.Errorf("conflicting %s '%s' and '%s'", key, pair[0], pair[1]) } @@ -172,6 +232,46 @@ func validateConflicts(kind Kind, key string, values []string) error { return nil } +// validateAAREPattern checks for invalid AARE (AppArmor Regular Expression) patterns. +func validateAAREPattern(path string) error { + // Check for empty character class: [] + if strings.Contains(path, "[]") { + return fmt.Errorf("empty character class '[]' in path '%s'", path) + } + // Check for empty alternation: {} + if strings.Contains(path, "{}") { + return fmt.Errorf("empty alternation '{}' in path '%s'", path) + } + // Check for single-entry alternation: {word} (no comma inside) + // Skip variable references @{...} and handle nesting + for i := 0; i < len(path); i++ { + if path[i] == '{' && (i == 0 || (path[i-1] != '@' && path[i-1] != '\\')) { + // Find matching closing brace, accounting for nesting + depth := 1 + end := -1 + for j := i + 1; j < len(path); j++ { + if path[j] == '{' { + depth++ + } else if path[j] == '}' { + depth-- + if depth == 0 { + end = j + break + } + } + } + if end > 0 { + inner := path[i+1 : end] + if !strings.Contains(inner, ",") { + return fmt.Errorf("single-entry alternation '{%s}' in path '%s'", inner, path) + } + } + } + } + return nil +} + +// tokenToSlice splits a token string into a slice of strings based on commas or spaces. func tokenToSlice(token string) []string { res := []string{} token = strings.Trim(token, "()\n ") @@ -230,18 +330,32 @@ func toAccess(kind Kind, input string) ([]string, error) { transitionWeights := requirementsWeights[FILE]["transition"] raw := strings.Split(input, "") trans := []string{} - for _, access := range raw { + // Track positions of access vs transition chars to detect interleaving + lastTransPos := -1 + firstAccessAfterTrans := false + for i, access := range raw { if _, ok := accessWeights[access]; ok { res = append(res, access) + if lastTransPos >= 0 { + firstAccessAfterTrans = true + } } else { + _ = i + if firstAccessAfterTrans { + // Transition char after access char that was after a transition char + // e.g., "prx" → p(trans) r(access) x(trans) — invalid interleaving + return nil, fmt.Errorf("invalid access mode: access and transition chars interleaved in '%s'", input) + } trans = append(trans, access) + lastTransPos = i } } transition := strings.Join(trans, "") if len(transition) > 0 { - if _, ok := transitionWeights[transition]; ok { - res = append(res, transition) + resolved := resolveTransition(transition, transitionWeights) + if resolved != "" { + res = append(res, resolved) } else { return nil, fmt.Errorf("unrecognized transition: %s", transition) } @@ -263,11 +377,35 @@ func toAccess(kind Kind, input string) ([]string, error) { default: return toValues(kind, "access", input) } - slices.SortFunc(res, compareFileAccess) return slices.Compact(res), nil } +// resolveTransition tries to match a transition string against known transitions. +// It handles exact match, case-insensitive match, and repeated transitions (e.g., "pxpxpx" → "px"). +func resolveTransition(transition string, weights map[string]int) string { + // Exact match + if _, ok := weights[transition]; ok { + return transition + } + // Case-insensitive match + for t := range weights { + if strings.EqualFold(transition, t) { + return t + } + } + // Check if it's a repeated valid transition (e.g., "pxpxpx" → "px") + for t := range weights { + if len(t) > 0 && len(transition) > len(t) && len(transition)%len(t) == 0 { + repeated := strings.Repeat(t, len(transition)/len(t)) + if repeated == transition || strings.EqualFold(repeated, transition) { + return t + } + } + } + return "" +} + // allLocalOnly returns true if all access types are in the local-only list. func allLocalOnly(access, localOnly []string) bool { for _, a := range access { From 94b02767d712717c4e9f2ce0b32fd78b41566e4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:35:46 +0200 Subject: [PATCH 1595/1736] feat(aa): normalize signal set names --- pkg/aa/signal.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go index df558496be..7aea59c288 100644 --- a/pkg/aa/signal.go +++ b/pkg/aa/signal.go @@ -6,6 +6,8 @@ package aa import ( "fmt" + "strconv" + "strings" ) const SIGNAL Kind = "signal" @@ -83,6 +85,15 @@ func (r *Signal) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) } + // Normalize signal set names (strip leading zeros from rtmin+NNN) + for i, s := range r.Set { + if after, ok := strings.CutPrefix(s, "rtmin+"); ok { + numStr := after + if n, err := strconv.Atoi(numStr); err == nil { + r.Set[i] = fmt.Sprintf("rtmin+%d", n) + } + } + } if err := validateValues(r.Kind(), "set", r.Set); err != nil { return fmt.Errorf("%s: %w", r, err) } From 2bde668a036efc00ba387ea4d0b8f970d04c6c59 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:36:55 +0200 Subject: [PATCH 1596/1736] fix(aa): improve rule sorting, merging, and deduplication --- pkg/aa/rules.go | 43 +++++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 22 deletions(-) diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go index e817af44ad..c862018899 100644 --- a/pkg/aa/rules.go +++ b/pkg/aa/rules.go @@ -60,6 +60,7 @@ func (r Rules) Validate() error { return nil } +// String renders all rules as a string func (r Rules) String() string { return renderTemplate("rules", r) } @@ -79,12 +80,7 @@ func (r Rules) Index(item Rule) int { // IndexOf returns the index of the first occurrence of item in r, or -1 if not present. func (r Rules) IndexOf(item Rule) int { - for idx, rr := range r { - if rr.Kind() == item.Kind() && rr.Compare(item) == 0 { - return idx - } - } - return -1 + return r.Index(item) } // Contains checks if the rule is in the slice @@ -131,20 +127,6 @@ func (r Rules) DeleteKind(kind Kind) Rules { return res } -// FilterOut removes all rules of the given kind from the slice and returns the new slice. -func (r Rules) FilterOut(filter Kind) Rules { - res := make(Rules, 0, len(r)) - for _, rule := range r { - if rule == nil { - continue - } - if rule.Kind() != filter { - res = append(res, rule) - } - } - return res -} - // Filter returns all rules of the given kind from the slice. func (r Rules) Filter(filter Kind) Rules { res := make(Rules, 0, len(r)) @@ -203,8 +185,15 @@ func (r Rules) Merge() Rules { continue } - // If rules are identical, merge them. Ignore comments + // If rules are identical, try to merge them to combine Base fields (NoNewPrivs, FileInherit, etc.) if r[i].Kind() != COMMENT && r[i].Compare(r[j]) == 0 { + // Attempt merge to combine metadata like NoNewPrivs, FileInherit + if r[i].Merge(r[j]) { + r = r.Delete(j) + j-- + continue + } + // If merge returns false but they're identical, delete duplicate r = r.Delete(j) j-- continue @@ -222,6 +211,7 @@ func (r Rules) Merge() Rules { // Sort the rules according to the guidelines: // https://apparmor.pujol.io/development/guidelines/#guidelines func (r Rules) Sort() Rules { + // r = slices.DeleteFunc(r, func(a Rule) bool { return a == nil }) slices.SortFunc(r, func(a, b Rule) int { kindOfA := a.Kind() kindOfB := b.Kind() @@ -232,7 +222,16 @@ func (r Rules) Sort() Rules { if kindOfB == INCLUDE && b.(*Include).IfExists { kindOfB = "include_if_exists" } - return ruleWeights[kindOfA] - ruleWeights[kindOfB] + if kindOfA == LINK { + kindOfA = FILE + } + if kindOfB == LINK { + kindOfB = FILE + } + if res := ruleWeights[kindOfA] - ruleWeights[kindOfB]; res != 0 { + return res + } + return compareFileLink(a, b) } return a.Compare(b) }) From b984e2461d82f575bcffad8cdb9cfa0422f8dacf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:38:40 +0200 Subject: [PATCH 1597/1736] feat(aa): add mount change flag validation and improve mount rule comparison --- pkg/aa/mount.go | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 2dc5221797..618a4fffe0 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -36,6 +36,14 @@ func init() { "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", }, + "change": { + // Change flags are mount flags that indicate a change operation + // and cannot have a source path. + "private", "rprivate", "slave", "rslave", "shared", "rshared", + "unbindable", "runbindable", "remount", + "make-unbindable", "make-private", "make-slave", "make-shared", + "make-runbindable", "make-rprivate", "make-rslave", "make-rshared", + }, } } @@ -66,7 +74,10 @@ func newMountConditionsFromLog(log map[string]string) MountConditions { } func (m MountConditions) Validate() error { - return validateValues(MOUNT, "flags", m.Options) + if err := validateValues(MOUNT, "flags", m.Options); err != nil { + return err + } + return validateConflicts(MOUNT, "flags", m.Options) } func (m MountConditions) Compare(other MountConditions) int { @@ -162,18 +173,35 @@ func (r *Mount) Validate() error { if err := r.MountConditions.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) } + if r.Source != "" && r.MountPoint != "" { + for _, opt := range r.Options { + if slices.Contains(requirements[MOUNT]["change"], opt) { + return fmt.Errorf("mount option '%s' cannot be used with a source path", opt) + } + } + } return nil } func (r *Mount) Compare(other Rule) int { o, _ := other.(*Mount) - if res := compare(r.Source, o.Source); res != 0 { + // Order: no fstype before fstype, then by options, then by source presence, then by mountpoint + if res := compare(r.FsType, o.FsType); res != 0 { + return res + } + if res := compare(len(r.Options) > 0, len(o.Options) > 0); res != 0 { + return res + } + if res := compare(r.Options, o.Options); res != 0 { + return res + } + if res := compare(r.Source != "", o.Source != ""); res != 0 { return res } if res := compare(r.MountPoint, o.MountPoint); res != 0 { return res } - if res := r.MountConditions.Compare(o.MountConditions); res != 0 { + if res := compare(r.Source, o.Source); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) From 124447597493ae3cd3b83122280eeedb8a0b5d5d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:39:21 +0200 Subject: [PATCH 1598/1736] feat(aa): validate dbus bind and eavesdrop modifier constraints --- pkg/aa/dbus.go | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index 6208af0ad1..243bc96cf3 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -100,7 +100,28 @@ func (r *Dbus) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) } - return validateValues(r.Kind(), "bus", []string{r.Bus}) + if err := validateValues(r.Kind(), "bus", []string{r.Bus}); err != nil { + return fmt.Errorf("%s: %w", r, err) + } + + // Bind access cannot have member, interface, or path modifiers + if len(r.Access) == 1 && r.Access[0] == "bind" { + if r.Member != "" { + return fmt.Errorf("dbus bind cannot have member modifier") + } + if r.Interface != "" { + return fmt.Errorf("dbus bind cannot have interface modifier") + } + } + + // Eavesdrop access cannot have non-bus modifiers + if len(r.Access) == 1 && r.Access[0] == "eavesdrop" { + if r.Name != "" || r.Path != "" || r.Interface != "" || r.Member != "" || + r.PeerName != "" || r.PeerLabel != "" { + return fmt.Errorf("dbus eavesdrop cannot have non-bus modifiers") + } + } + return nil } func (r *Dbus) Compare(other Rule) int { From 08f95a8bb9e657702ffdc31685f02d6bc718a7bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:40:17 +0200 Subject: [PATCH 1599/1736] refactor(aa): extract flag parsing in Base and fix comment merge dedup --- pkg/aa/base.go | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index c80527fda0..ae83019fc8 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -18,6 +18,15 @@ type Base struct { Paddings []string } +func extractFlag(comment, flag string) (string, bool) { + if !strings.Contains(comment, flag) { + return comment, false + } + comment = strings.ReplaceAll(comment, flag+" ", "") + comment = strings.ReplaceAll(comment, flag, "") + return comment, true +} + func newBase(rule rule) Base { comment := "" fileInherit, noNewPrivs, optional := false, false, false @@ -32,19 +41,11 @@ func newBase(rule rule) Base { comment = rule[len(rule)-1].comment } } - switch { - case strings.Contains(comment, "file_inherit"): - fileInherit = true - comment = strings.Replace(comment, "file_inherit ", "", 1) - case strings.HasPrefix(comment, "no new privs"): - noNewPrivs = true - comment = strings.Replace(comment, "no new privs ", "", 1) - case strings.Contains(comment, "optional:"): - optional = true - comment = strings.Replace(comment, "optional: ", "", 1) - } + comment, fileInherit = extractFlag(comment, "file_inherit") + comment, noNewPrivs = extractFlag(comment, "no new privs") + comment, optional = extractFlag(comment, "optional:") return Base{ - Comment: comment, + Comment: strings.TrimRight(comment, " "), NoNewPrivs: noNewPrivs, FileInherit: fileInherit, Optional: optional, @@ -94,7 +95,7 @@ func (r *Base) merge(other Base) bool { r.NoNewPrivs = r.NoNewPrivs || other.NoNewPrivs r.FileInherit = r.FileInherit || other.FileInherit r.Optional = r.Optional || other.Optional - if other.Comment != "" { + if other.Comment != "" && other.Comment != r.Comment { r.Comment += " " + other.Comment } return true From e7033c8ae39635734c3dc25456c640bedad24804 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:41:57 +0200 Subject: [PATCH 1600/1736] fix(aa): require exec condition when change_profile has exec mode --- pkg/aa/change_profile.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go index 64d6dbe0ed..1feb0d3f5a 100644 --- a/pkg/aa/change_profile.go +++ b/pkg/aa/change_profile.go @@ -83,6 +83,9 @@ func (r *ChangeProfile) Validate() error { if err := validateValues(r.Kind(), "mode", []string{r.ExecMode}); err != nil { return fmt.Errorf("%s: %w", r, err) } + if r.ExecMode != "" && r.Exec == "" { + return fmt.Errorf("change_profile: '%s' requires an exec condition", r.ExecMode) + } return nil } From 9b83eeaf0b6285a29a57a760e874a8605e53fb24 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:42:43 +0200 Subject: [PATCH 1601/1736] feat(aa): add missing mount flag conflict detection. --- pkg/aa/mount.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 618a4fffe0..aa0c4064b7 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -6,6 +6,7 @@ package aa import ( "fmt" + "slices" ) const ( @@ -15,7 +16,22 @@ const ( ) func init() { + conflicts[MOUNT] = map[string][][]string{ + "flags": { + {"rw", "ro"}, + {"strictatime", "nostrictatime"}, + {"lazytime", "nolazytime"}, + {"symfollow", "nosymfollow"}, + }, + } requirements[MOUNT] = requirement{ + "fstype": { + "auto", "btrfs", "cgroup", "cgroup2", "configfs", "debugfs", + "devpts", "devtmpfs", "efivarfs", "ext2", "ext3", "ext4", "fuse.*", + "fuseblk", "fusectl", "hugetlbfs", "iso9660", "mqueue", "nfs", + "nfs4", "proc", "pstore", "ramfs", "rootfs", "securityfs", + "selinuxfs", "squashfs", "sysfs", "tmpfs", "tracefs", + }, "flags": { // flags bind "B", "bind", "M", "R", "rbind", From 93e98d9c43d563255bd5a163e6aa240cb3e46509 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:44:56 +0200 Subject: [PATCH 1602/1736] feat(aa): extend parser with escape handling, new operators, and qualifier validation --- pkg/aa/parse.go | 76 +++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 68 insertions(+), 8 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index c14654b580..1cc933aaa1 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -17,8 +17,11 @@ const ( tokALLOW = "allow" tokAUDIT = "audit" tokDENY = "deny" + tokOTHER = "other" tokPROMPT = "prompt" tokPRIORITY = "priority" + tokSAFE = "safe" + tokUNSAFE = "unsafe" tokARROW = "->" tokEQUAL = "=" tokLESS = "<" @@ -202,8 +205,16 @@ func tokenizeBlock(input string) ([]*block, error) { kind = HAT case strings.HasPrefix(blockHeader, IF.Tok()): kind = IF - case strings.HasPrefix(blockHeader, ELSE.Tok()): + case strings.HasPrefix(blockHeader, ELSE.Tok()), + blockHeader == "": kind = ELSE + case isProfileBlockHeader(blockHeader): + kind = PROFILE + case isRuleBlockHeader(blockHeader): + // Rule block modifiers: "owner { ... }", "audit { ... }" + // Wrap the block content with the modifier prefix on each rule + blockRaw = prependToRules(blockHeader, blockRaw) + kind = CONTENT default: return nil, fmt.Errorf("unrecognized block type: %s", blockHeader) } @@ -477,15 +488,29 @@ func parseContentRules(input string) (Rules, error) { // []string{"owner", "@{user_config_dirs}/powerdevilrc{,.@{rand6}}", "rwl", "->", "@{user_config_dirs}/#@{int}"} func tokenizeRule(str string) []string { var currentToken strings.Builder - isVariable, wasTokPLUS, quoted := false, false, false + isVariable, wasTokPLUS, wasTokQM, wasTokCOLON, quoted := false, false, false, false, false blockStack := []rune{} tokens := make([]string, 0, len(str)/2) - if inHeader && len(str) > 2 && str[0:2] == VARIABLE.Tok() && strings.Contains(str, "=") { - isVariable = true + trimmed := strings.TrimLeft(str, " \t") + if inHeader && len(trimmed) > 1 && strings.Contains(trimmed, "=") { + if trimmed[0:2] == VARIABLE.Tok() || trimmed[0] == '$' { + isVariable = true + } } + escaped := false for _, r := range str { + if escaped { + currentToken.WriteRune(r) + escaped = false + continue + } + if r == '\\' { + currentToken.WriteRune(r) + escaped = true + continue + } switch { case unicode.IsSpace(r) && len(blockStack) == 0 && !quoted: // Split on space/tab/newline if not in a block or quoted @@ -494,18 +519,24 @@ func tokenizeRule(str string) []string { currentToken.Reset() } - case (r == '+' || r == '=') && len(blockStack) == 0 && !quoted && isVariable: - // Handle variable assignment + case (r == '+' || r == '?' || r == ':' || r == '=') && len(blockStack) == 0 && !quoted && isVariable: + // Handle variable assignment operators: =, +=, ?=, := if currentToken.Len() != 0 { tokens = append(tokens, currentToken.String()) currentToken.Reset() } if wasTokPLUS { tokens[len(tokens)-1] = tokPLUS + tokEQUAL + } else if wasTokQM { + tokens[len(tokens)-1] = "?=" + } else if wasTokCOLON { + tokens[len(tokens)-1] = ":=" } else { tokens = append(tokens, string(r)) } wasTokPLUS = (r == '+') + wasTokQM = (r == '?') + wasTokCOLON = (r == ':') case r == '"' && len(blockStack) == 0: quoted = !quoted @@ -561,10 +592,11 @@ func parseRule(str string) rule { inAare := len(tokens) > 0 && (tokens[0] == tokOWNER || (isAARE(tokens[0]) && !inHeader)) for idx, token := range tokens { switch { - case token == tokEQUAL, token == tokPLUS+tokEQUAL, token == tokLESS+tokEQUAL: // Variable & Rlimit + case token == tokEQUAL, token == tokPLUS+tokEQUAL, token == tokLESS+tokEQUAL, + token == "?=", token == ":=": // Variable, Boolean & Rlimit res = append(res, kv{key: token}) - case strings.Contains(token, "=") && !inAare: // Map + case strings.Contains(token, "=") && !inAare && !isAARE(token): // Map items := strings.SplitN(token, "=", 2) key := items[0] if len(items) > 1 { @@ -816,6 +848,7 @@ func newRules(rules []rule) (Rules, error) { owner := false q := Qualifier{} + hasAccessType := false // track if allow/deny/prompt was seen qualifier: switch rule.Get(0) { // File & Link prefix @@ -824,20 +857,37 @@ func newRules(rules []rule) (Rules, error) { rule = rule[1:] goto qualifier + // File exec modifiers and "other" prefix - these are only valid + // before file rules, not before other rule types like change_profile. + // We peek at the next token to decide. + case tokUNSAFE, tokSAFE, tokOTHER: + rule = rule[1:] + goto qualifier + // Qualifier case tokPRIORITY: priority, err := strconv.Atoi(rule.GetValues(tokPRIORITY).GetString()) if err != nil { return nil, fmt.Errorf("invalid priority value in rule: %s", rule) } + if priority < -1000 || priority > 1000 { + return nil, fmt.Errorf("priority value %d out of range [-1000, 1000]", priority) + } q.Priority = priority rule = rule[1:] goto qualifier case tokALLOW, tokDENY, tokPROMPT: + if hasAccessType { + return nil, fmt.Errorf("conflicting access types '%s' and '%s' in rule: %s", q.AccessType, rule.Get(0), rule) + } + hasAccessType = true q.AccessType = rule.Get(0) rule = rule[1:] goto qualifier case tokAUDIT: + if hasAccessType { + return nil, fmt.Errorf("'audit' must appear before '%s' in rule: %s", q.AccessType, rule) + } q.Audit = true rule = rule[1:] goto qualifier @@ -1028,6 +1078,16 @@ func (f *AppArmorProfileFile) Scan(input string) (retErr error) { return err } + // Check if the file has any profile/hat blocks + hasProfileBlocks := false + for _, block := range blocks { + if block.kind == PROFILE || block.kind == HAT { + hasProfileBlocks = true + break + } + } + _ = hasProfileBlocks + for _, block := range blocks { switch block.kind { case CONTENT: From cc753a52c9f5b69ca0c5d9fa1a4db5e860dc2703 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:46:44 +0200 Subject: [PATCH 1603/1736] feat(aa): parser: add some helper functions. --- pkg/aa/parse.go | 51 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 1cc933aaa1..f03e3f43db 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -835,6 +835,57 @@ func isAARE(str string) bool { } } +// isProfileBlockHeader checks if a block header represents a profile +// that starts with a qualifier prefix or namespace. +func isProfileBlockHeader(header string) bool { + // Handle qualifier prefixes: "audit /path", "allow /path" + prefixes := []string{"audit ", "allow ", "deny "} + for _, p := range prefixes { + if strings.HasPrefix(header, p) { + rest := strings.TrimPrefix(header, p) + if isAARE(rest) || strings.HasPrefix(rest, PROFILE.Tok()) || isProfileBlockHeader(rest) { + return true + } + } + } + + // Handle namespace prefix: ":ns:path" or ":ns:name" + if len(header) > 2 && header[0] == ':' { + // Must have a second colon after the namespace name + if idx := strings.Index(header[1:], ":"); idx > 0 { + return true + } + } + return false +} + +// isRuleBlockHeader checks if a block header is a rule modifier block +// like "owner { ... }" or "audit { ... }" that applies to all rules inside. +func isRuleBlockHeader(header string) bool { + modifiers := []string{"owner", "audit", "deny", "allow"} + for _, m := range modifiers { + if header == m { + return true + } + } + return false +} + +// prependToRules prepends a modifier to each rule line in a block. +func prependToRules(modifier, blockContent string) string { + lines := strings.Split(blockContent, "\n") + var result []string + for _, line := range lines { + trimmed := strings.TrimSpace(line) + if trimmed == "" || strings.HasPrefix(trimmed, "#") { + result = append(result, line) + } else { + result = append(result, modifier+" "+trimmed) + } + } + return strings.Join(result, "\n") +} + // Convert a slice of internal rules to a slice of ApparmorRule. func newRules(rules []rule) (Rules, error) { var err error From 3086ed03965c2e3eba6cbf8c8953e32c52a6059f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:49:41 +0200 Subject: [PATCH 1604/1736] feat(aa): extend profile flag validation and conflict detection --- pkg/aa/profile.go | 110 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 103 insertions(+), 7 deletions(-) diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 8d21ad2c5d..8c0b7cb186 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -6,7 +6,9 @@ package aa import ( "fmt" + "regexp" "slices" + "strconv" "strings" ) @@ -20,21 +22,52 @@ const ( func init() { requirements[PROFILE] = requirement{ tokFLAGS: { - "attach_disconneced.path=", "attach_disconnected", "audit", - "chroot_relative", "complain", "debug", "default_allow", "enforce", - "interruptible", "kill", "mediate_deleted", - "prompt", "unconfined", "namespace_relative", "delegate_deleted", "chroot_attach", - "chroot_no_attach", "no_attach_disconnected", + "attach_disconnected", "attach_disconnected.ipc", "attach_disconnected.ipc=", + "attach_disconnected.path=", + "audit", + "chroot_attach", "chroot_no_attach", "chroot_relative", + "complain", "debug", + "default_allow", "delegate_deleted", + "enforce", "error=", + "interruptible", "kill", "kill.signal=", + "mediate_deleted", + "namespace_relative", "no_attach_disconnected", + "prompt", "unconfined", }, } conflicts[PROFILE] = map[string][][]string{ tokFLAGS: { + // Mode conflicts: enforce, complain, kill, unconfined, prompt are mutually exclusive {"enforce", "complain"}, + {"enforce", "kill"}, {"enforce", "unconfined"}, {"enforce", "prompt"}, + {"complain", "kill"}, {"complain", "unconfined"}, + {"complain", "prompt"}, + {"kill", "unconfined"}, + {"kill", "prompt"}, + // Note: kill + interruptible is valid (flags_ok33, flags_ok36) + {"unconfined", "prompt"}, + + // default_allow conflicts with all modes except enforce + {"default_allow", "complain"}, {"default_allow", "kill"}, + {"default_allow", "unconfined"}, + {"default_allow", "prompt"}, {"default_allow", "enforce"}, + + // Namespace conflicts + {"namespace_relative", "chroot_relative"}, + + // Deletion conflicts + {"mediate_deleted", "delegate_deleted"}, + + // Disconnected conflicts + {"attach_disconnected", "no_attach_disconnected"}, + {"attach_disconnected.ipc", "no_attach_disconnected"}, + {"attach_disconnected.ipc=", "no_attach_disconnected"}, + {"chroot_attach", "chroot_no_attach"}, }, } } @@ -73,12 +106,17 @@ func newHeader(rule rule) (Header, error) { for k, v := range rule.GetValues(tokATTRIBUTES).GetAsMap() { attributes[k] = strings.Join(v, "") } + + flags := rule.GetValuesAsSlice(tokFLAGS) + for i, f := range flags { + flags[i] = strings.TrimRight(f, ",") + } return Header{ Name: name, Attachments: attachments, Attributes: attributes, - Flags: rule.GetValuesAsSlice(tokFLAGS), - }, rule.ValidateMapKeys([]string{tokATTRIBUTES, tokFLAGS}) + Flags: flags, + }, rule.ValidateMapKeys([]string{tokATTRIBUTES, tokFLAGS, "identities"}) } func (p *Profile) Kind() Kind { @@ -100,9 +138,67 @@ func (p *Profile) Validate() error { if err := validateConflicts(p.Kind(), tokFLAGS, p.Flags); err != nil { return fmt.Errorf("profile %s: %w", p.Name, err) } + if err := validateProfileFlags(p.Flags); err != nil { + return fmt.Errorf("profile %s: %w", p.Name, err) + } return p.Rules.Validate() } +// validateProfileFlags performs additional validation on profile flags +// beyond simple value/conflict checks. +func validateProfileFlags(flags []string) error { + for _, f := range flags { + switch { + case strings.HasPrefix(f, "kill.signal="): + sig := strings.TrimPrefix(f, "kill.signal=") + if sig == "" || strings.ContainsAny(sig, ".=/") { + return fmt.Errorf("invalid kill.signal value '%s'", sig) + } + // Signal name must be a valid identifier (letters, digits, +) + // e.g., hup, kill, usr1, rtmin+0 + if !regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9+]*$`).MatchString(sig) { + // Also allow pure numeric signals + if _, err := strconv.Atoi(sig); err != nil { + return fmt.Errorf("invalid kill.signal value '%s'", sig) + } + } + case strings.HasPrefix(f, "error="): + val := strings.TrimPrefix(f, "error=") + if val == "" { + return fmt.Errorf("invalid error value: empty") + } + // error= can be a number or an errno name (e.g., ENOENT, EISCONN) + if _, err := strconv.Atoi(val); err != nil { + // Must be a valid errno name: uppercase letters only + if !regexp.MustCompile(`^E[A-Z]+$`).MatchString(val) { + return fmt.Errorf("invalid error value '%s'", val) + } + } + case strings.HasPrefix(f, "attach_disconnected.path="): + path := strings.TrimPrefix(f, "attach_disconnected.path=") + if path == "" || !strings.HasPrefix(path, "/") { + return fmt.Errorf("invalid attach_disconnected.path value '%s': must be absolute", path) + } + case strings.HasPrefix(f, "attach_disconnected.ipc="): + path := strings.TrimPrefix(f, "attach_disconnected.ipc=") + if path == "" || !strings.HasPrefix(path, "/") { + return fmt.Errorf("invalid attach_disconnected.ipc value '%s': must be absolute", path) + } + } + } + // Check for duplicate attach_disconnected.ipc= values + ipcCount := 0 + for _, f := range flags { + if strings.HasPrefix(f, "attach_disconnected.ipc=") { + ipcCount++ + } + } + if ipcCount > 1 { + return fmt.Errorf("duplicate attach_disconnected.ipc flags") + } + return nil +} + func (p *Profile) Compare(other Rule) int { o, _ := other.(*Profile) if res := compare(p.Name, o.Name); res != 0 { From 019073344de1e8372014318463053456cc241b24 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:50:33 +0200 Subject: [PATCH 1605/1736] fix(aa): handle missing mount operations and change_profile in log parsing --- pkg/aa/profile.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 8c0b7cb186..8f08c380ed 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -272,11 +272,13 @@ var ( if strings.Contains(log["flags"], "remount") { return newRemountFromLog(log) } - newRule := newLogMountMap[log["operation"]] - return newRule(log) + if newRule, ok := newLogMountMap[log["operation"]]; ok { + return newRule(log) + } + return newMountFromLog(log) }, "file": func(log map[string]string) Rule { - if log["operation"] == "change_onexec" { + if log["operation"] == "change_onexec" || log["operation"] == "change_profile" { return newChangeProfileFromLog(log) } else { return newFileFromLog(log) @@ -307,6 +309,10 @@ var ( ) func (p *Profile) AddRule(log map[string]string) { + if len(log) == 0 { + return + } + // Generate profile flags and extra rules switch log["error"] { case "-2": From 8d9c2cfc3ef6e3ac81b52d0fbf4ba901928c36bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:52:03 +0200 Subject: [PATCH 1606/1736] fix(aa): fix mount source padding and pivot_root target profile rendering --- pkg/aa/templates/rule/mount.gotmpl | 2 ++ pkg/aa/templates/rule/pivot_root.gotmpl | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/pkg/aa/templates/rule/mount.gotmpl b/pkg/aa/templates/rule/mount.gotmpl index 6f2d54c6fc..8dbe995649 100644 --- a/pkg/aa/templates/rule/mount.gotmpl +++ b/pkg/aa/templates/rule/mount.gotmpl @@ -15,6 +15,8 @@ {{- .Padding 3 -}} {{- with .Source -}} {{ " " }}{{ . }} + {{- else -}} + {{- .Padding 4 -}} {{- end -}} {{- with .MountPoint -}} {{ " -> " }}{{ . }} diff --git a/pkg/aa/templates/rule/pivot_root.gotmpl b/pkg/aa/templates/rule/pivot_root.gotmpl index 678617ca0a..b03026a219 100644 --- a/pkg/aa/templates/rule/pivot_root.gotmpl +++ b/pkg/aa/templates/rule/pivot_root.gotmpl @@ -12,9 +12,9 @@ {{- with .NewRoot -}} {{ " " }}{{ . }} {{- end -}} - {{- .Padding 3 -}} - {{- with .TargetProfile -}} - {{ " -> " }}{{ . }} + {{- if .TargetProfile -}} + {{- .Padding 3 -}} + {{ " -> " }}{{ .TargetProfile }} {{- end -}} {{- "," -}} {{- .Padding 4 -}} From 9e9bed28eb6b5ef2cac9ff68498635302546f450 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 22:58:51 +0200 Subject: [PATCH 1607/1736] tests(aa): update unit tests to the last changes. --- pkg/aa/apparmor_test.go | 5 +++-- pkg/aa/parse_test.go | 1 + pkg/aa/rule_test.go | 14 +++++++------- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 5346627159..bc049d6789 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -143,8 +143,8 @@ func TestAppArmorProfileFile_Sort(t *testing.T) { include1, all1, rlimit3, userns1, capability1, capability2, network2, network1, mount2, mount1, remount2, umount2, pivotroot1, changeprofile2, mqueue2, iouring2, signal1, - signal2, ptrace1, unix2, dbus2, dbus1, file1, file2, - link2, includeLocal1, + signal2, ptrace1, unix2, dbus2, dbus1, file1, + link2, file2, includeLocal1, }, }}, }, @@ -217,6 +217,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { Header: Header{ Name: "aa-status", Attachments: []string{"@{exec_path}"}, + Flags: []string{"attach_disconnected"}, }, Rules: Rules{ &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"}, diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 3f882c3eb8..038c8714c8 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -452,6 +452,7 @@ func Test_Parser_UpstreamTestSuite(t *testing.T) { // [01/06/24]: 1986 tests, success: 1242, fail 744, success rate: 62% // [14/12/25]: 2148 tests, success: 1722, fail 422, success rate: 80% + // [23/03/26]: 2222 tests, success: 2035, fail 187, success rate: 91% reports.SumUp(t) } diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index 9211927d9c..d7a9fe47d9 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -193,7 +193,7 @@ var ( name: "capability-multi", rule: &Capability{Names: []string{"dac_override", "dac_read_search"}}, other: capability2, - wCompare: -15, + wCompare: -52, wMerge: false, wString: "capability dac_override dac_read_search,", }, @@ -201,7 +201,7 @@ var ( name: "capability-all", rule: &Capability{}, other: capability2, - wCompare: -1, + wCompare: -10, wMerge: false, wString: "capability,", }, @@ -233,7 +233,7 @@ var ( log: mount1Log, rule: mount1, other: mount2, - wCompare: 37, + wCompare: 7, wMerge: false, wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check", }, @@ -377,7 +377,7 @@ var ( name: "dbus/full", rule: &Dbus{Bus: "accessibility"}, other: dbus1, - wCompare: -1, + wCompare: -7, wMerge: false, wString: `dbus bus=accessibility,`, }, @@ -387,7 +387,7 @@ var ( log: file1Log, rule: file1, other: file2, - wCompare: -14, + wCompare: -19, wMerge: false, wString: "/usr/share/poppler/cMap/Identity-H r,", }, @@ -440,7 +440,7 @@ var ( log: link1Log, rule: link1, other: link2, - wCompare: -1, + wCompare: 1, wMerge: false, wString: "link /tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst -> /tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst,", }, @@ -450,7 +450,7 @@ var ( log: link3Log, rule: link3, other: link1, - wCompare: 1, + wCompare: -1, wMerge: false, wString: "owner link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#3954,", }, From 88d3af1a54ee879806d6ca637742a1f2589f48de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 29 Mar 2026 23:07:25 +0200 Subject: [PATCH 1608/1736] fix(aa): simplify embedded field selectors per staticcheck QF1008 --- pkg/aa/file.go | 8 ++++---- pkg/aa/network.go | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 6404fe1b01..87c47b8908 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -164,7 +164,7 @@ func (r *File) Validate() error { func (r *File) Compare(other Rule) int { o, _ := other.(*File) - if o.Qualifier.AccessType == "deny" { + if o.AccessType == "deny" { return -1 // Deny file rules always come last } @@ -214,7 +214,7 @@ func (r *File) Merge(other Rule) bool { func (r *File) Lengths() []int { // Deny rules don't participate in padding alignment - if r.Qualifier.AccessType == "deny" { + if r.AccessType == "deny" { return []int{0, 0, 0, 0} } @@ -248,7 +248,7 @@ func (r *File) addLine(other Rule) bool { o := other.(*File) // Deny rules are all grouped together without blank lines - if r.Qualifier.AccessType == "deny" && o.Qualifier.AccessType == "deny" { + if r.AccessType == "deny" && o.AccessType == "deny" { return false } @@ -338,7 +338,7 @@ func (r *Link) Validate() error { func (r *Link) Compare(other Rule) int { o, _ := other.(*Link) - if o.Qualifier.AccessType == "deny" { + if o.AccessType == "deny" { return -1 // Deny file rules always come last } diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 0e67b34a57..c229b64e74 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -238,7 +238,7 @@ func (r *Network) Validate() error { if err := r.PeerAddress.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) } - if r.PeerAddress.IP != "" || r.PeerAddress.Port != "" || r.PeerAddress.Src != "" { + if r.PeerAddress.IP != "" || r.PeerAddress.Port != "" || r.Src != "" { if len(r.Access) > 0 && allLocalOnly(r.Access, requirements[NETWORK]["local-only"]) { return fmt.Errorf("peer modifier not allowed with local-only access types in network rule") } From 6d691c265c728c47b1473eebac8125607aaf137c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 30 Mar 2026 00:42:25 +0200 Subject: [PATCH 1609/1736] fix(profile): remove deprecated steam-runtime. --- apparmor.d/groups/steam/steam-runtime | 90 --------------------------- 1 file changed, 90 deletions(-) delete mode 100644 apparmor.d/groups/steam/steam-runtime diff --git a/apparmor.d/groups/steam/steam-runtime b/apparmor.d/groups/steam/steam-runtime deleted file mode 100644 index 543324c0fe..0000000000 --- a/apparmor.d/groups/steam/steam-runtime +++ /dev/null @@ -1,90 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{runtime_name} = sniper soldier -@{runtime} = SteamLinuxRuntime_@{runtime_name} -@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} -@{app_dirs} = @{share_dirs}/steamapps/common/ - -@{exec_path} = @{lib_dirs}/reaper -profile steam-runtime @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - network inet stream, - network inet6 stream, - network unix stream, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/getopt rix, - @{bin}/readlink rix, - - @{lib_dirs}/** mr, - @{lib_dirs}/steam-launch-wrapper rix, - - # Native linux games (steam-game-native) - @{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/** - - # Proton games, sandboxed (steam-game-proton) - @{app_dirs}/@{runtime}/*entry-point rmix, - @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, - @{app_dirs}/@{runtime}/run rix, - @{bin}/bwrap rpx -> steam-game-proton, - - / r, - @{lib}/ r, - @{lib_dirs}/ r, - - owner @{HOME}/ r, - owner @{HOME}/.steam/steam.pipe r, - - owner @{app_dirs}/*/ r, - owner @{app_dirs}/config/config.vdf{,.*} rw, - owner @{app_dirs}/@{runtime}/** r, - owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, - owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk, - owner @{app_dirs}/@{runtime}/var/** rwk, - owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, - owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**, - - owner @{share_dirs}/config/config.vdf{,.*} rw, - owner @{share_dirs}/steamapps/appmanifest_* rw, - - owner @{tmp}/ r, - owner @{tmp}/#@{int} rw, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - owner @{run}/user/@{uid}/ r, - - owner /dev/shm/u@{uid}-Shm_@{hex6} rw, - owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, - owner /dev/shm/u@{uid}-Shm_@{hex8} rw, - owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/stat r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor From f16e8a103aacb2259483543179b683b4936eddba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Apr 2026 14:46:27 +0200 Subject: [PATCH 1610/1736] fix(profile): child profiles missing complain flag. When building in complain mode, profile already configured in complain mode do not expand the mode to sub profile. This is handled by the build system, so simply removing hardcoded complain mode work. fix #1087 --- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/profiles-a-f/appstreamcli | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- apparmor.d/profiles-a-f/execute-dput | 2 +- apparmor.d/profiles-g-l/gsmartcontrol | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index f6a83d9af7..fb2560553f 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/aptitude{,-curses} -profile aptitude @{exec_path} flags=(complain) { +profile aptitude @{exec_path} { include include include diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index c5628aad02..09507e7d69 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/coredumpctl -profile coredumpctl @{exec_path} flags=(complain) { +profile coredumpctl @{exec_path} { include include include diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 00bc8c27c0..086fec5057 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/appstreamcli -profile appstreamcli @{exec_path} flags=(complain) { +profile appstreamcli @{exec_path} { include include include diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 9a433b204c..f4b4e6eb7b 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{sbin}/aspell-autobuildhash -profile aspell-autobuildhash @{exec_path} flags=(complain) { +profile aspell-autobuildhash @{exec_path} { include include include diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 7161c59007..d7a8886f99 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/dput /usr/share/dput/execute-dput -profile execute-dput @{exec_path} flags=(complain) { +profile execute-dput @{exec_path} { include include include diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 988c547f0b..6486e061fe 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -48,7 +48,7 @@ profile gsmartcontrol @{exec_path} { # hence this behavior should be blocked. deny @{open_path} rx, - profile bus flags=(complain) { + profile bus { include include From 141bd62eb17cb92db9b93161da12da5a91ca530f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Apr 2026 16:18:46 +0200 Subject: [PATCH 1611/1736] fix(profile): coredumpctl//gdb: gdb denials. fix #1086 --- apparmor.d/groups/systemd/coredumpctl | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 09507e7d69..df3c1dc1f7 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -46,23 +46,32 @@ profile coredumpctl @{exec_path} { profile gdb { include + include include - ptrace (trace), + ptrace trace, + + signal receive peer=coredumpctl, @{bin}/gdb mr, @{bin}/iconv rix, @{bin}/* r, + @{lib}/sysimage/rpm/*.db rk, + /usr/share/gcc-[0-9]*/python/{,**} r, /usr/share/gcc/** r, /usr/share/gdb/{,**} r, + /usr/share/gdb/python/{,**/}__pycache__/ w, + /usr/share/gdb/python/{,**/}__pycache__/**.pyc w, + /usr/share/gdb/python/{,**/}__pycache__/**.pyc.@{u64} w, /usr/share/glib-2.0/gdb/{,**} r, /usr/share/terminfo/** r, - /etc/inputrc r, /etc/gdb/** r, + /etc/gdbinit r, + /etc/inputrc r, owner /var/tmp/coredump-* rw, From 4af9488a4d45f92fcf2a1b122b7bbe5c2939891c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 Apr 2026 16:30:38 +0200 Subject: [PATCH 1612/1736] feat(profile): improve cpupower Also fix #1083 --- apparmor.d/groups/freedesktop/cpupower | 20 ++++++++++---------- tests/integration/utils/cpupower.bats | 26 ++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 10 deletions(-) create mode 100644 tests/integration/utils/cpupower.bats diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 2d58faffe4..8433d038ce 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -10,28 +10,28 @@ include @{exec_path} = @{bin}/cpupower profile cpupower @{exec_path} { include + include - # Needed to read the /dev/cpu/@{int}/msr device, and hence remove the following error: - # Could not read perf-bias value[-1] - capability sys_rawio, - - # Needed to operate on CPU IDLE states capability sys_admin, + capability sys_rawio, @{exec_path} mr, @{sh_path} rix, + @{bin}/basename rix, @{bin}/kmod rCx -> kmod, @{bin}/man rPx, + @{bin}/uname rix, + + @{lib}/linux-tools-*/cpupower rix, - @{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r, - @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r, - @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/ r, - @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/** r, @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r, + @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r, + @{sys}/devices/system/cpu/cpufreq/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, + @{sys}/devices/system/cpu/cpuidle/{,**} r, + @{sys}/devices/virtual/powercap/{,**} r, /dev/cpu/@{int}/msr r, diff --git a/tests/integration/utils/cpupower.bats b/tests/integration/utils/cpupower.bats new file mode 100644 index 0000000000..b22a9e53b0 --- /dev/null +++ b/tests/integration/utils/cpupower.bats @@ -0,0 +1,26 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "cpupower: List CPUs" { + sudo cpupower --cpu all info || true +} + +@test "cpupower: Print information about all cores" { + sudo cpupower --cpu all info || true +} + +@test "cpupower: Set all CPUs to a power-saving frequency governor" { + sudo cpupower --cpu all frequency-set --governor powersave || true +} + +@test "cpupower: Print CPU 0's available frequency governors" { + sudo cpupower --cpu 0 frequency-info --governors || true +} + +@test "cpupower: Print CPU 4's frequency from the hardware, in a human-readable format" { + sudo cpupower --cpu 0 frequency-info --hwfreq --human || true +} From 23cf0b7365ee3cb879011e2e607a75f20d9e3e43 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 2 Apr 2026 11:32:33 +0200 Subject: [PATCH 1613/1736] feat(abs): add transparent_hugepage/enabled to base-strict. See https://gitlab.com/apparmor/apparmor/-/merge_requests/2009 --- apparmor.d/abstractions/base-strict | 1 + apparmor.d/abstractions/development | 1 - apparmor.d/groups/code/code | 2 -- apparmor.d/profiles-a-f/dig | 2 -- apparmor.d/profiles-g-l/host | 2 -- apparmor.d/profiles-g-l/libreoffice | 1 - apparmor.d/profiles-m-r/nslookup | 2 -- apparmor.d/profiles-s-z/telegram-desktop | 2 -- 8 files changed, 1 insertion(+), 12 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 4c77388c6a..f3faccd82b 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -120,6 +120,7 @@ @{run}/systemd/journal/stdout rw, # Transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, # Allow determining the highest valid capability of the running kernel diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index 879df6e603..4a7ee6cb8f 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -56,7 +56,6 @@ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, - @{sys}/kernel/mm/transparent_hugepage/enabled r, # Memory usage in pages (total, resident, shared, text, data) @{PROC}/@{pid}/statm r, diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index 99f086f556..758a72bf36 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -133,8 +133,6 @@ profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/ovsx-@{rand6}/{,**} rw, owner @{tmp}/tmp-@{int}-@{rand12}/ w, - @{sys}/kernel/mm/transparent_hugepage/enabled r, - @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 916123ddc5..a8b482788e 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -30,8 +30,6 @@ profile dig @{exec_path} { /tmp/batch_mode.dig r, - @{sys}/kernel/mm/transparent_hugepage/enabled r, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index ab0cf0cbad..458dcdc787 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -22,8 +22,6 @@ profile host @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/enabled r, - @{PROC}/version_signature r, owner @{PROC}/@{pids}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 570a1be9cb..65ac01a9cd 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -120,7 +120,6 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, @{sys}/kernel/mm/hugepages/ r, - @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, @{PROC}/cgroups r, diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index ca3af37e06..08628eefbe 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -21,8 +21,6 @@ profile nslookup @{exec_path} { owner @{PROC}/@{pids}/task/@{tid}/comm rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, - @{PROC}/version_signature r, include if exists diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index 9f846ea0a0..349cab595a 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -48,8 +48,6 @@ profile telegram-desktop @{exec_path} { owner @{tmp}/@{hex32}-?@{uuid}? rwk, audit owner /dev/shm/#@{int} rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, From 105c0c8bea7357145e4fe639d3da6a68c2ecd748 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 2 Apr 2026 14:18:51 +0100 Subject: [PATCH 1614/1736] feat(profile): minor update. --- apparmor.d/groups/freedesktop/xdg-desktop-menu | 1 + apparmor.d/groups/systemd/systemd-userdbd | 2 ++ apparmor.d/groups/utils/lsblk | 2 ++ apparmor.d/profiles-m-r/multipath | 2 ++ 4 files changed, 7 insertions(+) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index f86fbedc8e..e718108479 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu @@ -37,6 +37,7 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) { @{bin}/tr ix, @{bin}/umask ix, @{bin}/uname ix, + @{bin}/id rPx, # To get DE information @{bin}/kde{,4}-config ix, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 220376ba5d..8cb603ec78 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -31,6 +31,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/machine-id r, /etc/userdb/{,**} r, + / r, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Home rw, @{att}@{run}/systemd/userdb/io.systemd.Machine rw, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 6fc1d5bb25..4289628e4f 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -19,6 +19,8 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 588f4b6b1f..25634cd44b 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -23,6 +23,8 @@ profile multipath @{exec_path} flags=(attach_disconnected) { /etc/multipath/* rwk, /etc/systemd/system/ r, + / r, + @{run}/systemd/system/ r, @{sys}/bus/ r, From a986dcaeaec038b712f9b4a58a8991337e367018 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 2 Apr 2026 17:43:22 +0100 Subject: [PATCH 1615/1736] fix(profile): systemd-cat greetd denial. --- apparmor.d/groups/systemd/systemd-cat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index 5b5d073da2..14ba03d6d3 100644 --- a/apparmor.d/groups/systemd/systemd-cat +++ b/apparmor.d/groups/systemd/systemd-cat @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-cat -profile systemd-cat @{exec_path} { +profile systemd-cat @{exec_path} flags=(attach_disconnected) { include include include From 4de5a281e26d65e9835098351a65eec3055b2f80 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 2 Apr 2026 22:54:34 +0200 Subject: [PATCH 1616/1736] build: move to a more classic version scheme. --- PKGBUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PKGBUILD b/PKGBUILD index 881094fe5a..f15e630911 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -9,7 +9,7 @@ pkgname=( # apparmor.d-base # apparmor.d-tools ) -pkgver=0.4906 +pkgver=0.4906.0 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') From 866fbf1b63983374dc8bd04ca852891b464c9020 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 2 Apr 2026 23:51:28 +0200 Subject: [PATCH 1617/1736] feat(profile): better use of the mime abstraction. --- apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/development | 1 + apparmor.d/abstractions/mime | 1 + apparmor.d/groups/apt/querybts | 1 - apparmor.d/groups/snap/snapd | 2 +- apparmor.d/groups/virt/cockpit-bridge | 3 +-- apparmor.d/profiles-a-f/calibre | 2 -- apparmor.d/profiles-a-f/conky | 2 +- apparmor.d/profiles-g-l/gpodder | 1 - apparmor.d/profiles-g-l/hugo | 2 -- apparmor.d/profiles-g-l/lynx | 1 - apparmor.d/profiles-m-r/metadata-cleaner | 3 --- apparmor.d/profiles-m-r/mpsyt | 26 +++++++++----------- apparmor.d/profiles-m-r/mutt | 2 +- apparmor.d/profiles-s-z/s3fs | 2 +- apparmor.d/profiles-s-z/update-smart-drivedb | 2 +- apparmor.d/profiles-s-z/w3m | 2 +- apparmor.d/profiles-s-z/youtube-dl | 2 -- apparmor.d/profiles-s-z/ytdl | 3 +-- 19 files changed, 21 insertions(+), 38 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 2f81b9246a..37df87e554 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -91,7 +91,6 @@ /etc/fstab r, /etc/lsb-release r, /etc/mailcap r, - /etc/mime.types r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index 4a7ee6cb8f..60b0f39799 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -11,6 +11,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime index a91334adf1..e4e9463412 100644 --- a/apparmor.d/abstractions/mime +++ b/apparmor.d/abstractions/mime @@ -13,6 +13,7 @@ /usr/share/gdm/greeter/applications/mimeapps.list r, # } + /etc/httpd/conf/mime.types r, /etc/mime.types r, /etc/xdg/{,*-}mimeapps.list r, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 0a8abb2ece..219d285316 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -36,7 +36,6 @@ profile querybts @{exec_path} { /etc/reportbug.conf r, - /etc/mime.types r, /etc/inputrc r, /etc/dpkg/origins/ r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index b377e10bb3..6afb6c1621 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -19,6 +19,7 @@ profile snapd @{exec_path} { include include include + include include include include @@ -108,7 +109,6 @@ profile snapd @{exec_path} { /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, /etc/fstab r, - /etc/mime.types r, /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 8c58931058..bf5ae89fd2 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -17,6 +17,7 @@ profile cockpit-bridge @{exec_path} { include include include + include include include include @@ -89,9 +90,7 @@ profile cockpit-bridge @{exec_path} { @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, - /etc/httpd/conf/mime.types r, /etc/machine-id r, - /etc/mime.types r, /etc/motd r, /etc/shadow r, /etc/shells r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index e6395875cd..2f2ffe717f 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -62,10 +62,8 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, /etc/fstab r, - /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, - /etc/mime.types r, owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 0fdf804965..b68950990b 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -151,6 +151,7 @@ profile conky @{exec_path} { profile browse { include include + include include include @@ -167,7 +168,6 @@ profile conky @{exec_path} { @{sh_path} rix, - /etc/mime.types r, /etc/mailcap r, /etc/lynx/* r, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 40c47e7782..e98d8bc149 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -42,7 +42,6 @@ profile gpodder @{exec_path} { /usr/share/gpodder/{,**} r, /etc/fstab r, - /etc/mime.types r, owner @{HOME}/ r, owner @{HOME}/gPodder/ rw, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index fd9c3dfa01..a15c432816 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -29,8 +29,6 @@ profile hugo @{exec_path} { /usr/share/git{,-core}/{,**} r, /usr/share/terminfo/** r, - /etc/mime.types r, - owner @{user_projects_dirs}/{,**} rw, owner @{user_projects_dirs}/**/.hugo_build.lock rwk, owner @{user_projects_dirs}/**/go.{mod,sum} rwk, diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index a9613e7c17..c19a766a58 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -31,7 +31,6 @@ profile lynx @{exec_path} { /etc/lynx.lss r, /etc/lynx/{,**} r, /etc/mailcap r, - /etc/mime.types r, owner @{tmp}/lynxXXXX*/{,**} rw, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 7806e62e4e..d45911b5db 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -23,9 +23,6 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /etc/httpd/conf/mime.types r, - /etc/mime.types r, - owner @{tmp}/@{hex64}.* rw, owner @{tmp}/@{rand8} rw, owner @{tmp}/tmp@{word8} rw, diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index a66fc287fb..5ceab569b4 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -10,12 +10,11 @@ include @{exec_path} = @{bin}/mpsyt profile mpsyt @{exec_path} { include - include - include + include include + include include - - signal (send) set=(term, kill) peer=mpv, + include network inet dgram, network inet6 dgram, @@ -23,6 +22,8 @@ profile mpsyt @{exec_path} { network inet6 stream, network netlink raw, + signal send set=(term, kill) peer=mpv, + @{exec_path} r, @{python_path} r, @@ -35,27 +36,22 @@ profile mpsyt @{exec_path} { @{bin}/ffmpeg rPUx, @{bin}/ffprobe rPUx, - # MPV config files + /etc/inputrc r, /etc/mpv/* r, - owner @{user_config_dirs}/mpv/* r, - - # mps-yt config files - owner @{user_config_dirs}/mps-youtube/{,**} rw, - # Cache files owner @{user_cache_dirs}/youtube-dl/youtube-sigfuncs/js_*.json{,.*.tmp} rw, - /etc/inputrc r, - /etc/mime.types r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, + owner @{user_config_dirs}/mpv/* r, + owner @{user_config_dirs}/mps-youtube/{,**} rw, /tmp/ r, owner @{tmp}/[a-z0-9]* rw, owner @{tmp}/mpsyt-input* rw, owner @{tmp}/mpsyt-mpv*.sock rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index a91aba2416..0889fa9a73 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -10,6 +10,7 @@ include profile mutt @{exec_path} { include include + include include include include @@ -49,7 +50,6 @@ profile mutt @{exec_path} { /usr/share/mutt/** r, @{etc_ro}/mailcap r, - /etc/mime.types r, /etc/mutt{,**} r, /etc/Muttrc r, /etc/Muttrc.d/{*,} r, diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index aaf34d49ce..67ae325b1c 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/s3fs profile s3fs @{exec_path} { include + include include include @@ -25,7 +26,6 @@ profile s3fs @{exec_path} { @{bin}/fusermount{,3} rCx -> fusermount, - /etc/mime.types r, /etc/passwd-s3fs r, owner @{HOME}/.passwd-s3fs r, diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 70b9bc6e24..5ec8a45c0e 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -64,6 +64,7 @@ profile update-smart-drivedb @{exec_path} { profile browse { include include + include include include @@ -78,7 +79,6 @@ profile update-smart-drivedb @{exec_path} { @{sh_path} rix, - /etc/mime.types r, /etc/mailcap r, /etc/lynx/* r, diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m index ade896ea53..5a8393f513 100644 --- a/apparmor.d/profiles-s-z/w3m +++ b/apparmor.d/profiles-s-z/w3m @@ -11,6 +11,7 @@ include profile w3m @{exec_path} { include include + include include include include @@ -29,7 +30,6 @@ profile w3m @{exec_path} { /usr/share/terminfo/{,**} r, - /etc/mime.types r, /etc/w3m/{,**} r, owner @{HOME}/.w3m/{,**} rw, diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index d0b1c19887..96d261b0b6 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -42,8 +42,6 @@ profile youtube-dl @{exec_path} { @{lib}/git{,-core}/git rix, @{lib}/llvm-[0-9]*/bin/clang rix, - /etc/mime.types r, - owner @{HOME}/ r, owner @{user_music_dirs}/{,**} rw, owner @{user_videos_dirs}/{,**} rw, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index a76bf0d89a..b14c8d1e08 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/ytdl profile ytdl @{exec_path} { include + include include include include @@ -30,8 +31,6 @@ profile ytdl @{exec_path} { @{sbin}/ldconfig rix, @{bin}/uname rix, - /etc/mime.types r, - owner @{HOME}/ r, owner @{user_music_dirs}/{,**} rw, owner @{user_videos_dirs}/{,**} rw, From fbae2e08a8be010ed1aafb99ace77201f62c2b95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Apr 2026 00:17:22 +0200 Subject: [PATCH 1618/1736] feat(abs): improve dev abstractions. --- apparmor.d/abstractions/development | 21 +++++++++---- apparmor.d/abstractions/devrun | 37 ++++++++++++++++++++++ apparmor.d/abstractions/devtools | 7 +++++ apparmor.d/groups/code/code-extensions | 10 ------ apparmor.d/groups/code/code-shells | 43 -------------------------- apparmor.d/profiles-a-f/claude | 8 +---- 6 files changed, 60 insertions(+), 66 deletions(-) create mode 100644 apparmor.d/abstractions/devrun diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index 60b0f39799..f72a813ed0 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -8,6 +8,7 @@ abi , include + include include include include @@ -35,25 +36,33 @@ @{user_bin_dirs}/{,**} r, /etc/ r, - /etc/*@{devtools}* r, - /etc/*@{devtools}*/{,**} r, /etc/debuginfod/{,**} r, + /etc/gitconfig r, /etc/inputrc r, /etc/magic r, /etc/shells r, + owner @{HOME}/.gitconfig* r, + owner @{HOME}/.local/ r, owner @{user_lib_dirs}/ r, owner /dev/shm/sem.* rwl, - owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{tmp}/*tests*/ rw, + owner @{tmp}/*tests*/** mix, + owner @{tmp}/*tests*/** rwlk, owner @{tmp}/cc@{rand6}* rw, owner @{tmp}/GMfifo@{int} rw, owner @{tmp}/tmp.@{rand10} rw, - owner @{tmp}/*tests*/ rw, - owner @{tmp}/*tests*/** rwlk, - owner @{tmp}/*tests*/** mix, + owner @{tmp}/tmp@{word8}/ rw, + owner @{tmp}/tmp@{word8}/** rwlk, + + # Git + owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{tmp}/git-commit-msg-.txt rw, # For android studio + owner @{tmp}/git-difftool.*/{,**} rw, # For diffs + owner @{tmp}/git-index-private@{int} rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, diff --git a/apparmor.d/abstractions/devrun b/apparmor.d/abstractions/devrun new file mode 100644 index 0000000000..d547c744f2 --- /dev/null +++ b/apparmor.d/abstractions/devrun @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: devtools + +# Well known programs used in various development shells. Only programs that are +# safe to allow running from a shell dev environment are allowed here. Profile +# must exist, and may have more permissions than the shell it is coming from. + + abi , + + @{bin}/aa-log Px, + @{bin}/claude Px, + @{bin}/docker PUx, # TODO: Px, + @{bin}/dpkg-query Px, + @{bin}/git Px, + @{bin}/htop Px, + @{bin}/ip Px, + @{bin}/journalctl Px, + @{bin}/lscpu Px, + @{bin}/man Px, + @{bin}/nproc Px, + @{bin}/podman Px, + @{bin}/ps Px, + @{bin}/ssh Px, + @{bin}/top Px, + @{bin}/uptime Px, + @{bin}/w Px, + + # Well known shells tools + @{bin}/starship PUx, + priority=1 @{user_cache_dirs}/gitstatus/gitstatusd{,-*} Px, + priority=1 /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} Px, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devtools b/apparmor.d/abstractions/devtools index def31f614d..b052b31966 100644 --- a/apparmor.d/abstractions/devtools +++ b/apparmor.d/abstractions/devtools @@ -15,6 +15,9 @@ /usr/share/*@{devtools}*/ r, /usr/share/*@{devtools}*/** r, + /etc/*@{devtools}*/ r, + /etc/*@{devtools}*/** r, + owner @{HOME}/.*@{devtools}* rw, owner @{HOME}/.*@{devtools}*/ rw, owner @{HOME}/.*@{devtools}*/** rwlk, @@ -24,6 +27,10 @@ owner @{HOME}/*@{devtools}*/** rwlk, owner @{HOME}/.*@{devtools}*/** mix, + owner @{user_lib_dirs}/ r, + owner @{user_lib_dirs}/*@{devtools}*/ rw, + owner @{user_lib_dirs}/*@{devtools}*/** rwlk, + owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/*@{devtools}*/ rw, owner @{user_cache_dirs}/*@{devtools}*/** rwlk, diff --git a/apparmor.d/groups/code/code-extensions b/apparmor.d/groups/code/code-extensions index b4c71b1839..5b82d8c173 100644 --- a/apparmor.d/groups/code/code-extensions +++ b/apparmor.d/groups/code/code-extensions @@ -41,16 +41,6 @@ profile code-extensions @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - # Well known programs used in code-extensions. - @{bin}/docker Ux, # TODO Px, - @{bin}/git Px, - @{bin}/journalctl Px, - @{bin}/lscpu Px, - @{bin}/podman Px, - @{bin}/ps Px, - @{bin}/uptime Px, - @{bin}/w Px, - owner @{lib_dirs}/{,**/}__pycache__/ w, owner @{lib_dirs}/{,**/}__pycache__/**.pyc{,*} w, diff --git a/apparmor.d/groups/code/code-shells b/apparmor.d/groups/code/code-shells index f679ab217f..5bb5cb9880 100644 --- a/apparmor.d/groups/code/code-shells +++ b/apparmor.d/groups/code/code-shells @@ -48,31 +48,8 @@ profile code-shells flags=(attach_disconnected) { # Well known programs used in shells, when we also have specific profiles for # them and want to allow them, event if they need more/different permissions # than what is allowed in this profile. - @{bin}/aa-log Px, - @{bin}/claude Px, - @{bin}/docker Ux, # TODO Px, - @{bin}/dpkg-query Px, - @{bin}/git Px, - @{bin}/htop Px, - @{bin}/ip Px, - @{bin}/journalctl Px, - @{bin}/man Px, - @{bin}/nproc Px, - @{bin}/podman Px, - @{bin}/ps Px, - @{bin}/ssh Px, - @{bin}/top Px, - @{bin}/uptime Px, - @{bin}/w Px, /opt/claude-code/bin/claude Px, - # Handle shell prompts, out of scope, thus unconfined - @{bin}/starship Cx -> starship, - - # Well known shells tools - priority=1 @{user_cache_dirs}/gitstatus/gitstatusd{,-*} Px, - priority=1 /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} Px, - owner @{config_dirs}/User/globalStorage/**/ r, owner @{user_projects_dirs}/ r, @@ -86,26 +63,6 @@ profile code-shells flags=(attach_disconnected) { # file_inherit priority=-1 deny owner @{user_config_dirs}/Code/** rw, - profile starship { - include - include - include - - @{bin}/starship mr, - - owner @{user_cache_dirs}/starship/ rw, - owner @{user_cache_dirs}/starship/** rw, - owner @{user_config_dirs}/starship.toml r, - - owner @{user_projects_dirs}/**/.git/{,**} r, - - @{sys}/class/power_supply/ r, - - owner @{PROC}/@{pid}/cgroup r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index a9e47e9913..d7f51602ce 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -155,10 +155,6 @@ profile claude @{exec_path} flags=(attach_disconnected) { priority=1 @{bin}/dpkg-query Px, priority=1 @{bin}/flatpak Px -> claude//flatpak, - priority=1 @{bin}/journalctl Px, - priority=1 @{bin}/podman Px, - priority=1 @{bin}/man PUx, - priority=1 @{bin}/ps Px, priority=1 @{bin}/ssh Px -> claude//ssh, priority=1 @{ldd_path} rPx -> claude//ldd, @@ -180,11 +176,9 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{tmp}/claude-shell/ rw, owner @{tmp}/claude-shell/** mix, owner @{tmp}/claude-shell/** rwlk -> @{tmp}/claude/**, - owner @{tmp}/claude{,-code}/ r, + owner @{tmp}/claude{,-code}/ rw, owner @{tmp}/claude{,-code}/** mix, owner @{tmp}/claude{,-code}/** rwlk -> @{tmp}/claude/**, - owner @{tmp}/tmp@{word8}/ rw, - owner @{tmp}/tmp@{word8}/** rwlk, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, From 67696437caf0a65f814a4abe1602f8415f6613c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Apr 2026 00:22:46 +0200 Subject: [PATCH 1619/1736] feat(profile): minor update. --- apparmor.d/groups/gnome/gjs | 1 + apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 1 + apparmor.d/groups/gnome/gnome-shell | 4 +++- apparmor.d/groups/gnome/gnome-weather | 1 + apparmor.d/groups/gvfs/gvfsd-dav | 2 ++ apparmor.d/groups/ssh/ssh | 1 + apparmor.d/groups/systemd-service/shadow.service | 1 + apparmor.d/profiles-a-f/appstreamcli | 3 ++- apparmor.d/profiles-g-l/libreoffice | 5 +++++ apparmor.d/profiles-g-l/lynx | 3 ++- apparmor.d/profiles-m-r/nvtop | 2 +- apparmor.d/profiles-m-r/pdfinfo | 1 + apparmor.d/tunables/multiarch.d/paths | 2 +- apparmor.d/tunables/multiarch.d/programs | 2 +- 14 files changed, 23 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index d579ca5d7d..c41b394874 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -102,6 +102,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, owner @{HOME}/ r, + owner @{user_videos_dirs}/{,**} r, # TODO: ScreenCast only owner @{user_cache_dirs}/gjs_repl_history rw, owner @{user_cache_dirs}/gjs_repl_history-@{int}.tmp rw, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index ac81d979f6..4773a551ba 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -28,6 +28,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* r, owner @{tmp}/gnome-desktop-thumbnailer.png w, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b4e7291123..8a5b85a210 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -15,6 +15,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -237,6 +238,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, + @{system_share_dirs}/gnome-shell/{,**} r, /snap/*/@{uid}/**.@{icon_ext} r, /usr/share/**.@{icon_ext} r, /usr/share/**/icons/{,**} r, @@ -245,13 +247,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/desktop-directories/{,*.directory} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/greeter/applications/{,**} r, + /usr/share/gdm/greeter/wayland-sessions/{,*.desktop} r, /usr/share/libgweather/Locations.xml r, /usr/share/libinput*/{,**} r, /usr/share/libwacom/{,*.stylus,*.tablet} r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, - @{system_share_dirs}/gnome-shell/{,**} r, /etc/fstab r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index 9202be590f..698c8fe8b2 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -12,6 +12,7 @@ profile gnome-weather @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 705db09ad0..2f6740bf07 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -13,7 +13,9 @@ profile gvfsd-dav @{exec_path} flags=(attach_disconnected) { include include include + include include + include include include include diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 199faf656e..e94fb6912c 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -33,6 +33,7 @@ profile ssh @{exec_path} flags=(attach_disconnected) { @{bin}/ssh.hmac r, @{lib}/{,ssh/}ssh-sk-helper rix, + @{lib}/ssh-askpass/x11-ssh-askpass PUx, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service index 95f780b891..8edb05f2cc 100644 --- a/apparmor.d/groups/systemd-service/shadow.service +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -8,6 +8,7 @@ include profile shadow.service flags=(attach_disconnected) { include + include include @{sh_path} rix, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 086fec5057..c56c1e89cb 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -11,7 +11,8 @@ include profile appstreamcli @{exec_path} { include include - include + include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 65ac01a9cd..765b1137bc 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -91,6 +91,10 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, + owner @{lib}/@{python_name}/{,**/}__pycache__/ w, + owner @{lib}/@{python_name}/{,**/}__pycache__/uno**.pyc w, + owner @{lib}/@{python_name}/{,**/}__pycache__/uno**.pyc.@{u64} w, + owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/kservicemenurc r, @@ -122,6 +126,7 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, + @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/cgroups r, @{PROC}/version r, owner @{PROC}/@{pid}/coredump_filter rw, diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index c19a766a58..0f324e6972 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -10,11 +10,12 @@ include @{exec_path} = @{bin}/lynx profile lynx @{exec_path} { include + include include - include include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index b2ec5ad508..3fc7a7b766 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -19,7 +19,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pdfinfo b/apparmor.d/profiles-m-r/pdfinfo index a481ad3239..b1c2929523 100644 --- a/apparmor.d/profiles-m-r/pdfinfo +++ b/apparmor.d/profiles-m-r/pdfinfo @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pdfinfo profile pdfinfo @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 0865f74a50..4d1fb5ee01 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -20,7 +20,7 @@ # ldd (List Dynamic Dependencies) and dynamic linker/loader @{ldd_path} = @{bin}/ldd @{bin}/ld -@{ldd_path} += @{lib}/ld-linux-@{arch}.so{,.*} +@{ldd_path} += @{lib}/ld-linux-@{arch}.so{,.*} @{lib}/ld-linux.so{,.*} @{ldd_path} += @{lib}/@{multiarch}/ld-linux-@{arch}.so{,.*} # Gstreamer plugin scanner diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 8cc49e8e6d..0feaa00720 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -38,7 +38,7 @@ # This should only contains core development tools like compilers, analysis tools, linters, debuggers etc. # @{devtools} = ansible cargo dlv gem go just node npm pip pyright python ruby -@{devtools} += rust typescript yarn docker +@{devtools} += rust typescript yarn docker uv pytest # Python interpreters @{python_version} = 3 3.[0-9] 3.1[0-9] From 6f2c8a21e4df4dfb3447d22576c51cfc3f15cdc5 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Tue, 31 Mar 2026 00:12:56 +0200 Subject: [PATCH 1620/1736] plasma-login-greeter: add user icon it seems user icon is stored there without an extension --- apparmor.d/groups/kde/plasma-login-greeter | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/kde/plasma-login-greeter b/apparmor.d/groups/kde/plasma-login-greeter index 00d6718882..072d5ee72f 100644 --- a/apparmor.d/groups/kde/plasma-login-greeter +++ b/apparmor.d/groups/kde/plasma-login-greeter @@ -32,6 +32,8 @@ profile plasma-login-greeter @{exec_path} flags=(attach_disconnected,mediate_del @{etc_ro}/login.defs.d/{,*} r, /etc/fstab r, + /var/lib/AccountsService/icons/@{user} r, + / r, owner @{SDDM_HOME}/** rw, From 7b019ccc381431d4445599f266c77119e08e09f8 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 2 Apr 2026 14:18:51 +0100 Subject: [PATCH 1621/1736] feat(profile): minor update. --- apparmor.d/groups/freedesktop/xdg-desktop-menu | 1 + apparmor.d/groups/systemd/systemd-userdbd | 2 ++ apparmor.d/groups/utils/lsblk | 2 ++ apparmor.d/profiles-m-r/multipath | 2 ++ 4 files changed, 7 insertions(+) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index f86fbedc8e..e718108479 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu @@ -37,6 +37,7 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) { @{bin}/tr ix, @{bin}/umask ix, @{bin}/uname ix, + @{bin}/id rPx, # To get DE information @{bin}/kde{,4}-config ix, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 220376ba5d..8cb603ec78 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -31,6 +31,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/machine-id r, /etc/userdb/{,**} r, + / r, + @{att}@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}@{run}/systemd/userdb/io.systemd.Home rw, @{att}@{run}/systemd/userdb/io.systemd.Machine rw, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 6fc1d5bb25..4289628e4f 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -19,6 +19,8 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 588f4b6b1f..25634cd44b 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -23,6 +23,8 @@ profile multipath @{exec_path} flags=(attach_disconnected) { /etc/multipath/* rwk, /etc/systemd/system/ r, + / r, + @{run}/systemd/system/ r, @{sys}/bus/ r, From 180708cfd937a896f3654571bdde4e19ae08b7aa Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Thu, 2 Apr 2026 17:43:22 +0100 Subject: [PATCH 1622/1736] fix(profile): systemd-cat greetd denial. --- apparmor.d/groups/systemd/systemd-cat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index 5b5d073da2..14ba03d6d3 100644 --- a/apparmor.d/groups/systemd/systemd-cat +++ b/apparmor.d/groups/systemd/systemd-cat @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-cat -profile systemd-cat @{exec_path} { +profile systemd-cat @{exec_path} flags=(attach_disconnected) { include include include From 5c81b792e8a5036448acbf26441ec02dc3c093da Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Apr 2026 00:28:17 +0200 Subject: [PATCH 1623/1736] build: move to a more classic version scheme. (2) --- Justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 23feb19181..2d9c82ceb5 100644 --- a/Justfile +++ b/Justfile @@ -578,7 +578,7 @@ version: # Create a new version number from the current release [group('version')] version-new: - @bash -c 'source PKGBUILD && awk -v ver="$pkgver" "BEGIN {printf \"%.4f\n\", ver + 0.0001}"' + @bash -c 'source PKGBUILD && IFS="." read -r major minor patch <<< "$pkgver" && echo "${major}.$(( minor + 1 )).0"' # Create a new release [group('release')] From ec2821f822b59ede37b9bdec2e3afd86370605f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 3 Apr 2026 00:28:39 +0200 Subject: [PATCH 1624/1736] Release apparmor.d v0.4907.0 --- PKGBUILD | 8 ++++++-- debian/changelog | 6 ++++++ dists/apparmor.d.spec | 2 +- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index f15e630911..010a716a29 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -9,7 +9,7 @@ pkgname=( # apparmor.d-base # apparmor.d-tools ) -pkgver=0.4906.0 +pkgver=0.4907.0 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') @@ -32,14 +32,18 @@ build() { export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw -tags=dev" export DISTRIBUTION=arch just complain +# just prebuild } package_apparmor.d() { # depends+=('apparmor.d-base' 'apparmor.d-tools') cd "$srcdir/$pkgbase" just destdir="$pkgdir" install +# just destdir="$pkgdir" install-tools +# just destdir="$pkgdir" install-base +# just destdir="$pkgdir" install-prebuilt } - + # package_apparmor.d-base() { # pkgdesc="$pkgdesc (base abstractions, tunables, and booleans)" # cd "$srcdir/$pkgbase" diff --git a/debian/changelog b/debian/changelog index 05559f78ca..a1e5c7ef60 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apparmor.d (0.4907.0-1) stable; urgency=medium + + * Release apparmor.d v0.4907.0 + + -- Alexandre Pujol Fri, 03 Apr 2026 00:28:39 +0200 + apparmor.d (0.4906-1) stable; urgency=medium * Release apparmor.d v0.4906 diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 70a5b2c77a..4c2f9e0e7a 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -7,7 +7,7 @@ # Warning: for development only, use https://build.opensuse.org/package/show/home:cboltz/apparmor.d for production use. Name: apparmor.d -Version: 0.4906 +Version: 0.4907.0 Release: 1%{?dist} Summary: Set of over 1500 AppArmor profiles License: GPL-2.0-only From 6c9fdf13841cdc4d61a921891dce2ca1e7993590 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 5 Apr 2026 23:52:00 +0200 Subject: [PATCH 1625/1736] feat(profile): add profile for solaar --- apparmor.d/profiles-s-z/solaar | 42 ++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 apparmor.d/profiles-s-z/solaar diff --git a/apparmor.d/profiles-s-z/solaar b/apparmor.d/profiles-s-z/solaar new file mode 100644 index 0000000000..aa7618d04f --- /dev/null +++ b/apparmor.d/profiles-s-z/solaar @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/solaar +profile solaar @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{sbin}/ldconfig ix, + + owner @{user_config_dirs}/solaar/{,**} rw, + + owner /var/tmp/@{word8} rw, + owner @{tmp}/Solaar_@{rand8} rw, + owner @{tmp}/@{word8} rw, + + owner @{PROC}/@{pid}/mounts r, + + deny @{bin}/git x, + deny @{HOME}/@{word8} rw, + + include if exists +} + +# vim:syntax=apparmor From 91472268114eaa7e5f4e47b6bfe2ce66cac50a72 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:31:29 +0200 Subject: [PATCH 1626/1736] feat(abs): improve flatpak core abs. --- apparmor.d/abstractions/flatpak/base | 2 ++ .../flatpak/baseapp/com.valvesoftware.Steam | 3 --- .../abstractions/flatpak/baseapp/org.winehq.Wine | 11 +++++++++++ apparmor.d/abstractions/flatpak/devices/all | 1 - apparmor.d/abstractions/flatpak/devices/dri | 3 +++ apparmor.d/abstractions/flatpak/shared/network | 4 ++++ 6 files changed, 20 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index a9713f7e15..58eee52103 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -77,6 +77,8 @@ owner @{run}/flatpak/app/@{appid}/ r, owner @{run}/flatpak/app/@{appid}/** mrwlk -> @{run}/flatpak/app/@{appid}/**, + owner @{att}@{run}/flatpak/app/@{appid}/ r, + owner @{att}@{run}/flatpak/app/@{appid}/** mrwlk -> @{att}@{run}/flatpak/app/@{appid}/**, owner @{run}/flatpak/doc/ r, owner @{run}/flatpak/doc/** mrw, diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam index db52695cbc..50d18bd76c 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -33,9 +33,6 @@ @{PROC}/sys/kernel/sched_autogroup_enabled r, owner @{PROC}/@{pid}/autogroup rw, - # Chromium content api unfortunately needs these for normal operation - owner @{PROC}/@{pid}/fd/@{int} w, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine index 300c9d78e0..9f8c22ebda 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine +++ b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine @@ -5,6 +5,17 @@ abi , + owner /tmp/.wine-@{uid}/ rw, + owner /tmp/.wine-@{uid}/server-*/ rw, + owner /tmp/.wine-@{uid}/server-*/lock rwk, + owner /tmp/.wine-@{uid}/server-*/socket rw, + owner /tmp/.wine-@{uid}/server-*/tmpmap-@{hex8} mrw, + owner @{att}/tmp/.wine-@{uid}/server-*/socket rw, + + owner /tmp/@{word8} rw, + owner /tmp/protonfixes_test.log w, + owner /tmp/protonfixes-gtk-@{word8}/{,**} rw, + owner @{run}/user/@{uid}/pressure-vessel/ r, owner @{run}/user/@{uid}/pressure-vessel/{,**} rw, owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index 731cbef756..0a02efe57e 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -20,7 +20,6 @@ include include include - include include @{sys}/class/*/ r, diff --git a/apparmor.d/abstractions/flatpak/devices/dri b/apparmor.d/abstractions/flatpak/devices/dri index ed42b24db6..b47872a424 100644 --- a/apparmor.d/abstractions/flatpak/devices/dri +++ b/apparmor.d/abstractions/flatpak/devices/dri @@ -6,6 +6,8 @@ abi , include + include + include unix (bind listen) type=seqpacket addr=@@{hex}@{hex}, @@ -32,6 +34,7 @@ @{att}/dev/dri/renderD129 rw, /dev/ r, + /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, include if exists diff --git a/apparmor.d/abstractions/flatpak/shared/network b/apparmor.d/abstractions/flatpak/shared/network index ac6bb9bcf6..65f75307ac 100644 --- a/apparmor.d/abstractions/flatpak/shared/network +++ b/apparmor.d/abstractions/flatpak/shared/network @@ -33,6 +33,7 @@ @{PROC}/@{pid}/net/raw r, @{PROC}/@{pid}/net/raw6 r, @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/snmp r, @{PROC}/@{pid}/net/sockstat r, @{PROC}/@{pid}/net/sockstat6 r, @{PROC}/@{pid}/net/tcp r, @@ -44,6 +45,9 @@ @{PROC}/@{pid}/net/wireless r, @{PROC}/net/dev r, + @{PROC}/sys/net/ipv4/conf/default/forwarding r, + @{PROC}/sys/net/ipv4/ip_default_ttl r, + include if exists # vim:syntax=apparmor From 3755d8e443dc64bc07faf67f16018d496b83c656 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:33:33 +0200 Subject: [PATCH 1627/1736] feat(abs): improve some core abs. --- apparmor.d/abstractions/amdgpu | 1 + apparmor.d/abstractions/cgroup-limits | 1 + apparmor.d/abstractions/graphics | 6 ++++++ apparmor.d/abstractions/input | 1 - 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu index dd6cc4dc5d..5c39d9b1c9 100644 --- a/apparmor.d/abstractions/amdgpu +++ b/apparmor.d/abstractions/amdgpu @@ -16,6 +16,7 @@ @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/ r, @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, diff --git a/apparmor.d/abstractions/cgroup-limits b/apparmor.d/abstractions/cgroup-limits index c09a8c0bbb..5b1906c15a 100644 --- a/apparmor.d/abstractions/cgroup-limits +++ b/apparmor.d/abstractions/cgroup-limits @@ -24,6 +24,7 @@ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, + # Allow reading cgroup membership information owner @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 01accb1740..06b4e4b892 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -14,6 +14,12 @@ @{sys}/bus/pci/devices/ r, + # GPU sysfs for PCI graphics cards: + @{sys}/devices/@{pci}/current_link_speed r, # Current PCIe link speed (e.g., 8.0 GT/s) + @{sys}/devices/@{pci}/current_link_width r, # Current PCIe lane width (e.g., x16) + @{sys}/devices/@{pci}/max_link_speed r, # Maximum supported PCIe speed + @{sys}/devices/@{pci}/max_link_width r, # Maximum supported PCIe lane width + @{sys}/devices/system/ r, @{sys}/devices/system/cpu/cpu@{int}/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/ r, diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input index d70e08b2c2..8270ed477d 100644 --- a/apparmor.d/abstractions/input +++ b/apparmor.d/abstractions/input @@ -23,7 +23,6 @@ @{sys}/devices/**/input@{int}/id/product r, @{sys}/devices/**/input@{int}/id/vendor r, @{sys}/devices/**/input/ r, - @{sys}/devices/virtual/input/mice/uevent r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* From f40c8072a6b24c61f727d9cd7b941d61c311595f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:34:19 +0200 Subject: [PATCH 1628/1736] feat(abs): add sys/power-supply abs. --- apparmor.d/abstractions/sys/power-supply | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 apparmor.d/abstractions/sys/power-supply diff --git a/apparmor.d/abstractions/sys/power-supply b/apparmor.d/abstractions/sys/power-supply new file mode 100644 index 0000000000..2ca2e76ae3 --- /dev/null +++ b/apparmor.d/abstractions/sys/power-supply @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Listing for power supply devices. Used to enumerate power sources and +# determine if the system is on AC or battery. + + abi , + + @{sys}/class/power_supply/ r, + + @{sys}/devices/**/power_supply/AC/ r, + @{sys}/devices/**/power_supply/AC/online r, + @{sys}/devices/**/power_supply/AC/type r, + + @{sys}/devices/**/power_supply/BAT@{int}/ r, + @{sys}/devices/**/power_supply/BAT@{int}/online r, + @{sys}/devices/**/power_supply/BAT@{int}/type r, + + include if exists + +# vim:syntax=apparmor From b9246ac5999ca0ee2dcf206185d4d5721e06705d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:34:49 +0200 Subject: [PATCH 1629/1736] feat(abs): add sys/amdgpu abs. --- apparmor.d/abstractions/sys/amdgpu | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 apparmor.d/abstractions/sys/amdgpu diff --git a/apparmor.d/abstractions/sys/amdgpu b/apparmor.d/abstractions/sys/amdgpu new file mode 100644 index 0000000000..a477990d56 --- /dev/null +++ b/apparmor.d/abstractions/sys/amdgpu @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# AMD's amdgpu driver power management (PowerPlay) + + abi , + + # DPM performance level (auto/low/high/manual) + @{sys}/devices/@{pci}/power_dpm_force_performance_level r, + + # Memory clock frequency states and current selection + @{sys}/devices/@{pci}/pp_dpm_mclk r, + + # PCIe bandwidth states + @{sys}/devices/@{pci}/pp_dpm_pcie r, + + # Shader/core clock frequency states + @{sys}/devices/@{pci}/pp_dpm_sclk r, + + # Overclocking table (clock/voltage curves) + @{sys}/devices/@{pci}/pp_od_clk_voltage r, + + include if exists + +# vim:syntax=apparmor From e3d9d1cd30f2f032a0895a899f47e0cb796bcc84 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:35:05 +0200 Subject: [PATCH 1630/1736] feat(abs): add sys/input abs. --- apparmor.d/abstractions/sys/input | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/sys/input diff --git a/apparmor.d/abstractions/sys/input b/apparmor.d/abstractions/sys/input new file mode 100644 index 0000000000..767e04b3ae --- /dev/null +++ b/apparmor.d/abstractions/sys/input @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Allow reading for supported event reports for all input devices. See + # https://www.kernel.org/doc/Documentation/input/event-codes.txt + @{sys}/devices/**/input@{int}/capabilities/* r, + + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input/input@{int}/event@{int}/uevent r, + @{sys}/devices/**/input/input@{int}/properties r, + @{sys}/devices/**/input/input@{int}/uevent r, + @{sys}/devices/virtual/input/mice/uevent r, + + include if exists + +# vim:syntax=apparmor From a2ab76a3efa55f5540db62c3f23ea48e3d479b1d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:35:41 +0200 Subject: [PATCH 1631/1736] feat(abs): add sys/dmi abs. --- apparmor.d/abstractions/sys/dmi | 34 +++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/abstractions/sys/dmi diff --git a/apparmor.d/abstractions/sys/dmi b/apparmor.d/abstractions/sys/dmi new file mode 100644 index 0000000000..acfbb0ef9c --- /dev/null +++ b/apparmor.d/abstractions/sys/dmi @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Desktop Management Interface (DMI) firmware tables and identity files +# +# DMI is a standard framework for managing and tracking hardware components in a +# computer. +# +# Games and game launchers (Steam, Proton, anti-cheat) read these for hardware +# fingerprinting, telemetry, and compatibility checks. This is the same data +# from dmidecode but readable without root via sysfs. + + abi , + + @{sys}/devices/virtual/dmi/id/bios_date r, # BIOS release date + @{sys}/devices/virtual/dmi/id/bios_vendor r, # BIOS manufacturer + @{sys}/devices/virtual/dmi/id/bios_version r, # BIOS version string + @{sys}/devices/virtual/dmi/id/board_asset_tag r, # Motherboard asset tag + @{sys}/devices/virtual/dmi/id/board_name r, # Motherboard model + @{sys}/devices/virtual/dmi/id/board_vendor r, # Motherboard manufacturer + @{sys}/devices/virtual/dmi/id/board_version r, # Motherboard revision + @{sys}/devices/virtual/dmi/id/chassis_type r, # Chassis form factor (numeric) + @{sys}/devices/virtual/dmi/id/chassis_vendor r, # Chassis manufacturer + @{sys}/devices/virtual/dmi/id/chassis_version r, # Chassis version + @{sys}/devices/virtual/dmi/id/product_family r, # Product family name + @{sys}/devices/virtual/dmi/id/product_name r, # System product name + @{sys}/devices/virtual/dmi/id/product_sku r, # Product SKU identifier + @{sys}/devices/virtual/dmi/id/product_version r, # Product version + @{sys}/devices/virtual/dmi/id/sys_vendor r, # System manufacturer + + include if exists + +# vim:syntax=apparmor From 9a7fbc1c9053008085579296b478aff02afecb68 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:42:17 +0200 Subject: [PATCH 1632/1736] feat(profile): replace the freedesktop abs. --- apparmor.d/groups/freedesktop/update-desktop-database | 3 +-- apparmor.d/groups/freedesktop/xdg-document-portal | 3 ++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 90be74ecf4..0313606b65 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -11,8 +11,7 @@ include profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include include - include - include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 200d6a40e8..437eb9ed90 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -13,7 +13,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include include - include + include + include include capability sys_admin, From cc844398854b6c180734522ea57b44efd4baa44d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:45:31 +0200 Subject: [PATCH 1633/1736] feat(profile): update systemd-ac-power. --- apparmor.d/groups/systemd/systemd-ac-power | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-ac-power b/apparmor.d/groups/systemd/systemd-ac-power index 1353547f00..90b9e66db5 100644 --- a/apparmor.d/groups/systemd/systemd-ac-power +++ b/apparmor.d/groups/systemd/systemd-ac-power @@ -10,16 +10,12 @@ include @{exec_path} = @{lib}/systemd/systemd-ac-power profile systemd-ac-power @{exec_path} { include + include @{exec_path} mr, owner @{PROC}/@{pid}/stat r, - @{sys}/class/power_supply/ r, - - @{sys}/devices/**/power_supply/{AC,BAT@{int}}/ r, - @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{type,online} r, - include if exists } From 9354c912c78b7fa1769bab5a6abbeace87824078 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:56:16 +0200 Subject: [PATCH 1634/1736] feat(profile): systemd: add some ctl profile. --- apparmor.d/groups/systemd/machinectl | 48 +++++++++++++++++++++++++++ apparmor.d/groups/systemd/oomctl | 28 ++++++++++++++++ apparmor.d/groups/systemd/timedatectl | 29 ++++++++++++++++ apparmor.d/groups/systemd/updatectl | 32 ++++++++++++++++++ apparmor.d/groups/systemd/userdbctl | 5 +-- dists/flags/main.flags | 4 +++ 6 files changed, 142 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/groups/systemd/machinectl create mode 100644 apparmor.d/groups/systemd/oomctl create mode 100644 apparmor.d/groups/systemd/timedatectl create mode 100644 apparmor.d/groups/systemd/updatectl diff --git a/apparmor.d/groups/systemd/machinectl b/apparmor.d/groups/systemd/machinectl new file mode 100644 index 0000000000..f745cb5dd3 --- /dev/null +++ b/apparmor.d/groups/systemd/machinectl @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/machinectl +profile machinectl @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + capability net_admin, + capability sys_ptrace, + capability sys_resource, + + signal send set=(cont term winch) peer=child-pager, + signal send set=(cont term winch) peer=pkttyagent, + signal send set=(cont term winch) peer=systemd-tty-ask-password-agent, + + #aa:dbus talk bus=system name=org.freedesktop.machine1 label=systemd-machined + + @{exec_path} mr, + + @{bin}/pkttyagent Px, + @{bin}/systemd-tty-ask-password-agent Px, + @{pager_path} Px -> child-pager, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + @{run}/systemd/machines/{,**} r, + + @{PROC}/@{pid}/comm r, + + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/cgroup r, + + /dev/pts/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/oomctl b/apparmor.d/groups/systemd/oomctl new file mode 100644 index 0000000000..473cacc948 --- /dev/null +++ b/apparmor.d/groups/systemd/oomctl @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/oomctl +profile oomctl @{exec_path} { + include + include + include + + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.oom1 label="@{p_systemd_oomd}" + + @{exec_path} mr, + + @{pager_path} rPx -> child-pager, + + owner @{PROC}/@{pid}/cgroup r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/timedatectl b/apparmor.d/groups/systemd/timedatectl new file mode 100644 index 0000000000..eec048c53b --- /dev/null +++ b/apparmor.d/groups/systemd/timedatectl @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/timedatectl +profile timedatectl @{exec_path} { + include + include + include + + capability net_admin, + + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" + #aa:dbus talk bus=system name=org.freedesktop.timesync1 label=systemd-timesyncd + + @{exec_path} mr, + + @{pager_path} rPx -> child-pager, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/updatectl b/apparmor.d/groups/systemd/updatectl new file mode 100644 index 0000000000..7d2ba69648 --- /dev/null +++ b/apparmor.d/groups/systemd/updatectl @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/updatectl +profile updatectl @{exec_path} flags=(attach_disconnected) { + include + include + include + + signal send set=(cont term winch) peer=child-pager, + signal send set=(cont term winch) peer=pkttyagent, + + #aa:dbus talk bus=system name=org.freedesktop.sysupdate1 label=systemd-sysupdated + + @{exec_path} mr, + + @{bin}/pkttyagent rPx, + + @{PROC}/1/cgroup r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 199d322b09..c07479a897 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/userdbctl profile userdbctl @{exec_path} flags=(attach_disconnected) { include + include include include @@ -31,10 +32,6 @@ profile userdbctl @{exec_path} flags=(attach_disconnected) { @{run}/userdb/ rw, @{run}/credentials/systemd-userdb-load-credentials.service/ r, - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/setgroups r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index c079004b2b..c7c46a44f6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -215,6 +215,7 @@ lvm complain lvmconfig complain lvmdump complain lvmpolld complain +machinectl complain man complain mate-notification-daemon complain mdadm complain @@ -235,6 +236,7 @@ nmcli complain nvidia-detector complain nvidia-persistenced complain ollama complain +oomctl complain os-prober complain pam_kwallet_init complain passimd complain @@ -347,6 +349,7 @@ systemd-user-sessions complain systemd-userwork complain systemsettings complain telegram-desktop complain +timedatectl complain totem complain tracker-writeback complain ucf complain @@ -367,6 +370,7 @@ update-grub complain update-info-dir complain update-secureboot-policy complain update-shells complain +updatectl complain userdbctl complain utempter complain veracrypt complain From db80b14fcea2fedd60575117aaad0a713aaf5776 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 13:58:03 +0200 Subject: [PATCH 1635/1736] feat(profile): systemd: add systemd-bless-boot. --- apparmor.d/groups/systemd/systemd-bless-boot | 28 ++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 29 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-bless-boot diff --git a/apparmor.d/groups/systemd/systemd-bless-boot b/apparmor.d/groups/systemd/systemd-bless-boot new file mode 100644 index 0000000000..30783c8982 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-bless-boot @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-bless-boot +profile systemd-bless-boot @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + + @{exec_path} mr, + + @{efi}/ r, + @{efi}/EFI/Linux/ r, + @{efi}/EFI/Linux/*.efi rw, + + @{sys}/firmware@{efi}/efivars/LoaderBootCountPath-@{uuid} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index c7c46a44f6..ff1e74e3d6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -302,6 +302,7 @@ sysstat-sa complain sysstat-sadc complain systemd-ask-password complain systemd-binfmt complain +systemd-bless-boot complain systemd-cgls complain systemd-cgtop complain systemd-cryptsetup complain From ba4da80ca152985a238b69910b10db08dc5d7060 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 14:00:54 +0200 Subject: [PATCH 1636/1736] feat(profile): add systemd-importd --- apparmor.d/groups/systemd/systemd-importd | 75 +++++++ dists/flags/main.flags | 241 ++++++++++++++++++++++ 2 files changed, 316 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-importd diff --git a/apparmor.d/groups/systemd/systemd-importd b/apparmor.d/groups/systemd/systemd-importd new file mode 100644 index 0000000000..d8bc412a1c --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-importd @@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-importd +profile systemd-importd @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability fowner, + capability fsetid, + capability mknod, + capability setfcap, + capability sys_admin, + capability setpcap, + capability dac_override, + capability linux_immutable, + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + #aa:dbus own bus=system name=org.freedesktop.import1 + + @{exec_path} mr, + + @{bin}/gpg ix, + @{bin}/tar ix, + @{lib}/systemd/systemd-import ix, + @{lib}/systemd/systemd-pull ix, + + @{lib}/systemd/import-pubring.gpg r, + /etc/systemd/import-pubring.gpg r, + + /var/lib/ r, + /var/lib/confexts/ rw, + /var/lib/confexts/** rwlk -> /var/lib/confexts/**, + /var/lib/extensions/ rw, + /var/lib/extensions/** rwlk -> /var/lib/extensions/**, + /var/lib/machines/ rw, + /var/lib/machines/** rwlk -> /var/lib/machines/**, + /var/lib/portables/ rw, + /var/lib/portables/** rwlk -> /var/lib/portables/**, + + owner @{run}/systemd/import/ w, + owner @{run}/systemd/import/notify w, + + /tmp/gpghome@{rand6}/ rw, + /tmp/sig@{rand6} rw, + + @{run}/dbus/system_bus_socket rw, + @{run}/systemd/import/notify r, + + @{sys}/fs/cgroup/system.slice/systemd-importd.service/memory.pressure rw, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index ff1e74e3d6..6c63ecc3b5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -7,6 +7,155 @@ systemd-user complain sd complain sdu complain +code enforce +claude enforce +code-extension-ltex enforce +code-extensions enforce +code-shells enforce +flatpak-session-helper-app enforce +spotify enforce +git enforce + +# TODO Later +# mullvad-daemon enforce +# mullvad-gui enforce + +# Self enforced (namespace) +:glycin:bwrap enforce +:glycin:loaders enforce +:makepkg:gpg enforce + +# Self enforced +# htop enforce +# accounts-daemon enforce +# blueman enforce +# bluetoothd enforce +# boltd enforce +# child-modprobe-nvidia enforce +# child-open enforce +# child-open-any enforce +# child-open-browsers enforce +# child-open-editor enforce +# child-open-email enforce +# child-open-help enforce +# child-open-strict enforce +# child-pager enforce +# child-systemctl enforce +# chromium enforce +# colord enforce +# cupsd enforce +# dconf-service enforce +# evolution-addressbook-factory enforce +# evolution-alarm-notify enforce +# evolution-calendar-factory enforce +# evolution-source-registry enforce +# fapp enforce +# fbwrap enforce +# # firefox enforce +# firewalld enforce +# flatpak-session-helper enforce +# gdm enforce +# gdm-session enforce +# gitstatusd enforce +# gnome-calculator enforce +# gnome-calendar enforce +# gnome-characters enforce +# gnome-clocks enforce +# gnome-contacts enforce +# gnome-extension-gsconnect enforce +# gnome-font-viewer enforce +# gnome-keyring-daemon enforce +# gnome-logs enforce +# gnome-maps enforce +# gnome-music enforce +# gnome-session enforce +# gnome-session-binary enforce +# gnome-session-check enforce +# gnome-session-ctl enforce +# gnome-session-init-worker enforce +# gnome-session-service enforce +# gnome-shell enforce +# gnome-shell-calendar-server enforce +# gnome-system-monitor enforce +# gnome-terminal-serve enforce +# gnome-weather enforce +# goa-daemon enforce +# goa-identity-service enforce +# gpg-agent enforce +# gsd-a11y-settings enforce +# gsd-color enforce +# gsd-datetime enforce +# gsd-disk-utility-notify enforce +# gsd-housekeeping enforce +# gsd-keyboard enforce +# gsd-media-keys enforce +# gsd-power enforce +# gsd-print-notifications enforce +# gsd-printer +# gsd-rfkill enforce +# gsd-screensaver-proxy enforce +# gsd-sharing enforce +# gsd-smartcard enforce +# gsd-sound enforce +# gsd-usb-protection enforce +# gsd-xsettings enforce +# gvfs-afc-volume-monitor enforce +# gvfs-goa-volume-monitor enforce +# gvfs-gphoto2-volume-monitor enforce +# gvfs-mtp-volume-monitor enforce +# gvfs-udisks2-volume-monitor enforce +# gvfsd enforce +# gvfsd-metadata enforce +# gvfsd-trash enforce +# ibus-daemon enforce +# ibus-dconf enforce +# ibus-engine-simple enforce +# ibus-extension-gtk3 enforce +# ibus-portal enforce +# ibus-x11 enforce +# irqbalance enforce +# localsearch enforce +# localsearch-control enforce +# localsearch-writeback enforce +# loupe enforce +# mkosi enforce +# mutter-x11-frames enforce +# nautilus enforce +# NetworkManager enforce +# nvidia-smi enforce +# obexd enforce +# org.gnome.NautilusPreviewer enforce +# papers enforce +# pipewire enforce +# polkitd enforce +# power-profiles-daemon enforce +# ptyxis enforce +# ptyxis-agent enforce +# rngd enforce +# rtkit-daemon enforce +# scdaemon enforce +# seahorse enforce +# showtime enforce +# signal-desktop enforce +# ssh-agent enforce +# superproductivity enforce +# switcheroo-control enforce +# syncthing enforce +# systemd-journald enforce +# systemd-timesyncd enforce +# telca enforce +# upowerd enforce +# virt-manager enforce +# wireplumber enforce +# wpa-supplicant enforce +# xdg-desktop-portal enforce +# xdg-desktop-portal-gnome enforce +# xdg-desktop-portal-gtk enforce +# xdg-document-portal enforce +# xdg-permission-store enforce +# xwayland enforce +# yelp enforce + akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -194,6 +343,7 @@ kwin_x11 complain landscape-sysinfo complain landscape-sysinfo.wrapper complain language-validate complain +languagetool complain last complain lastlog complain libreoffice complain @@ -260,6 +410,7 @@ pycompile complain qdbus complain remmina complain run-parts complain +runc complain runuser complain rustdesk complain sdcv complain @@ -338,6 +489,7 @@ systemd-generator-user-environment complain systemd-generator-veritysetup complain systemd-homed complain systemd-homework complain +systemd-importd complain systemd-inhibit complain systemd-initctl complain systemd-mount complain @@ -399,3 +551,92 @@ xfce-session complain xsettingsd complain zpool complain +# Work in Progress +aa-load complain +aa-logprof complain +akonadi_agent_launcher complain +akonadi_agent_server complain +akonadi_davgroupware_resource complain +akonadi_etesync_resource complain +akonadi_ews_resource complain +akonadi_ewsmta_resource complain +akonadi_google_resource complain +akonadi_icaldir_resource complain +akonadi_imap_resource complain +akonadi_knut_resource complain +akonadi_kolab_resource complain +akonadi_mbox_resource complain +akonadi_mixedmaildir_resource complain +akonadi_notes_resource complain +akonadi_openxchange_resource complain +akonadi_pop3_resource complain +akonadi_rds complain +akonadi_tomboynotes_resource complain +akonadi_vcard_resource complain +akonadi_vcarddir_resource complain +appimagelauncherd complain +fprintd-delete complain +fprintd-enroll complain +fprintd-list complain +fprintd-verify complain +gdm-host-chooser complain +gdm-simple-chooser complain +gkbd-keyboard-display complain +glib-genmarshal complain +glib-gettextize complain +gnome-network-displays complain +gnome-tweak-tool-lid-inhibitor complain +homectl complain +hwsim complain +init-exim4 complain +install-catalog complain +iwdmon complain +lazydocker complain +loginctl complain +losetup complain +mount-ntfs-3g complain +nfsdcld complain +nginx complain +nvidia-settings complain +passim complain +prime-switch complain +qrencode complain +realmd complain +rpc.idmapd complain +rpc.mountd complain +rpc.statd complain +rpcbind complain +smbspool complain +systemd-battery-check complain +systemd-boot-check-no-failures complain +systemd-bsod complain +systemd-cgroups-agent complain +systemd-export complain +systemd-firstboot complain +systemd-hibernate-resume complain +systemd-import complain +systemd-import-fs complain +systemd-journal-gatewayd complain +systemd-journal-remote complain +systemd-journal-upload complain +systemd-pcrphase complain +systemd-pull complain +systemd-quotacheck complain +systemd-repart complain +systemd-reply-password complain +systemd-run complain +systemd-socket-activate complain +systemd-sulogin-shell complain +systemd-sysext complain +systemd-time-wait-sync complain +systemd-xdg-autostart-condition complain +tomb complain +tomb-kdb-pbkdf2 complain +virt-aa-helper complain +virtlogd complain +virtqemud complain +virtxend complain +waydroid complain + +# Not easy +portmaster-start complain From 14a00727fd3dbab10e7b96447363c9371bbb9331 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 14:03:01 +0200 Subject: [PATCH 1637/1736] feat(profile): add systemd-sysext and systemd-sysupdate. --- apparmor.d/groups/systemd/systemd-sysext | 77 +++++++++++++++++++++ apparmor.d/groups/systemd/systemd-sysupdate | 57 +++++++++++++++ dists/flags/main.flags | 2 + 3 files changed, 136 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-sysext create mode 100644 apparmor.d/groups/systemd/systemd-sysupdate diff --git a/apparmor.d/groups/systemd/systemd-sysext b/apparmor.d/groups/systemd/systemd-sysext new file mode 100644 index 0000000000..65659e2076 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-sysext @@ -0,0 +1,77 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/systemd-sysext @{bin}/systemd-confext +profile systemd-sysext @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fsetid, + capability net_admin, + capability sys_admin, + capability sys_resource, + + mount options=(rw bind) @{lib}/confexts/core-config/ -> @{run}/systemd/sysext/confexts/core-config/, + mount options=(rw bind) @{run}/systemd/sysext/overlay/etc/.systemd-confext/ -> @{run}/systemd/sysext/overlay/etc/.systemd-confext/, + mount options=(rw make-rslave) @{run}/, + mount options=(rw rbind) @{run}/systemd/sysext/overlay/etc/ -> /etc/, + mount fstype=overlay options=(ro nodev noexec nosuid) confext -> @{run}/systemd/sysext/overlay/etc/, + mount fstype=overlay options=(rw noatime nodev noexec nosuid) confext -> @{run}/systemd/sysext/overlay/etc/, + mount fstype=tmpfs confext -> @{run}/systemd/sysext/, + + umount /etc/, + umount /etc/.systemd-confext/, + + ptrace read peer=@{p_systemd}, + + signal send set=(cont term winch) peer=child-pager, + + @{exec_path} mr, + + @{pager_path} Px -> child-pager, + + @{att}/etc/ r, + @{att}/lib/confexts/{,**} r, + @{att}/meta/etc/ r, + @{att}/meta/etc/.systemd-confext/* r, + @{att}/var/lib/extensions.mutable/{,**} rw, + + /etc/ r, + /etc/.systemd-confext/confexts r, + /etc/.systemd-confext/dev r, + /etc/extension-release.d/extension-release.* r, + + @{run}/systemd/ r, + @{run}/systemd/nspawn/ r, + @{run}/systemd/nspawn/locks/* rwk, + @{run}/systemd/sysext/confexts/ rw, + @{run}/systemd/sysext/confexts/{,**/} rw, + @{run}/systemd/sysext/meta/ w, + @{run}/systemd/sysext/meta/etc/ rw, + @{run}/systemd/sysext/meta/etc/.systemd-confext/ rw, + @{run}/systemd/sysext/meta/etc/.systemd-confext/* w, + @{run}/systemd/sysext/overlay/{,**/} w, + + # /usr/lib/confexts/{,**} r, + # /usr/local/lib/confexts/{,**} r, + # /var/lib/confexts/{,**} r, + # @{run}/confexts/{,**} r, + + @{PROC}/@{pid}/mountinfo r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/cgroup r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-sysupdate b/apparmor.d/groups/systemd/systemd-sysupdate new file mode 100644 index 0000000000..488e06e2e1 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-sysupdate @@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-sysupdate +profile systemd-sysupdate @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability chown, + capability dac_override, + capability fowner, + capability fsetid, + capability linux_immutable, + capability mknod, + capability setfcap, + capability setpcap, + capability sys_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + unix send type=dgram peer=(label=unconfined, addr=@@{int}@{int}), + + @{exec_path} mr, + + @{bin}/gpg{,2} ix, + @{lib}/systemd/systemd-pull ix, + + @{etc_rw}/sysupdate.d/{,**} r, + + @{efi}/EFI/Linux/ r, + @{lib}/ r, + @{run}/ r, + /etc/ r, + /usr/ r, + /usr/local/lib/ r, + + /tmp/gpghome@{rand6}/ w, + /tmp/sig@{rand6} rw, + + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6c63ecc3b5..3475034015 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -497,6 +497,8 @@ systemd-network-generator complain systemd-portabled complain systemd-sleep-tlp complain systemd-socket-proxyd complain +systemd-sysext complain +systemd-sysupdate complain systemd-udevd complain systemd-user-sessions complain systemd-userwork complain From da23a896f2da95f03c92ff11236928a8f0bbf3e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 14:13:44 +0200 Subject: [PATCH 1638/1736] feat(profile): general update. --- apparmor.d/groups/freedesktop/wireplumber | 2 ++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 4 ---- apparmor.d/groups/freedesktop/xdg-document-portal | 3 +++ apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/localsearch | 1 - apparmor.d/groups/pacman/pacman-hook-dkms | 7 ------- apparmor.d/profiles-a-f/claude | 3 +++ apparmor.d/profiles-m-r/resources | 4 ---- apparmor.d/profiles-s-z/spotify | 2 -- apparmor.d/profiles-s-z/totem | 1 - apparmor.d/profiles-s-z/virt-manager | 1 - 11 files changed, 9 insertions(+), 21 deletions(-) diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 954becf9ce..f940fe2407 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -68,6 +68,8 @@ profile wireplumber @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + @{run}/snapd.socket rw, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 745380df35..719a605f78 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -104,10 +104,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{att}/ r, @{att}/.flatpak-info r, - /usr/share/xdg-desktop-portal/** r, - - /etc/sysconfig/proxy r, - owner /var/lib/gdm/seat@{int}/config/evolution/sources/ r, owner /var/lib/gdm/seat@{int}/config/evolution/sources/system-proxy.source r, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 437eb9ed90..c3d49c498e 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -57,10 +57,13 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/documents r, owner @{user_share_dirs}/Trash/files/** r, + owner @{run}/user/@{uid}/.flatpak/@{int}/bwrapinfo.json r, owner @{run}/user/@{uid}/doc/ rw, + @{PROC}/ r, @{PROC}/1/cgroup r, @{PROC}/sys/fs/pipe-max-size r, + owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8a5b85a210..db331f9093 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -111,7 +111,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider{,2} interface+=org.gnome.Shell.SearchProvider2 label="*" #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs #aa:dbus talk bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index c55d554c78..662ee14bc6 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -16,7 +16,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index 6afc311e31..949094e2f2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -29,13 +29,6 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { /etc/dkms/{,*} r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - - @{PROC}/@{pid}/cgroup r, - /dev/tty rw, # Inherit Silencer diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index d7f51602ce..aa43392424 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -180,6 +180,9 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{tmp}/claude{,-code}/** mix, owner @{tmp}/claude{,-code}/** rwlk -> @{tmp}/claude/**, + # Required to copy result to clipboard + owner @{run}/user/@{uid}/wayland-@{int} rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-code-@{int}.scope/memory.* r, diff --git a/apparmor.d/profiles-m-r/resources b/apparmor.d/profiles-m-r/resources index dc6f0dd006..24410de2dd 100644 --- a/apparmor.d/profiles-m-r/resources +++ b/apparmor.d/profiles-m-r/resources @@ -36,11 +36,7 @@ profile resources @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/ata@{int}/ r, @{sys}/devices/@{pci}/ata@{int}/**/model r, @{sys}/devices/@{pci}/ata@{int}/**/sata_spd r, - @{sys}/devices/@{pci}/current_link_speed r, - @{sys}/devices/@{pci}/current_link_width r, @{sys}/devices/@{pci}/ip_discovery/**/major r, - @{sys}/devices/@{pci}/max_link_speed r, - @{sys}/devices/@{pci}/max_link_width r, @{sys}/devices/**/block/**/address r, @{sys}/devices/**/block/**/model r, @{sys}/devices/**/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index c87abaec98..46b6b7394d 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -53,8 +53,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { /etc/spotify-adblock/* r, - owner @{HOME}/.tmp rw, - owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 4bb79cf212..f23dfcdf80 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -66,7 +66,6 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include - include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 9b23e513ba..a6a06c9ab8 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,7 +12,6 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include include include include From eeeed203d60265dd073d3986ba8ded717d7b1549 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 14:14:21 +0200 Subject: [PATCH 1639/1736] feat(profile): ensure child-systemctl can show systemd status. --- apparmor.d/groups/children/child-systemctl | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index 6dd9afd4a1..ee97d9f13c 100644 --- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl @@ -38,11 +38,16 @@ profile child-systemctl flags=(attach_disconnected) { /etc/machine-id r, /etc/systemd/user/{,**} rwl, + /var/lib/systemd/catalog/database r, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, @{run}/systemd/private rw, From 03871dd7670c45f92598ddf437e9e9524a0e0f48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 14:16:06 +0200 Subject: [PATCH 1640/1736] feat(profile): add mullvad-exclude --- apparmor.d/groups/network/mullvad-exclude | 34 +++++++++++++++++++++++ apparmor.d/groups/network/mullvad-gui | 12 ++++++-- dists/flags/main.flags | 1 + 3 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/groups/network/mullvad-exclude diff --git a/apparmor.d/groups/network/mullvad-exclude b/apparmor.d/groups/network/mullvad-exclude new file mode 100644 index 0000000000..f9188bc57d --- /dev/null +++ b/apparmor.d/groups/network/mullvad-exclude @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mullvad-exclude +profile mullvad-exclude @{exec_path} { + include + include + + capability setuid, + + unix (send receive) type=stream peer=(label=mullvad-gui), + + @{exec_path} mr, + + @{bin}/** PUx, + @{lib}/** PUx, + @{user_bin_dirs}/** PUx, + /opt/*/** PUx, + /usr/local/bin/** PUx, + /usr/share/** PUx, + + @{sys}/fs/cgroup/net_cls/mullvad-exclusions/cgroup.procs rw, + + @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 1f25ac88c2..b6a47e48eb 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -25,10 +25,18 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + unix (send receive) type=stream peer=(label=gsettings), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Inhibit + peer=(name=org.freedesktop.login1, label=systemd-logind), + @{exec_path} mrix, - @{bin}/gsettings rPx, + @{bin}/gsettings Px, + @{bin}/mullvad-exclude Px, - @{open_path} rPx -> child-open-browsers, + @{open_path} Px -> child-open-browsers, owner @{user_config_dirs}/autostart/mullvad-vpn.desktop rw, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3475034015..62c5abee77 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -372,6 +372,7 @@ mdadm complain mdadm-mkconf complain ModemManager complain mount complain +mullvad-exclude complain multipath complain multipathd complain needrestart-hook complain From 1c2f4f4afee439f0b3bb886b9c209a7ce69094dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 14:23:40 +0200 Subject: [PATCH 1641/1736] fix: too many profile transition. --- apparmor.d/abstractions/flatpak/base | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index 58eee52103..7f28c90835 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -78,7 +78,7 @@ owner @{run}/flatpak/app/@{appid}/ r, owner @{run}/flatpak/app/@{appid}/** mrwlk -> @{run}/flatpak/app/@{appid}/**, owner @{att}@{run}/flatpak/app/@{appid}/ r, - owner @{att}@{run}/flatpak/app/@{appid}/** mrwlk -> @{att}@{run}/flatpak/app/@{appid}/**, + owner @{att}@{run}/flatpak/app/@{appid}/** mrwlk, owner @{run}/flatpak/doc/ r, owner @{run}/flatpak/doc/** mrw, From 5a6e4e3bfa8cedd55da124af3bdda336768889d9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 14:28:22 +0200 Subject: [PATCH 1642/1736] fix: linting issue. --- apparmor.d/abstractions/sys/dmi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/sys/dmi b/apparmor.d/abstractions/sys/dmi index acfbb0ef9c..61927fe7e1 100644 --- a/apparmor.d/abstractions/sys/dmi +++ b/apparmor.d/abstractions/sys/dmi @@ -5,7 +5,7 @@ # Desktop Management Interface (DMI) firmware tables and identity files # # DMI is a standard framework for managing and tracking hardware components in a -# computer. +# computer. # # Games and game launchers (Steam, Proton, anti-cheat) read these for hardware # fingerprinting, telemetry, and compatibility checks. This is the same data From 4f3d3112d0ca972a57a0f77f2e37a9af55761f7a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 14:31:47 +0200 Subject: [PATCH 1643/1736] chore: remove useless config in flag manifesr. --- dists/flags/main.flags | 239 ----------------------------------------- 1 file changed, 239 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 62c5abee77..1452bc5b0e 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -7,155 +7,6 @@ systemd-user complain sd complain sdu complain -code enforce -claude enforce -code-extension-ltex enforce -code-extensions enforce -code-shells enforce -flatpak-session-helper-app enforce -spotify enforce -git enforce - -# TODO Later -# mullvad-daemon enforce -# mullvad-gui enforce - -# Self enforced (namespace) -:glycin:bwrap enforce -:glycin:loaders enforce -:makepkg:gpg enforce - -# Self enforced -# htop enforce -# accounts-daemon enforce -# blueman enforce -# bluetoothd enforce -# boltd enforce -# child-modprobe-nvidia enforce -# child-open enforce -# child-open-any enforce -# child-open-browsers enforce -# child-open-editor enforce -# child-open-email enforce -# child-open-help enforce -# child-open-strict enforce -# child-pager enforce -# child-systemctl enforce -# chromium enforce -# colord enforce -# cupsd enforce -# dconf-service enforce -# evolution-addressbook-factory enforce -# evolution-alarm-notify enforce -# evolution-calendar-factory enforce -# evolution-source-registry enforce -# fapp enforce -# fbwrap enforce -# # firefox enforce -# firewalld enforce -# flatpak-session-helper enforce -# gdm enforce -# gdm-session enforce -# gitstatusd enforce -# gnome-calculator enforce -# gnome-calendar enforce -# gnome-characters enforce -# gnome-clocks enforce -# gnome-contacts enforce -# gnome-extension-gsconnect enforce -# gnome-font-viewer enforce -# gnome-keyring-daemon enforce -# gnome-logs enforce -# gnome-maps enforce -# gnome-music enforce -# gnome-session enforce -# gnome-session-binary enforce -# gnome-session-check enforce -# gnome-session-ctl enforce -# gnome-session-init-worker enforce -# gnome-session-service enforce -# gnome-shell enforce -# gnome-shell-calendar-server enforce -# gnome-system-monitor enforce -# gnome-terminal-serve enforce -# gnome-weather enforce -# goa-daemon enforce -# goa-identity-service enforce -# gpg-agent enforce -# gsd-a11y-settings enforce -# gsd-color enforce -# gsd-datetime enforce -# gsd-disk-utility-notify enforce -# gsd-housekeeping enforce -# gsd-keyboard enforce -# gsd-media-keys enforce -# gsd-power enforce -# gsd-print-notifications enforce -# gsd-printer -# gsd-rfkill enforce -# gsd-screensaver-proxy enforce -# gsd-sharing enforce -# gsd-smartcard enforce -# gsd-sound enforce -# gsd-usb-protection enforce -# gsd-xsettings enforce -# gvfs-afc-volume-monitor enforce -# gvfs-goa-volume-monitor enforce -# gvfs-gphoto2-volume-monitor enforce -# gvfs-mtp-volume-monitor enforce -# gvfs-udisks2-volume-monitor enforce -# gvfsd enforce -# gvfsd-metadata enforce -# gvfsd-trash enforce -# ibus-daemon enforce -# ibus-dconf enforce -# ibus-engine-simple enforce -# ibus-extension-gtk3 enforce -# ibus-portal enforce -# ibus-x11 enforce -# irqbalance enforce -# localsearch enforce -# localsearch-control enforce -# localsearch-writeback enforce -# loupe enforce -# mkosi enforce -# mutter-x11-frames enforce -# nautilus enforce -# NetworkManager enforce -# nvidia-smi enforce -# obexd enforce -# org.gnome.NautilusPreviewer enforce -# papers enforce -# pipewire enforce -# polkitd enforce -# power-profiles-daemon enforce -# ptyxis enforce -# ptyxis-agent enforce -# rngd enforce -# rtkit-daemon enforce -# scdaemon enforce -# seahorse enforce -# showtime enforce -# signal-desktop enforce -# ssh-agent enforce -# superproductivity enforce -# switcheroo-control enforce -# syncthing enforce -# systemd-journald enforce -# systemd-timesyncd enforce -# telca enforce -# upowerd enforce -# virt-manager enforce -# wireplumber enforce -# wpa-supplicant enforce -# xdg-desktop-portal enforce -# xdg-desktop-portal-gnome enforce -# xdg-desktop-portal-gtk enforce -# xdg-document-portal enforce -# xdg-permission-store enforce -# xwayland enforce -# yelp enforce - akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -553,93 +404,3 @@ xembedsniproxy complain xfce-session complain xsettingsd complain zpool complain - -# Work in Progress -aa-load complain -aa-logprof complain -akonadi_agent_launcher complain -akonadi_agent_server complain -akonadi_davgroupware_resource complain -akonadi_etesync_resource complain -akonadi_ews_resource complain -akonadi_ewsmta_resource complain -akonadi_google_resource complain -akonadi_icaldir_resource complain -akonadi_imap_resource complain -akonadi_knut_resource complain -akonadi_kolab_resource complain -akonadi_mbox_resource complain -akonadi_mixedmaildir_resource complain -akonadi_notes_resource complain -akonadi_openxchange_resource complain -akonadi_pop3_resource complain -akonadi_rds complain -akonadi_tomboynotes_resource complain -akonadi_vcard_resource complain -akonadi_vcarddir_resource complain -appimagelauncherd complain -fprintd-delete complain -fprintd-enroll complain -fprintd-list complain -fprintd-verify complain -gdm-host-chooser complain -gdm-simple-chooser complain -gkbd-keyboard-display complain -glib-genmarshal complain -glib-gettextize complain -gnome-network-displays complain -gnome-tweak-tool-lid-inhibitor complain -homectl complain -hwsim complain -init-exim4 complain -install-catalog complain -iwdmon complain -lazydocker complain -loginctl complain -losetup complain -mount-ntfs-3g complain -nfsdcld complain -nginx complain -nvidia-settings complain -passim complain -prime-switch complain -qrencode complain -realmd complain -rpc.idmapd complain -rpc.mountd complain -rpc.statd complain -rpcbind complain -smbspool complain -systemd-battery-check complain -systemd-boot-check-no-failures complain -systemd-bsod complain -systemd-cgroups-agent complain -systemd-export complain -systemd-firstboot complain -systemd-hibernate-resume complain -systemd-import complain -systemd-import-fs complain -systemd-journal-gatewayd complain -systemd-journal-remote complain -systemd-journal-upload complain -systemd-pcrphase complain -systemd-pull complain -systemd-quotacheck complain -systemd-repart complain -systemd-reply-password complain -systemd-run complain -systemd-socket-activate complain -systemd-sulogin-shell complain -systemd-sysext complain -systemd-time-wait-sync complain -systemd-xdg-autostart-condition complain -tomb complain -tomb-kdb-pbkdf2 complain -virt-aa-helper complain -virtlogd complain -virtqemud complain -virtxend complain -waydroid complain - -# Not easy -portmaster-start complain From e7f0dd4cb529247a2c710a49c7432b6226dc3b8d Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Mon, 6 Apr 2026 18:16:21 +0100 Subject: [PATCH 1644/1736] fix(profile): quick fix. --- apparmor.d/groups/gvfs/gvfsd-mtp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 0589bfad86..7bd7c4a3f2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -26,6 +26,8 @@ profile gvfsd-mtp @{exec_path} { @{exec_path} mr, + / r, + owner @{HOME}/ r, owner @{HOME}/** rw, owner @{MOUNTS}/** rw, From d1bdc94d8c0b4b8d0a08e67034100ab986e29471 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 20:01:51 +0200 Subject: [PATCH 1645/1736] feat(abs): add sys/dmi-full, and use it in profiles. --- apparmor.d/abstractions/app/firefox | 3 +- apparmor.d/abstractions/flatpak/devices/all | 17 ++-------- apparmor.d/abstractions/flatpak/devices/dri | 5 +-- apparmor.d/abstractions/gstreamer | 6 +--- apparmor.d/abstractions/sys/dmi | 15 ++------- apparmor.d/abstractions/sys/dmi-full | 32 +++++++++++++++++++ apparmor.d/groups/_full/sdu | 4 +-- apparmor.d/groups/_full/systemd | 6 +--- apparmor.d/groups/_full/systemd-user | 6 +--- apparmor.d/groups/freedesktop/boltd | 4 +-- apparmor.d/groups/freedesktop/colord | 4 +-- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/wireplumber | 5 +-- .../groups/freedesktop/xdg-desktop-portal-gtk | 6 +--- .../freedesktop/xdg-desktop-portal-hyprland | 8 ++--- apparmor.d/groups/gnome/gnome-initial-setup | 7 +--- apparmor.d/groups/gnome/gnome-shell | 4 +-- apparmor.d/groups/kde/kwin_wayland | 5 +-- apparmor.d/groups/kde/plasmashell | 5 +-- apparmor.d/groups/network/tailscaled | 3 +- .../systemd-generator-ds-identify | 6 +--- .../systemd-generators/systemd-generator-ssh | 6 +--- apparmor.d/groups/systemd/bootctl | 3 +- apparmor.d/groups/systemd/systemd-detect-virt | 6 +--- apparmor.d/groups/systemd/systemd-hostnamed | 12 +------ apparmor.d/groups/systemd/systemd-networkd | 4 +-- apparmor.d/groups/virt/virtnodedevd | 2 +- apparmor.d/profiles-a-f/cheese | 6 +--- apparmor.d/profiles-m-r/mpv | 5 +-- apparmor.d/profiles-s-z/sensors-detect | 5 +-- apparmor.d/profiles-s-z/simple-scan | 7 +--- apparmor.d/profiles-s-z/spice-vdagent | 4 +-- apparmor.d/profiles-s-z/tlp | 3 +- apparmor.d/profiles-s-z/vlc | 7 ---- apparmor.d/profiles-s-z/waybar | 4 --- apparmor.d/profiles-s-z/xournalpp | 5 --- 38 files changed, 69 insertions(+), 167 deletions(-) create mode 100644 apparmor.d/abstractions/sys/dmi-full diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 37df87e554..14c8a4df1b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -47,6 +47,7 @@ include include include + include include include @@ -143,8 +144,6 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, diff --git a/apparmor.d/abstractions/flatpak/devices/all b/apparmor.d/abstractions/flatpak/devices/all index 0a02efe57e..5d7a561151 100644 --- a/apparmor.d/abstractions/flatpak/devices/all +++ b/apparmor.d/abstractions/flatpak/devices/all @@ -22,6 +22,8 @@ include include + include + @{sys}/class/*/ r, @{sys}/bus/*/devices/ r, @@ -32,21 +34,6 @@ @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, - @{sys}/devices/virtual/dmi/id/bios_date r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/bios_version rk, - @{sys}/devices/virtual/dmi/id/board_asset_tag r, - @{sys}/devices/virtual/dmi/id/board_name r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/board_version r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/dmi/id/chassis_vendor r, - @{sys}/devices/virtual/dmi/id/chassis_version r, - @{sys}/devices/virtual/dmi/id/product_family r, - @{sys}/devices/virtual/dmi/id/product_name rk, - @{sys}/devices/virtual/dmi/id/product_sku r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor rk, owner @{PROC}/@{pid}/uid_map r, diff --git a/apparmor.d/abstractions/flatpak/devices/dri b/apparmor.d/abstractions/flatpak/devices/dri index b47872a424..3b200e0b45 100644 --- a/apparmor.d/abstractions/flatpak/devices/dri +++ b/apparmor.d/abstractions/flatpak/devices/dri @@ -8,6 +8,7 @@ include include include + include unix (bind listen) type=seqpacket addr=@@{hex}@{hex}, @@ -20,10 +21,6 @@ @{sys}/bus/ r, @{sys}/devices/@{pci_bus}/uevent r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 750e13782c..f147c7423b 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -6,6 +6,7 @@ abi , include + include unix (bind listen) type=seqpacket addr=@@{hex}, unix (bind listen) type=seqpacket addr=@@{hex}@{hex}, @@ -36,11 +37,6 @@ @{sys}/devices/**/video4linux/video@{int}/ r, @{sys}/devices/**/video4linux/video@{int}/uevent r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - /dev/ r, /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/abstractions/sys/dmi b/apparmor.d/abstractions/sys/dmi index 61927fe7e1..f8ae65aa74 100644 --- a/apparmor.d/abstractions/sys/dmi +++ b/apparmor.d/abstractions/sys/dmi @@ -7,26 +7,15 @@ # DMI is a standard framework for managing and tracking hardware components in a # computer. # -# Games and game launchers (Steam, Proton, anti-cheat) read these for hardware -# fingerprinting, telemetry, and compatibility checks. This is the same data -# from dmidecode but readable without root via sysfs. +# It is a light version of that leaks only the most +# basic identity information and no version strings. abi , - @{sys}/devices/virtual/dmi/id/bios_date r, # BIOS release date @{sys}/devices/virtual/dmi/id/bios_vendor r, # BIOS manufacturer - @{sys}/devices/virtual/dmi/id/bios_version r, # BIOS version string - @{sys}/devices/virtual/dmi/id/board_asset_tag r, # Motherboard asset tag - @{sys}/devices/virtual/dmi/id/board_name r, # Motherboard model @{sys}/devices/virtual/dmi/id/board_vendor r, # Motherboard manufacturer - @{sys}/devices/virtual/dmi/id/board_version r, # Motherboard revision - @{sys}/devices/virtual/dmi/id/chassis_type r, # Chassis form factor (numeric) - @{sys}/devices/virtual/dmi/id/chassis_vendor r, # Chassis manufacturer - @{sys}/devices/virtual/dmi/id/chassis_version r, # Chassis version @{sys}/devices/virtual/dmi/id/product_family r, # Product family name @{sys}/devices/virtual/dmi/id/product_name r, # System product name - @{sys}/devices/virtual/dmi/id/product_sku r, # Product SKU identifier - @{sys}/devices/virtual/dmi/id/product_version r, # Product version @{sys}/devices/virtual/dmi/id/sys_vendor r, # System manufacturer include if exists diff --git a/apparmor.d/abstractions/sys/dmi-full b/apparmor.d/abstractions/sys/dmi-full new file mode 100644 index 0000000000..3caafbcb6c --- /dev/null +++ b/apparmor.d/abstractions/sys/dmi-full @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Desktop Management Interface (DMI) firmware tables and identity files +# +# DMI is a standard framework for managing and tracking hardware components in a +# computer. +# +# Games and game launchers (Steam, Proton, anti-cheat) read these for hardware +# fingerprinting, telemetry, and compatibility checks. This is the same data +# from dmidecode but readable without root via sysfs. + + abi , + + include + + @{sys}/devices/virtual/dmi/id/ r, + @{sys}/devices/virtual/dmi/id/bios_date r, # BIOS release date + @{sys}/devices/virtual/dmi/id/bios_version r, # BIOS version string + @{sys}/devices/virtual/dmi/id/board_asset_tag r, # Motherboard asset tag + @{sys}/devices/virtual/dmi/id/board_version r, # Motherboard revision + @{sys}/devices/virtual/dmi/id/chassis_asset_tag r, # Chassis asset tag + @{sys}/devices/virtual/dmi/id/chassis_type r, # Chassis form factor (numeric) + @{sys}/devices/virtual/dmi/id/chassis_vendor r, # Chassis manufacturer + @{sys}/devices/virtual/dmi/id/chassis_version r, # Chassis version + @{sys}/devices/virtual/dmi/id/product_sku r, # Product SKU identifier + @{sys}/devices/virtual/dmi/id/product_version r, # Product version + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 65921a3ba2..62f29bfc6d 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -28,6 +28,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include network netlink raw, @@ -96,9 +97,6 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/sound/seq/uevent r, @{sys}/devices/virtual/sound/timer/uevent r, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d71096526e..b76db1a239 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -66,6 +66,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { include include include + include include capability audit_control, @@ -192,11 +193,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 1931b4637b..d41ebb3b06 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -29,6 +29,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { include include include + include network netlink raw, @@ -79,11 +80,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 0deb40ed7c..5ded880230 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -12,6 +12,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { include include include + include capability net_admin, @@ -53,9 +54,6 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/domain@{int}/security r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, include if exists } diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 080244feaa..eaade45093 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -18,6 +18,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -69,9 +70,6 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/model r, @{sys}/devices/@{pci}/type r, @{sys}/devices/@{pci}/vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/parport@{int}/base-addr r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 5c27d41cdd..9f9ffcbd6a 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -17,6 +17,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, @@ -63,7 +64,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,removable,uevent} r, @{sys}/devices/**/device:*/**/path r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, @{sys}/module/apparmor/parameters/enabled r, owner @{PROC}/@{pid}/attr/apparmor/current r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index ceb42f349a..f21bc07bdc 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -28,6 +28,7 @@ profile pulseaudio @{exec_path} { include include include + include ptrace trace peer=@{profile_name}, @@ -86,7 +87,6 @@ profile pulseaudio @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/devices/**/sound/**/{uevent,pcm_class} r, - @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, deny @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4d1bf9fdac..a78ff72f40 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -17,6 +17,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { include include include + include capability net_admin, capability sys_admin, @@ -60,7 +61,6 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/ r, @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/product_name r, include if exists } diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index f940fe2407..8363c282c7 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -19,6 +19,7 @@ profile wireplumber @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -84,10 +85,6 @@ profile wireplumber @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 99316e6c20..ec450bc9fe 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -21,6 +21,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -50,11 +51,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - owner @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland index 15e130f923..5434a43012 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland @@ -15,6 +15,7 @@ profile xdg-desktop-portal-hyprland @{exec_path} { include include include + include @{exec_path} mr, @@ -27,13 +28,8 @@ profile xdg-desktop-portal-hyprland @{exec_path} { owner /tmp/hypr/\#@{int} rwkl, owner /tmp/hypr/hyprland-share-picker.conf* rwkl, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm w, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 078159a333..a372615bbd 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -17,6 +17,7 @@ profile gnome-initial-setup @{exec_path} { include include include + include include network inet dgram, @@ -88,12 +89,6 @@ profile gnome-initial-setup @{exec_path} { owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/bios_version r, - @{sys}/devices/virtual/dmi/id/product_family r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index db331f9093..9807ddf0d7 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -31,6 +31,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -408,9 +409,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r, @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 76d954bc82..4d1fa5013c 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -17,6 +17,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include # See https://community.kde.org/Distributions/Packaging_Recommendations#KWin_package_configuration capability sys_nice, @@ -134,10 +135,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/drm/ r, @{sys}/class/input/ r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # for motherboard info diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index bbded7f81d..6b11a9db4a 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -25,6 +25,7 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -235,10 +236,6 @@ profile plasmashell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/platform/** r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/thermal/**/{name,type} r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 26e771a667..0fd176f6b4 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -12,6 +12,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability mknod, @@ -55,8 +56,6 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { owner @{run}/tailscale/{,**} rw, - @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r, - @{PROC}/ r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/net/{,**} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify index f4c679f13e..9870ba9057 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify @@ -11,6 +11,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include include + include ptrace read peer=@{p_systemd}, @@ -30,11 +31,6 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{sys}/class/*/ r, @{sys}/devices/**/name r, - @{sys}/devices/virtual/dmi/id/chassis_asset_tag r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_serial r, - @{sys}/devices/virtual/dmi/id/product_uuid r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/cmdline r, @{PROC}/uptime r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh index dee02177d0..5ce8d2f8e4 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { include + include capability net_admin, @@ -32,11 +33,6 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 70a91197fd..dce710ae20 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -12,6 +12,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include capability linux_immutable, capability mknod, @@ -43,8 +44,6 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/tpmrm/ r, @{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r, - @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 8a7993ab25..8aa2896c01 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,6 +11,7 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include + include capability sys_ptrace, @@ -22,11 +23,6 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/container r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 7275b6dfcb..4675b2f7d2 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -13,6 +13,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_admin, # To set a hostname @@ -35,17 +36,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/default-hostname rw, @{run}/udev/data/+dmi:* r, # for motherboard info - @{sys}/devices/virtual/dmi/id/ r, - @{sys}/devices/virtual/dmi/id/bios_date r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/bios_version r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_serial r, - @{sys}/devices/virtual/dmi/id/product_uuid r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, @{sys}/firmware/acpi/pm_profile r, @{sys}/firmware/dmi/entries/*/raw r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3c358757e2..ea4ff38af4 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -14,6 +14,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { include include include + include capability bpf, capability net_admin, @@ -86,9 +87,6 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/net/{,**} r, @{sys}/devices/**/phy@{int}/** r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/fs/cgroup/ r, @{sys}/fs/cgroup/system.slice/networkd-*.service/ r, @{sys}/kernel/btf/vmlinux r, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 1a7b62e1e6..89b62f50f2 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -15,6 +15,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { include include include + include capability net_admin, capability sys_admin, @@ -87,7 +88,6 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, @{sys}/devices/virtual/net/{,**} r, @{sys}/kernel/iommu_groups/ r, @{sys}/kernel/iommu_groups/@{int}/devices/ r, diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index 33b933be2f..98d96edbd9 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -18,6 +18,7 @@ profile cheese @{exec_path} { include include include + include include network netlink raw, @@ -44,11 +45,6 @@ profile cheese @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index c1253e2372..8493a7ddd8 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -19,6 +19,7 @@ profile mpv @{exec_path} { include include include + include include network inet dgram, @@ -66,10 +67,6 @@ profile mpv @{exec_path} { @{sys}/class/ r, @{sys}/devices/**/sound/**/capabilities/* r, @{sys}/devices/**/sound/**/uevent r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/ r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index d21cf6f565..a8d2f636c4 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -11,6 +11,7 @@ include profile sensors-detect @{exec_path} { include include + include capability syslog, @@ -29,10 +30,6 @@ profile sensors-detect @{exec_path} { @{sys}/devices/@{pci}/{class,vendor,device} r, @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/modalias r, - @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/dmi/id/product_{version,name} r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/modules r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index e6d09785bc..ad746f4e27 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -13,6 +13,7 @@ profile simple-scan @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -34,12 +35,6 @@ profile simple-scan @{exec_path} flags=(attach_disconnected) { @{sys}/bus/scsi/devices/ r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/board_name r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/board_version r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/scsi/scsi r, @{PROC}/sys/dev/parport/ r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 9bb084a8cd..1d97de454a 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -20,6 +20,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include + include include dbus send bus=session path=/org/freedesktop/portal/desktop @@ -39,9 +40,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, @{run}/spice-vdagentd/spice-vdagent-sock rw, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pids}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 498a53b8e9..0bfc8eecdb 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -17,6 +17,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, @@ -86,8 +87,6 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/@{uuid}/@{pci}/class r, @{sys}/devices/**/net/**/uevent r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, @{sys}/module/*/parameters/power_save rw, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index f5d3090871..55c131c101 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -71,13 +71,6 @@ profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/mount/utab r, - @{sys}/devices/virtual/dmi/id/board_name r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/board_version r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index e6abca0f5c..0d6ca95636 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -28,10 +28,6 @@ profile waybar @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/uevent r, @{sys}/devices/system/cpu/present r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 0d6c4d65f1..a4337515c4 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -29,11 +29,6 @@ profile xournalpp @{exec_path} { owner @{user_config_dirs}/xournalpp/{,**} rw, owner @{user_cache_dirs}/xournalpp/{,**} rw, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, From f2f046c8199739751334a48264c82abec949cf31 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 21:20:43 +0200 Subject: [PATCH 1646/1736] feat(abs): electron: improve crashpad_handler. --- apparmor.d/abstractions/common/electron | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index e2bafeab92..c33ea62399 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -117,13 +117,32 @@ profile crashpad_handler flags=(attach_disconnected) { include + signal send peer=@{name}, + + ptrace read peer=@{name}, + ptrace trace peer=@{name}, + unix (send receive) type=seqpacket peer=(label=@{name}), unix (send receive) type=seqpacket, # peer=(label=---), @{lib}/electron@{int}/chrome_crashpad_handler mr, @{lib_dirs}/chrome_crashpad_handler mr, - owner @{config_dirs}/Crashpad/{,**} rw, + owner @{config_dirs}/Crashpad/{,**} rwk, + + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm r, + + deny network inet dgram, + deny network inet stream, + deny network inet6 dgram, + deny network inet6 stream, include if exists } From 4e2c99e4706a6109c2e22421e11377573b2409d3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 21:28:41 +0200 Subject: [PATCH 1647/1736] feat(profile): chromium: ix some xdg tool. --- apparmor.d/abstractions/app/chromium | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index e8db7ac728..895d832821 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -81,9 +81,9 @@ # Desktop integration @{bin}/lsb_release Px, - @{bin}/xdg-desktop-menu Px -> &xdg-desktop-menu, + @{bin}/xdg-desktop-menu ix, @{bin}/xdg-email Px, - @{bin}/xdg-icon-resource Px -> &xdg-icon-resource, + @{bin}/xdg-icon-resource ix, @{bin}/xdg-mime rix, @{bin}/xdg-open Px -> child-open-any, @{bin}/xdg-settings rix, @@ -130,6 +130,8 @@ owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/*.menu rw, owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{user_share_dirs}/icons/hicolor/.icon-theme.cache w, + owner @{user_share_dirs}/icons/hicolor/icon-theme.cache w, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, From 0cc5190d7f88281c24b8263497a5a70321ed219c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 6 Apr 2026 21:40:02 +0200 Subject: [PATCH 1648/1736] feat(profile): firefox: cleanup proc access. --- apparmor.d/abstractions/app/firefox | 51 +++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 14c8a4df1b..163994979b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -53,10 +53,12 @@ userns, - capability sys_admin, # If kernel.unprivileged_userns_clone = 1 - capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 capability sys_ptrace, + # Needed with sysctl_kernel_unprivileged_userns_clone = 1 + capability sys_admin, + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -149,31 +151,60 @@ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, - @{PROC}/@{pid}/net/arp r, - @{PROC}/@{pid}/net/if_inet6 r, - @{PROC}/@{pid}/net/route r, + # Network interface information + @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/net/route r, + + # Allow reading cgroup membership information for process introspection owner @{PROC}/@{pid}/cgroup r, + + # Allow reading command line arguments for process identification owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + + # Allow reading our own environment variables owner @{PROC}/@{pid}/environ r, + + # Allow listing file descriptors owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/mountinfo r, + + # Needed with sysctl_kernel_unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/uid_map w, + + # This is an information leak but disallowing it leads to developer confusion + # when using the chromium content api file chooser due to a (harmless) glib + # warning and the noisy AppArmor denial. owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, + + # Reads of oom_adj and oom_score_adj are safe + owner @{PROC}/@{pid}/oom_adj r, + owner @{PROC}/@{pid}/oom_score_adj r, + + # This allows raising the OOM score of other processes owned by the user. owner @{PROC}/@{pid}/oom_score_adj w, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + # Provide statistical information about our own processes/threads owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/task/@{tid}/status r, /dev/tty rw, owner /dev/tty@{u8} rw, # File Inherit # Silencer deny dbus send bus=system path=/org/freedesktop/hostname1, + deny dbus send bus=system path=/org/freedesktop/login1, deny /tmp/MozillaUpdateLock-* w, deny owner @{HOME}/.* r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, From d7d272378df2a8af36d41c2b9cb442812faad893 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Tue, 7 Apr 2026 18:26:14 +0100 Subject: [PATCH 1649/1736] fix(profile): let docker kill containers. --- apparmor.d/groups/virt/containerd-shim-runc-v2 | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 04b355a481..7462d0b773 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -18,6 +18,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_ptrace, capability sys_resource, + capability kill, ptrace (read) peer=containerd, ptrace (read) peer=unconfined, From 94d1fac4bfc4eba3ae78c11a1a4918c22b5f0039 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 7 Apr 2026 23:17:29 +0200 Subject: [PATCH 1650/1736] feat(profile): various minor improvements. --- .../bus/system/fi.w1.wpa_supplicant1 | 1 - .../flatpak/baseapp/com.valvesoftware.Steam | 12 ++++++---- apparmor.d/groups/bus/dbus-system | 2 ++ .../groups/flatpak/flatpak-system-helper | 2 ++ apparmor.d/groups/freedesktop/colord | 4 ++-- apparmor.d/groups/freedesktop/pipewire-pulse | 5 +--- apparmor.d/groups/freedesktop/upowerd | 2 +- .../groups/freedesktop/xdg-desktop-portal | 7 +++--- .../groups/gnome/gnome-desktop-thumbnailers | 2 ++ apparmor.d/groups/procps/htop | 12 +--------- .../systemd-generators/systemd-generator-ssh | 2 +- .../systemd/systemd-tty-ask-password-agent | 4 ++-- apparmor.d/groups/utils/lsblk | 1 + apparmor.d/profiles-a-f/claude | 2 ++ apparmor.d/profiles-m-r/protonmail | 2 +- apparmor.d/profiles-m-r/resources | 23 +++++++++++-------- apparmor.d/profiles-s-z/waybar | 1 + apparmor.d/profiles-s-z/xournalpp | 1 + 18 files changed, 44 insertions(+), 41 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 6b925e8d1f..dac62128d1 100644 --- a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -16,7 +16,6 @@ member={Get,GetAll} peer=(name=@{busname}, label=wpa-supplicant), - # DBus.Properties: receive property changed events dbus receive bus=system path=/fi/w1/wpa_supplicant1 diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam index 50d18bd76c..4087921faf 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -25,11 +25,15 @@ @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{PROC}/@{pid}/comm rk, + # Pressure Stall Information interface + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + + # Allow reading command line arguments for process identification + @{PROC}/@{pids}/comm rk, + @{PROC}/locks r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, @{PROC}/sys/kernel/sched_autogroup_enabled r, owner @{PROC}/@{pid}/autogroup rw, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index ca174d80ef..fa654f72b4 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -43,6 +43,8 @@ profile dbus-system flags=(attach_disconnected) { unix (send receive ) type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=deb-systemd-invoke), + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} # Larger than what is allowed in the directive above, needed due to complex diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index cf907e5eb3..280d858f74 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -29,6 +29,8 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de capability sys_nice, capability sys_ptrace, + network inet6 dgram, + ptrace read, unix type=seqpacket peer=(label=dbus-system), diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index eaade45093..a782e4e0e4 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -11,14 +11,14 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include include include include + include include include include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index fa20e82331..5dbc39af87 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -15,6 +15,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, @@ -40,10 +41,6 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/pulse/pid w, owner @{tmp}/librnnoise-@{int}.so rm, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/module/apparmor/parameters/enabled r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index a78ff72f40..39fd3803c6 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -10,8 +10,8 @@ include @{exec_path} = @{lib}/{,upower/}upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include - include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 719a605f78..319773534f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -17,6 +17,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -24,6 +25,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -112,6 +114,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { # The portal can receive any user file as it is a file chooser for UI app. owner @{HOME}/** r, + owner @{HOME}/.var/app/*/{,**} rw, @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, @@ -124,10 +127,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak/{,*/*} r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, @{PROC}/@{pids}/status r, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 4773a551ba..de4193962f 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -14,6 +14,8 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { capability dac_override, + unix (send receive) type=stream peer=(label=nautilus), + signal receive set=kill peer=nautilus, @{bin}/*-thumbnailer Cx -> &gnome-desktop-thumbnailers//thumbnailer, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 416686e61f..02b36c4f44 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -12,6 +12,7 @@ profile htop @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -55,17 +56,6 @@ profile htop @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/online r, @{sys}/devices/virtual/block/zram@{int}/{disksize,mm_stat} r, - @{sys}/devices/virtual/dmi/id/ r, - @{sys}/devices/virtual/dmi/id/bios_date r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/bios_version r, - @{sys}/devices/virtual/dmi/id/chassis_asset_tag r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/dmi/id/chassis_vendor r, - @{sys}/devices/virtual/dmi/id/chassis_version r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh index 5ce8d2f8e4..e73b65fc7a 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { include - include + include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 8d0cf72eff..3dd8af829e 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -21,11 +21,11 @@ profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) ptrace read peer=systemd-cryptsetup, signal receive set=(term cont winch) peer=@{p_logrotate}, + signal receive set=(term cont winch) peer=*//root, + signal receive set=(term cont winch) peer=*//sudo, signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, - signal receive set=(term cont winch) peer=default, signal receive set=(term cont winch) peer=machinectl, - signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, signal receive set=(term cont winch) peer=systemd-run, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 4289628e4f..c22090caa0 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -30,6 +30,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { deny network inet stream, deny network inet6 stream, deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + deny /dev/udmabuf rw, include if exists } diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index aa43392424..3558d6abeb 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -72,6 +72,8 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.claude/** rwkl -> @{HOME}/.claude/**, owner @{HOME}/.npm/{,**} rw, + owner @{user_share_dirs}/applications/claude-code-url-handler.desktop r, + # TODO: deny this as self update is an abberation owner @{user_bin_dirs}/claude w, owner @{user_bin_dirs}/claude.tmp.* rw, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index dd74ae0e3b..cbdd8a5b8e 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -9,7 +9,7 @@ include @{name} = proton-mail "Proton Mail" @{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/@{name} +@{lib_dirs} = /opt/@{name} /usr/share/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-m-r/resources b/apparmor.d/profiles-m-r/resources index 24410de2dd..6c7d1061e5 100644 --- a/apparmor.d/profiles-m-r/resources +++ b/apparmor.d/profiles-m-r/resources @@ -14,6 +14,8 @@ profile resources @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + #aa:dbus own bus=session name=net.nokyan.Resources @{exec_path} mr, @@ -34,20 +36,19 @@ profile resources @{exec_path} flags=(attach_disconnected) { @{sys}/block/ r, @{sys}/class/*/ r, @{sys}/devices/@{pci}/ata@{int}/ r, - @{sys}/devices/@{pci}/ata@{int}/**/model r, @{sys}/devices/@{pci}/ata@{int}/**/sata_spd r, @{sys}/devices/@{pci}/ip_discovery/**/major r, - @{sys}/devices/**/block/**/address r, - @{sys}/devices/**/block/**/model r, - @{sys}/devices/**/block/**/queue/rotational r, - @{sys}/devices/**/block/**/removable r, - @{sys}/devices/**/block/**/ro r, - @{sys}/devices/**/block/**/size r, - @{sys}/devices/**/block/**/stat r, - @{sys}/devices/**/net/*/address r, - @{sys}/devices/**/net/*/speed r, + @{sys}/devices/**/address r, + @{sys}/devices/**/model r, + @{sys}/devices/**/queue/rotational r, + @{sys}/devices/**/removable r, + @{sys}/devices/**/ro r, + @{sys}/devices/**/size r, + @{sys}/devices/**/speed r, + @{sys}/devices/**/stat r, @{sys}/devices/**/statistics/rx_bytes r, @{sys}/devices/**/statistics/tx_bytes r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_avg_freq r, @{PROC}/devices r, @{PROC}/uptime r, @@ -122,6 +123,8 @@ profile resources @{exec_path} flags=(attach_disconnected) { /etc/udev/udev.conf r, + / r, + @{run}/udev/data/+dmi:* r, # for motherboard info @{sys}/devices/virtual/dmi/id/uevent r, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 0d6ca95636..d246ed3454 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -15,6 +15,7 @@ profile waybar @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index a4337515c4..331fb5e380 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -14,6 +14,7 @@ profile xournalpp @{exec_path} { include include include + include include include From 496191dcee994a9590526e595008ccd1b74d7c04 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 8 Apr 2026 13:38:58 +0200 Subject: [PATCH 1651/1736] fix(profile): hostname: typo in attachments. fix #1094 --- apparmor.d/profiles-g-l/hostname | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index bf5ecd9f8d..1088774886 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname} +@{exec_path} = @{bin}/hostname @{bin}/domainname @{bin}/ypdomainname @{bin}/nisdomainname @{bin}/dnsdomainname profile hostname @{exec_path} flags=(attach_disconnected) { include include From 5511bb28af32ced9036374f8b5545134e83c40b3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 8 Apr 2026 22:37:04 +0200 Subject: [PATCH 1652/1736] feat(abs): update bluetooth abs --- apparmor.d/abstractions/bluetooth-control | 5 +++-- .../abstractions/bus/system/org.bluez.Bearer | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/abstractions/bus/system/org.bluez.Bearer diff --git a/apparmor.d/abstractions/bluetooth-control b/apparmor.d/abstractions/bluetooth-control index 39a3344116..3b8cf3cbd8 100644 --- a/apparmor.d/abstractions/bluetooth-control +++ b/apparmor.d/abstractions/bluetooth-control @@ -9,6 +9,7 @@ include + include include include include @@ -16,12 +17,12 @@ dbus send bus=system path=/org/bluez/hci@{int} interface=org.freedesktop.DBus.Properties member=Set - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}{,/**} interface=org.freedesktop.DBus.Properties member=Set - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/system/org.bluez.Bearer b/apparmor.d/abstractions/bus/system/org.bluez.Bearer new file mode 100644 index 0000000000..644b18387d --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.bluez.Bearer @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=system path=/org/bluez/hci@{int}/dev_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2}_@{hex2} + interface=org.bluez.Bearer.* + member=Disconnected + peer=(name=@{busname}, label=bluetoothd), + + include if exists + +# vim:syntax=apparmor From 45c872de2edf32c769571536ddd1fba346a72185 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 8 Apr 2026 22:37:44 +0200 Subject: [PATCH 1653/1736] feat(abs): update dev abs --- apparmor.d/abstractions/development | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index f72a813ed0..b2d52aa274 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -49,6 +49,7 @@ owner /dev/shm/sem.* rwl, + owner @{tmp}/@{word8} rw, owner @{tmp}/*tests*/ rw, owner @{tmp}/*tests*/** mix, owner @{tmp}/*tests*/** rwlk, @@ -57,6 +58,7 @@ owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp@{word8}/ rw, owner @{tmp}/tmp@{word8}/** rwlk, + owner /var/tmp/@{word8} rw, # Git owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature From 7199d4ac7e49852d7e2d325e29cfc4c4da1593d4 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 10 Apr 2026 12:21:05 +0100 Subject: [PATCH 1654/1736] feat(profile): few updates. --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 11 +++++++++++ apparmor.d/groups/freedesktop/xdg-mime | 2 ++ apparmor.d/groups/xfce/thunar-volman | 4 ++++ apparmor.d/profiles-a-f/borg | 2 +- 4 files changed, 18 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index ec450bc9fe..0bef13a04a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -13,6 +13,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -43,6 +44,8 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { / r, owner /att/**/ r, + owner @{HOME}/{,**} r, + owner /var/lib/xkb/server-@{int}.xkm rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, @@ -51,7 +54,15 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{sys}/fs/cgroup/user.slice/user-1001.slice/user@1001.service/app.slice/xdg-desktop-portal-gtk.service/cpu.max r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cgroup r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 921dc99e8a..8d63342c43 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -20,6 +20,8 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/vendor_perl/mimetype Px, @{bin}/xprop Px, + /usr/share/file/misc/magic.mgc r, + owner @{user_config_dirs}/mimeapps.list{,.new} rw, owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 2f5b298c3d..974c29c9c7 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -10,6 +10,8 @@ include profile thunar-volman @{exec_path} flags=(attach_disconnected) { include include + include + include include include include @@ -20,6 +22,8 @@ profile thunar-volman @{exec_path} flags=(attach_disconnected) { /etc/fstab r, + / r, + @{sys}/devices/virtual/input/input@{int}/{,**/}uevent r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index d8a7e42272..bdb6acefe9 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/borg -profile borg @{exec_path} { +profile borg @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include From cfe5501335ea13c566460beeb86d801bb02f022b Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 10 Apr 2026 12:38:25 +0100 Subject: [PATCH 1655/1736] fix(profile): removed whitespace. --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 0bef13a04a..352045fb32 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -58,7 +58,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - + owner @{sys}/fs/cgroup/user.slice/user-1001.slice/user@1001.service/app.slice/xdg-desktop-portal-gtk.service/cpu.max r, owner @{PROC}/@{pid}/mountinfo r, From 93c4c4e0d2084643b947588698cbf46a0e64eb93 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 10 Apr 2026 19:00:56 +0100 Subject: [PATCH 1656/1736] fix(profile): further adjustments. --- apparmor.d/profiles-a-f/borg | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index bdb6acefe9..2c42f0fbf3 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/borg -profile borg @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile borg @{exec_path} flags=(attach_disconnected) { include include include @@ -16,6 +16,8 @@ profile borg @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, + capability fowner, + capability sys_admin, network inet dgram, network inet6 dgram, @@ -45,12 +47,15 @@ profile borg @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Dirs that can be backed up / r, + /tmp/borg/ r, /etc/{,**} r, /home/{,**} r, @{MOUNTS}/{,**} r, /root/{,**} r, /srv/{,**} r, /var/{,**} r, + + @{att}/var/lib/docker/overlay2/@{hex64}/{,**} r, # The backup dirs owner @{MOUNTS}/ r, @@ -85,6 +90,7 @@ profile borg @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:only test mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/autopkgtest.@{rand6}/**, mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/tmp@{word8}/**, + mount fstype=fuse options=(ro nodev nosuid) borgfs -> /tmp/borg/, owner /tmp/tmp@{word8}/{,**} rwlk, profile ccache { From 9f3a299ec905fc3d8e401c2ed7e3a1f7ce9584a3 Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 10 Apr 2026 19:05:34 +0100 Subject: [PATCH 1657/1736] feat(profile): trailing whitespace. --- apparmor.d/profiles-a-f/borg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 2c42f0fbf3..8b8e316bd9 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -54,7 +54,7 @@ profile borg @{exec_path} flags=(attach_disconnected) { /root/{,**} r, /srv/{,**} r, /var/{,**} r, - + @{att}/var/lib/docker/overlay2/@{hex64}/{,**} r, # The backup dirs From 5a3c010f6d08e1886b777019013868cef206dc3f Mon Sep 17 00:00:00 2001 From: Tukas Armanis Date: Fri, 10 Apr 2026 21:46:02 +0100 Subject: [PATCH 1658/1736] feat(profile): corrected. --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 7 +------ apparmor.d/profiles-a-f/borg | 6 +++--- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 352045fb32..83edf652c0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -54,12 +54,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - owner @{sys}/fs/cgroup/user.slice/user-1001.slice/user@1001.service/app.slice/xdg-desktop-portal-gtk.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/xdg-desktop-portal-gtk.service/cpu.max r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 8b8e316bd9..d3ec0f9a4b 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -25,6 +25,7 @@ profile borg @{exec_path} flags=(attach_disconnected) { mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, + mount fstype=fuse options=(ro nodev nosuid) borgfs -> /tmp/borg/, @{exec_path} r, @@ -47,7 +48,6 @@ profile borg @{exec_path} flags=(attach_disconnected) { # Dirs that can be backed up / r, - /tmp/borg/ r, /etc/{,**} r, /home/{,**} r, @{MOUNTS}/{,**} r, @@ -55,7 +55,7 @@ profile borg @{exec_path} flags=(attach_disconnected) { /srv/{,**} r, /var/{,**} r, - @{att}/var/lib/docker/overlay2/@{hex64}/{,**} r, + @{att}/var/{,**} r, # The backup dirs owner @{MOUNTS}/ r, @@ -69,6 +69,7 @@ profile borg @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/borg/** rw, # If /tmp/ isn't accessible, then /var/tmp/ is used. + /tmp/borg/ r, owner @{tmp}/* rw, owner @{tmp}/borg-cache-*/ rw, owner @{tmp}/borg-cache-*/* rw, @@ -90,7 +91,6 @@ profile borg @{exec_path} flags=(attach_disconnected) { #aa:only test mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/autopkgtest.@{rand6}/**, mount fstype=fuse options=(ro nosuid nodev) borgfs -> /tmp/tmp@{word8}/**, - mount fstype=fuse options=(ro nodev nosuid) borgfs -> /tmp/borg/, owner /tmp/tmp@{word8}/{,**} rwlk, profile ccache { From 564ac64ab9bd4c679fdbc8a94477b5b0ea71919e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Apr 2026 13:27:51 +0200 Subject: [PATCH 1659/1736] feat(abs): minor abstraction update. --- apparmor.d/abstractions/app/chromium | 2 ++ apparmor.d/abstractions/app/firefox | 12 +++++++++--- apparmor.d/abstractions/base-strict | 1 + apparmor.d/abstractions/common/chromium | 11 +++++++---- apparmor.d/abstractions/common/systemd | 1 - .../abstractions/flatpak/baseapp/org.winehq.Wine | 2 ++ apparmor.d/abstractions/gstreamer | 3 +++ apparmor.d/abstractions/gvfs-metadata | 2 ++ apparmor.d/abstractions/nvidia-strict | 2 ++ 9 files changed, 28 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 895d832821..846bd5a21a 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -164,6 +164,7 @@ @{sys}/bus/**/devices/ r, @{sys}/class/**/ r, @{sys}/devices/**/uevent r, + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, # List processes in /proc @{PROC}/ r, @@ -180,6 +181,7 @@ # Human-readable process status (name, state, UIDs, memory, capabilities) @{PROC}/@{pid}/status r, + # Pressure Stall Information interface @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 163994979b..6a0b0b40ac 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -135,6 +135,8 @@ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/devices/virtual/dmi/id/product_sku r, + @{sys}/bus/ r, @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/class/ r, @@ -156,6 +158,11 @@ @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/route r, + # Pressure Stall Information interface + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + # Allow reading cgroup membership information for process introspection owner @{PROC}/@{pid}/cgroup r, @@ -203,12 +210,11 @@ owner /dev/tty@{u8} rw, # File Inherit # Silencer - deny dbus send bus=system path=/org/freedesktop/hostname1, - deny dbus send bus=system path=/org/freedesktop/login1, + deny dbus bus=system path=/org/freedesktop/hostname1, + deny dbus bus=system path=/org/freedesktop/login1, deny /tmp/MozillaUpdateLock-* w, deny owner @{HOME}/.* r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, - deny @{PROC}/pressure/* r, include if exists diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index f3faccd82b..b6c2859650 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -80,6 +80,7 @@ #aa:only pacman # Allow pacman to communicate with us via unix sockets. It ensures pacman can communicate with its hooks. unix (send receive) type=stream peer=(label=pacman), + signal receive set=kill peer=pacman-hook-*//pgrep, #aa:exclude RBAC # Allow unconfined processes to communicate with us via unix sockets diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 23ab71f135..5bfb1a18a4 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -28,12 +28,15 @@ # drops CAP_SYS_ADMIN we are ok. capability sys_admin, - # All of these are for sanely dropping from root and chrooting - capability setgid, # If kernel.unprivileged_userns_clone = 1 - capability setuid, # If kernel.unprivileged_userns_clone = 1 + # Needed for sanely dropping from root and chrooting + capability sys_admin, capability sys_chroot, capability sys_ptrace, + # Needed with sysctl_kernel_unprivileged_userns_clone = 1 + audit capability setgid, + audit capability setuid, + owner @{user_share_dirs}/.@{domain}.@{rand6} rw, @{tmp}/ r, @@ -62,7 +65,7 @@ @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - # If kernel.unprivileged_userns_clone = 1 + # Needed with sysctl_kernel_unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 3f3981ad6f..5a28be170e 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -12,7 +12,6 @@ / r, - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine index 9f8c22ebda..5fa05619f6 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine +++ b/apparmor.d/abstractions/flatpak/baseapp/org.winehq.Wine @@ -5,6 +5,8 @@ abi , + include + owner /tmp/.wine-@{uid}/ rw, owner /tmp/.wine-@{uid}/server-*/ rw, owner /tmp/.wine-@{uid}/server-*/lock rwk, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index f147c7423b..91e332fa7d 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -17,6 +17,9 @@ @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, + owner @{lib}/gstreamer-1.0/python/__pycache__/ w, + owner @{lib}/gstreamer-1.0/python/__pycache__/**.pyc.@{u64} w, + /usr/share/gstreamer-1.0/presets/Gst*Enc.prs r, /usr/share/ladspa/rdf/{,**} r, /usr/share/xml/iso-codes/*.xml r, diff --git a/apparmor.d/abstractions/gvfs-metadata b/apparmor.d/abstractions/gvfs-metadata index d2fb4120c2..33666e6ccb 100644 --- a/apparmor.d/abstractions/gvfs-metadata +++ b/apparmor.d/abstractions/gvfs-metadata @@ -12,6 +12,8 @@ owner @{user_share_dirs}/gvfs-metadata/home r, owner @{user_share_dirs}/gvfs-metadata/home-@{hex8}.log r, + owner @{user_share_dirs}/gvfs-metadata/uuid-@{uuid} r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index fdd0dacb16..9a1cf7e04a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -19,6 +19,8 @@ owner @{DESKTOP_HOME}/.nv/ w, owner @{DESKTOP_HOME}/.nv/ComputeCache/ w, + owner @{DESKTOP_HOME}/.nv/ComputeCache/** rw, + owner @{DESKTOP_HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/ w, owner @{HOME}/.nv/ComputeCache/ w, From 0ac69fb38830af350e5af50f639792ae841b525a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Apr 2026 13:41:47 +0200 Subject: [PATCH 1660/1736] feat(profile): minor profile update. --- apparmor.d/abstractions/development | 6 ++++-- apparmor.d/abstractions/devrun | 5 +---- apparmor.d/groups/apt/dpkg-scripts | 5 ++--- apparmor.d/groups/code/code | 4 ++-- apparmor.d/groups/code/code-extensions | 1 + apparmor.d/groups/code/code-shells | 1 + apparmor.d/groups/freedesktop/boltd | 4 ++++ apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/yelp | 1 - apparmor.d/groups/pacman/makepkg | 1 + apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/utils/fsck | 1 + apparmor.d/profiles-a-f/alacarte | 1 + apparmor.d/profiles-a-f/claude | 2 +- apparmor.d/profiles-a-f/dkms | 3 +++ apparmor.d/profiles-a-f/foliate | 1 - apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders | 1 + 18 files changed, 26 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/development b/apparmor.d/abstractions/development index b2d52aa274..a9ec261a94 100644 --- a/apparmor.d/abstractions/development +++ b/apparmor.d/abstractions/development @@ -8,7 +8,6 @@ abi , include - include include include include @@ -27,8 +26,11 @@ /usr/share/** ix, @{user_bin_dirs}/** ix, - @{pager_path} Px -> child-pager, @{bin}/lsb_release Px, + @{bin}/nproc Px, + @{bin}/uptime Px, + @{bin}/w Px, + @{pager_path} Px -> child-pager, / r, /usr/{,**} r, diff --git a/apparmor.d/abstractions/devrun b/apparmor.d/abstractions/devrun index d547c744f2..e408efb001 100644 --- a/apparmor.d/abstractions/devrun +++ b/apparmor.d/abstractions/devrun @@ -11,7 +11,7 @@ @{bin}/aa-log Px, @{bin}/claude Px, - @{bin}/docker PUx, # TODO: Px, + @{bin}/docker Px, @{bin}/dpkg-query Px, @{bin}/git Px, @{bin}/htop Px, @@ -19,13 +19,10 @@ @{bin}/journalctl Px, @{bin}/lscpu Px, @{bin}/man Px, - @{bin}/nproc Px, @{bin}/podman Px, @{bin}/ps Px, @{bin}/ssh Px, @{bin}/top Px, - @{bin}/uptime Px, - @{bin}/w Px, # Well known shells tools @{bin}/starship PUx, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 2c6c865a69..e117d2106d 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -82,15 +82,14 @@ profile dpkg-scripts @{exec_path} { @{HOME}/.profile r, + /tmp/*.@{rand6} rw, + /tmp/*.@{word8} rw, /tmp/dbconfig-common*.@{rand6} rw, /tmp/dbconfig-common*.@{rand6}/{,**} rw, /tmp/dbconfig-package-config.@{rand6} rw, - /tmp/fmtutil.@{rand8} rw, - /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, /tmp/tmp.@{rand10}/ rw, - /tmp/updateppds.@{rand6} rw, @{sys}/kernel/security/apparmor/features/policy/unconfined_restrictions/userns r, diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index 758a72bf36..f008812386 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -119,14 +119,14 @@ profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_cache_dirs}/typescript/ rw, owner @{user_cache_dirs}/typescript/** rwlk, - owner @{run}/user/@{uid}/@{name}-*.sock w, + owner @{run}/user/@{uid}/@{name}-*.sock rw, owner @{run}/user/@{uid}/git-graph-askpass-@{rand32}.sock w, /var/tmp/ r, owner @{tmp}/@{name}-*/ rw, owner @{tmp}/@{name}-*/** rwlk, - owner @{tmp}/@{user}-code-*/{,**} rw, + owner @{tmp}/@{user}-@{name}-*/{,**} rw, owner @{tmp}/exthost-@{hex6}.cpuprofile w, owner @{tmp}/mcp-@{rand6}/{,**} rw, owner @{tmp}/node-compile-cache/{,**} rw, diff --git a/apparmor.d/groups/code/code-extensions b/apparmor.d/groups/code/code-extensions index 5b82d8c173..27e960e637 100644 --- a/apparmor.d/groups/code/code-extensions +++ b/apparmor.d/groups/code/code-extensions @@ -20,6 +20,7 @@ profile code-extensions @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/code/code-shells b/apparmor.d/groups/code/code-shells index 5bb5cb9880..245d612f6a 100644 --- a/apparmor.d/groups/code/code-shells +++ b/apparmor.d/groups/code/code-shells @@ -20,6 +20,7 @@ profile code-shells flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 5ded880230..f5e2f93386 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -55,6 +55,10 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw, + #aa:only test + owner /tmp/tmp@{rand8}/{,**} rw, + owner /tmp/umockdev.@{rand6}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 9807ddf0d7..7b860283cc 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -96,6 +96,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.MalcontentTimer1 label=malcontent-timerd #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index c0171a00af..0867e50df1 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,6 +13,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) include include include + include include include include diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index f4c4ca064c..7693951f9c 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -46,7 +46,6 @@ profile yelp @{exec_path} flags=(attach_disconnected) { owner @{att}@{run}/user/@{uid}/wayland-@{int} rw, @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 8a25f1d8ac..c1bc6fe28b 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -92,6 +92,7 @@ profile makepkg @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal send set=(term winch) peer=pacman, signal send set=(term winch) peer=pacman//systemctl, signal send set=(term winch) peer=systemd-tty-ask-password-agent, + signal send set=(term winch) peer=unconfined, @{bin}/pacman Px, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index 29efd272b1..b5db3667d1 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -83,6 +83,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{att}@{run}/systemd/sessions/@{int}.ref w, @{run}/cockpit/active.issue r, + @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/groups/utils/fsck index e2537b21c8..6bc8964ff5 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/groups/utils/fsck @@ -24,6 +24,7 @@ profile fsck @{exec_path} flags=(attach_disconnected) { /etc/fstab r, # When a mount dir is passed to fsck as an argument. + / r, @{HOME}/ r, @{MOUNTS}/ r, @{efi}/ r, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 398e5df68d..62a6fe8cce 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -11,6 +11,7 @@ profile alacarte @{exec_path} flags=(attach_disconnected) { include include include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 3558d6abeb..9c84a81f60 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -136,6 +136,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -155,7 +156,6 @@ profile claude @{exec_path} flags=(attach_disconnected) { signal receive peer=claude, - priority=1 @{bin}/dpkg-query Px, priority=1 @{bin}/flatpak Px -> claude//flatpak, priority=1 @{bin}/ssh Px -> claude//ssh, priority=1 @{ldd_path} rPx -> claude//ldd, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index cbe15f3df8..17e913a6d1 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -27,6 +27,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, + ptrace read peer=@{p_systemd}, + unix (receive) type=stream, @{exec_path} rm, @@ -130,6 +132,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { audit owner @{tmp}/sh-thd.* rw, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index a95c7dc8ea..1fe00d7379 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -48,7 +48,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, owner @{user_share_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Nautilus.slice/dbus*org.gnome.Nautilus@*.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-com.github.johnfactotum.Foliate-@{int}.scope/memory.* r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index 04c9a33f24..eb308b150d 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gdk-pixbuf-query-loaders profile gdk-pixbuf-query-loaders @{exec_path} { include + include include capability dac_read_search, From bc935ab8e90c7af7c1f58f12b5f4d7ebe72d077b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Apr 2026 13:42:55 +0200 Subject: [PATCH 1661/1736] feat(profile): add profile for docker. --- apparmor.d/groups/virt/docker | 30 ++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 31 insertions(+) create mode 100644 apparmor.d/groups/virt/docker diff --git a/apparmor.d/groups/virt/docker b/apparmor.d/groups/virt/docker new file mode 100644 index 0000000000..fc7a02c4ba --- /dev/null +++ b/apparmor.d/groups/virt/docker @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/docker +profile docker @{exec_path} flags=(attach_disconnected) { + include + include + + capability dac_read_search, + + network netlink raw, + + @{exec_path} mr, + + @{lib}/docker/cli-plugins/docker-buildx Px, + + @{run}/docker.sock rw, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 1452bc5b0e..d0c3d73156 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -78,6 +78,7 @@ discord-chrome-sandbox complain DiscoverNotifier complain dkms complain dmsetup complain +docker complain dockerd complain dolphin complain downloadhelper complain From 73a6c5db1a8415d28721773d2993ba1b10883888 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Apr 2026 23:57:24 +0200 Subject: [PATCH 1662/1736] feat(abs): chromium: improve crashpad_handler. --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/common/electron | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 846bd5a21a..a73c22db43 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -262,6 +262,7 @@ profile crashpad_handler flags=(attach_disconnected) { include + include capability sys_ptrace, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index c33ea62399..174d19a00c 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -116,6 +116,7 @@ profile crashpad_handler flags=(attach_disconnected) { include + include signal send peer=@{name}, @@ -130,6 +131,9 @@ owner @{config_dirs}/Crashpad/{,**} rwk, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/status r, @{PROC}/sys/kernel/yama/ptrace_scope r, From 61f17eb45774d5f2807b8099b37f0ea19df17dcc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Apr 2026 00:04:28 +0200 Subject: [PATCH 1663/1736] feat(profile): update xdg tool profiles. --- apparmor.d/abstractions/common/xdg | 7 +++-- .../groups/freedesktop/xdg-desktop-icon | 22 ++------------ .../groups/freedesktop/xdg-desktop-menu | 29 +++---------------- .../groups/freedesktop/xdg-desktop-portal-gtk | 3 +- apparmor.d/groups/freedesktop/xdg-email | 2 ++ .../groups/freedesktop/xdg-icon-resource | 27 ++--------------- apparmor.d/groups/freedesktop/xdg-open | 1 + apparmor.d/groups/freedesktop/xdg-screensaver | 20 ++----------- apparmor.d/groups/freedesktop/xdg-settings | 1 + 9 files changed, 22 insertions(+), 90 deletions(-) diff --git a/apparmor.d/abstractions/common/xdg b/apparmor.d/abstractions/common/xdg index 99087cb84e..9817ed7cf6 100644 --- a/apparmor.d/abstractions/common/xdg +++ b/apparmor.d/abstractions/common/xdg @@ -17,11 +17,14 @@ @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cp rix, @{bin}/cut rix, - @{bin}/cut rix, + @{bin}/dirname rix, @{bin}/env rix, @{bin}/file rix, @{bin}/head rix, + @{bin}/ln rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @@ -33,10 +36,10 @@ @{bin}/sort rix, @{bin}/touch rix, @{bin}/tr rix, - @{bin}/tr rix, @{bin}/umask rix, @{bin}/uname rix, @{bin}/wc rix, + @{bin}/whoami rix, # To set/get DE information @{bin}/gconftool{,-2} ix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index a6200a2b22..485c86f2e3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -9,29 +9,10 @@ include @{exec_path} = @{bin}/xdg-desktop-icon profile xdg-desktop-icon @{exec_path} { include - include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/chmod ix, - @{bin}/cp ix, - @{bin}/cut ix, - @{bin}/mkdir ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/tr ix, - @{bin}/umask ix, - @{bin}/uname ix, - - # To get DE information - @{bin}/kde{,4}-config ix, - @{bin}/dbus-send Cx -> bus, @{bin}/xprop Px, @@ -39,6 +20,7 @@ profile xdg-desktop-icon @{exec_path} { include include include + include include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index e718108479..c28f224ee3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu @@ -10,38 +10,15 @@ include @{exec_path} = @{bin}/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { include - include - include + include include @{exec_path} r, @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/chmod ix, - @{bin}/cp ix, - @{bin}/cut ix, - @{bin}/dirname ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/umask ix, - @{bin}/uname ix, + @{bin}/chmod rix, @{bin}/id rPx, - # To get DE information - @{bin}/kde{,4}-config ix, - @{bin}/dbus-send Cx -> bus, @{bin}/update-desktop-database Px, @{bin}/xprop Px, @@ -50,6 +27,8 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) { include include include + include + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index ec450bc9fe..e8712fb040 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -23,7 +23,8 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include + + network inet stream, signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index f95c73bd91..2f468889e2 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -11,6 +11,7 @@ include profile xdg-email @{exec_path} flags=(attach_disconnected) { include include + include @{exec_path} r, @@ -27,6 +28,7 @@ profile xdg-email @{exec_path} flags=(attach_disconnected) { include include include + include include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 4f29d38a0a..d1f2ecf2ad 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -10,34 +10,11 @@ include @{exec_path} = @{bin}/xdg-icon-resource profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include + include include - include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cp ix, - @{bin}/cut ix, - @{bin}/dirname ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/umask ix, - @{bin}/uname ix, - @{bin}/whoami ix, - - # To get DE information - @{bin}/kde{,4}-config ix, - @{bin}/dbus-send Cx -> bus, @{bin}/gtk{,4}-update-icon-cache Px, @{bin}/xprop Px, @@ -46,6 +23,8 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include include + include + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index e906a96827..4e6dcb6762 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -37,6 +37,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index 351292a8b0..9f4e776d27 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -10,29 +10,12 @@ include @{exec_path} = @{bin}/xdg-screensaver profile xdg-screensaver @{exec_path} flags=(complain) { include - include - include + include include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cut ix, - @{bin}/dirname ix, - @{bin}/kill ix, - @{bin}/ln ix, @{bin}/lockfile ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/uname ix, @{bin}/xautolock ix, @{bin}/dbus-send Cx -> bus, @@ -45,6 +28,7 @@ profile xdg-screensaver @{exec_path} flags=(complain) { include include include + include #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 2fb7db155c..423c69b3f8 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -26,6 +26,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) { include include include + include include if exists } From 6a8bdb50cba139a66b69afc83055eb0d84f1fb8c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Apr 2026 00:04:58 +0200 Subject: [PATCH 1664/1736] feat(abs): dbus: update ca.desrt.dconf.Writer --- apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer b/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer index 356ad2b2ee..06f9c934e3 100644 --- a/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer +++ b/apparmor.d/abstractions/bus/session/ca.desrt.dconf.Writer @@ -7,7 +7,12 @@ dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member=Change - peer=(name=ca.desrt.dconf), # no peer's labels + peer=(name=ca.desrt.dconf), + + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=ca.desrt.dconf, label=dconf-service), dbus receive bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer From 7f8434800e391c46b61d5c3da52937d3e6ea7e6a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Apr 2026 00:08:48 +0200 Subject: [PATCH 1665/1736] feat(profile): update some apt profiles. --- apparmor.d/groups/apt/deb-systemd-helper | 2 ++ apparmor.d/groups/apt/deb-systemd-invoke | 2 ++ apparmor.d/groups/apt/dpkg-maintscript-helper | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 12 +++++++----- apparmor.d/groups/ubuntu/apport | 4 ++++ 5 files changed, 17 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index 006606e3a1..65d6705ebb 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -23,6 +23,8 @@ profile deb-systemd-helper @{exec_path} { /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw, + /tmp/tmp.@{rand10} rw, + profile systemctl { include include diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index ceceaeb156..2a8977b102 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -33,6 +33,8 @@ profile deb-systemd-invoke @{exec_path} { @{bin}/systemd-run Cx -> run, + /tmp/tmp.@rand10} rw, + profile run { include diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index ed7cb08a4e..e004638c6d 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -32,6 +32,8 @@ profile dpkg-maintscript-helper @{exec_path} { /etc/**.dpkg-remove w, + /tmp/tmp.@{rand10} rw, + profile dpkg { include include diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e117d2106d..28c4bfc612 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -82,14 +82,12 @@ profile dpkg-scripts @{exec_path} { @{HOME}/.profile r, + /tmp/*.@{rand10} rw, /tmp/*.@{rand6} rw, /tmp/*.@{word8} rw, - /tmp/dbconfig-common*.@{rand6} rw, - /tmp/dbconfig-common*.@{rand6}/{,**} rw, - /tmp/dbconfig-package-config.@{rand6} rw, + /tmp/dbconfig-*.@{rand6}/{,**} rw, /tmp/sed@{rand6} rw, - /tmp/tmp.@{rand10} rw, - /tmp/tmp.@{rand10}/ rw, + /tmp/tmp.@{rand10}/{,**} rw, @{sys}/kernel/security/apparmor/features/policy/unconfined_restrictions/userns r, @@ -164,6 +162,8 @@ profile dpkg-scripts @{exec_path} { /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /tmp/tmp.@{rand10} rw, + @{run}/utmp rk, include if exists @@ -188,6 +188,8 @@ profile dpkg-scripts @{exec_path} { /etc/rc@{int}.d/ r, /etc/rc@{int}.d/* rw, + /tmp/tmp.@{rand10} rw, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index c484e24e1d..2b429248bb 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -29,12 +29,15 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/{,e,f}grep rix, + @{bin}/* r, @{bin}/dpkg rPx -> apport//&child-dpkg, @{bin}/dpkg-divert rPx -> apport//&child-dpkg-divert, @{bin}/gdbus rix, @{bin}/md5sum rix, /usr/share/apport/{,**} r, + /usr/share/backgrounds/{,**} r, + /usr/share/doc/{,**} r, @{etc_ro}/login.defs r, /etc/apport/{,**} r, @@ -49,6 +52,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/updates/{,*} r, /var/lib/apport/coredump/{,**} r, + /var/lib/ispell/{,**} r, /var/lib/systemd/coredump/{,**} r, /var/crash/ rw, From 0601eee0b4249f4bb22548c3f45255cf61c14e17 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Apr 2026 00:11:37 +0200 Subject: [PATCH 1666/1736] feat(profile): update some gnome profiles. --- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gsd-power | 3 ++- apparmor.d/groups/gnome/showtime | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index ee929d40ee..a46734cdf0 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -54,7 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.bluez label=bluetoothd #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - #aa:dbus talk bus=system name=org.freedesktop.bolt1 path=/org/freedesktop/bolt label=boltd + #aa:dbus talk bus=system name=org.freedesktop.bolt1 path=/org/freedesktop/bolt{,/**} label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.fwupd path=/ label=fwupd #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0ee2867410..0f3964e624 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -28,12 +28,13 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { network inet stream, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight diff --git a/apparmor.d/groups/gnome/showtime b/apparmor.d/groups/gnome/showtime index 3fbe2e6ac3..3778ae0fa6 100644 --- a/apparmor.d/groups/gnome/showtime +++ b/apparmor.d/groups/gnome/showtime @@ -12,6 +12,7 @@ profile showtime @{exec_path} flags=(attach_disconnected) { include include include + include include include From 2e1e1ed3bddddf1f9f2bb42168043555c4574962 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Apr 2026 22:49:33 +0200 Subject: [PATCH 1667/1736] doc: add doc for the linter. --- docs/linter/checks/abi.md | 33 ++++++++ docs/linter/checks/abstractions.md | 51 ++++++++++++ docs/linter/checks/bin.md | 39 ++++++++++ docs/linter/checks/directory-mark.md | 28 +++++++ docs/linter/checks/equivalent.md | 39 ++++++++++ docs/linter/checks/header.md | 19 +++++ docs/linter/checks/include.md | 33 ++++++++ docs/linter/checks/profile.md | 50 ++++++++++++ docs/linter/checks/tabs.md | 11 +++ docs/linter/checks/too-wide.md | 44 +++++++++++ docs/linter/checks/trailing.md | 11 +++ docs/linter/checks/transition.md | 40 ++++++++++ docs/linter/checks/tunables.md | 30 ++++++++ docs/linter/checks/useless.md | 29 +++++++ docs/linter/checks/vim.md | 30 ++++++++ docs/linter/index.md | 111 +++++++++++++++++++++++++++ zensical.toml | 26 +++++++ 17 files changed, 624 insertions(+) create mode 100644 docs/linter/checks/abi.md create mode 100644 docs/linter/checks/abstractions.md create mode 100644 docs/linter/checks/bin.md create mode 100644 docs/linter/checks/directory-mark.md create mode 100644 docs/linter/checks/equivalent.md create mode 100644 docs/linter/checks/header.md create mode 100644 docs/linter/checks/include.md create mode 100644 docs/linter/checks/profile.md create mode 100644 docs/linter/checks/tabs.md create mode 100644 docs/linter/checks/too-wide.md create mode 100644 docs/linter/checks/trailing.md create mode 100644 docs/linter/checks/transition.md create mode 100644 docs/linter/checks/tunables.md create mode 100644 docs/linter/checks/useless.md create mode 100644 docs/linter/checks/vim.md create mode 100644 docs/linter/index.md diff --git a/docs/linter/checks/abi.md b/docs/linter/checks/abi.md new file mode 100644 index 0000000000..0d8ab5a4b2 --- /dev/null +++ b/docs/linter/checks/abi.md @@ -0,0 +1,33 @@ +--- +title: Abi +--- + +# `abi` + +Use of incorrect or missing ABI version. + +## Problematic rule + +```sh +# WRONG +abi , +``` + +```sh +# WRONG +# missing 'abi ,' +``` + +## Correct rule + +```sh +abi , +``` + +## Rationale + +All profiles in the project must use the same ABI version to ensure compatibility with the AppArmor kernel module and features. The current default ABI targeted by this project is `4.0`. + +## Exceptions + +None diff --git a/docs/linter/checks/abstractions.md b/docs/linter/checks/abstractions.md new file mode 100644 index 0000000000..0b93154519 --- /dev/null +++ b/docs/linter/checks/abstractions.md @@ -0,0 +1,51 @@ +--- +title: Abstractions +--- + +# `abstractions` + +Use of dangerous or deprecated abstractions + +## Problematic rule + +```sh +# WRONG +include +``` + +## Correct rule + +```sh +include +``` + +## Rationale + +Some abstractions provide more access than required, do not integrate with profiles defined in apparmor.d or with non-Ubuntu systems. + +The following abstractions are considered dangerous: + +- `dbus`: Full dbus access +- `dbus-accessibility`: Full dbus accessibility access +- `dbus-session`: Full dbus session access +- `dbus-system`: Full dbus system access +- `user-tmp`: Full access to user temporary files (See [too-wide](too-wide.md) check) + +Deprecated abstractions: + +- `bash` -> `shell`: `bash` does not cover all shells. +- `nameservice` -> `nameservice-strict`: `nameservice` gives network access which is not required in most cases. + +Deprecated abstractions, would conflict with apparmor.d integration + +- `dbus-accessibility-strict` -> `bus-accessibility` +- `dbus-network-manager-strict` -> `network-manager-observe` +- `dbus-session-strict` -> `bus-session` +- `dbus-system-strict` -> `bus-system` +- `gnome` -> `gnome-strict` +- `kde` -> `kde-strict` +- `X` -> `X-strict` + +## Exceptions + +None diff --git a/docs/linter/checks/bin.md b/docs/linter/checks/bin.md new file mode 100644 index 0000000000..893028356f --- /dev/null +++ b/docs/linter/checks/bin.md @@ -0,0 +1,39 @@ +--- +title: Bin +--- + +# `bin` / `sbin` + +Use of incorrect binary path in rules. + +## Problematic rule + +```sh +# WRONG +@{bin}/cron Px, +``` + +```sh +# WRONG +@{sbin}/pass Px, +``` + +## Correct rule + +```sh +@{sbin}/cron Px, +``` + +```sh +@{bin}/pass Px, +``` + +## Rationale + +To differentiate between system binaries and administrator binaries, `apparmor.d` uses two separate variables: `@{bin}` for regular binaries and `@{sbin}` for system binaries. + +The list of known path in `/usr/sbin` is maintained under the `sbin.list` file. + +## Exceptions + +Some binaries may be installed in both @{bin} and @{sbin} depending on the package it is installed from. For instance, upstream docker package installs `dockerd` in `/usr/bin/` while the distribution package installs it in `/usr/sbin/`. In such cases, both paths is required. diff --git a/docs/linter/checks/directory-mark.md b/docs/linter/checks/directory-mark.md new file mode 100644 index 0000000000..c8bafaf275 --- /dev/null +++ b/docs/linter/checks/directory-mark.md @@ -0,0 +1,28 @@ +--- +title: Directory Mark +--- + +# `directory-mark` + +Missing directory mark (trailing slash) in well-known directory paths. + +## Problematic rule + +```sh +# WRONG +owner @{HOME} r, +``` + +## Correct rule + +```sh +owner @{HOME}/ r, +``` + +## Rationale + +In AppArmor profiles, a directory path **must** be explicitly marked with a trailing slash (`/`) to indicate that it refers to a directory rather than to a file. + +## Exceptions + +None diff --git a/docs/linter/checks/equivalent.md b/docs/linter/checks/equivalent.md new file mode 100644 index 0000000000..1bdb3036d4 --- /dev/null +++ b/docs/linter/checks/equivalent.md @@ -0,0 +1,39 @@ +--- +title: Equivalent +--- + +# `equivalent` + +Missing rules to equivalent paths. + +## Problematic rule + +```sh +# WRONG +@{bin}/grep ix, +``` + +## Correct rule + +```sh +@{bin}/{,e}grep ix, +``` + +## Rationale + +In AppArmor profiles, certain binaries may have equivalent paths that need to be explicitly allowed to ensure proper functionality. + +For example, the `grep` binary can be accessed as both `grep` and `egrep` (`exec grep -E "$@"`). Failing to include rules for all equivalent paths **will** lead to unexpected denials in some distributions. + +The following equivalent paths exist: + +- `@{bin}/awk` -> `@{bin}/{m,g,}awk` +- `@{bin}/grep` -> `@{bin}/{,e}grep` +- `@{bin}/gs` -> `@{bin}/gs{,.bin}` +- `@{bin}/which` -> `@{bin}/which{,.debianutils}` +- `@{sbin}/xtables-legacy-multi` -> `@{sbin}/xtables-{nft,legacy}-multi` +- `@{bin}/xtables-nft-multi` -> `@{sbin}/xtables-{nft,legacy}-multi` + +## Exceptions + +None diff --git a/docs/linter/checks/header.md b/docs/linter/checks/header.md new file mode 100644 index 0000000000..be5e544c35 --- /dev/null +++ b/docs/linter/checks/header.md @@ -0,0 +1,19 @@ +--- +title: Header +--- + +# `header` + +Missing or incorrect profile header. + +All profile files **must** begin with a standardized header that includes the project name, copyright information, and SPDX licence identifier. + +```sh +# apparmor.d - Full set of apparmor profiles +# Copyright (C) +# SPDX-License-Identifier: GPL-2.0-only +``` + +## Exceptions + +None diff --git a/docs/linter/checks/include.md b/docs/linter/checks/include.md new file mode 100644 index 0000000000..d20a8b1acb --- /dev/null +++ b/docs/linter/checks/include.md @@ -0,0 +1,33 @@ +--- +title: Local include +--- + +# `include` + +Missing inclusion of local rule additions. + +## Problematic rule + +```sh +# WRONG +profile pass { + ... +} + +``` + +## Correct rule + +```sh +profile pass { + include if exists +} +``` + +## Rationale + +To allow for easier customization and extension of AppArmor profiles and subprofiles, all profiles and abstractions **must** include local rule additions. + +## Exceptions + +None diff --git a/docs/linter/checks/profile.md b/docs/linter/checks/profile.md new file mode 100644 index 0000000000..8da5aa54e8 --- /dev/null +++ b/docs/linter/checks/profile.md @@ -0,0 +1,50 @@ +--- +title: Profile / Subprofile +--- + +# `profile` / `subprofile` + +Missing or incorrect profile name. + +## Problematic rule + +```sh +cat /etc/apparmor.d/foo +# WRONG +profile myfoo { + ... +} +``` + +```sh +cat /etc/apparmor.d/foo +# WRONG +profile @{bin}/foo { + ... +} +``` + +## Correct rule + +```sh +cat /etc/apparmor.d/foo +profile foo { + ... +} +``` + +```sh +cat /etc/apparmor.d/foo +# WRONG +profile foo @{bin}/foo { + ... +} +``` + +## Rationale + +AppArmor profiles and subprofiles **must** have a name that matches the filename of the profile. Old syntax that includes profile attachment instead of a profile name **must** be avoided. + +## Exceptions + +None diff --git a/docs/linter/checks/tabs.md b/docs/linter/checks/tabs.md new file mode 100644 index 0000000000..5e492f5712 --- /dev/null +++ b/docs/linter/checks/tabs.md @@ -0,0 +1,11 @@ +--- +title: Tabs +--- + +# `tabs` + +Tabs are not allowed. 2 spaces **must** be used for indentation. + +## Exceptions + +None diff --git a/docs/linter/checks/too-wide.md b/docs/linter/checks/too-wide.md new file mode 100644 index 0000000000..cac09a5b0d --- /dev/null +++ b/docs/linter/checks/too-wide.md @@ -0,0 +1,44 @@ +--- +title: Rule too wide +--- + +# `too-wide` + +Rule too wide may lead to confinement escape or data leaks. + +## Problematic rule + +```sh +# WRONG +/tmp/** rw, +``` + +```sh +# WRONG +/etc/** rw, +``` + +## Correct rule + +Limit access to only required files as much as you can. For example: + +```sh +/tmp/@{rand6}/{,**} rw, +``` + +```sh +/etc//** rw, +``` + +## Rationale + +Full access to entire config and temporary directories is dangerous as it may allow confinement escape or data leaks. It is better to restrict access to only the required files or subdirectories. + +## Exceptions + +When a profile needs access to the full system, because it is a package manager for example. + +## Related Resources + +* [Access to `/tmp` breaks program isolation](https://github.com/roddhjav/apparmor.d/discussions/294) +* [Abusing Ubuntu 24.04 features for root privilege escalation](https://labs.snyk.io/resources/abusing-ubuntu-root-privilege-escalation/) diff --git a/docs/linter/checks/trailing.md b/docs/linter/checks/trailing.md new file mode 100644 index 0000000000..02739a5bd3 --- /dev/null +++ b/docs/linter/checks/trailing.md @@ -0,0 +1,11 @@ +--- +title: Trailing space +--- + +# `trailing` + +Trailing whitespace are not allowed. + +## Exceptions + +None diff --git a/docs/linter/checks/transition.md b/docs/linter/checks/transition.md new file mode 100644 index 0000000000..c47e3043b6 --- /dev/null +++ b/docs/linter/checks/transition.md @@ -0,0 +1,40 @@ +--- +title: Transition +--- + +# `transition` + +`Pix` transition leads to unmaintainable profile. + +## Problematic rule + +```sh +# WRONG +@{bin}/foo Pix, +``` + +## Correct rule + +```sh +@{bin}/foo ix, +``` + +Or, if the transition is needed: + +```sh +@{bin}/foo Px, +``` + +## Rationale + +The actual enforced transition will depend on the presence of other profiles and is therefore unpredictable. If a profile exists, it will transition and may allow more access than the original profile. If no profile exists, the program will be run inherited in the same profile, which may lead to breakage and maintenance issues. + +It is **also** a security risk when used alongside a wildcard (`@{bin}/* Pix`) as, when a lot of profiles are present (like in apparmor.d) it pretty much allow to transition to any program in the system. + +## Exceptions + +It can be used in profile for an interactive shell environments. In this case, as long as profiles like `apt` or `apparmor_parser` it may be equivalent to giving full admin access to the user. + +## Related Resources + +* The [`role_play` profile of the AppArmor Play machine](https://github.com/roddhjav/play/blob/e81baf3b42513983112f3e82250710003c0dd95a/apparmor.d/groups/roles/role_play#L50-L55) use it to provide a fully confined admin role. diff --git a/docs/linter/checks/tunables.md b/docs/linter/checks/tunables.md new file mode 100644 index 0000000000..588f53cea7 --- /dev/null +++ b/docs/linter/checks/tunables.md @@ -0,0 +1,30 @@ +--- +title: Tunables +--- + +# `tunables` + +Variables must be used + +## Problematic rule + +```sh +# WRONG +owner @{HOME}/.config/foo/{,**} rw, +``` + +## Correct rule + +```sh +owner @{user_config_dirs}/foo/{,**} rw, +``` + +## Rationale + +Using variables instead of hardcoding paths allows for better maintainability and compatibility across different systems and user configurations. It also makes the profile more adaptable to changes in directory structures or user environments. + +See [Variables](../../variables.md) for more information on available variables. + +## Exceptions + +None diff --git a/docs/linter/checks/useless.md b/docs/linter/checks/useless.md new file mode 100644 index 0000000000..aba3e7b3f0 --- /dev/null +++ b/docs/linter/checks/useless.md @@ -0,0 +1,29 @@ +--- +title: Useless rule +--- + +# `useless` + +Rule already included in the base abstraction, remove it. + +## Problematic rule + +```sh +# WRONG +@{sys}/devices/system/cpu/online r, +``` + +## Correct rule + +```sh +# CORRECT +# Rule already included in the base abstraction, no need to include it again +``` + +## Exceptions + +None + +## Related Resources + +* The [`base-strict` abstraction](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/base-strict) diff --git a/docs/linter/checks/vim.md b/docs/linter/checks/vim.md new file mode 100644 index 0000000000..8f17c39c5a --- /dev/null +++ b/docs/linter/checks/vim.md @@ -0,0 +1,30 @@ +--- +title: Vim syntax +--- + +# `vim` + +Missing vim syntax: `# vim:syntax=apparmor` + +## Problematic rule + +A profile without the vim syntax highlighting comment at the end. + +## Correct rule + +```sh +profile foo { + ... +} + +# vim:syntax=apparmor + +``` + +## Rationale + +The vim syntax highlighting comment enables proper syntax highlighting when editing the profile in vim. This improves readability and helps prevent syntax errors. + +## Exceptions + +None diff --git a/docs/linter/index.md b/docs/linter/index.md new file mode 100644 index 0000000000..d7afdaa60e --- /dev/null +++ b/docs/linter/index.md @@ -0,0 +1,111 @@ +--- +title: Linter +--- + +The profiles are checked for common style and security issues with `just check`. This page documents all the checks performed. + +!!! note "Check system" + + Future implementation will expand this basic check system to a full linter and security analyzer system. + + +## Overview + +| Output | Check ID | Description | +|---|---|---| +| **:fontawesome-solid-ban:** | `abi` | Missing ABI | +| **:fontawesome-solid-ban:** | `abstractions` | Use of dangerous abstraction | +| **:fontawesome-solid-ban:** | `abstractions` | Use of deprecated abstraction | +| **:fontawesome-solid-ban:** | `abstractions` | Use of deprecated, ubuntu only abstraction | +| **:fontawesome-solid-ban:** | `bin` | Use of `@{sbin}` instead of `@{bin}` | +| **:fontawesome-solid-ban:** | `directory-mark` | Missing directory mark | +| **:fontawesome-solid-ban:** | `equivalent` | Missing equivalent program | +| **:fontawesome-solid-ban:** | `header` | Missing header | +| **:fontawesome-solid-ban:** | `include` | Missing include | +| **:fontawesome-solid-ban:** | `indentation` | Invalid indentation | +| **:fontawesome-solid-ban:** | `profile` | Missing profile name | +| **:fontawesome-solid-ban:** | `sbin` | Use of `@{bin}` instead of `@{sbin}` | +| **:fontawesome-solid-ban:** | `subprofiles` | Missing subprofiles | +| **:fontawesome-solid-ban:** | `tabs` | Tabs are not allowed | +| **:fontawesome-solid-ban:** | `trailing` | Line has trailing whitespace | +| **:fontawesome-solid-ban:** | `transition` | `Pix` transition leads to unmaintainable profile | +| **:fontawesome-solid-ban:** | `transition` | Executable should be should be used inherited: `ix` or `Cx` | +| **:fontawesome-solid-ban:** | `transition` | Executable should transition to another (sub)profile with `Px` or `Cx` | +| **:fontawesome-solid-ban:** | `tunables` | Variables must be used | +| **:fontawesome-solid-ban:** | `udev` | Udev data path without a description comment | +| **:fontawesome-solid-ban:** | `useless` | Rule already included in the base abstraction | +| **:fontawesome-solid-ban:** | `vim` | Missing vim syntax | +| **:fontawesome-solid-warning:** | `transition` | Path `@{bin}/XXX` should transition to a subprofile with 'Cx' | +|**:fontawesome-solid-warning:** | `too-wide` | Rule too wide may lead to confinement escape or data leaks | + +## Directive + +We use a special [directive](directives.md) to ignore specific checks: + +- Inline directive is supported +- Directive before a paragraph applies to all rules in the paragraph +- Directive within the first 5 lines of a file applies to the whole file + +**Format** + +```sh +#aa:lint ignore= +``` + +**``** + +: Check id to ignore. + + +**Example** + +Ignore the `too-wide` check in the `dpkg` profile: + +!!! quote "" + + **[apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/094795cc6d628923b7454fd3a9289c44891edc62/apparmor.d/groups/apt/dpkg#L52-L61)** + ``` sh linenums="52" + #aa:lint ignore=too-wide + # Install/update packages + / r, + /*{,/} rw, + @{efi}/** rwl -> @{efi}/**, + /etc/** rwl -> /etc/**, + /opt/** rwl -> /opt/**, + /srv/** rwl -> /srv/**, + /usr/** rwlk -> /usr/**, + /var/** rwlk -> /var/**, + ``` + +## Description Template + + --- + title: id + --- + + # `id` + + + + ## Problematic rule + + ```sh + # WRONG + + ``` + + ## Correct rule + + ```sh + + ``` + + ## Rationale + + + + ## Exceptions + + None + + ## Related Resources diff --git a/zensical.toml b/zensical.toml index a112ce2435..4696364b2d 100644 --- a/zensical.toml +++ b/zensical.toml @@ -103,6 +103,32 @@ nav = [ "abstractions/mapping.md", ] }, ] }, + { "Linter" = [ + { "Linter" = [ + "linter/index.md", + ] }, + { "Security Checks" = [ + "linter/checks/abstractions.md", + "linter/checks/too-wide.md", + "linter/checks/transition.md", + "linter/checks/tunables.md", + ] }, + { "Compatibility Checks" = [ + "linter/checks/abi.md", + "linter/checks/bin.md", + "linter/checks/directory-mark.md", + "linter/checks/equivalent.md", + ] }, + { "Style Checks" = [ + "linter/checks/header.md", + "linter/checks/include.md", + "linter/checks/profile.md", + "linter/checks/tabs.md", + "linter/checks/trailing.md", + "linter/checks/useless.md", + "linter/checks/vim.md", + ] }, + ] }, ] # Navigation structure From c2056759fd61b5752d090425547e411e9a63d234 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Apr 2026 23:15:06 +0200 Subject: [PATCH 1668/1736] fix(profile): compilation issue. --- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 2a8977b102..4ab20933cc 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -33,7 +33,7 @@ profile deb-systemd-invoke @{exec_path} { @{bin}/systemd-run Cx -> run, - /tmp/tmp.@rand10} rw, + /tmp/tmp.@{rand10} rw, profile run { include From 0b5ee83f97232e7b704eecee93346d03bab3daea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Apr 2026 14:32:17 +0200 Subject: [PATCH 1669/1736] feat(profile): improve gnome profiles. --- .../bus/session/org.openprinting.PrintBackend | 37 ++++++++----------- apparmor.d/groups/browsers/epiphany | 3 ++ .../groups/freedesktop/xdg-desktop-portal-gtk | 2 + .../groups/gnome/gnome-extension-gsconnect | 8 ++-- apparmor.d/groups/gnome/gnome-session-service | 1 + apparmor.d/groups/gvfs/gvfsd-recent | 2 +- 6 files changed, 27 insertions(+), 26 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.openprinting.PrintBackend b/apparmor.d/abstractions/bus/session/org.openprinting.PrintBackend index a53b40acdf..68583bbb36 100644 --- a/apparmor.d/abstractions/bus/session/org.openprinting.PrintBackend +++ b/apparmor.d/abstractions/bus/session/org.openprinting.PrintBackend @@ -4,45 +4,38 @@ abi , - dbus send bus=session path=/ - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=print-backends-cups), - dbus send bus=session path=/ - interface=org.openprinting.PrintBackend - member=GetAllOptions - peer=(name=@{busname}, label=print-backends-cups), - dbus send bus=session path=/ - interface=org.openprinting.PrintBackend - member=GetAllPrinters - peer=(name=@{busname}, label=print-backends-cups), - dbus send bus=session path=/ - interface=org.openprinting.PrintBackend - member=getChoiceTranslation - peer=(name=@{busname}, label=print-backends-cups), + #aa:dbus see bus=session name=org.openprinting.PrintBackend path=/ label=print-backends-cups + + # openprinting.PrintBackend + dbus send bus=session path=/ interface=org.openprinting.PrintBackend - member=getDefaultPrinter + member={GetAllOptions,GetAllPrinters} peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ interface=org.openprinting.PrintBackend - member=getGroupTranslation + member={getChoiceTranslation,getDefaultPrinter,getPrinterState} peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ interface=org.openprinting.PrintBackend - member=getOptionTranslation + member={getGroupTranslation,getOptionTranslation} peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ interface=org.openprinting.PrintBackend - member=getPrinterState + member=isAcceptingJobs peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ interface=org.openprinting.PrintBackend - member=isAcceptingJobs + member=printSocket peer=(name=@{busname}, label=print-backends-cups), + dbus send bus=session path=/ interface=org.openprinting.PrintBackend - member=printSocket + member=doListing peer=(name=@{busname}, label=print-backends-cups), include if exists diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 5bb766c8c6..6628e42159 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -10,6 +10,7 @@ include profile epiphany @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -52,9 +53,11 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/org.gnome.Epiphany.WebApp_@{hex}/{,**} rw, + owner @{tmp}/ContentRuleList-@{rand6} rw, owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, + owner @{tmp}/SerializedNFA-@{rand6} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index e8712fb040..2c795436bd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -48,6 +48,8 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + owner @{user_config_dirs}/autostart/ w, + owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index a481812545..bed0ff2491 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -83,16 +83,17 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { /snap/*/@{uid}/**.@{icon_ext} r, /usr/share/**.@{icon_ext} r, + /var/lib/flatpak/appstream/**/icons/{,**} r, owner @{user_cache_dirs}/gsconnect/{,**} rw, - owner @{user_cache_dirs}/*/**.png r, + owner @{user_cache_dirs}/*/**.@{icon_ext} r, owner @{user_config_dirs}/gsconnect/{,**} rw, owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{HOME}/.mozilla/firefox{,-esr}/firefox-mpris/@{word}.png r, - owner @{HOME}/.var/app/*/**.png r, + owner @{HOME}/.mozilla/firefox{,-esr}/firefox-mpris/@{word}.@{icon_ext} r, + owner @{HOME}/.var/app/*/**.@{icon_ext} r, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, @@ -107,6 +108,7 @@ profile gnome-extension-gsconnect @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index a4b5bec16e..f89170afee 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -45,6 +45,7 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/autostart/{,*.desktop} r, + owner @{user_state_dirs}/ w, owner @{user_state_dirs}/gnome-session@*.state r, @{run}/systemd/sessions/{,@{l}}@{int}{,.ref} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index b0d1972ef0..93bf6abd4e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-recent -profile gvfsd-recent @{exec_path} { +profile gvfsd-recent @{exec_path} flags=(attach_disconnected) { include include include From 5696f2f5872cc3c0894b2f09354c1647e188412a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Apr 2026 14:36:07 +0200 Subject: [PATCH 1670/1736] feat(profile): improve some electron based profiles. --- apparmor.d/profiles-m-r/protonmail | 4 ++-- apparmor.d/profiles-s-z/spotify | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index cbdd8a5b8e..a381ac4b81 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -7,13 +7,13 @@ abi , include -@{name} = proton-mail "Proton Mail" +@{name} = protonmail proton-mail Proton?Mail @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} /usr/share/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton?Mail +@{exec_path} = @{bin}/@{name} /opt/proton-mail/@{name} profile protonmail @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 46b6b7394d..f48524de76 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -67,7 +67,12 @@ profile spotify @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + deny dbus bus=session interface=org.freedesktop.systemd1.Manager, + deny dbus bus=system interface=org.freedesktop.login1.Manager, + deny owner @{HOME}/.tmp* rw, + deny /var/tmp/ r, deny @{PROC}/pressure/* r, + deny /dev/bus/usb/** w, include if exists } From 4b467ee016c43d9fb5cc3e267c58873e95871d0a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Apr 2026 14:37:30 +0200 Subject: [PATCH 1671/1736] feat(abs): improve sys/dmi. --- apparmor.d/abstractions/sys/dmi | 2 +- apparmor.d/abstractions/sys/dmi-full | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/sys/dmi b/apparmor.d/abstractions/sys/dmi index f8ae65aa74..ccb344ac3a 100644 --- a/apparmor.d/abstractions/sys/dmi +++ b/apparmor.d/abstractions/sys/dmi @@ -7,7 +7,7 @@ # DMI is a standard framework for managing and tracking hardware components in a # computer. # -# It is a light version of that leaks only the most +# It is a light version of `` that leaks only the most # basic identity information and no version strings. abi , diff --git a/apparmor.d/abstractions/sys/dmi-full b/apparmor.d/abstractions/sys/dmi-full index 3caafbcb6c..184f1140de 100644 --- a/apparmor.d/abstractions/sys/dmi-full +++ b/apparmor.d/abstractions/sys/dmi-full @@ -24,7 +24,9 @@ @{sys}/devices/virtual/dmi/id/chassis_type r, # Chassis form factor (numeric) @{sys}/devices/virtual/dmi/id/chassis_vendor r, # Chassis manufacturer @{sys}/devices/virtual/dmi/id/chassis_version r, # Chassis version + @{sys}/devices/virtual/dmi/id/product_serial r, # Product serial number @{sys}/devices/virtual/dmi/id/product_sku r, # Product SKU identifier + @{sys}/devices/virtual/dmi/id/product_uuid r, # Product UUID @{sys}/devices/virtual/dmi/id/product_version r, # Product version include if exists From 3e3c3730c6aea0a0be2758a891b239992718e442 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Apr 2026 14:52:26 +0200 Subject: [PATCH 1672/1736] build: initial structure for the base / tools / and prebuilt packages. --- Justfile | 60 +++++++++++++++++++++++++++++++++++++++++++++++++------- PKGBUILD | 33 +++++++++++++++---------------- 2 files changed, 69 insertions(+), 24 deletions(-) diff --git a/Justfile b/Justfile index 2d9c82ceb5..07feaf914a 100644 --- a/Justfile +++ b/Justfile @@ -155,9 +155,23 @@ server-fsp-complain: build server-fsp-debug: build @./{{build}}/prebuild --buildir {{build}} --server --full --complain --debug -# Install prebuild profiles +# Install base abstraction, tunable and booleans +[group('install')] +install-base: + #!/usr/bin/env bash + set -eu -o pipefail + mapfile -t files < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") + for file in "${files[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" + done + mapfile -t files < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") + for file in "${files[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" + done + +# Install apparmor.d tools [group('install')] -install: +install-tools: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log @@ -165,6 +179,36 @@ install: for file in "${share[@]}"; do install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" done + +# Install prebuilt profiles +[group('install')] +install-prebuilt: + #!/usr/bin/env bash + set -eu -o pipefail + mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -not -path "*/abstractions/*" -not -path "*/tunables/*" -printf "%P\n") + for file in "${aa[@]}"; do + #install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/usr/share/apparmor.d/$file" + install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done + mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") + for file in "${links[@]}"; do + mkdir -p "{{destdir}}/etc/apparmor.d/disable" + cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done + for file in "{{build}}/systemd/system/"*; do + service="$(basename "$file")" + install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf" + done + for file in "{{build}}/systemd/user/"*; do + service="$(basename "$file")" + install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" + done + +# Install prebuild profiles +[group('install')] +install: install-tools + #!/usr/bin/env bash + set -eu -o pipefail mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") for file in "${aa[@]}"; do install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" @@ -264,21 +308,23 @@ build-rpm: (_ensure_pkgdest) # Build & install apparmor.d on Arch based systems [group('packages')] -pkg name="": (build-pkg) +pkg: build-pkg @sudo pacman -U --noconfirm \ - {{pkgdest}}/{{pkgname}}{{ if name != "" { "." + name } else { "" } }}-`just version`*.pkg.tar.zst + {{pkgdest}}/{{pkgname}}-`just version`*.pkg.tar.zst \ + {{pkgdest}}/{{pkgname}}-base-`just version`*.pkg.tar.zst \ + {{pkgdest}}/{{pkgname}}-tools-`just version`*.pkg.tar.zst # Build & install apparmor.d on Debian based systems [group('packages')] -dpkg name="": (build-dpkg) +dpkg name="": build-dpkg @sudo dpkg -i \ {{pkgdest}}/{{pkgname}}{{ if name != "" { "." + name } else { "" } }}_`just version`*.deb # Build & install apparmor.d on OpenSUSE based systems [group('packages')] -rpm name="": (build-rpm) +rpm: build-rpm @sudo rpm -ivh --force \ - {{pkgdest}}/{{pkgname}}{{ if name != "" { "." + name } else { "" } }}-`just version`*.rpm + {{pkgdest}}/{{pkgname}}-`just version`*.rpm # Run the linters [group('linter')] diff --git a/PKGBUILD b/PKGBUILD index 010a716a29..2935d436c3 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -6,8 +6,8 @@ pkgbase=apparmor.d pkgname=( apparmor.d - # apparmor.d-base - # apparmor.d-tools + apparmor.d-base + apparmor.d-tools ) pkgver=0.4907.0 pkgrel=1 @@ -36,22 +36,21 @@ build() { } package_apparmor.d() { - # depends+=('apparmor.d-base' 'apparmor.d-tools') + depends+=('apparmor.d-base' 'apparmor.d-tools') + arch=("any") cd "$srcdir/$pkgbase" - just destdir="$pkgdir" install -# just destdir="$pkgdir" install-tools -# just destdir="$pkgdir" install-base -# just destdir="$pkgdir" install-prebuilt + just destdir="$pkgdir" install-prebuilt } -# package_apparmor.d-base() { -# pkgdesc="$pkgdesc (base abstractions, tunables, and booleans)" -# cd "$srcdir/$pkgbase" -# just destdir="$pkgdir" install-base -# } +package_apparmor.d-base() { + pkgdesc="$pkgdesc (base abstractions, tunables, and booleans)" + arch=("any") + cd "$srcdir/$pkgbase" + just destdir="$pkgdir" install-base +} -# package_apparmor.d-tools() { -# pkgdesc="$pkgdesc (userland toolings)" -# cd "$srcdir/$pkgbase" -# just destdir="$pkgdir" install-tools -# } +package_apparmor.d-tools() { + pkgdesc="$pkgdesc (userland toolings)" + cd "$srcdir/$pkgbase" + just destdir="$pkgdir" install-tools +} From e8cb660e1f00024d96d4dfbe1d955613562fd8d6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 18 Apr 2026 15:05:47 +0200 Subject: [PATCH 1673/1736] feat(abs): improve some abstractions. --- apparmor.d/abstractions/app/open | 2 +- apparmor.d/abstractions/flatpak/base | 6 ++++++ apparmor.d/abstractions/flatpak/features/per-app-dev-shm | 6 +++--- apparmor.d/abstractions/java | 2 ++ apparmor.d/abstractions/media-control | 1 + apparmor.d/abstractions/user-read | 5 ++++- 6 files changed, 17 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 4052f16fc4..0dc3a3a53f 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Full set of rules for desktop generic open-* used in child-open-* profiles. +# Full set of rules for desktop generic `open-*` used in `child-open-*` profiles. abi , diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index 7f28c90835..ea27c96a70 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -131,6 +131,9 @@ # Human-readable thread status @{PROC}/@{pid}/task/@{tid}/status r, + # + @{PROC}/cgroups r, + # Uptime @{PROC}/uptime r, @{PROC}/loadavg r, @@ -193,6 +196,9 @@ # measure approximately how much memory a process is using. owner @{PROC}/@{pid}/clear_refs w, + # Control which memory segments are written to the core dump file + owner @{PROC}/@{pid}/coredump_filter rw, + # Allow reading command line arguments for process identification owner @{PROC}/@{pid}/cmdline rk, owner @{PROC}/@{pid}/comm rk, diff --git a/apparmor.d/abstractions/flatpak/features/per-app-dev-shm b/apparmor.d/abstractions/flatpak/features/per-app-dev-shm index 71ebc3ed88..acbaf5e104 100644 --- a/apparmor.d/abstractions/flatpak/features/per-app-dev-shm +++ b/apparmor.d/abstractions/flatpak/features/per-app-dev-shm @@ -3,11 +3,11 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# The per-app-dev-shm feature shares a single instance of /dev/shm between the +# The per-app-dev-shm feature shares a single instance of `/dev/shm` between the # application, any unrestricted subsandboxes that it creates, and any other # instances of the application that are launched while it is running. - -# We should theoretically allow all access of /dev/shm/ here. However, as it is +# +# We should theoretically allow all access of `/dev/shm/` here. However, as it is # a potential source of information leaks and confinement escapes, we only allow, # we only allow some well-known paths that are used by the application. # Baseapp can be used to allow access to more paths if needed. diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java index 91472d21e7..01597230c1 100644 --- a/apparmor.d/abstractions/java +++ b/apparmor.d/abstractions/java @@ -9,6 +9,8 @@ /etc/java/{,**} r, /etc/java-*/{,**} r, + owner @{PROC}/@{pid}/coredump_filter rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control index b4fbc0f34c..20bc59fc4c 100644 --- a/apparmor.d/abstractions/media-control +++ b/apparmor.d/abstractions/media-control @@ -4,6 +4,7 @@ # SPDX-License-Identifier: GPL-2.0-only # Allows access to media controller such as microphones, and video capture hardware. +# # See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst abi , diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index bd350186b9..94b677d27a 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -2,7 +2,10 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Warning: This abstraction gives unrestricted read access on all non hidden user directories. +# !!! warning +# +# This abstraction gives unrestricted read access on all non hidden user directories. +# abi , From c880c1f2e5e5ee45f297a05bfe3f86e529fe1fab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Apr 2026 16:56:14 +0200 Subject: [PATCH 1674/1736] refractor(aa): move path related tool in paths. --- pkg/paths/paths.go | 30 ++++++++++++- pkg/paths/paths_test.go | 97 +++++++++++++++++++++++++++++++++++++++++ pkg/util/tools.go | 9 ---- pkg/util/tools_test.go | 62 -------------------------- 4 files changed, 125 insertions(+), 73 deletions(-) create mode 100644 pkg/paths/paths_test.go diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index 1cdaeaa0f2..0004dd9155 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -35,14 +35,29 @@ import ( "io/fs" "os" "path/filepath" + "regexp" "slices" "strings" "syscall" "time" +) - "github.com/roddhjav/apparmor.d/pkg/util" +var ( + Comment = `#` + regFilter = []*regexp.Regexp{ + regexp.MustCompile(`\s*` + Comment + `.*`), + regexp.MustCompile(`(?m)^(?:[\t\s]*(?:\r?\n|\r))+`), + } ) +// Filter out comments and empty lines from a string. +func Filter(src string) string { + for _, re := range regFilter { + src = re.ReplaceAllLiteralString(src, "") + } + return src +} + // Path represents a path type Path struct { path string @@ -210,6 +225,17 @@ func (p *Path) IsInsideDir(dir *Path) (bool, error) { rel != ".", nil } +// IsInsideAnyDir returns true if the current path is inside any of the +// provided dirs. +func (p *Path) IsInsideAnyDir(dirs []*Path) bool { + for _, d := range dirs { + if inside, _ := p.IsInsideDir(d); inside { + return true + } + } + return false +} + // Parent returns all but the last element of path, typically the path's // directory or the parent directory if the path is already a directory func (p *Path) Parent() *Path { @@ -555,7 +581,7 @@ func (p *Path) MustReadFilteredFileAsLines() []string { } txt := string(data) txt = strings.ReplaceAll(txt, "\r\n", "\n") - txt = util.Filter(txt) + txt = Filter(txt) res := strings.Split(txt, "\n") if slices.Contains(res, "") { idx := slices.Index(res, "") diff --git a/pkg/paths/paths_test.go b/pkg/paths/paths_test.go new file mode 100644 index 0000000000..497cbb139d --- /dev/null +++ b/pkg/paths/paths_test.go @@ -0,0 +1,97 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package paths + +import "testing" + +func Test_Filter(t *testing.T) { + tests := []struct { + name string + src string + want string + }{ + { + name: "comment", + src: "# comment", + want: "", + }, + { + name: "comment with space", + src: " # comment", + want: "", + }, + { + name: "no comment", + src: "no comment", + want: "no comment", + }, + { + name: "no comment # comment", + src: "no comment # comment", + want: "no comment", + }, + { + name: "empty", + src: ` + +`, + want: ``, + }, + { + name: "main", + src: ` +# Common profile flags definition for all distributions +# File format: one profile by line using the format: ' ' + +bwrap attach_disconnected,mediate_deleted,complain +bwrap-app attach_disconnected,complain + +akonadi_akonotes_resource complain # Dev +gnome-disks complain + +`, + want: `bwrap attach_disconnected,mediate_deleted,complain +bwrap-app attach_disconnected,complain +akonadi_akonotes_resource complain +gnome-disks complain +`, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + gotLine := Filter(tt.src) + if gotLine != tt.want { + t.Errorf("FilterComment() got = |%v|, want |%v|", gotLine, tt.want) + } + }) + } +} + +func TestIsInsideAnyDir(t *testing.T) { + tests := []struct { + name string + p string + dirs []string + want bool + }{ + {name: "empty dirs", p: "/a/b/c", dirs: nil, want: false}, + {name: "direct child", p: "/a/b/c", dirs: []string{"/a/b"}, want: true}, + {name: "nested descendant", p: "/a/b/c/d/e", dirs: []string{"/a/b"}, want: true}, + {name: "sibling not under", p: "/a/bc/d", dirs: []string{"/a/b"}, want: false}, + {name: "equal path is not under", p: "/a/b", dirs: []string{"/a/b"}, want: false}, + {name: "matches one of many", p: "/x/y/z", dirs: []string{"/a", "/x", "/p"}, want: true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + var dirs []*Path + for _, d := range tt.dirs { + dirs = append(dirs, New(d)) + } + if got := New(tt.p).IsInsideAnyDir(dirs); got != tt.want { + t.Errorf("IsInsideAnyDir(%q, %v) = %v, want %v", tt.p, tt.dirs, got, tt.want) + } + }) + } +} diff --git a/pkg/util/tools.go b/pkg/util/tools.go index 749a97e629..0aaab53d3e 100644 --- a/pkg/util/tools.go +++ b/pkg/util/tools.go @@ -10,11 +10,6 @@ import ( ) var ( - Comment = `#` - regFilter = ToRegexRepl([]string{ - `\s*` + Comment + `.*`, ``, - `(?m)^(?:[\t\s]*(?:\r?\n|\r))+`, ``, - }) regHex = map[string]*regexp.Regexp{ "name": regexp.MustCompile(`name=[0-9A-F]+`), "comm": regexp.MustCompile(`comm=[0-9A-F]+`), @@ -63,7 +58,3 @@ func DecodeHexInString(str string) string { return str } -// Filter out comments and empty line from a string -func Filter(src string) string { - return regFilter.Replace(src) -} diff --git a/pkg/util/tools_test.go b/pkg/util/tools_test.go index e8b2bb8373..bc74e6999d 100644 --- a/pkg/util/tools_test.go +++ b/pkg/util/tools_test.go @@ -88,65 +88,3 @@ func TestRegexReplList_Replace(t *testing.T) { } } -func Test_Filter(t *testing.T) { - tests := []struct { - name string - src string - want string - }{ - { - name: "comment", - src: "# comment", - want: "", - }, - { - name: "comment with space", - src: " # comment", - want: "", - }, - { - name: "no comment", - src: "no comment", - want: "no comment", - }, - { - name: "no comment # comment", - src: "no comment # comment", - want: "no comment", - }, - { - name: "empty", - src: ` - -`, - want: ``, - }, - { - name: "main", - src: ` -# Common profile flags definition for all distributions -# File format: one profile by line using the format: ' ' - -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,complain - -akonadi_akonotes_resource complain # Dev -gnome-disks complain - -`, - want: `bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,complain -akonadi_akonotes_resource complain -gnome-disks complain -`, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - gotLine := Filter(tt.src) - if gotLine != tt.want { - t.Errorf("FilterComment() got = |%v|, want |%v|", gotLine, tt.want) - } - }) - } -} From 9e107446eeef497419aa4715cae67ad327919f99 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Apr 2026 16:57:36 +0200 Subject: [PATCH 1675/1736] feat(prebuild): remove deprecated server configuration task. --- pkg/configure/server.go | 109 ---------------------------------------- 1 file changed, 109 deletions(-) delete mode 100644 pkg/configure/server.go diff --git a/pkg/configure/server.go b/pkg/configure/server.go deleted file mode 100644 index 3bf461f4ab..0000000000 --- a/pkg/configure/server.go +++ /dev/null @@ -1,109 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2026 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package configure - -import ( - "fmt" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/tasks" -) - -var ( - serverIgnorePatterns = []string{ - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - } - serverIgnoreGroups = []string{ - "akonadi", - "avahi", - "bluetooth", - "browsers", - "cosmic", - "cups", - "display-manager", - "flatpak", - "freedesktop", - "gnome", - "gvfs", - "hyprland", - "kde", - "lxqt", - "steam", - "xfce", - "zed", - } -) - -type Server struct { - tasks.BaseTask -} - -// NewServer creates a new Server task. -func NewServer() *Server { - return &Server{ - BaseTask: tasks.BaseTask{ - Keyword: "server", - Msg: "Configure AppArmor for server", - }, - } -} - -func (p Server) Apply() ([]string, error) { - res := []string{} - - // Ignore desktop related groups - groupNb := 0 - for _, group := range serverIgnoreGroups { - path := p.RootApparmor.Join("groups", group) - if path.IsDir() { - if err := path.RemoveAll(); err != nil { - return res, err - } - groupNb++ - } else { - res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) - } - } - - // Ignore profiles using a desktop related abstraction - fileNb := 0 - files, _ := p.RootApparmor.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := file.ReadFileAsString() - if err != nil { - return res, err - } - for _, pattern := range serverIgnorePatterns { - if strings.Contains(profile, pattern) { - if err := file.RemoveAll(); err != nil { - return res, err - } - fileNb++ - break - } - } - } - - res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) - res = append(res, fmt.Sprintf("%d profiles ignored", fileNb)) - return res, nil -} From eab7f50128cf87c3194a3c056268fb8e8c76bdcb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Apr 2026 17:33:56 +0200 Subject: [PATCH 1676/1736] chore(pkg): remove windows onlt paths function. --- pkg/paths/process.go | 9 +-------- pkg/paths/process_linux.go | 4 ---- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/pkg/paths/process.go b/pkg/paths/process.go index ebfe713435..e9e96ce427 100644 --- a/pkg/paths/process.go +++ b/pkg/paths/process.go @@ -55,8 +55,7 @@ func NewProcess(extraEnv []string, args ...string) (*Process, error) { cmd: exec.Command(args[0], args[1:]...), } p.cmd.Env = append(os.Environ(), extraEnv...) - tellCommandNotToSpawnShell(p.cmd) // windows specific - tellCommandToStartOnNewProcessGroup(p.cmd) // linux specific + tellCommandToStartOnNewProcessGroup(p.cmd) // linux and macosx specific // This is required because some tools detects if the program is running // from terminal by looking at the stdin/out bindings. @@ -65,12 +64,6 @@ func NewProcess(extraEnv []string, args ...string) (*Process, error) { return p, nil } -// TellCommandNotToSpawnShell avoids that the specified Cmd display a small -// command prompt while runnning on Windows. It has no effects on other OS. -func (p *Process) TellCommandNotToSpawnShell() { - tellCommandNotToSpawnShell(p.cmd) -} - // NewProcessFromPath creates a command from the provided executable path, // additional environment vars (in addition to the system default ones) // and command line arguments. diff --git a/pkg/paths/process_linux.go b/pkg/paths/process_linux.go index 5735a85c38..7e43d1ff3a 100644 --- a/pkg/paths/process_linux.go +++ b/pkg/paths/process_linux.go @@ -36,10 +36,6 @@ import ( "syscall" ) -func tellCommandNotToSpawnShell(_ *exec.Cmd) { - // no op -} - func tellCommandToStartOnNewProcessGroup(oscmd *exec.Cmd) { // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8 From 00f425ebfb8f32aca60ca09924f2d8aaf96a0c76 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Apr 2026 17:34:37 +0200 Subject: [PATCH 1677/1736] chore(pkg): use os instead of io/ioutil --- pkg/paths/constructors.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkg/paths/constructors.go b/pkg/paths/constructors.go index e3b70c9212..853d033c51 100644 --- a/pkg/paths/constructors.go +++ b/pkg/paths/constructors.go @@ -30,7 +30,6 @@ package paths import ( - "io/ioutil" "os" ) @@ -49,7 +48,7 @@ func TempDir() *Path { // the new directory. If dir is the empty string, TempDir uses the // default directory for temporary files func MkTempDir(dir, prefix string) (*Path, error) { - path, err := ioutil.TempDir(dir, prefix) + path, err := os.MkdirTemp(dir, prefix) if err != nil { return nil, err } @@ -66,7 +65,7 @@ func MkTempFile(dir *Path, prefix string) (*os.File, error) { if dir != nil { tmpDir = dir.String() } - return ioutil.TempFile(tmpDir, prefix) + return os.CreateTemp(tmpDir, prefix) } // Getwd returns a rooted path name corresponding to the current From 5427a23cb8c83c79180ea2691abf78916fef9301 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Apr 2026 22:24:10 +0200 Subject: [PATCH 1678/1736] feat(pkg): minor update to the paths lib. --- pkg/paths/constructors.go | 32 +++-------------- pkg/paths/doc.go | 12 +++++++ pkg/paths/list.go | 46 ++++++++++-------------- pkg/paths/paths.go | 36 +++---------------- pkg/paths/process.go | 73 +++++++++++++++++--------------------- pkg/paths/process_linux.go | 30 ++-------------- pkg/paths/readdir.go | 32 +++-------------- 7 files changed, 79 insertions(+), 182 deletions(-) create mode 100644 pkg/paths/doc.go diff --git a/pkg/paths/constructors.go b/pkg/paths/constructors.go index 853d033c51..2c6f6caef7 100644 --- a/pkg/paths/constructors.go +++ b/pkg/paths/constructors.go @@ -1,31 +1,7 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. - */ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only package paths diff --git a/pkg/paths/doc.go b/pkg/paths/doc.go new file mode 100644 index 0000000000..d18ff4c1c0 --- /dev/null +++ b/pkg/paths/doc.go @@ -0,0 +1,12 @@ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +// Paths is a library that provides a set of utilities to work with file paths in a platform-independent way. +// It includes functions for creating temporary directories and files, handling null paths, and more. +// It is designed to be used in Go applications that require file system operations without worrying about +// platform-specific details. +// Based on go-paths-helper (GPL2 version) with minor modifications and improvements. +// See https://github.com/arduino/go-paths-helper for more details and documentation. +package paths diff --git a/pkg/paths/list.go b/pkg/paths/list.go index fbab13c5f5..9f9975670c 100644 --- a/pkg/paths/list.go +++ b/pkg/paths/list.go @@ -1,31 +1,7 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. - */ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only package paths @@ -63,6 +39,20 @@ func (p *PathList) AsStrings() []string { return res } +// Equals returns true if the current PathList is equal to the +// PathList passed as argument +func (p *PathList) Equals(other PathList) bool { + if len(*p) != len(other) { + return false + } + for i, path := range *p { + if !path.EqualsTo(other[i]) { + return false + } + } + return true +} + // FilterDirs remove all entries except directories func (p *PathList) FilterDirs() { res := (*p)[:0] diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index 0004dd9155..46148bd21e 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -1,31 +1,7 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. - */ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only package paths @@ -674,9 +650,7 @@ func (p *Path) String() string { func (p *Path) Canonical() *Path { canonical := p.Clone() // https://github.com/golang/go/issues/17084#issuecomment-246645354 - if err := canonical.FollowSymLink(); err != nil { - return nil - } + _ = canonical.FollowSymLink() if absPath, err := canonical.Abs(); err == nil { canonical = absPath } diff --git a/pkg/paths/process.go b/pkg/paths/process.go index e9e96ce427..20fad233e4 100644 --- a/pkg/paths/process.go +++ b/pkg/paths/process.go @@ -1,31 +1,7 @@ -// // This file is part of PathsHelper library. -// -// Copyright 2023 Arduino AG (http://www.arduino.cc/) -// -// PathsHelper library is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; either version 2 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License -// along with this program; if not, write to the Free Software -// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -// -// As a special exception, you may use this file as part of a free software -// library without restriction. Specifically, if other files instantiate -// templates or use macros or inline functions from this file, or you compile -// this file and link it with other files to produce an executable, this -// file does not by itself cause the resulting executable to be covered by -// the GNU General Public License. This exception does not however -// invalidate any other reasons why the executable file might be covered by -// the GNU General Public License. -// +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only package paths @@ -79,10 +55,10 @@ func (p *Process) RedirectStdoutTo(out io.Writer) { p.cmd.Stdout = out } -// RedirectStderrTo will redirect the process' stdout to the specified +// RedirectStderrTo will redirect the process' stderr to the specified // writer. Any previous redirection will be overwritten. -func (p *Process) RedirectStderrTo(out io.Writer) { - p.cmd.Stderr = out +func (p *Process) RedirectStderrTo(err io.Writer) { + p.cmd.Stderr = err } // StdinPipe returns a pipe that will be connected to the command's standard @@ -131,6 +107,21 @@ func (p *Process) Wait() error { return p.cmd.Wait() } +// WaitWithinContext wait for the process to complete. If the given context is canceled +// before the normal process termination, the process is killed. +func (p *Process) WaitWithinContext(ctx context.Context) error { + completed := make(chan struct{}) + defer close(completed) + go func() { + select { + case <-ctx.Done(): + p.Kill() + case <-completed: + } + }() + return p.Wait() +} + // Signal sends a signal to the Process. Sending Interrupt on Windows is not implemented. func (p *Process) Signal(sig os.Signal) error { return p.cmd.Process.Signal(sig) @@ -181,16 +172,7 @@ func (p *Process) RunWithinContext(ctx context.Context) error { if err := p.Start(); err != nil { return err } - completed := make(chan struct{}) - defer close(completed) - go func() { - select { - case <-ctx.Done(): - p.Kill() - case <-completed: - } - }() - return p.Wait() + return p.WaitWithinContext(ctx) } // RunAndCaptureOutput starts the specified command and waits for it to complete. If the given context @@ -205,6 +187,17 @@ func (p *Process) RunAndCaptureOutput(ctx context.Context) ([]byte, []byte, erro return stdout.Bytes(), stderr.Bytes(), err } +// RunAndCaptureCombinedOutput starts the specified command and waits for it to complete. If the given context +// is canceled before the normal process termination, the process is killed. The standard output and +// standard error of the process are captured and returned combined at process termination. +func (p *Process) RunAndCaptureCombinedOutput(ctx context.Context) ([]byte, error) { + out := &bytes.Buffer{} + p.RedirectStdoutTo(out) + p.RedirectStderrTo(out) + err := p.RunWithinContext(ctx) + return out.Bytes(), err +} + // GetArgs returns the command arguments func (p *Process) GetArgs() []string { return p.cmd.Args diff --git a/pkg/paths/process_linux.go b/pkg/paths/process_linux.go index 7e43d1ff3a..c56f8a025f 100644 --- a/pkg/paths/process_linux.go +++ b/pkg/paths/process_linux.go @@ -1,31 +1,7 @@ -// // This file is part of PathsHelper library. -// -// Copyright 2023 Arduino AG (http://www.arduino.cc/) -// -// PathsHelper library is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; either version 2 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License -// along with this program; if not, write to the Free Software -// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -// -// As a special exception, you may use this file as part of a free software -// library without restriction. Specifically, if other files instantiate -// templates or use macros or inline functions from this file, or you compile -// this file and link it with other files to produce an executable, this -// file does not by itself cause the resulting executable to be covered by -// the GNU General Public License. This exception does not however -// invalidate any other reasons why the executable file might be covered by -// the GNU General Public License. -// +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only //go:build !windows diff --git a/pkg/paths/readdir.go b/pkg/paths/readdir.go index 985fed5464..d4ff88fe67 100644 --- a/pkg/paths/readdir.go +++ b/pkg/paths/readdir.go @@ -1,31 +1,7 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018-2022 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. - */ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only package paths From 60819f4827abe4eea5878f0991e590584eead8d3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Apr 2026 22:28:41 +0200 Subject: [PATCH 1679/1736] tests(pkg): add unit tests to the paths lib. --- pkg/paths/list_test.go | 424 +++++++ pkg/paths/paths_test.go | 1050 ++++++++++++++++- pkg/paths/process_test.go | 64 + pkg/paths/readdir_test.go | 460 ++++++++ .../paths/broken_symlink/dir_1/broken_link | 1 + .../testdata/paths/broken_symlink/dir_1/file2 | 0 .../paths/broken_symlink/dir_1/linked_dir | 1 + .../paths/broken_symlink/dir_1/linked_file | 1 + .../paths/broken_symlink/dir_1/real_dir/file1 | 0 tests/testdata/paths/delay/.gitignore | 1 + tests/testdata/paths/delay/main.go | 16 + tests/testdata/paths/fileset/anotherFile | 4 + tests/testdata/paths/fileset/file | 0 tests/testdata/paths/fileset/folder/.hidden | 0 tests/testdata/paths/fileset/folder/file2 | 0 tests/testdata/paths/fileset/folder/file3 | 0 .../paths/fileset/folder/subfolder/file4 | 0 tests/testdata/paths/fileset/symlinktofolder | 1 + tests/testdata/paths/loops/loop_1/dir1/loop | 1 + tests/testdata/paths/loops/loop_2/dir1/loop2 | 1 + tests/testdata/paths/loops/loop_2/dir2/loop1 | 1 + tests/testdata/paths/loops/loop_3/dir1/loop2 | 1 + .../paths/loops/loop_3/dir2/dir3/loop2 | 1 + .../paths/loops/loop_4/dir1/dir2/loop2 | 1 + .../paths/loops/loop_4/dir1/dir3/dir4/loop1 | 1 + .../testdata/paths/loops/regular_1/dir1/file1 | 0 tests/testdata/paths/loops/regular_1/dir2 | 1 + .../testdata/paths/loops/regular_2/dir1/file1 | 0 .../testdata/paths/loops/regular_2/dir2/dir1 | 1 + .../testdata/paths/loops/regular_2/dir2/file2 | 0 .../testdata/paths/loops/regular_3/dir1/file1 | 0 .../testdata/paths/loops/regular_3/dir2/dir1 | 1 + .../testdata/paths/loops/regular_3/dir2/file2 | 0 tests/testdata/paths/loops/regular_3/link | 1 + .../dir1/file1 | 0 .../regular_4_with_permission_error/dir2/dir1 | 1 + .../dir2/file2 | 0 .../regular_4_with_permission_error/link | 1 + 38 files changed, 2025 insertions(+), 11 deletions(-) create mode 100644 pkg/paths/list_test.go create mode 100644 pkg/paths/process_test.go create mode 100644 pkg/paths/readdir_test.go create mode 120000 tests/testdata/paths/broken_symlink/dir_1/broken_link create mode 100644 tests/testdata/paths/broken_symlink/dir_1/file2 create mode 120000 tests/testdata/paths/broken_symlink/dir_1/linked_dir create mode 120000 tests/testdata/paths/broken_symlink/dir_1/linked_file create mode 100644 tests/testdata/paths/broken_symlink/dir_1/real_dir/file1 create mode 100644 tests/testdata/paths/delay/.gitignore create mode 100644 tests/testdata/paths/delay/main.go create mode 100644 tests/testdata/paths/fileset/anotherFile create mode 100644 tests/testdata/paths/fileset/file create mode 100644 tests/testdata/paths/fileset/folder/.hidden create mode 100644 tests/testdata/paths/fileset/folder/file2 create mode 100644 tests/testdata/paths/fileset/folder/file3 create mode 100644 tests/testdata/paths/fileset/folder/subfolder/file4 create mode 120000 tests/testdata/paths/fileset/symlinktofolder create mode 120000 tests/testdata/paths/loops/loop_1/dir1/loop create mode 120000 tests/testdata/paths/loops/loop_2/dir1/loop2 create mode 120000 tests/testdata/paths/loops/loop_2/dir2/loop1 create mode 120000 tests/testdata/paths/loops/loop_3/dir1/loop2 create mode 120000 tests/testdata/paths/loops/loop_3/dir2/dir3/loop2 create mode 120000 tests/testdata/paths/loops/loop_4/dir1/dir2/loop2 create mode 120000 tests/testdata/paths/loops/loop_4/dir1/dir3/dir4/loop1 create mode 100644 tests/testdata/paths/loops/regular_1/dir1/file1 create mode 120000 tests/testdata/paths/loops/regular_1/dir2 create mode 100644 tests/testdata/paths/loops/regular_2/dir1/file1 create mode 120000 tests/testdata/paths/loops/regular_2/dir2/dir1 create mode 100644 tests/testdata/paths/loops/regular_2/dir2/file2 create mode 100644 tests/testdata/paths/loops/regular_3/dir1/file1 create mode 120000 tests/testdata/paths/loops/regular_3/dir2/dir1 create mode 100644 tests/testdata/paths/loops/regular_3/dir2/file2 create mode 120000 tests/testdata/paths/loops/regular_3/link create mode 100644 tests/testdata/paths/loops/regular_4_with_permission_error/dir1/file1 create mode 120000 tests/testdata/paths/loops/regular_4_with_permission_error/dir2/dir1 create mode 100644 tests/testdata/paths/loops/regular_4_with_permission_error/dir2/file2 create mode 120000 tests/testdata/paths/loops/regular_4_with_permission_error/link diff --git a/pkg/paths/list_test.go b/pkg/paths/list_test.go new file mode 100644 index 0000000000..190915ffca --- /dev/null +++ b/pkg/paths/list_test.go @@ -0,0 +1,424 @@ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package paths + +import ( + "fmt" + "testing" +) + +func TestPathList_New(t *testing.T) { + tests := []struct { + name string + args []string + want string + len int + }{ + { + name: "empty", + args: nil, + want: "[]", + len: 0, + }, + { + name: "single", + args: []string{"test"}, + want: "[test]", + len: 1, + }, + { + name: "three", + args: []string{"a", "b", "c"}, + want: "[a b c]", + len: 3, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(tt.args...) + if len(list) != tt.len { + t.Fatalf("got len %d, want %d", len(list), tt.len) + } + if got := fmt.Sprintf("%s", list); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_Contains(t *testing.T) { + list := NewPathList("a", "b", "c") + tests := []struct { + name string + path string + want bool + }{ + { + name: "not-present", + path: "d", + want: false, + }, + { + name: "present", + path: "a", + want: true, + }, + { + name: "equivalent-not-considered", + path: "d/../a", + want: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := list.Contains(New(tt.path)); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_ContainsEquivalentTo(t *testing.T) { + list := NewPathList("a", "b", "c") + tests := []struct { + name string + path string + want bool + }{ + { + name: "not-present", + path: "d", + want: false, + }, + { + name: "present", + path: "a", + want: true, + }, + { + name: "equivalent", + path: "d/../a", + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := list.ContainsEquivalentTo(New(tt.path)); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_Equals(t *testing.T) { + base := NewPathList("a", "b", "c") + tests := []struct { + name string + a PathList + b PathList + want bool + }{ + { + name: "clone", + a: base, + b: base.Clone(), + want: true, + }, + { + name: "different-len", + a: base, + b: NewPathList("a", "b"), + want: false, + }, + { + name: "different-content", + a: base, + b: NewPathList("a", "b", "d"), + want: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := tt.a.Equals(tt.b); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_AddIfMissing(t *testing.T) { + tests := []struct { + name string + start []string + add string + want string + }{ + { + name: "add-new", + start: []string{"a", "b", "c"}, + add: "d", + want: "[a b c d]", + }, + { + name: "skip-existing", + start: []string{"a", "b", "c", "d"}, + add: "b", + want: "[a b c d]", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(tt.start...) + list.AddIfMissing(New(tt.add)) + if got := fmt.Sprintf("%s", list); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_AddAllMissing(t *testing.T) { + tests := []struct { + name string + start []string + add []string + want string + }{ + { + name: "mix-new-and-existing", + start: []string{"a", "b", "c", "d"}, + add: []string{"a", "e", "i", "o", "u"}, + want: "[a b c d e i o u]", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(tt.start...) + list.AddAllMissing(NewPathList(tt.add...)) + if got := fmt.Sprintf("%s", list); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_Sort(t *testing.T) { + tests := []struct { + name string + entries []string + before string + after string + }{ + { + name: "unsorted", + entries: []string{ + "pointless", "spare", "carve", "unwieldy", "empty", + "bow", "tub", "grease", "error", "energetic", + "depend", "property", + }, + before: "[pointless spare carve unwieldy empty bow tub grease error energetic depend property]", + after: "[bow carve depend empty energetic error grease pointless property spare tub unwieldy]", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(tt.entries...) + if got := fmt.Sprintf("%s", list); got != tt.before { + t.Errorf("before: got %v, want %v", got, tt.before) + } + list.Sort() + if got := fmt.Sprintf("%s", list); got != tt.after { + t.Errorf("after: got %v, want %v", got, tt.after) + } + }) + } +} + +var testFilterList = []string{ + "aaaa", + "bbbb", + "cccc", + "dddd", + "eeff", + "aaaa/bbbb", + "eeee/ffff", + "gggg/hhhh", +} + +func TestPathList_FilterPrefix(t *testing.T) { + tests := []struct { + name string + prefixes []string + want string + }{ + { + name: "single-a", + prefixes: []string{"a"}, + want: "[aaaa]", + }, + { + name: "single-b", + prefixes: []string{"b"}, + want: "[bbbb aaaa/bbbb]", + }, + { + name: "two-a-b", + prefixes: []string{"a", "b"}, + want: "[aaaa bbbb aaaa/bbbb]", + }, + { + name: "no-match", + prefixes: []string{"test"}, + want: "[]", + }, + { + name: "empty", + prefixes: nil, + want: "[]", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(testFilterList...) + list.FilterPrefix(tt.prefixes...) + if got := fmt.Sprintf("%s", list); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_FilterOutPrefix(t *testing.T) { + tests := []struct { + name string + prefixes []string + want string + }{ + { + name: "single-b", + prefixes: []string{"b"}, + want: "[aaaa cccc dddd eeff eeee/ffff gggg/hhhh]", + }, + { + name: "multi", + prefixes: []string{"b", "c", "h"}, + want: "[aaaa dddd eeff eeee/ffff]", + }, + { + name: "empty", + prefixes: nil, + want: "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(testFilterList...) + list.FilterOutPrefix(tt.prefixes...) + if got := fmt.Sprintf("%s", list); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_FilterSuffix(t *testing.T) { + tests := []struct { + name string + suffixes []string + want string + }{ + { + name: "single-a", + suffixes: []string{"a"}, + want: "[aaaa]", + }, + { + name: "two-a-h", + suffixes: []string{"a", "h"}, + want: "[aaaa gggg/hhhh]", + }, + { + name: "no-match", + suffixes: []string{"test"}, + want: "[]", + }, + { + name: "empty", + suffixes: nil, + want: "[]", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(testFilterList...) + list.FilterSuffix(tt.suffixes...) + if got := fmt.Sprintf("%s", list); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_FilterOutSuffix(t *testing.T) { + tests := []struct { + name string + suffixes []string + want string + }{ + { + name: "single-a", + suffixes: []string{"a"}, + want: "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", + }, + { + name: "two-a-h", + suffixes: []string{"a", "h"}, + want: "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff]", + }, + { + name: "no-match", + suffixes: []string{"test"}, + want: "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", + }, + { + name: "empty", + suffixes: nil, + want: "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(testFilterList...) + list.FilterOutSuffix(tt.suffixes...) + if got := fmt.Sprintf("%s", list); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} + +func TestPathList_Filter(t *testing.T) { + tests := []struct { + name string + fn func(p *Path) bool + want string + }{ + { + name: "base-equals-bbbb", + fn: func(p *Path) bool { return p.Base() == "bbbb" }, + want: "[bbbb aaaa/bbbb]", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list := NewPathList(testFilterList...) + list.Filter(tt.fn) + if got := fmt.Sprintf("%s", list); got != tt.want { + t.Errorf("got %v, want %v", got, tt.want) + } + }) + } +} diff --git a/pkg/paths/paths_test.go b/pkg/paths/paths_test.go index 497cbb139d..bcff1f51df 100644 --- a/pkg/paths/paths_test.go +++ b/pkg/paths/paths_test.go @@ -1,12 +1,36 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package paths -import "testing" +import ( + "bytes" + "path/filepath" + "strings" + "testing" +) -func Test_Filter(t *testing.T) { +var testdataRoot = "../../tests/testdata/paths" + +func pathEqualsTo(t *testing.T, expected string, actual *Path) { + t.Helper() + got := filepath.ToSlash(actual.String()) + if got != expected { + t.Errorf("got %v, want %v", got, expected) + } +} + +func makeTestPath(parts []string) *Path { + p := New(testdataRoot, "fileset") + for _, part := range parts { + p = p.Join(part) + } + return p +} + +func TestFilter(t *testing.T) { tests := []struct { name string src string @@ -69,19 +93,49 @@ gnome-disks complain } } -func TestIsInsideAnyDir(t *testing.T) { +func TestPath_IsInsideAnyDir(t *testing.T) { tests := []struct { name string p string dirs []string want bool }{ - {name: "empty dirs", p: "/a/b/c", dirs: nil, want: false}, - {name: "direct child", p: "/a/b/c", dirs: []string{"/a/b"}, want: true}, - {name: "nested descendant", p: "/a/b/c/d/e", dirs: []string{"/a/b"}, want: true}, - {name: "sibling not under", p: "/a/bc/d", dirs: []string{"/a/b"}, want: false}, - {name: "equal path is not under", p: "/a/b", dirs: []string{"/a/b"}, want: false}, - {name: "matches one of many", p: "/x/y/z", dirs: []string{"/a", "/x", "/p"}, want: true}, + { + name: "empty dirs", + p: "/a/b/c", + dirs: nil, + want: false, + }, + { + name: "direct child", + p: "/a/b/c", + dirs: []string{"/a/b"}, + want: true, + }, + { + name: "nested descendant", + p: "/a/b/c/d/e", + dirs: []string{"/a/b"}, + want: true, + }, + { + name: "sibling not under", + p: "/a/bc/d", + dirs: []string{"/a/b"}, + want: false, + }, + { + name: "equal path is not under", + p: "/a/b", + dirs: []string{"/a/b"}, + want: false, + }, + { + name: "matches one of many", + p: "/x/y/z", + dirs: []string{"/a", "/x", "/p"}, + want: true, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -95,3 +149,977 @@ func TestIsInsideAnyDir(t *testing.T) { }) } } + +func TestPath_New(t *testing.T) { + tests := []struct { + name string + args []string + want string + wantNil bool + }{ + { + name: "single", + args: []string{"path"}, + want: "path", + }, + { + name: "join", + args: []string{"path", "path"}, + want: filepath.Join("path", "path"), + }, + { + name: "no-args", + args: nil, + wantNil: true, + }, + { + name: "empty-string", + args: []string{""}, + wantNil: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := New(tt.args...) + if tt.wantNil { + if got != nil { + t.Errorf("expected nil, got %v", got) + } + return + } + if got.String() != tt.want { + t.Errorf("got %v, want %v", got.String(), tt.want) + } + }) + } +} + +// testPathCases drives the per-method tests over shared filesystem fixtures. +var testPathCases = []struct { + name string + joinParts []string // parts joined onto testdataRoot/fileset + wantPath string // forward-slash path string expected + wantIsDir bool + wantExist bool + wantExistOK bool // whether ExistCheck should return err==nil + wantIsDirOK bool // whether IsDirCheck should return err==nil +}{ + { + name: "fileset-dir", + joinParts: nil, + wantPath: testdataRoot + "/fileset", + wantIsDir: true, + wantExist: true, + wantExistOK: true, + wantIsDirOK: true, + }, + { + name: "subdir", + joinParts: []string{"folder"}, + wantPath: testdataRoot + "/fileset/folder", + wantIsDir: true, + wantExist: true, + wantExistOK: true, + wantIsDirOK: true, + }, + { + name: "regular-file", + joinParts: []string{"file"}, + wantPath: testdataRoot + "/fileset/file", + wantIsDir: false, + wantExist: true, + wantExistOK: true, + wantIsDirOK: true, + }, + { + name: "nonexistent", + joinParts: []string{"file", "notexistent"}, + wantPath: testdataRoot + "/fileset/file/notexistent", + wantIsDir: false, + wantExist: false, + wantExistOK: true, + wantIsDirOK: false, + }, +} + +func TestPath_Join(t *testing.T) { + for _, tt := range testPathCases { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.joinParts) + pathEqualsTo(t, tt.wantPath, p) + }) + } +} + +func TestPath_IsDirCheck(t *testing.T) { + for _, tt := range testPathCases { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.joinParts) + isDir, err := p.IsDirCheck() + if isDir != tt.wantIsDir { + t.Errorf("IsDirCheck() isDir = %v, want %v", isDir, tt.wantIsDir) + } + if (err == nil) != tt.wantIsDirOK { + t.Errorf("IsDirCheck() err = %v, wantOK = %v", err, tt.wantIsDirOK) + } + }) + } +} + +func TestPath_IsDir(t *testing.T) { + for _, tt := range testPathCases { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.joinParts) + if got := p.IsDir(); got != tt.wantIsDir { + t.Errorf("IsDir() = %v, want %v", got, tt.wantIsDir) + } + }) + } +} + +func TestPath_IsNotDir(t *testing.T) { + for _, tt := range testPathCases { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.joinParts) + // IsNotDir returns true only when the path exists and is not a directory + want := tt.wantExist && !tt.wantIsDir + if got := p.IsNotDir(); got != want { + t.Errorf("IsNotDir() = %v, want %v", got, want) + } + }) + } +} + +func TestPath_ExistCheck(t *testing.T) { + for _, tt := range testPathCases { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.joinParts) + exist, err := p.ExistCheck() + if exist != tt.wantExist { + t.Errorf("ExistCheck() exist = %v, want %v", exist, tt.wantExist) + } + if (err == nil) != tt.wantExistOK { + t.Errorf("ExistCheck() err = %v, wantOK = %v", err, tt.wantExistOK) + } + }) + } +} + +func TestPath_Exist(t *testing.T) { + for _, tt := range testPathCases { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.joinParts) + if got := p.Exist(); got != tt.wantExist { + t.Errorf("Exist() = %v, want %v", got, tt.wantExist) + } + }) + } +} + +func TestPath_NotExist(t *testing.T) { + for _, tt := range testPathCases { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.joinParts) + want := !tt.wantExist + if got := p.NotExist(); got != want { + t.Errorf("NotExist() = %v, want %v", got, want) + } + }) + } +} + +func TestPath_ReadDir(t *testing.T) { + tests := []struct { + name string + parts []string + want []string + }{ + { + name: "subfolder", + parts: []string{"folder"}, + want: []string{ + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/file2", + testdataRoot + "/fileset/folder/file3", + testdataRoot + "/fileset/folder/subfolder", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.parts) + list, err := p.ReadDir() + if err != nil { + t.Fatal(err) + } + if len(list) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(list), len(tt.want)) + } + for i, want := range tt.want { + pathEqualsTo(t, want, list[i]) + } + }) + } +} + +func TestPathList_FilterDirsOnReadDir(t *testing.T) { + tests := []struct { + name string + parts []string + want []string + }{ + { + name: "folder", + parts: []string{"folder"}, + want: []string{ + testdataRoot + "/fileset/folder/subfolder", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list, err := makeTestPath(tt.parts).ReadDir() + if err != nil { + t.Fatal(err) + } + list.FilterDirs() + if len(list) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(list), len(tt.want)) + } + for i, w := range tt.want { + pathEqualsTo(t, w, list[i]) + } + }) + } +} + +func TestPathList_FilterOutHiddenFilesOnReadDir(t *testing.T) { + tests := []struct { + name string + parts []string + want []string + }{ + { + name: "folder", + parts: []string{"folder"}, + want: []string{ + testdataRoot + "/fileset/folder/file2", + testdataRoot + "/fileset/folder/file3", + testdataRoot + "/fileset/folder/subfolder", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list, err := makeTestPath(tt.parts).ReadDir() + if err != nil { + t.Fatal(err) + } + list.FilterOutHiddenFiles() + if len(list) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(list), len(tt.want)) + } + for i, w := range tt.want { + pathEqualsTo(t, w, list[i]) + } + }) + } +} + +func TestPathList_FilterOutPrefixOnReadDir(t *testing.T) { + tests := []struct { + name string + parts []string + prefixes []string + want []string + }{ + { + name: "folder-prefix-file", + parts: []string{"folder"}, + prefixes: []string{"file"}, + want: []string{ + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/subfolder", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list, err := makeTestPath(tt.parts).ReadDir() + if err != nil { + t.Fatal(err) + } + list.FilterOutPrefix(tt.prefixes...) + if len(list) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(list), len(tt.want)) + } + for i, w := range tt.want { + pathEqualsTo(t, w, list[i]) + } + }) + } +} + +func TestPath_FollowSymLink(t *testing.T) { + tests := []struct { + name string + parts []string + entry string + wantIsDir bool + }{ + { + name: "symlink-to-folder", + parts: nil, + entry: "symlinktofolder", + wantIsDir: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + dir := makeTestPath(tt.parts) + files, err := dir.ReadDir() + if err != nil { + t.Fatal(err) + } + var match *Path + for _, file := range files { + if file.Base() == tt.entry { + match = file + break + } + } + if match == nil { + t.Fatalf("%s not found under %s", tt.entry, dir) + } + if err := match.FollowSymLink(); err != nil { + t.Fatal(err) + } + isDir, err := match.IsDirCheck() + if err != nil { + t.Fatal(err) + } + if isDir != tt.wantIsDir { + t.Errorf("IsDirCheck() = %v, want %v", isDir, tt.wantIsDir) + } + }) + } +} + +func TestPath_IsInsideDir(t *testing.T) { + tests := []struct { + name string + a *Path + b *Path + want bool + }{ + { + name: "abs-self", + a: New("/a/b/c"), + b: New("/a/b/c"), + want: false, + }, + { + name: "abs-parent-inside-child", + a: New("/a/b/c"), + b: New("/a/b/c/d"), + want: false, + }, + { + name: "abs-child-inside-parent", + a: New("/a/b/c/d"), + b: New("/a/b/c"), + want: true, + }, + { + name: "abs-deep-parent-inside-child", + a: New("/a/b/c"), + b: New("/a/b/c/d/e"), + want: false, + }, + { + name: "abs-deep-child-inside-parent", + a: New("/a/b/c/d/e"), + b: New("/a/b/c"), + want: true, + }, + + { + name: "rel-self", + a: New("a/b/c"), + b: New("a/b/c"), + want: false, + }, + { + name: "rel-parent-inside-child", + a: New("a/b/c"), + b: New("a/b/c/d"), + want: false, + }, + { + name: "rel-child-inside-parent", + a: New("a/b/c/d"), + b: New("a/b/c"), + want: true, + }, + { + name: "rel-deep-parent-inside-child", + a: New("a/b/c"), + b: New("a/b/c/d/e"), + want: false, + }, + { + name: "rel-deep-child-inside-parent", + a: New("a/b/c/d/e"), + b: New("a/b/c"), + want: true, + }, + { + name: "rel-normalized-inside", + a: New("f/../a/b/c/d/e"), + b: New("a/b/c"), + want: true, + }, + { + name: "rel-parent-not-inside-normalized", + a: New("a/b/c"), + b: New("f/../a/b/c/d/e"), + want: false, + }, + { + name: "rel-trailing-dotdot-inside", + a: New("a/b/c/d/e/f/.."), + b: New("a/b/c"), + want: true, + }, + { + name: "rel-parent-not-inside-trailing-dotdot", + a: New("a/b/c"), + b: New("a/b/c/d/e/f/.."), + want: false, + }, + + { + name: "unrelated-1", + a: New("/home/megabug/a15/packages"), + b: New("/home/megabug/aide/arduino-1.8.6/hardware/arduino/avr"), + want: false, + }, + { + name: "unrelated-2", + a: New("/home/megabug/aide/arduino-1.8.6/hardware/arduino/avr"), + b: New("/home/megabug/a15/packages"), + want: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + isInside, err := tt.a.IsInsideDir(tt.b) + if err != nil { + t.Fatal(err) + } + if isInside != tt.want { + t.Errorf("%s IsInsideDir(%s) = %v, want %v", tt.a, tt.b, isInside, tt.want) + } + }) + } +} + +func TestPath_ReadFileAsLines(t *testing.T) { + tests := []struct { + name string + path []string + want []string + }{ + { + name: "anotherFile", + path: []string{"fileset", "anotherFile"}, + want: []string{"line 1", "line 2", "", "line 3"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := New(testdataRoot) + for _, part := range tt.path { + p = p.Join(part) + } + lines, err := p.ReadFileAsLines() + if err != nil { + t.Fatal(err) + } + if len(lines) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(lines), len(tt.want)) + } + for i, want := range tt.want { + if lines[i] != want { + t.Errorf("line[%d]: got %v, want %v", i, lines[i], want) + } + } + }) + } +} + +func TestPath_CanonicalTempDir(t *testing.T) { + tests := []struct { + name string + }{ + { + name: "tempdir-canonical", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if TempDir().String() != TempDir().Canonical().String() { + t.Errorf("got %v, want %v", TempDir().Canonical().String(), TempDir().String()) + } + }) + } +} + +func TestCopyDir(t *testing.T) { + tests := []struct { + name string + }{ + { + name: "copy-fileset", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tmp, err := MkTempDir("", "") + if err != nil { + t.Fatal(err) + } + defer tmp.RemoveAll() + + src := New(testdataRoot, "fileset") + if err := src.CopyDirTo(tmp.Join("dest")); err != nil { + t.Fatalf("copying dir: %v", err) + } + + exist, err := tmp.Join("dest", "folder", "subfolder", "file4").ExistCheck() + if !exist { + t.Error("expected true") + } + if err != nil { + t.Fatal(err) + } + + isdir, err := tmp.Join("dest", "folder", "subfolder", "file4").IsDirCheck() + if isdir { + t.Error("expected false") + } + if err != nil { + t.Fatal(err) + } + + if err := src.CopyDirTo(tmp.Join("dest")); err == nil { + t.Fatal("copying dir to already existing") + } + + if err := src.Join("file").CopyDirTo(tmp.Join("dest2")); err == nil { + t.Fatal("copying file as dir") + } + }) + } +} + +func TestPath_Parents(t *testing.T) { + tests := []struct { + name string + in string + want []string + }{ + { + name: "absolute", + in: "/a/very/long/path", + want: []string{"/a/very/long/path", "/a/very/long", "/a/very", "/a", "/"}, + }, + { + name: "relative", + in: "a/very/relative/path", + want: []string{"a/very/relative/path", "a/very/relative", "a/very", "a", "."}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + parents := New(tt.in).Parents() + if len(parents) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(parents), len(tt.want)) + } + for i, want := range tt.want { + pathEqualsTo(t, want, parents[i]) + } + }) + } +} + +func TestPathList_FilterDirs(t *testing.T) { + tests := []struct { + name string + parts []string + wantBefore []string + wantAfter []string + }{ + { + name: "fileset", + parts: nil, + wantBefore: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/symlinktofolder", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + wantAfter: []string{ + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/symlinktofolder", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := makeTestPath(tt.parts) + list, err := p.ReadDir() + if err != nil { + t.Fatal(err) + } + if len(list) != len(tt.wantBefore) { + t.Fatalf("got len %d, want %d", len(list), len(tt.wantBefore)) + } + for i, want := range tt.wantBefore { + pathEqualsTo(t, want, list[i]) + } + list.FilterDirs() + if len(list) != len(tt.wantAfter) { + t.Fatalf("got len %d, want %d", len(list), len(tt.wantAfter)) + } + for i, want := range tt.wantAfter { + pathEqualsTo(t, want, list[i]) + } + }) + } +} + +func TestPathList_FilterOutDirs(t *testing.T) { + tests := []struct { + name string + readFn func() (PathList, error) + wantBefore []string + wantAfter []string + }{ + { + name: "fileset", + readFn: func() (PathList, error) { + return New(testdataRoot, "fileset").ReadDir() + }, + wantBefore: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/symlinktofolder", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + wantAfter: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + }, + { + name: "broken_symlink-dir_1", + readFn: func() (PathList, error) { + return New(testdataRoot, "broken_symlink", "dir_1").ReadDirRecursive() + }, + wantBefore: []string{ + testdataRoot + "/broken_symlink/dir_1/broken_link", + testdataRoot + "/broken_symlink/dir_1/file2", + testdataRoot + "/broken_symlink/dir_1/linked_dir", + testdataRoot + "/broken_symlink/dir_1/linked_dir/file1", + testdataRoot + "/broken_symlink/dir_1/linked_file", + testdataRoot + "/broken_symlink/dir_1/real_dir", + testdataRoot + "/broken_symlink/dir_1/real_dir/file1", + }, + wantAfter: []string{ + testdataRoot + "/broken_symlink/dir_1/broken_link", + testdataRoot + "/broken_symlink/dir_1/file2", + testdataRoot + "/broken_symlink/dir_1/linked_dir/file1", + testdataRoot + "/broken_symlink/dir_1/linked_file", + testdataRoot + "/broken_symlink/dir_1/real_dir/file1", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + list, err := tt.readFn() + if err != nil { + t.Fatal(err) + } + if len(list) != len(tt.wantBefore) { + t.Fatalf("got len %d, want %d", len(list), len(tt.wantBefore)) + } + for i, want := range tt.wantBefore { + pathEqualsTo(t, want, list[i]) + } + list.FilterOutDirs() + if len(list) != len(tt.wantAfter) { + t.Fatalf("got len %d, want %d", len(list), len(tt.wantAfter)) + } + for i, want := range tt.wantAfter { + pathEqualsTo(t, want, list[i]) + } + }) + } +} + +func TestPath_EquivalentTo(t *testing.T) { + wd, err := Getwd() + if err != nil { + t.Fatal(err) + } + tests := []struct { + name string + a *Path + b *Path + want bool + }{ + { + name: "redundant-parent", + a: New("file1"), + b: New("file1", "somethingelse", ".."), + want: true, + }, + { + name: "redundant-nested", + a: New("file1", "abc"), + b: New("file1", "abc", "def", ".."), + want: true, + }, + { + name: "abs-vs-relative", + a: wd.Join("file1"), + b: New("file1"), + want: true, + }, + { + name: "abs-vs-normalized-relative", + a: wd.Join("file1"), + b: New("file1", "abc", ".."), + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := tt.a.EquivalentTo(tt.b); got != tt.want { + t.Errorf("EquivalentTo: got %v, want %v", got, tt.want) + } + }) + } +} + +func TestCanonicalize(t *testing.T) { + wd, err := Getwd() + if err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + in *Path + want string + }{ + { + name: "existing-file", + in: New(testdataRoot, "fileset", "anotherFile"), + want: wd.Join(testdataRoot, "fileset", "anotherFile").String(), + }, + { + name: "nonexistent-file", + in: New(testdataRoot, "fileset", "nonexistentFile"), + want: wd.Join(testdataRoot, "fileset", "nonexistentFile").String(), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := tt.in.Canonical() + if got.String() != tt.want { + t.Errorf("got %v, want %v", got.String(), tt.want) + } + }) + } +} + +func TestPath_RelTo(t *testing.T) { + tests := []struct { + name string + a *Path + b *Path + want string + wantErr bool + }{ + { + name: "descendant-to-ancestor", + a: New("/my/abs/path/123/456"), + b: New("/my/abs/path"), + want: "../..", + }, + { + name: "ancestor-to-descendant", + a: New("/my/abs/path"), + b: New("/my/abs/path/123/456"), + want: "123/456", + }, + { + name: "relative-mismatch", + a: New("my/path"), + b: New("/other/path"), + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + res, err := tt.a.RelTo(tt.b) + if (err != nil) != tt.wantErr { + t.Fatalf("RelTo() err = %v, wantErr %v", err, tt.wantErr) + } + if tt.wantErr { + if res != nil { + t.Errorf("expected nil, got %v", res) + } + return + } + pathEqualsTo(t, tt.want, res) + }) + } +} + +func TestPath_RelFrom(t *testing.T) { + tests := []struct { + name string + a *Path + b *Path + want string + wantErr bool + }{ + { + name: "descendant-from-ancestor", + a: New("/my/abs/path/123/456"), + b: New("/my/abs/path"), + want: "123/456", + }, + { + name: "ancestor-from-descendant", + a: New("/my/abs/path"), + b: New("/my/abs/path/123/456"), + want: "../..", + }, + { + name: "relative-mismatch", + a: New("my/path"), + b: New("/other/path"), + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + res, err := tt.a.RelFrom(tt.b) + if (err != nil) != tt.wantErr { + t.Fatalf("RelFrom() err = %v, wantErr %v", err, tt.wantErr) + } + if tt.wantErr { + if res != nil { + t.Errorf("expected nil, got %v", res) + } + return + } + pathEqualsTo(t, tt.want, res) + }) + } +} + +func TestWriteToTempFile(t *testing.T) { + tests := []struct { + name string + prefix string + data []byte + }{ + { + name: "prefix-test", + prefix: "prefix", + data: []byte("test"), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tmpDir := New(testdataRoot, "fileset", "tmp") + if err := tmpDir.MkdirAll(); err != nil { + t.Fatal(err) + } + defer tmpDir.RemoveAll() + + tmp, err := WriteToTempFile(tt.data, tmpDir, tt.prefix) + if err != nil { + t.Fatal(err) + } + defer tmp.Remove() + + if !strings.HasPrefix(tmp.Base(), tt.prefix) { + t.Errorf("base %q does not have prefix %q", tmp.Base(), tt.prefix) + } + isInside, err := tmp.IsInsideDir(tmpDir) + if err != nil { + t.Fatal(err) + } + if !isInside { + t.Error("expected true") + } + data, err := tmp.ReadFile() + if err != nil { + t.Fatal(err) + } + if !bytes.Equal(data, tt.data) { + t.Errorf("got %v, want %v", data, tt.data) + } + }) + } +} + +func TestCopyToSamePath(t *testing.T) { + tests := []struct { + name string + content []byte + }{ + { + name: "same-file", + content: []byte("hello"), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tmpDir := New(t.TempDir()) + srcFile := tmpDir.Join("test_file") + dstFile := srcFile + + if err := srcFile.WriteFile(tt.content); err != nil { + t.Fatal(err) + } + content, err := srcFile.ReadFile() + if err != nil { + t.Fatal(err) + } + if !bytes.Equal(content, tt.content) { + t.Errorf("got %v, want %v", content, tt.content) + } + + err = srcFile.CopyTo(dstFile) + if err == nil { + t.Fatal("expected error") + } + if !strings.Contains(err.Error(), "are the same file") { + t.Errorf("%q does not contain %q", err.Error(), "are the same file") + } + }) + } +} diff --git a/pkg/paths/process_test.go b/pkg/paths/process_test.go new file mode 100644 index 0000000000..813e5d9b95 --- /dev/null +++ b/pkg/paths/process_test.go @@ -0,0 +1,64 @@ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package paths + +import ( + "context" + "runtime" + "testing" + "time" +) + +func TestProcess_RunWithinContext(t *testing.T) { + // Build `delay` helper inside testdata/delay + builder, err := NewProcess(nil, "go", "build") + if err != nil { + t.Fatal(err) + } + builder.SetDir(testdataRoot + "/delay") + if err := builder.Run(); err != nil { + t.Fatal(err) + } + + // Run delay and test if the process is terminated correctly due to context + process, err := NewProcess(nil, testdataRoot+"/delay/delay") + if err != nil { + t.Fatal(err) + } + start := time.Now() + ctx, cancel := context.WithTimeout(context.Background(), 250*time.Millisecond) + err = process.RunWithinContext(ctx) + if err == nil { + t.Fatal("expected error") + } + if elapsed := time.Since(start); !(elapsed < 500*time.Millisecond) { + t.Errorf("%v not less than %v", elapsed, 500*time.Millisecond) + } + cancel() +} + +func TestProcess_KillProcessGroupOnLinux(t *testing.T) { + if runtime.GOOS != "linux" { + t.Skip("skipping test on non-linux system") + } + + p, err := NewProcess(nil, "bash", "-c", "sleep 5 ; echo -n 5") + if err != nil { + t.Fatal(err) + } + start := time.Now() + ctx, cancel := context.WithTimeout(context.Background(), time.Second) + defer cancel() + + _, _, err = p.RunAndCaptureOutput(ctx) + if err == nil || err.Error() != "signal: killed" { + t.Fatalf("got %v, want signal: killed", err) + } + // Assert that the process was killed within the timeout + if elapsed := time.Since(start); !(elapsed < 2*time.Second) { + t.Errorf("%v not less than %v", elapsed, 2*time.Second) + } +} diff --git a/pkg/paths/readdir_test.go b/pkg/paths/readdir_test.go new file mode 100644 index 0000000000..16276cbbc0 --- /dev/null +++ b/pkg/paths/readdir_test.go @@ -0,0 +1,460 @@ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package paths + +import ( + "fmt" + "io/fs" + "os" + "runtime" + "testing" + "time" +) + +// filesetAll is the expected full list of entries in `fileset` when read recursively and sorted. +var filesetAll = []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/file2", + testdataRoot + "/fileset/folder/file3", + testdataRoot + "/fileset/folder/subfolder", + testdataRoot + "/fileset/folder/subfolder/file4", + testdataRoot + "/fileset/symlinktofolder", + testdataRoot + "/fileset/symlinktofolder/.hidden", + testdataRoot + "/fileset/symlinktofolder/file2", + testdataRoot + "/fileset/symlinktofolder/file3", + testdataRoot + "/fileset/symlinktofolder/subfolder", + testdataRoot + "/fileset/symlinktofolder/subfolder/file4", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", +} + +func TestPath_ReadDirRecursive(t *testing.T) { + tests := []struct { + name string + parts []string + want []string + }{ + {name: "fileset", parts: []string{"fileset"}, want: filesetAll}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := New(testdataRoot) + for _, part := range tt.parts { + p = p.Join(part) + } + list, err := p.ReadDirRecursive() + if err != nil { + t.Fatal(err) + } + if len(list) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(list), len(tt.want)) + } + for i, want := range tt.want { + pathEqualsTo(t, want, list[i]) + } + }) + } +} + +func TestReadDirRecursiveSymLinkLoop(t *testing.T) { + tests := []struct { + name string + fn func(tmp *Path) (PathList, error) + }{ + { + name: "ReadDirRecursive", + fn: func(tmp *Path) (PathList, error) { return tmp.ReadDirRecursive() }, + }, + { + name: "ReadDirRecursiveFiltered", + fn: func(tmp *Path) (PathList, error) { return tmp.ReadDirRecursiveFiltered(nil) }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tmp, err := MkTempDir("", "") + if err != nil { + t.Fatal(err) + } + defer tmp.RemoveAll() + + folder := tmp.Join("folder") + if err := os.Symlink(tmp.String(), folder.String()); err != nil { + t.Fatal(err) + } + + l, err := tt.fn(tmp) + if err == nil { + t.Fatal("expected error") + } + fmt.Println(err) + if l != nil { + t.Errorf("expected nil, got %v", l) + } + }) + } +} + +func TestPath_ReadDirFiltered(t *testing.T) { + tests := []struct { + name string + filters []ReadDirFilter + want []string + }{ + { + name: "no-filter", + filters: nil, + want: []string{ + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/file2", + testdataRoot + "/fileset/folder/file3", + testdataRoot + "/fileset/folder/subfolder", + }, + }, + { + name: "only-directories", + filters: []ReadDirFilter{FilterDirectories()}, + want: []string{ + testdataRoot + "/fileset/folder/subfolder", + }, + }, + { + name: "filter-out-file-prefix", + filters: []ReadDirFilter{FilterOutPrefixes("file")}, + want: []string{ + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/subfolder", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + folderPath := New(testdataRoot + "/fileset/folder") + list, err := folderPath.ReadDir(tt.filters...) + if err != nil { + t.Fatal(err) + } + if len(list) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(list), len(tt.want)) + } + for i, want := range tt.want { + pathEqualsTo(t, want, list[i]) + } + }) + } +} + +func TestPath_ReadDirRecursiveFiltered(t *testing.T) { + tests := []struct { + name string + recurseFiltr ReadDirFilter + filters []ReadDirFilter + want []string + }{ + { + name: "no-filters", + recurseFiltr: nil, + filters: nil, + want: filesetAll, + }, + { + name: "recurse-only-filter-out-dirs", + recurseFiltr: FilterOutDirectories(), + filters: nil, + want: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/folder", // <- listed but not traversed + testdataRoot + "/fileset/symlinktofolder", // <- listed but not traversed + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + }, + { + name: "recurse-nil-filter-out-dirs", + recurseFiltr: nil, + filters: []ReadDirFilter{FilterOutDirectories()}, + want: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/file2", + testdataRoot + "/fileset/folder/file3", + testdataRoot + "/fileset/folder/subfolder/file4", + testdataRoot + "/fileset/symlinktofolder/.hidden", + testdataRoot + "/fileset/symlinktofolder/file2", + testdataRoot + "/fileset/symlinktofolder/file3", + testdataRoot + "/fileset/symlinktofolder/subfolder/file4", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + }, + { + name: "both-filter-out-dirs", + recurseFiltr: FilterOutDirectories(), + filters: []ReadDirFilter{FilterOutDirectories()}, + want: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + }, + { + name: "recurse-filter-sub-filter-suffix-3", + recurseFiltr: FilterOutPrefixes("sub"), + filters: []ReadDirFilter{FilterOutSuffixes("3")}, + want: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/file2", + testdataRoot + "/fileset/folder/subfolder", // <- subfolder skipped by Prefix("sub") + testdataRoot + "/fileset/symlinktofolder", + testdataRoot + "/fileset/symlinktofolder/.hidden", + testdataRoot + "/fileset/symlinktofolder/file2", + testdataRoot + "/fileset/symlinktofolder/subfolder", // <- subfolder skipped by Prefix("sub") + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + }, + { + name: "recurse-sub-and-filter-suffix3-prefix-fil", + recurseFiltr: FilterOutPrefixes("sub"), + filters: []ReadDirFilter{ + AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil")), + }, + want: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/subfolder", + testdataRoot + "/fileset/symlinktofolder", + testdataRoot + "/fileset/symlinktofolder/.hidden", + testdataRoot + "/fileset/symlinktofolder/subfolder", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + }, + { + name: "recurse-sub-and-filter-suffix3-prefix-fil-suffix-gz", + recurseFiltr: FilterOutPrefixes("sub"), + filters: []ReadDirFilter{ + AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"), FilterOutSuffixes(".gz")), + }, + want: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/folder/.hidden", + testdataRoot + "/fileset/folder/subfolder", + testdataRoot + "/fileset/symlinktofolder", + testdataRoot + "/fileset/symlinktofolder/.hidden", + testdataRoot + "/fileset/symlinktofolder/subfolder", + testdataRoot + "/fileset/test.txt", + }, + }, + { + name: "or-filter-prefix-sub-or-suffix-tofolder", + recurseFiltr: OrFilter(FilterPrefixes("sub"), FilterSuffixes("tofolder")), + filters: nil, + want: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/symlinktofolder", + testdataRoot + "/fileset/symlinktofolder/.hidden", + testdataRoot + "/fileset/symlinktofolder/file2", + testdataRoot + "/fileset/symlinktofolder/file3", + testdataRoot + "/fileset/symlinktofolder/subfolder", + testdataRoot + "/fileset/symlinktofolder/subfolder/file4", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + }, + { + name: "filter-names-folder", + recurseFiltr: nil, + filters: []ReadDirFilter{FilterNames("folder")}, + want: []string{ + testdataRoot + "/fileset/folder", + }, + }, + { + name: "recurse-symlinktofolder-filter-out-hidden", + recurseFiltr: FilterNames("symlinktofolder"), + filters: []ReadDirFilter{FilterOutNames(".hidden")}, + want: []string{ + testdataRoot + "/fileset/anotherFile", + testdataRoot + "/fileset/file", + testdataRoot + "/fileset/folder", + testdataRoot + "/fileset/symlinktofolder", + testdataRoot + "/fileset/symlinktofolder/file2", + testdataRoot + "/fileset/symlinktofolder/file3", + testdataRoot + "/fileset/symlinktofolder/subfolder", + testdataRoot + "/fileset/test.txt", + testdataRoot + "/fileset/test.txt.gz", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + testdata := New(testdataRoot, "fileset") + l, err := testdata.ReadDirRecursiveFiltered(tt.recurseFiltr, tt.filters...) + if err != nil { + t.Fatal(err) + } + l.Sort() + if len(l) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(l), len(tt.want)) + } + for i, want := range tt.want { + pathEqualsTo(t, want, l[i]) + } + }) + } +} + +func TestPath_ReadDirRecursiveLoopDetection(t *testing.T) { + loopsPath := New(testdataRoot, "loops") + unbuondedReaddir := func(testdir string) (PathList, error) { + var files PathList + var err error + done := make(chan bool) + go func() { + files, err = loopsPath.Join(testdir).ReadDirRecursive() + done <- true + }() + deadline := time.After(5 * time.Second) + tick := time.NewTicker(10 * time.Millisecond) + defer tick.Stop() + finished := false + for !finished { + select { + case <-done: + finished = true + case <-deadline: + t.Fatalf("Infinite symlink loop while loading sketch") + case <-tick.C: + } + } + return files, err + } + + loopTests := []struct { + name string + dir string + }{ + {name: "loop_1", dir: "loop_1"}, + {name: "loop_2", dir: "loop_2"}, + {name: "loop_3", dir: "loop_3"}, + {name: "loop_4", dir: "loop_4"}, + } + for _, tt := range loopTests { + t.Run(tt.name, func(t *testing.T) { + l, err := unbuondedReaddir(tt.dir) + if err == nil || err.Error() != "directories symlink loop detected" { + t.Fatalf("loop not detected in %s: got %v, want directories symlink loop detected", tt.dir, err) + } + if l != nil { + t.Errorf("expected nil, got %v", l) + } + }) + } + + regularTests := []struct { + name string + dir string + want []string + }{ + { + name: "regular_1", + dir: "regular_1", + want: []string{ + testdataRoot + "/loops/regular_1/dir1", + testdataRoot + "/loops/regular_1/dir1/file1", + testdataRoot + "/loops/regular_1/dir2", + testdataRoot + "/loops/regular_1/dir2/file1", + }, + }, + { + name: "regular_2", + dir: "regular_2", + want: []string{ + testdataRoot + "/loops/regular_2/dir1", + testdataRoot + "/loops/regular_2/dir1/file1", + testdataRoot + "/loops/regular_2/dir2", + testdataRoot + "/loops/regular_2/dir2/dir1", + testdataRoot + "/loops/regular_2/dir2/dir1/file1", + testdataRoot + "/loops/regular_2/dir2/file2", + }, + }, + { + name: "regular_3", + dir: "regular_3", + want: []string{ + testdataRoot + "/loops/regular_3/dir1", + testdataRoot + "/loops/regular_3/dir1/file1", + testdataRoot + "/loops/regular_3/dir2", + testdataRoot + "/loops/regular_3/dir2/dir1", + testdataRoot + "/loops/regular_3/dir2/dir1/file1", + testdataRoot + "/loops/regular_3/dir2/file2", + testdataRoot + "/loops/regular_3/link", // broken symlink reported in files + }, + }, + } + for _, tt := range regularTests { + t.Run(tt.name, func(t *testing.T) { + l, err := unbuondedReaddir(tt.dir) + if err != nil { + t.Fatal(err) + } + if len(l) != len(tt.want) { + t.Fatalf("got len %d, want %d", len(l), len(tt.want)) + } + l.Sort() + for i, want := range tt.want { + pathEqualsTo(t, want, l[i]) + } + }) + } + + if runtime.GOOS != "windows" { + t.Run("regular_4_with_permission_error", func(t *testing.T) { + dir1 := loopsPath.Join("regular_4_with_permission_error", "dir1") + + l, err := unbuondedReaddir("regular_4_with_permission_error") + if err != nil { + t.Fatal(err) + } + if len(l) == 0 { + t.Error("expected non-empty list") + } + + dir1Stat, err := dir1.Stat() + if err != nil { + t.Fatal(err) + } + if err := dir1.Chmod(fs.FileMode(0)); err != nil { + t.Fatal(err) + } + t.Cleanup(func() { + dir1.Chmod(dir1Stat.Mode()) + }) + + l, err = unbuondedReaddir("regular_4_with_permission_error") + if err == nil { + t.Fatal("expected error") + } + if l != nil { + t.Errorf("expected nil, got %v", l) + } + }) + } +} diff --git a/tests/testdata/paths/broken_symlink/dir_1/broken_link b/tests/testdata/paths/broken_symlink/dir_1/broken_link new file mode 120000 index 0000000000..86a410dd1d --- /dev/null +++ b/tests/testdata/paths/broken_symlink/dir_1/broken_link @@ -0,0 +1 @@ +broken \ No newline at end of file diff --git a/tests/testdata/paths/broken_symlink/dir_1/file2 b/tests/testdata/paths/broken_symlink/dir_1/file2 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/broken_symlink/dir_1/linked_dir b/tests/testdata/paths/broken_symlink/dir_1/linked_dir new file mode 120000 index 0000000000..4b019049fd --- /dev/null +++ b/tests/testdata/paths/broken_symlink/dir_1/linked_dir @@ -0,0 +1 @@ +real_dir \ No newline at end of file diff --git a/tests/testdata/paths/broken_symlink/dir_1/linked_file b/tests/testdata/paths/broken_symlink/dir_1/linked_file new file mode 120000 index 0000000000..30d67d4672 --- /dev/null +++ b/tests/testdata/paths/broken_symlink/dir_1/linked_file @@ -0,0 +1 @@ +file2 \ No newline at end of file diff --git a/tests/testdata/paths/broken_symlink/dir_1/real_dir/file1 b/tests/testdata/paths/broken_symlink/dir_1/real_dir/file1 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/delay/.gitignore b/tests/testdata/paths/delay/.gitignore new file mode 100644 index 0000000000..fd5812a40b --- /dev/null +++ b/tests/testdata/paths/delay/.gitignore @@ -0,0 +1 @@ +delay* diff --git a/tests/testdata/paths/delay/main.go b/tests/testdata/paths/delay/main.go new file mode 100644 index 0000000000..d484f1c2c9 --- /dev/null +++ b/tests/testdata/paths/delay/main.go @@ -0,0 +1,16 @@ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package main + +import ( + "fmt" + "time" +) + +func main() { + time.Sleep(3 * time.Second) + fmt.Println("Elapsed!") +} diff --git a/tests/testdata/paths/fileset/anotherFile b/tests/testdata/paths/fileset/anotherFile new file mode 100644 index 0000000000..27649646ed --- /dev/null +++ b/tests/testdata/paths/fileset/anotherFile @@ -0,0 +1,4 @@ +line 1 +line 2 + +line 3 \ No newline at end of file diff --git a/tests/testdata/paths/fileset/file b/tests/testdata/paths/fileset/file new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/fileset/folder/.hidden b/tests/testdata/paths/fileset/folder/.hidden new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/fileset/folder/file2 b/tests/testdata/paths/fileset/folder/file2 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/fileset/folder/file3 b/tests/testdata/paths/fileset/folder/file3 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/fileset/folder/subfolder/file4 b/tests/testdata/paths/fileset/folder/subfolder/file4 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/fileset/symlinktofolder b/tests/testdata/paths/fileset/symlinktofolder new file mode 120000 index 0000000000..01196353b6 --- /dev/null +++ b/tests/testdata/paths/fileset/symlinktofolder @@ -0,0 +1 @@ +folder \ No newline at end of file diff --git a/tests/testdata/paths/loops/loop_1/dir1/loop b/tests/testdata/paths/loops/loop_1/dir1/loop new file mode 120000 index 0000000000..c9f3ab1eac --- /dev/null +++ b/tests/testdata/paths/loops/loop_1/dir1/loop @@ -0,0 +1 @@ +../dir1 \ No newline at end of file diff --git a/tests/testdata/paths/loops/loop_2/dir1/loop2 b/tests/testdata/paths/loops/loop_2/dir1/loop2 new file mode 120000 index 0000000000..d014eb492e --- /dev/null +++ b/tests/testdata/paths/loops/loop_2/dir1/loop2 @@ -0,0 +1 @@ +../dir2 \ No newline at end of file diff --git a/tests/testdata/paths/loops/loop_2/dir2/loop1 b/tests/testdata/paths/loops/loop_2/dir2/loop1 new file mode 120000 index 0000000000..c9f3ab1eac --- /dev/null +++ b/tests/testdata/paths/loops/loop_2/dir2/loop1 @@ -0,0 +1 @@ +../dir1 \ No newline at end of file diff --git a/tests/testdata/paths/loops/loop_3/dir1/loop2 b/tests/testdata/paths/loops/loop_3/dir1/loop2 new file mode 120000 index 0000000000..d014eb492e --- /dev/null +++ b/tests/testdata/paths/loops/loop_3/dir1/loop2 @@ -0,0 +1 @@ +../dir2 \ No newline at end of file diff --git a/tests/testdata/paths/loops/loop_3/dir2/dir3/loop2 b/tests/testdata/paths/loops/loop_3/dir2/dir3/loop2 new file mode 120000 index 0000000000..85babfdb0e --- /dev/null +++ b/tests/testdata/paths/loops/loop_3/dir2/dir3/loop2 @@ -0,0 +1 @@ +../../dir1/ \ No newline at end of file diff --git a/tests/testdata/paths/loops/loop_4/dir1/dir2/loop2 b/tests/testdata/paths/loops/loop_4/dir1/dir2/loop2 new file mode 120000 index 0000000000..3fd50ca463 --- /dev/null +++ b/tests/testdata/paths/loops/loop_4/dir1/dir2/loop2 @@ -0,0 +1 @@ +../dir3 \ No newline at end of file diff --git a/tests/testdata/paths/loops/loop_4/dir1/dir3/dir4/loop1 b/tests/testdata/paths/loops/loop_4/dir1/dir3/dir4/loop1 new file mode 120000 index 0000000000..4f388a6696 --- /dev/null +++ b/tests/testdata/paths/loops/loop_4/dir1/dir3/dir4/loop1 @@ -0,0 +1 @@ +../../../dir1 \ No newline at end of file diff --git a/tests/testdata/paths/loops/regular_1/dir1/file1 b/tests/testdata/paths/loops/regular_1/dir1/file1 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/loops/regular_1/dir2 b/tests/testdata/paths/loops/regular_1/dir2 new file mode 120000 index 0000000000..df490f837a --- /dev/null +++ b/tests/testdata/paths/loops/regular_1/dir2 @@ -0,0 +1 @@ +dir1 \ No newline at end of file diff --git a/tests/testdata/paths/loops/regular_2/dir1/file1 b/tests/testdata/paths/loops/regular_2/dir1/file1 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/loops/regular_2/dir2/dir1 b/tests/testdata/paths/loops/regular_2/dir2/dir1 new file mode 120000 index 0000000000..c9f3ab1eac --- /dev/null +++ b/tests/testdata/paths/loops/regular_2/dir2/dir1 @@ -0,0 +1 @@ +../dir1 \ No newline at end of file diff --git a/tests/testdata/paths/loops/regular_2/dir2/file2 b/tests/testdata/paths/loops/regular_2/dir2/file2 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/loops/regular_3/dir1/file1 b/tests/testdata/paths/loops/regular_3/dir1/file1 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/loops/regular_3/dir2/dir1 b/tests/testdata/paths/loops/regular_3/dir2/dir1 new file mode 120000 index 0000000000..c9f3ab1eac --- /dev/null +++ b/tests/testdata/paths/loops/regular_3/dir2/dir1 @@ -0,0 +1 @@ +../dir1 \ No newline at end of file diff --git a/tests/testdata/paths/loops/regular_3/dir2/file2 b/tests/testdata/paths/loops/regular_3/dir2/file2 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/loops/regular_3/link b/tests/testdata/paths/loops/regular_3/link new file mode 120000 index 0000000000..86a410dd1d --- /dev/null +++ b/tests/testdata/paths/loops/regular_3/link @@ -0,0 +1 @@ +broken \ No newline at end of file diff --git a/tests/testdata/paths/loops/regular_4_with_permission_error/dir1/file1 b/tests/testdata/paths/loops/regular_4_with_permission_error/dir1/file1 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/loops/regular_4_with_permission_error/dir2/dir1 b/tests/testdata/paths/loops/regular_4_with_permission_error/dir2/dir1 new file mode 120000 index 0000000000..c9f3ab1eac --- /dev/null +++ b/tests/testdata/paths/loops/regular_4_with_permission_error/dir2/dir1 @@ -0,0 +1 @@ +../dir1 \ No newline at end of file diff --git a/tests/testdata/paths/loops/regular_4_with_permission_error/dir2/file2 b/tests/testdata/paths/loops/regular_4_with_permission_error/dir2/file2 new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/testdata/paths/loops/regular_4_with_permission_error/link b/tests/testdata/paths/loops/regular_4_with_permission_error/link new file mode 120000 index 0000000000..86a410dd1d --- /dev/null +++ b/tests/testdata/paths/loops/regular_4_with_permission_error/link @@ -0,0 +1 @@ +broken \ No newline at end of file From 52cf464960dd88d0d91b94fd0a07bdd9fbf12e95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Apr 2026 23:07:31 +0200 Subject: [PATCH 1680/1736] feat(profile): update hostname. --- apparmor.d/profiles-g-l/hostname | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 1088774886..2e4b26a19d 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -17,12 +17,12 @@ profile hostname @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, @{exec_path} mr, - owner /dev/tty@{u8} rw, + /etc/defaultdomain r, + /etc/hostname r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From 256272e6cd814754bbd6696b9548133a23eda044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Apr 2026 23:10:46 +0200 Subject: [PATCH 1681/1736] feat(abs): add desktop-base. --- apparmor.d/abstractions/desktop | 6 +----- apparmor.d/abstractions/desktop-base | 19 +++++++++++++++++++ apparmor.d/abstractions/gnome-strict | 6 +----- apparmor.d/abstractions/kde-strict | 6 +----- apparmor.d/abstractions/xfce | 1 + 5 files changed, 23 insertions(+), 15 deletions(-) create mode 100644 apparmor.d/abstractions/desktop-base diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index f2432e27fb..1d7494b610 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -21,6 +21,7 @@ include include include + include include include include @@ -48,11 +49,6 @@ # } - /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, # FIXME: a bit too wide - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/poppler/{,**} r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/desktop-base b/apparmor.d/abstractions/desktop-base new file mode 100644 index 0000000000..cdb362c2f3 --- /dev/null +++ b/apparmor.d/abstractions/desktop-base @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Base files required by any GUI on any desktop environment. +# +# It should only contain basic files required everywhere. It is intended to be +# included in desktop environment specific abstractions, and not directly in profiles. + + abi , + + /usr/share/desktop-base/{,**} r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/poppler/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index ce663374a3..ba258b96ef 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -14,6 +14,7 @@ include include include + include include include include @@ -32,11 +33,6 @@ # Gnome specific rules include - /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/poppler/{,**} r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index d002572ce9..a8f9cf33a6 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -14,6 +14,7 @@ include include include + include include include include @@ -32,11 +33,6 @@ # Kde specific rules include - /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/poppler/{,**} r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 36602e8911..3cda268a5d 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -12,6 +12,7 @@ include include include + include include include include From 7201d6cb7b5052564e058ba45e46dc0ac0ce1d1f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Apr 2026 23:49:40 +0200 Subject: [PATCH 1682/1736] feat(aa-mode): add inital version of aa-mode. --- cmd/aa-mode/main.go | 130 ++++++++++++++++++++++++++++++++ cmd/aa-mode/main_test.go | 150 +++++++++++++++++++++++++++++++++++++ pkg/paths/helper.go | 57 ++++++++++++++ pkg/paths/helper_test.go | 158 +++++++++++++++++++++++++++++++++++++++ pkg/paths/paths.go | 17 ----- pkg/paths/paths_test.go | 63 ---------------- pkg/util/profiles.go | 6 +- 7 files changed, 498 insertions(+), 83 deletions(-) create mode 100644 cmd/aa-mode/main.go create mode 100644 cmd/aa-mode/main_test.go create mode 100644 pkg/paths/helper.go create mode 100644 pkg/paths/helper_test.go diff --git a/cmd/aa-mode/main.go b/cmd/aa-mode/main.go new file mode 100644 index 0000000000..21334eba30 --- /dev/null +++ b/cmd/aa-mode/main.go @@ -0,0 +1,130 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package main + +import ( + "flag" + "fmt" + "os" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/logging" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/util" +) + +const usage = `aa-mode [-h] (-e|-c|-k|-a|-u|-p) [profiles...] + + Switch the given program to an AppArmor mode. + + If a profile name is given without a path, it is looked up in '/etc/apparmor.d/'. + If a directory is given, all profiles in it are processed recursively. + +Options: + -h, --help Show this help message and exit. + -e, --enforce Set the profile in enforce mode. + -c, --complain Set the profile in complain mode. + -k, --kill Set the profile in kill mode. + -a, --default-allow Set the profile in default_allow mode. + -u, --unconfined Set the profile in unconfined mode. + -p, --prompt Set the profile in prompt mode. + --no-reload Do not reload the profile after modifying it. + +` + +var ( + help bool + enforce bool + complain bool + kill bool + defaultAllow bool + unconfined bool + prompt bool + noReload bool +) + +func init() { + flag.BoolVar(&help, "h", false, "Show this help message and exit.") + flag.BoolVar(&help, "help", false, "Show this help message and exit.") + flag.BoolVar(&enforce, "e", false, "Set the profile in enforce mode.") + flag.BoolVar(&enforce, "enforce", false, "Set the profile in enforce mode.") + flag.BoolVar(&complain, "c", false, "Set the profile in complain mode.") + flag.BoolVar(&complain, "complain", false, "Set the profile in complain mode.") + flag.BoolVar(&kill, "k", false, "Set the profile in kill mode.") + flag.BoolVar(&kill, "kill", false, "Set the profile in kill mode.") + flag.BoolVar(&defaultAllow, "a", false, "Set the profile in default_allow mode.") + flag.BoolVar(&defaultAllow, "default-allow", false, "Set the profile in default_allow mode.") + flag.BoolVar(&unconfined, "u", false, "Set the profile in unconfined mode.") + flag.BoolVar(&unconfined, "unconfined", false, "Set the profile in unconfined mode.") + flag.BoolVar(&prompt, "p", false, "Set the profile in prompt mode.") + flag.BoolVar(&prompt, "prompt", false, "Set the profile in prompt mode.") + flag.BoolVar(&noReload, "no-reload", false, "Do not reload the profile after modifying it.") +} + +func selectedMode() (string, error) { + flagsByMode := map[string]bool{ + "enforce": enforce, + "complain": complain, + "kill": kill, + "default_allow": defaultAllow, + "unconfined": unconfined, + "prompt": prompt, + } + var selected string + for _, mode := range util.ProfileModes { + if !flagsByMode[mode] { + continue + } + if selected != "" { + return "", fmt.Errorf("only one mode can be set, got %s and %s", selected, mode) + } + selected = mode + } + if selected == "" { + return "", fmt.Errorf("a mode must be set") + } + return selected, nil +} + +func aaSetMode(files paths.PathList, mode string) error { + for _, file := range files { + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = util.SetMode(profile, mode) + if err != nil { + return err + } + if err = file.WriteFile([]byte(profile)); err != nil { + return err + } + } + if noReload { + return nil + } + return util.ReloadProfiles(files) +} + +func main() { + flag.Usage = func() { fmt.Print(usage) } + flag.Parse() + if help || flag.NArg() < 1 { + flag.Usage() + os.Exit(0) + } + + mode, err := selectedMode() + if err != nil { + logging.Fatal("%s", err.Error()) + } + files, err := paths.PathListFromArgs(flag.Args(), aa.MagicRoot) + if err != nil { + logging.Fatal("%s", err.Error()) + } + if err = aaSetMode(files, mode); err != nil { + logging.Fatal("%s", err.Error()) + } +} diff --git a/cmd/aa-mode/main_test.go b/cmd/aa-mode/main_test.go new file mode 100644 index 0000000000..a6dd1ee01d --- /dev/null +++ b/cmd/aa-mode/main_test.go @@ -0,0 +1,150 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package main + +import ( + "os" + "testing" + + "github.com/roddhjav/apparmor.d/pkg/paths" +) + +func tempDir(t *testing.T) *paths.Path { + t.Helper() + if err := os.MkdirAll("/tmp/tests", 0o755); err != nil { + t.Fatalf("mkdir /tmp/tests: %v", err) + } + t.Setenv("TMPDIR", "/tmp/tests") + return paths.New(t.TempDir()) +} + +func resetFlags(t *testing.T) { + t.Helper() + enforce, complain, kill = false, false, false + defaultAllow, unconfined, prompt = false, false, false + noReload = true +} + +func TestSelectedMode(t *testing.T) { + tests := []struct { + name string + setup func() + want string + wantErr bool + }{ + { + name: "enforce", + setup: func() { enforce = true }, + want: "enforce", + }, + { + name: "complain", + setup: func() { complain = true }, + want: "complain", + }, + { + name: "kill", + setup: func() { kill = true }, + want: "kill", + }, + { + name: "default_allow", + setup: func() { defaultAllow = true }, + want: "default_allow", + }, + { + name: "unconfined", + setup: func() { unconfined = true }, + want: "unconfined", + }, + { + name: "prompt", + setup: func() { prompt = true }, + want: "prompt", + }, + { + name: "no mode set", + setup: func() {}, + wantErr: true, + }, + { + name: "two modes set", + setup: func() { enforce = true; complain = true }, + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + resetFlags(t) + tt.setup() + got, err := selectedMode() + if (err != nil) != tt.wantErr { + t.Fatalf("selectedMode() error = %v, wantErr %v", err, tt.wantErr) + } + if err == nil && got != tt.want { + t.Errorf("selectedMode() = %q, want %q", got, tt.want) + } + }) + } +} + +func TestAaSetMode(t *testing.T) { + tests := []struct { + name string + profile string + mode string + want string + wantErr bool + }{ + { + name: "add complain to unflagged profile", + profile: "profile foo /usr/bin/foo {\n}\n", + mode: "complain", + want: "profile foo /usr/bin/foo flags=(complain) {\n}\n", + }, + { + name: "replace complain with kill", + profile: "profile foo /usr/bin/foo flags=(complain) {\n}\n", + mode: "kill", + want: "profile foo /usr/bin/foo flags=(kill) {\n}\n", + }, + { + name: "enforce removes mode flag", + profile: "profile foo /usr/bin/foo flags=(complain) {\n}\n", + mode: "enforce", + want: "profile foo /usr/bin/foo {\n}\n", + }, + { + name: "unknown mode errors", + profile: "profile foo /usr/bin/foo {\n}\n", + mode: "bogus", + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + resetFlags(t) + path := tempDir(t).Join("foo") + if err := path.WriteFile([]byte(tt.profile)); err != nil { + t.Fatalf("write profile: %v", err) + } + err := aaSetMode(paths.PathList{path}, tt.mode) + if (err != nil) != tt.wantErr { + t.Fatalf("aaSetMode() error = %v, wantErr %v", err, tt.wantErr) + } + if tt.wantErr { + return + } + got, err := path.ReadFileAsString() + if err != nil { + t.Fatalf("read profile: %v", err) + } + if got != tt.want { + t.Errorf("profile content = %q, want %q", got, tt.want) + } + }) + } +} + diff --git a/pkg/paths/helper.go b/pkg/paths/helper.go new file mode 100644 index 0000000000..d490503a95 --- /dev/null +++ b/pkg/paths/helper.go @@ -0,0 +1,57 @@ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package paths + +import ( + "fmt" + "regexp" +) + +var ( + Comment = `#` + regFilter = []*regexp.Regexp{ + regexp.MustCompile(`\s*` + Comment + `.*`), + regexp.MustCompile(`(?m)^(?:[\t\s]*(?:\r?\n|\r))+`), + } +) + +// Filter out comments and empty lines from a string. +func Filter(src string) string { + for _, re := range regFilter { + src = re.ReplaceAllLiteralString(src, "") + } + return src +} + +// PathListFromArgs resolves CLI-style arguments into a PathList. Each arg may +// be a file path, a directory (recursed into, skipping README.md), or a bare +// name looked up under magicRoot. +func PathListFromArgs(args []string, magicRoot *Path) (PathList, error) { + res := PathList{} + for _, arg := range args { + path := New(arg) + switch { + case !path.Exist(): + magic := magicRoot.Join(arg) + if !magic.Exist() { + return nil, fmt.Errorf("file %s not found", path) + } + res = append(res, magic) + case path.IsDir(): + files, err := path.ReadDirRecursiveFiltered(nil, + FilterOutDirectories(), + FilterOutNames("README.md"), + ) + if err != nil { + return nil, err + } + res = append(res, files...) + default: + res = append(res, path) + } + } + return res, nil +} diff --git a/pkg/paths/helper_test.go b/pkg/paths/helper_test.go new file mode 100644 index 0000000000..1f70a91a72 --- /dev/null +++ b/pkg/paths/helper_test.go @@ -0,0 +1,158 @@ +// This file is part of PathsHelper library. +// Copyright (C) 2018-2025 Arduino AG (http://www.arduino.cc/) +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package paths + +import ( + "os" + "testing" +) + +func tempDir(t *testing.T) *Path { + t.Helper() + if err := os.MkdirAll("/tmp/tests", 0o755); err != nil { + t.Fatalf("mkdir /tmp/tests: %v", err) + } + t.Setenv("TMPDIR", "/tmp/tests") + return New(t.TempDir()) +} + +func TestFilter(t *testing.T) { + tests := []struct { + name string + src string + want string + }{ + { + name: "comment", + src: "# comment", + want: "", + }, + { + name: "comment with space", + src: " # comment", + want: "", + }, + { + name: "no comment", + src: "no comment", + want: "no comment", + }, + { + name: "no comment # comment", + src: "no comment # comment", + want: "no comment", + }, + { + name: "empty", + src: ` + +`, + want: ``, + }, + { + name: "main", + src: ` +# Common profile flags definition for all distributions +# File format: one profile by line using the format: ' ' + +bwrap attach_disconnected,mediate_deleted,complain +bwrap-app attach_disconnected,complain + +akonadi_akonotes_resource complain # Dev +gnome-disks complain + +`, + want: `bwrap attach_disconnected,mediate_deleted,complain +bwrap-app attach_disconnected,complain +akonadi_akonotes_resource complain +gnome-disks complain +`, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + gotLine := Filter(tt.src) + if gotLine != tt.want { + t.Errorf("Filter() got = |%v|, want |%v|", gotLine, tt.want) + } + }) + } +} + +func TestPathListFromArgs(t *testing.T) { + tests := []struct { + name string + setup func(t *testing.T, dir *Path) []string + wantLen int + wantErr bool + }{ + { + name: "single file", + setup: func(t *testing.T, dir *Path) []string { + p := dir.Join("foo") + if err := p.WriteFile([]byte("x")); err != nil { + t.Fatalf("write: %v", err) + } + return []string{p.String()} + }, + wantLen: 1, + }, + { + name: "directory filters README.md", + setup: func(t *testing.T, dir *Path) []string { + for _, name := range []string{"a", "sub/b", "README.md"} { + p := dir.Join(name) + if err := p.Parent().MkdirAll(); err != nil { + t.Fatalf("mkdir: %v", err) + } + if err := p.WriteFile([]byte("x")); err != nil { + t.Fatalf("write: %v", err) + } + } + return []string{dir.String()} + }, + wantLen: 2, + }, + { + name: "missing path errors", + setup: func(t *testing.T, dir *Path) []string { + return []string{dir.Join("missing").String()} + }, + wantErr: true, + }, + { + name: "missing path resolves via magicRoot", + setup: func(t *testing.T, dir *Path) []string { + if err := dir.Join("named").WriteFile([]byte("x")); err != nil { + t.Fatalf("write: %v", err) + } + return []string{"named"} + }, + wantLen: 1, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + dir := tempDir(t) + args := tt.setup(t, dir) + got, err := PathListFromArgs(args, dir) + if (err != nil) != tt.wantErr { + t.Fatalf("PathListFromArgs() error = %v, wantErr %v", err, tt.wantErr) + } + if tt.wantErr { + return + } + if len(got) != tt.wantLen { + t.Errorf("PathListFromArgs() returned %d entries, want %d: %v", len(got), tt.wantLen, got) + } + for _, p := range got { + if p.Base() == "README.md" { + t.Errorf("README.md was not filtered out: %v", got) + } + } + }) + } +} diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index 46148bd21e..214ba09d10 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -11,29 +11,12 @@ import ( "io/fs" "os" "path/filepath" - "regexp" "slices" "strings" "syscall" "time" ) -var ( - Comment = `#` - regFilter = []*regexp.Regexp{ - regexp.MustCompile(`\s*` + Comment + `.*`), - regexp.MustCompile(`(?m)^(?:[\t\s]*(?:\r?\n|\r))+`), - } -) - -// Filter out comments and empty lines from a string. -func Filter(src string) string { - for _, re := range regFilter { - src = re.ReplaceAllLiteralString(src, "") - } - return src -} - // Path represents a path type Path struct { path string diff --git a/pkg/paths/paths_test.go b/pkg/paths/paths_test.go index bcff1f51df..40a39d6f6d 100644 --- a/pkg/paths/paths_test.go +++ b/pkg/paths/paths_test.go @@ -30,69 +30,6 @@ func makeTestPath(parts []string) *Path { return p } -func TestFilter(t *testing.T) { - tests := []struct { - name string - src string - want string - }{ - { - name: "comment", - src: "# comment", - want: "", - }, - { - name: "comment with space", - src: " # comment", - want: "", - }, - { - name: "no comment", - src: "no comment", - want: "no comment", - }, - { - name: "no comment # comment", - src: "no comment # comment", - want: "no comment", - }, - { - name: "empty", - src: ` - -`, - want: ``, - }, - { - name: "main", - src: ` -# Common profile flags definition for all distributions -# File format: one profile by line using the format: ' ' - -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,complain - -akonadi_akonotes_resource complain # Dev -gnome-disks complain - -`, - want: `bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,complain -akonadi_akonotes_resource complain -gnome-disks complain -`, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - gotLine := Filter(tt.src) - if gotLine != tt.want { - t.Errorf("FilterComment() got = |%v|, want |%v|", gotLine, tt.want) - } - }) - } -} - func TestPath_IsInsideAnyDir(t *testing.T) { tests := []struct { name string diff --git a/pkg/util/profiles.go b/pkg/util/profiles.go index 6e96ce4a04..9bbb46c968 100644 --- a/pkg/util/profiles.go +++ b/pkg/util/profiles.go @@ -14,7 +14,7 @@ import ( var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) regProfileHeader = regexp.MustCompile(` {\n`) - profileModes = []string{ + ProfileModes = []string{ "enforce", "complain", "kill", "default_allow", "unconfined", "prompt", } ) @@ -41,7 +41,7 @@ func SetFlags(profile string, flags []string) string { // SetMode sets the given mode in the profile string, removing any conflicting mode flags. func SetMode(profile string, mode string) (string, error) { - if !slices.Contains(profileModes, mode) { + if !slices.Contains(ProfileModes, mode) { return profile, fmt.Errorf("unknown profile mode: %s", mode) } @@ -49,7 +49,7 @@ func SetMode(profile string, mode string) (string, error) { // Remove all conflicting mode flags flags = slices.DeleteFunc(flags, func(f string) bool { - return slices.Contains(profileModes, f) + return slices.Contains(ProfileModes, f) }) // "enforce" is the default (no mode flag needed), otherwise add the mode From 87040cf638462d32ca4ba02049032451f763714c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 21 Apr 2026 01:05:40 +0200 Subject: [PATCH 1683/1736] feat(aa): cleanup the wip aa tool. --- cmd/aa/main.go | 221 ++++++++----------------------------------------- 1 file changed, 36 insertions(+), 185 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 7e9e5e486d..ba066b914f 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -1,5 +1,5 @@ // apparmor.d - Full set of apparmor profiles -// Copyright (C) 2024 Alexandre Pujol +// Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package main @@ -8,9 +8,6 @@ import ( "flag" "fmt" "os" - "os/exec" - "regexp" - "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -18,64 +15,29 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...] +const usage = `aa [-h] [profiles...] - Various AppArmor profiles development tools + Various unprivileged AppArmor profiles tools. + +Command: + lint Lint the AppArmor profiles. + format Format the AppArmor profiles. + tree Generate a tree of visited profiles. Options: - -h, --help Show this help message and exit. - -e, --enforce Switch the given profile(s) to enforce mode. - -c, --complain Switch the given profile(s) to complain mode. - -f, --format Format the AppArmor profiles. - -l, --lint Lint the AppArmor profiles. - -t, --tree Generate a tree of visited profiles. - -F, --file FILE Set a logfile or a suffix to the default log file. - -s, --systemd Parse systemd logs from journalctl. + -h, --help Show this help message and exit. ` // Command line options var ( - help bool - path string - systemd bool - enforce bool - complain bool - lint bool - format bool - tree bool -) - -var ( - regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `) - regProfileHeader = regexp.MustCompile(` {\n`) -) - -type kind uint8 - -const ( - isProfile kind = iota - isAbstraction - isTunable + help bool + command string ) func init() { flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&lint, "l", false, "Lint the AppArmor profiles.") - flag.BoolVar(&lint, "lint", false, "Lint the AppArmor profiles.") - flag.BoolVar(&format, "f", false, "Format the AppArmor profiles.") - flag.BoolVar(&format, "format", false, "Format the AppArmor profiles.") - flag.BoolVar(&tree, "t", false, "Generate a tree of visited profiles.") - flag.BoolVar(&tree, "tree", false, "Generate a tree of visited profiles.") - flag.StringVar(&path, "F", "", "Set a logfile or a suffix to the default log file.") - flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") - flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") - flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") - flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.") - flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.") - flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.") - flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.") } func getIndentationLevel(input string) int { @@ -91,13 +53,13 @@ func getIndentationLevel(input string) int { return level } -func parse(kind kind, profile string) (aa.ParaRules, []string, error) { +func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { var raw string paragraphs := []string{} rulesByParagraph := aa.ParaRules{} switch kind { - case isTunable, isProfile: + case aa.TunableKind, aa.ProfileKind: f := &aa.AppArmorProfileFile{} nb, err := f.Parse(profile) if err != nil { @@ -106,7 +68,7 @@ func parse(kind kind, profile string) (aa.ParaRules, []string, error) { lines := strings.Split(profile, "\n") raw = strings.Join(lines[nb:], "\n") - case isAbstraction: + case aa.AbstractionKind: raw = profile } @@ -119,7 +81,7 @@ func parse(kind kind, profile string) (aa.ParaRules, []string, error) { return rulesByParagraph, paragraphs, nil } -func formatFile(kind kind, profile string) (string, error) { +func formatFile(kind aa.FileKind, profile string) (string, error) { rulesByParagraph, paragraphs, err := parse(kind, profile) if err != nil { return "", err @@ -127,40 +89,27 @@ func formatFile(kind kind, profile string) (string, error) { for idx, rules := range rulesByParagraph { aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - fmt.Println(rules.String()) + fmt.Print(rules.String() + "\n") } return profile, nil } -// getKind checks if the file is a full apparmor profile file or an -// included (abstraction or tunable) file. -func getKind(file *paths.Path) kind { - dirname := file.Parent().String() - switch { - case strings.Contains(dirname, "abstractions"): - return isAbstraction - case strings.Contains(dirname, "tunables"): - return isTunable - default: - return isProfile - } -} - func aaFormat(files paths.PathList) error { for _, file := range files { if !file.Exist() { return nil } - profile, err := file.ReadFileAsString() + + raw, err := file.ReadFileAsString() if err != nil { return err } - profile, err = formatFile(getKind(file), profile) + raw, err = formatFile(aa.KindFromPath(file), raw) if err != nil { return err } - if err := file.WriteFile([]byte(profile)); err != nil { + if err := file.WriteFile([]byte(raw)); err != nil { return err } logging.Success("Formatted: %s", file) @@ -175,104 +124,10 @@ func aaLint(files paths.PathList) error { return nil } -func setFlag(profile string, flag string) (string, error) { - f := aa.DefaultTunables() - if _, err := f.Parse(profile); err != nil { - return profile, err - } - - flags := f.GetDefaultProfile().Flags - switch flag { - case "enforce": - if len(flags) == 0 || slices.Contains(flags, "enforce") { - return profile, nil // Nothing to do - } - idx := slices.Index(flags, "complain") - if idx == -1 { - return profile, nil // No complain flag, nothing to do - } - flags = slices.Delete(flags, idx, idx+1) - - case "complain": - if slices.Contains(flags, "complain") { - return profile, nil // Nothing to do - } - flags = append(flags, "complain") - - default: - return profile, fmt.Errorf("unknown flag: %s", flag) - } - strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" - - // Remove all flags definition, then the new flags - profile = regFlags.ReplaceAllLiteralString(profile, "") - if len(flags) > 0 { - profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) - } - return profile, nil -} - -func aaSetFlag(files paths.PathList, flag string) error { - for _, file := range files { - profile, err := file.ReadFileAsString() - if err != nil { - return err - } - profile, err = setFlag(profile, flag) - if err != nil { - return err - } - if err = file.WriteFile([]byte(profile)); err != nil { - return err - } - if err = reloadProfile(file); err != nil { - return err - } - } - return nil -} - func aaTree() error { return nil } -func reloadProfile(file *paths.Path) error { - cmd := exec.Command("apparmor_parser", "--replace", file.String()) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - if err := cmd.Run(); err != nil { - return fmt.Errorf("apparmor_parser failed: %w", err) - } - return nil -} - -func pathsFromArgs() (paths.PathList, error) { - res := paths.PathList{} - for _, arg := range flag.Args() { - path := paths.New(arg) - switch { - case !path.Exist(): - if aa.MagicRoot.Join(arg).Exist() { - res = append(res, aa.MagicRoot.Join(arg)) - } else { - return nil, fmt.Errorf("file %s not found", path) - } - case path.IsDir(): - files, err := path.ReadDirRecursiveFiltered(nil, - paths.FilterOutDirectories(), - paths.FilterOutNames("README.md"), - ) - if err != nil { - return nil, err - } - res = append(res, files...) - case path.Exist(): - res = append(res, path) - } - } - return res, nil -} - func main() { flag.Usage = func() { fmt.Print(usage) } flag.Parse() @@ -280,43 +135,39 @@ func main() { flag.Usage() os.Exit(0) } + if len(flag.Args()) < 1 { + flag.Usage() + os.Exit(1) + } + + command = flag.Args()[0] + if err := flag.CommandLine.Parse(flag.Args()[1:]); err != nil { + logging.Fatal("%s", err.Error()) + } var err error var files paths.PathList - switch { - case enforce: - files, err = pathsFromArgs() - if err != nil { - logging.Fatal("%s", err.Error()) - } - err = aaSetFlag(files, "enforce") - - case complain: - files, err = pathsFromArgs() - if err != nil { - logging.Fatal("%s", err.Error()) - } - err = aaSetFlag(files, "complain") - - case lint: - files, err = pathsFromArgs() + switch command { + case "lint": + files, err = paths.PathListFromArgs(flag.Args(), aa.MagicRoot) if err != nil { logging.Fatal("%s", err.Error()) } err = aaLint(files) - case format: - files, err = pathsFromArgs() + case "format": + files, err = paths.PathListFromArgs(flag.Args(), aa.MagicRoot) if err != nil { logging.Fatal("%s", err.Error()) } err = aaFormat(files) - case tree: + case "tree": err = aaTree() default: flag.Usage() + os.Exit(1) } if err != nil { From fbc9a8427d47657f1fe643608c63c9d7194f1301 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 21 Apr 2026 18:28:24 +0200 Subject: [PATCH 1684/1736] fix(aa): support literal ? in variable --- pkg/aa/parse.go | 6 +++++- pkg/aa/parse_test.go | 13 +++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index f03e3f43db..1786ea41c1 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -489,6 +489,7 @@ func parseContentRules(input string) (Rules, error) { func tokenizeRule(str string) []string { var currentToken strings.Builder isVariable, wasTokPLUS, wasTokQM, wasTokCOLON, quoted := false, false, false, false, false + sawAssignment := false blockStack := []rune{} tokens := make([]string, 0, len(str)/2) @@ -519,7 +520,7 @@ func tokenizeRule(str string) []string { currentToken.Reset() } - case (r == '+' || r == '?' || r == ':' || r == '=') && len(blockStack) == 0 && !quoted && isVariable: + case (r == '+' || r == '?' || r == ':' || r == '=') && len(blockStack) == 0 && !quoted && isVariable && !sawAssignment: // Handle variable assignment operators: =, +=, ?=, := if currentToken.Len() != 0 { tokens = append(tokens, currentToken.String()) @@ -537,6 +538,9 @@ func tokenizeRule(str string) []string { wasTokPLUS = (r == '+') wasTokQM = (r == '?') wasTokCOLON = (r == ':') + if r == '=' { + sawAssignment = true + } case r == '"' && len(blockStack) == 0: quoted = !quoted diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 038c8714c8..8c05f4ab1b 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -565,6 +565,19 @@ var ( wGetSlice: []string{"@{XDG_PROJECTS_DIR}", "+=", `"Git"`}, wString: `@{XDG_PROJECTS_DIR} += "Git"`, }, + { + name: "variable-5", + raw: `@{name} = super{p,P}roductivity Super?Productivity`, + tokens: []string{"@{name}", "=", "super{p,P}roductivity", "Super?Productivity"}, + rule: rule{ + {key: "@{name}"}, {key: "="}, {key: "super{p,P}roductivity"}, {key: "Super?Productivity"}, + }, + getIdx: 3, + wGet: "Super?Productivity", + wGetString: `@{name} = super{p,P}roductivity Super?Productivity`, + wGetSlice: []string{"@{name}", "=", "super{p,P}roductivity", "Super?Productivity"}, + wString: `@{name} = super{p,P}roductivity Super?Productivity`, + }, { name: "header", raw: `profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected)`, From 63379ffe78bc34f9bf2c4b98432d48deece26aed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Apr 2026 19:45:39 +0200 Subject: [PATCH 1685/1736] feat(abs): remove dbus abs from flatpak apps. There are only needed by the dbus proxy. Not by the flatpak app. --- apparmor.d/abstractions/app/flatpak | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 7882fca455..1841a3014c 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -76,16 +76,6 @@ # In the limmit of what is allowed by flatpak. include - # System bus: all system dbus interfaces a flatpak app can access - include - include - include - include - include - include - include - include - signal (send receive) peer=fapp, signal (send receive) peer=fapp//&fbwrap, signal (send receive) peer=fbwrap, From ff0378c61d40bcf808ced8c54fe15ab2c99e09f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Apr 2026 20:14:10 +0200 Subject: [PATCH 1686/1736] feat(profile): minor profiles update. --- apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/freedesktop/cpupower | 2 +- apparmor.d/groups/freedesktop/xdg-icon-resource | 3 +++ apparmor.d/groups/freedesktop/xkbcomp | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 + apparmor.d/groups/gnome/gnome-session-service | 1 + apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/grub/grub-probe | 4 ++-- apparmor.d/groups/systemd/machinectl | 3 +++ apparmor.d/groups/systemd/systemd-detect-virt | 1 + apparmor.d/groups/ubuntu/apport | 10 +++++----- apparmor.d/profiles-g-l/git | 2 ++ apparmor.d/profiles-g-l/gpu-manager | 2 ++ apparmor.d/profiles-g-l/kernel | 1 + apparmor.d/profiles-g-l/libreoffice | 1 - apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mdadm | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 6 +----- apparmor.d/profiles-m-r/pam-auth-update | 1 + apparmor.d/profiles-s-z/signal-desktop | 2 ++ apparmor.d/profiles-s-z/solaar | 2 ++ apparmor.d/profiles-s-z/update-initramfs | 2 ++ 23 files changed, 35 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 3e83e4064c..976ffa6cb7 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 8433d038ce..9ea1890566 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -23,7 +23,7 @@ profile cpupower @{exec_path} { @{bin}/man rPx, @{bin}/uname rix, - @{lib}/linux-tools-*/cpupower rix, + @{lib}/linux-*/cpupower rix, @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw, @{sys}/devices/system/cpu/cpu@{int}/online r, diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index d1f2ecf2ad..07b05dd6fd 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -12,8 +12,11 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include include + include + include @{exec_path} r, + @{sh_path} r, @{bin}/dbus-send Cx -> bus, @{bin}/gtk{,4}-update-icon-cache Px, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index a99e12b7a4..342bd66632 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -11,7 +11,6 @@ include profile xkbcomp @{exec_path} flags=(attach_disconnected) { include include - include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index a46734cdf0..8264d00140 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -58,6 +58,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.fwupd path=/ label=fwupd #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.locale1 label=label=systemd-localed #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index f89170afee..01ae0a009e 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -47,6 +47,7 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { owner @{user_state_dirs}/ w, owner @{user_state_dirs}/gnome-session@*.state r, + owner @{user_state_dirs}/gnome-session@*.state.@{rand6} rw, @{run}/systemd/sessions/{,@{l}}@{int}{,.ref} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7b860283cc..3ada2d2bb1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -502,6 +502,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network inet stream, network unix stream, + @{bin}/env mr, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index ffe1d2661f..f478a8844e 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -20,7 +20,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner @{gdm_cache_dirs}//fontconfig/ rw, + owner @{gdm_cache_dirs}/fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 877fdbd0a7..123a835661 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -16,6 +16,8 @@ profile grub-probe @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, + mqueue (read getattr) type=posix @{att}/, + @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, @@ -36,8 +38,6 @@ profile grub-probe @{exec_path} flags=(attach_disconnected) { /dev/**/ r, /dev/mapper/control w, - deny mqueue (read, getattr) type=posix /, - include if exists } diff --git a/apparmor.d/groups/systemd/machinectl b/apparmor.d/groups/systemd/machinectl index f745cb5dd3..6f26a8cea0 100644 --- a/apparmor.d/groups/systemd/machinectl +++ b/apparmor.d/groups/systemd/machinectl @@ -23,6 +23,9 @@ profile machinectl @{exec_path} flags=(attach_disconnected) { signal send set=(cont term winch) peer=systemd-tty-ask-password-agent, #aa:dbus talk bus=system name=org.freedesktop.machine1 label=systemd-machined + dbus send bus=system path=/org/freedesktop/machine1 + interface=org.freedesktop.machine1.Manager + peer=(name=org.freedesktop.machine1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 8aa2896c01..42a5918880 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -23,6 +23,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/container r, + @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 2b429248bb..4216296727 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -35,15 +35,15 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{bin}/gdbus rix, @{bin}/md5sum rix, - /usr/share/apport/{,**} r, - /usr/share/backgrounds/{,**} r, - /usr/share/doc/{,**} r, - @{etc_ro}/login.defs r, /etc/apport/{,**} r, /etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg.d/{,**} r, + # Apport needs access to all install path of packages to report problems. + /usr/{,**} r, + /opt/{,**} r, + /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.md5sums r, @@ -51,7 +51,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/triggers/* r, /var/lib/dpkg/updates/{,*} r, - /var/lib/apport/coredump/{,**} r, + /var/lib/apport/{,**} r, /var/lib/ispell/{,**} r, /var/lib/systemd/coredump/{,**} r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 7d457a358b..570fc207b8 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -59,6 +59,8 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, + owner @{HOME}/.ansible/tmp{,**} rwlk, + # GPG owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{run}/user/@{uid}/keyring/ssh rw, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 0ad848c500..6add86d4f4 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -27,6 +27,8 @@ profile gpu-manager @{exec_path} { /var/log/gpu-manager.log w, /var/log/gpu-manager-switch.log w, + @{run}/modprobe.d/{,**} r, + @{sys}/devices/@{pci}/boot_vga r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index ea444f7f18..2aa7c45bd3 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -22,6 +22,7 @@ profile kernel @{exec_path} { @{bin}/chmod rix, @{bin}/cut rix, @{bin}/dirname rix, + @{bin}/kernel-install rm, @{bin}/kmod rCx -> kmod, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 765b1137bc..b818e5a20e 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -82,7 +82,6 @@ profile libreoffice @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/thumbnailers/{,**} r, /etc/cups/ppd/*.ppd r, - /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/papersize r, /etc/paperspecs r, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 4da0cc82f5..678792f748 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -63,6 +63,7 @@ profile initramfs-hooks @{exec_path} { /etc/plymouth/plymouthd.conf r, /etc/systemd/network/{,**} r, /etc/udev/{,**} r, + /etc/xattr.conf r, / r, @{efi}/config-* r, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index d1cfd4414a..5f94a62ca5 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -20,7 +20,7 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { network netlink raw, - mqueue (read getattr) type=posix /, + mqueue (read getattr) type=posix @{att}/, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 9e786cfe53..f7b3c7a230 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -11,6 +11,7 @@ include @{exec_path} = @{sbin}/mkinitramfs profile mkinitramfs @{exec_path} { include + include include capability chown, @@ -127,11 +128,6 @@ profile mkinitramfs @{exec_path} { @{sys}/module/firmware_class/parameters/path r, @{sys}/bus/platform/drivers/simple-framebuffer/ r, - @{sys}/fs/cgroup/system.slice/*.service/cpu.max r, - @{sys}/fs/cgroup/system.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 947fb2f4ee..28b06fa43f 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -24,6 +24,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { /etc/shadow r, /var/lib/dpkg/info/libpam-runtime.templates r, + /var/lib/dpkg/tmp.ci/control r, /var/lib/pam/* rw, include if exists diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 5de577f143..8b7543a1e0 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -37,6 +37,8 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, + owner @{user_config_dirs}/signal-desktop-flags.conf r, + include if exists } diff --git a/apparmor.d/profiles-s-z/solaar b/apparmor.d/profiles-s-z/solaar index aa7618d04f..4a11528f9c 100644 --- a/apparmor.d/profiles-s-z/solaar +++ b/apparmor.d/profiles-s-z/solaar @@ -13,6 +13,7 @@ profile solaar @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -31,6 +32,7 @@ profile solaar @{exec_path} flags=(attach_disconnected) { owner @{tmp}/Solaar_@{rand8} rw, owner @{tmp}/@{word8} rw, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, deny @{bin}/git x, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index ef53dd7701..fe38df2859 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -31,11 +31,13 @@ profile update-initramfs @{exec_path} { @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, + @{bin}/dracut rPUx, @{bin}/ischroot rPx, @{bin}/limine-mkinitcpio rPUx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, + /etc/initramfs/post-update.d/ r, /etc/initramfs/post-update.d/* rPUx, /var/lib/initramfs-tools/* w, From fdd28f83c6c469d1fd3e029bc2046727856b8e47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20B=C3=A9lair?= Date: Fri, 24 Apr 2026 10:00:22 +0200 Subject: [PATCH 1687/1736] fix(abstraction): Avoid conflicting exec rules. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Test abstraction allows executing /tmp/*test*/** to support test suites. However, some profiles, like do-release-upgrade also perform explicit Cx transitions. If the executed file matches the regex, it will fail with profile xxx has merged rule xxx with conflicting x modifiers. Fixed by adding priority=-1 in the abstraction to allow smooth overrides. Signed-off-by: Maxime Bélair --- apparmor.d/abstractions/tests | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/tests b/apparmor.d/abstractions/tests index d31f154fb7..d28eb91a26 100644 --- a/apparmor.d/abstractions/tests +++ b/apparmor.d/abstractions/tests @@ -40,9 +40,9 @@ /tmp/shunit.@{rand6}/** rwlk, /tmp/test*/ rw, - /tmp/test*/** rwlkmix, + priority=-1 /tmp/test*/** rwlkmix, /tmp/*test*/ rw, - /tmp/*test*/** rwlkmix, + priority=-1 /tmp/*test*/** rwlkmix, owner /tmp/dbusmock_data_*/{,**} rwlk, From a5e07f4b86c5006a814bbd10b01570cd5879fb11 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Apr 2026 20:26:11 +0200 Subject: [PATCH 1688/1736] feat(abs): update flatpak apps. --- apparmor.d/abstractions/app/flatpak | 6 +++--- apparmor.d/abstractions/flatpak/base | 13 ++++--------- .../flatpak/baseapp/org.chromium.Chromium | 5 +++++ .../flatpak/baseapp/org.mozilla.firefox | 12 ++++++++++-- apparmor.d/abstractions/java | 5 +++++ 5 files changed, 27 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index 1841a3014c..e414994abd 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -76,6 +76,9 @@ # In the limmit of what is allowed by flatpak. include + # Programming language specific resources + include + signal (send receive) peer=fapp, signal (send receive) peer=fapp//&fbwrap, signal (send receive) peer=fbwrap, @@ -96,9 +99,6 @@ unix type=stream peer=(label=unconfined), unix type=stream peer=(label=xdg-desktop-portal), - # As a generic profile, we cannot restrict the session bus, and we trust flatpak on this. - dbus bus=session, - # apply_extra /app/extra/** w, diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index ea27c96a70..0804c1da2e 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -10,9 +10,6 @@ abi , - include - include - include include include @@ -50,6 +47,8 @@ /usr/ r, /etc/timezone r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, owner /.flatpak-info r, @@ -104,6 +103,8 @@ @{att}/tmp/ r, owner @{att}/tmp/** mrwlkix, + @{sys}/devices/system/cpu/kernel_max r, + # Show the list of active tty @{sys}/devices/virtual/tty/tty@{int}/active r, @@ -131,9 +132,6 @@ # Human-readable thread status @{PROC}/@{pid}/task/@{tid}/status r, - # - @{PROC}/cgroups r, - # Uptime @{PROC}/uptime r, @{PROC}/loadavg r, @@ -196,9 +194,6 @@ # measure approximately how much memory a process is using. owner @{PROC}/@{pid}/clear_refs w, - # Control which memory segments are written to the core dump file - owner @{PROC}/@{pid}/coredump_filter rw, - # Allow reading command line arguments for process identification owner @{PROC}/@{pid}/cmdline rk, owner @{PROC}/@{pid}/comm rk, diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium b/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium index 1b5936edd9..a7c392b741 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium +++ b/apparmor.d/abstractions/flatpak/baseapp/org.chromium.Chromium @@ -24,6 +24,11 @@ @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + # Pressure Stall Information interface + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + # Chromium content api unfortunately needs these for normal operation owner @{PROC}/@{pid}/fd/@{int} w, diff --git a/apparmor.d/abstractions/flatpak/baseapp/org.mozilla.firefox b/apparmor.d/abstractions/flatpak/baseapp/org.mozilla.firefox index 46a774fd11..f6e29fb1ee 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/org.mozilla.firefox +++ b/apparmor.d/abstractions/flatpak/baseapp/org.mozilla.firefox @@ -1,8 +1,7 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2026 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: appid abi , @@ -11,6 +10,15 @@ owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + # Allow getting the manufacturer and model of the computer where firefox is currently running. + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + # Pressure Stall Information interface + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java index 01597230c1..0931fe8545 100644 --- a/apparmor.d/abstractions/java +++ b/apparmor.d/abstractions/java @@ -9,6 +9,11 @@ /etc/java/{,**} r, /etc/java-*/{,**} r, + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, + + @{PROC}/cgroups r, + + # Control which memory segments are written to the core dump file owner @{PROC}/@{pid}/coredump_filter rw, include if exists From 1c9485275a31e07cc6d9e52b38f0b66129cc4bd1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Apr 2026 20:38:05 +0200 Subject: [PATCH 1689/1736] fix(profile): apparmor does not support variable in mqueue. --- apparmor.d/groups/grub/grub-probe | 3 ++- apparmor.d/profiles-m-r/mdadm | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 123a835661..dd6832c3b5 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -16,7 +16,8 @@ profile grub-probe @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, - mqueue (read getattr) type=posix @{att}/, + mqueue (read getattr) type=posix /, + mqueue (read getattr) type=posix /att/grub-probe/, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 5f94a62ca5..f172b4200b 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -20,7 +20,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { network netlink raw, - mqueue (read getattr) type=posix @{att}/, + mqueue (read getattr) type=posix /, + mqueue (read getattr) type=posix /att/mdadm/, @{exec_path} mr, From 883fc528979ae97e500ec5116d0f8c10fcd3054d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Apr 2026 21:02:28 +0200 Subject: [PATCH 1690/1736] feat(aa-mode): ensure unconfined profile is never modified. --- cmd/aa-mode/main.go | 8 +++++++- cmd/aa-mode/main_test.go | 12 ++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/cmd/aa-mode/main.go b/cmd/aa-mode/main.go index 21334eba30..e310f99669 100644 --- a/cmd/aa-mode/main.go +++ b/cmd/aa-mode/main.go @@ -89,11 +89,16 @@ func selectedMode() (string, error) { } func aaSetMode(files paths.PathList, mode string) error { + modified := paths.PathList{} for _, file := range files { profile, err := file.ReadFileAsString() if err != nil { return err } + if util.IsUnconfined(profile) { + logging.Warning("skipping %s: profile is in unconfined mode", file) + continue + } profile, err = util.SetMode(profile, mode) if err != nil { return err @@ -101,11 +106,12 @@ func aaSetMode(files paths.PathList, mode string) error { if err = file.WriteFile([]byte(profile)); err != nil { return err } + modified = append(modified, file) } if noReload { return nil } - return util.ReloadProfiles(files) + return util.ReloadProfiles(modified) } func main() { diff --git a/cmd/aa-mode/main_test.go b/cmd/aa-mode/main_test.go index a6dd1ee01d..ebd45d1826 100644 --- a/cmd/aa-mode/main_test.go +++ b/cmd/aa-mode/main_test.go @@ -122,6 +122,18 @@ func TestAaSetMode(t *testing.T) { mode: "bogus", wantErr: true, }, + { + name: "unconfined profile is never modified", + profile: "profile foo /usr/bin/foo flags=(unconfined) {\n}\n", + mode: "complain", + want: "profile foo /usr/bin/foo flags=(unconfined) {\n}\n", + }, + { + name: "unconfined profile preserved even when setting unconfined", + profile: "profile foo /usr/bin/foo flags=(attach_disconnected, unconfined) {\n}\n", + mode: "unconfined", + want: "profile foo /usr/bin/foo flags=(attach_disconnected, unconfined) {\n}\n", + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From cca044939cd0b3465e025368b25fdede2336a487 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Apr 2026 20:08:03 +0200 Subject: [PATCH 1691/1736] build(arch): only the main package depends on apparmor. --- PKGBUILD | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 2935d436c3..f67df65505 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -15,7 +15,6 @@ pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') -depends=('apparmor') makedepends=('go' 'rsync' 'just') prepare() { @@ -36,7 +35,7 @@ build() { } package_apparmor.d() { - depends+=('apparmor.d-base' 'apparmor.d-tools') + depends=('apparmor' 'apparmor.d-base' 'apparmor.d-tools') arch=("any") cd "$srcdir/$pkgbase" just destdir="$pkgdir" install-prebuilt From 4b40557f91d3a717e8e411c5970eabde236b31df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Apr 2026 21:23:47 +0200 Subject: [PATCH 1692/1736] build: remove old prebuild tasks, add new one. --- Justfile | 71 +++++++++++++++++++++++--------------------------------- 1 file changed, 29 insertions(+), 42 deletions(-) diff --git a/Justfile b/Justfile index 07feaf914a..87e3281023 100644 --- a/Justfile +++ b/Justfile @@ -93,8 +93,24 @@ help: [group('build')] build: @go build -o {{build}}/ ./cmd/aa-log + @go build -o {{build}}/ ./cmd/aa-mode @go build -o {{build}}/ ./cmd/prebuild +# Build aa-flatpak +[group('build')] +build-aa-flatpak: + @go build -o {{build}}/ ./cmd/aa-flatpak + +# Prebuild the profiles +[group('build')] +prebuild: build + ./{{build}}/prebuild --buildir {{build}} --future + +# Prebuild the profiles in FSP mode +[group('build')] +prebuild-fsp: build + @./{{build}}/prebuild --buildir {{build}} --future --full + # Prebuild the profiles in enforced mode [group('build')] enforce: build @@ -115,46 +131,6 @@ complain: build complain-test: build @./{{build}}/prebuild --buildir {{build}} --complain --test -# Prebuild the profiles in FSP mode -[group('build')] -fsp: build - @./{{build}}/prebuild --buildir {{build}} --full - -# Prebuild the profiles in FSP mode (complain) -[group('build')] -fsp-complain: build - @./{{build}}/prebuild --buildir {{build}} --complain --full - -# Prebuild the profiles in FSP mode (debug) -[group('build')] -fsp-debug: build - @./{{build}}/prebuild --buildir {{build}} --complain --full --debug - -# Prebuild the profiles in server mode -[group('build')] -server: build - @./{{build}}/prebuild --buildir {{build}} --server - -# Prebuild the profiles in server mode (complain) -[group('build')] -server-complain: build - @./{{build}}/prebuild --buildir {{build}} --server --complain - -# Prebuild the profiles in server FSP mode -[group('build')] -server-fsp: build - @./{{build}}/prebuild --buildir {{build}} --server --full - -# Prebuild the profiles in server FSP mode (complain) -[group('build')] -server-fsp-complain: build - @./{{build}}/prebuild --buildir {{build}} --server --full --complain - -# Prebuild the profiles in server FSP mode (debug) -[group('build')] -server-fsp-debug: build - @./{{build}}/prebuild --buildir {{build}} --server --full --complain --debug - # Install base abstraction, tunable and booleans [group('install')] install-base: @@ -175,11 +151,21 @@ install-tools: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") + install -Dm0755 {{build}}/aa-mode {{destdir}}/usr/bin/aa-mode + mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -not -name "*aa-flatpak*" -printf "%P\n") for file in "${share[@]}"; do install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" done +# Install aa-flatpak +[group('install')] +install-aa-flatpak: + @install -Dm0755 {{build}}/aa-flatpak {{destdir}}/usr/bin/aa-flatpak + @install -Dm0644 systemd/aa-flatpak.service {{destdir}}/usr/lib/systemd/system/aa-flatpak.service + @install -Dm0644 share/bash-completion/completions/aa-flatpak {{destdir}}/usr/share/bash-completion/completions/aa-flatpak + @install -Dm0644 share/man/man1/aa-flatpak.1 {{destdir}}/usr/share/man/man1/aa-flatpak.1 + @install -Dm0644 share/zsh/site-functions/_aa-flatpak.zsh {{destdir}}/usr/share/zsh/site-functions/_aa-flatpak.zsh + # Install prebuilt profiles [group('install')] install-prebuilt: @@ -303,7 +289,7 @@ build-rpm: (_ensure_pkgdest) sed -i "s/^Version:.*/Version: $VERSION/" "SPECS/{{pkgname}}.spec" rpmbuild -bb --define "_topdir $RPMBUILD_ROOT" "SPECS/{{pkgname}}.spec" - mv "$RPMBUILD_ROOT/RPMS/$ARCH/"*.rpm "{{pkgdest}}/" + find "$RPMBUILD_ROOT/RPMS" -name '*.rpm' -exec mv -t "{{pkgdest}}/" {} + rm -rf "$RPMBUILD_ROOT" # Build & install apparmor.d on Arch based systems @@ -390,6 +376,7 @@ packages: (clean) for dist in "${!matrix[@]}"; do IFS=' ' read -r -a releases <<< "${matrix[$dist]}" for release in "${releases[@]}"; do + echo "{{ RED + BOLD }}Building package for $dist $release{{ NORMAL }}" bash dists/docker.sh $dist $release done done From f32c46044d2c3502be348ad92ebe660309004520 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 27 Apr 2026 23:35:26 +0200 Subject: [PATCH 1693/1736] fix(prebuild): ensure flags cannot be added to if statement. --- pkg/util/profiles.go | 6 +++--- pkg/util/profiles_test.go | 6 ++++++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/pkg/util/profiles.go b/pkg/util/profiles.go index 9bbb46c968..068ca1eaa1 100644 --- a/pkg/util/profiles.go +++ b/pkg/util/profiles.go @@ -13,7 +13,7 @@ import ( var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {\n`) + regProfileHeader = regexp.MustCompile(`(?m)^([ \t]*profile [^\n]*?) \{\n`) ProfileModes = []string{ "enforce", "complain", "kill", "default_allow", "unconfined", "prompt", } @@ -35,8 +35,8 @@ func SetFlags(profile string, flags []string) string { if len(flags) == 0 { return profile } - flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" - return regProfileHeader.ReplaceAllLiteralString(profile, flagsStr) + flagsStr := "${1} flags=(" + strings.Join(flags, ",") + ") {\n" + return regProfileHeader.ReplaceAllString(profile, flagsStr) } // SetMode sets the given mode in the profile string, removing any conflicting mode flags. diff --git a/pkg/util/profiles_test.go b/pkg/util/profiles_test.go index 1a2e3212c4..92c8cd75a2 100644 --- a/pkg/util/profiles_test.go +++ b/pkg/util/profiles_test.go @@ -58,6 +58,12 @@ func TestSetFlags(t *testing.T) { flags: []string{"complain"}, want: "profile foo /usr/bin/foo flags=(complain) {\n", }, + { + name: "add flags to profile with if statement", + profile: "profile foo /usr/bin/foo {\n if true {\n /bin/true rix,\n }\n}\n", + flags: []string{"complain"}, + want: "profile foo /usr/bin/foo flags=(complain) {\n if true {\n /bin/true rix,\n }\n}\n", + }, { name: "add multiple flags", profile: "profile foo /usr/bin/foo {\n", From 1513640f4c7857af8ab9124a718777b690f1d18d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 00:00:42 +0200 Subject: [PATCH 1694/1736] feat(aa): add IsUnconfined. --- pkg/util/profiles.go | 12 ++++++++++ pkg/util/profiles_test.go | 46 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) diff --git a/pkg/util/profiles.go b/pkg/util/profiles.go index 068ca1eaa1..39fe75a5ae 100644 --- a/pkg/util/profiles.go +++ b/pkg/util/profiles.go @@ -39,6 +39,18 @@ func SetFlags(profile string, flags []string) string { return regProfileHeader.ReplaceAllString(profile, flagsStr) } +// IsUnconfined reports whether any profile in the given content has the unconfined mode flag set. +func IsUnconfined(profile string) bool { + for _, match := range regFlags.FindAllStringSubmatch(profile, -1) { + for f := range strings.SplitSeq(match[1], ",") { + if strings.TrimSpace(f) == "unconfined" { + return true + } + } + } + return false +} + // SetMode sets the given mode in the profile string, removing any conflicting mode flags. func SetMode(profile string, mode string) (string, error) { if !slices.Contains(ProfileModes, mode) { diff --git a/pkg/util/profiles_test.go b/pkg/util/profiles_test.go index 92c8cd75a2..4304501095 100644 --- a/pkg/util/profiles_test.go +++ b/pkg/util/profiles_test.go @@ -98,6 +98,52 @@ func TestSetFlags(t *testing.T) { } } +func TestIsUnconfined(t *testing.T) { + tests := []struct { + name string + profile string + want bool + }{ + { + name: "no flags", + profile: "profile foo /usr/bin/foo {\n}\n", + want: false, + }, + { + name: "unconfined only", + profile: "profile foo /usr/bin/foo flags=(unconfined) {\n}\n", + want: true, + }, + { + name: "unconfined with other flags", + profile: "profile foo /usr/bin/foo flags=(attach_disconnected, unconfined) {\n}\n", + want: true, + }, + { + name: "complain only", + profile: "profile foo /usr/bin/foo flags=(complain) {\n}\n", + want: false, + }, + { + name: "substring should not match", + profile: "profile foo /usr/bin/foo flags=(unconfinedx) {\n}\n", + want: false, + }, + { + name: "second profile is unconfined", + profile: "profile a /usr/bin/a {\n}\nprofile b /usr/bin/b flags=(unconfined) {\n}\n", + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := IsUnconfined(tt.profile); got != tt.want { + t.Errorf("IsUnconfined() = %v, want %v", got, tt.want) + } + }) + } +} + func TestSetMode(t *testing.T) { tests := []struct { name string From 5d4f764c02f5f306ea8e9bccec93de165ee5de17 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 00:02:53 +0200 Subject: [PATCH 1695/1736] chore: add go doc in all packages. --- pkg/aa/apparmor.go | 7 +++++++ pkg/builder/docs.go | 28 ++++++++++++++++++++++++++++ pkg/configure/core.go | 3 +++ pkg/directive/core.go | 2 ++ pkg/logging/logging.go | 2 ++ pkg/logs/logs.go | 3 +++ pkg/paths/doc.go | 15 +++++++++------ pkg/prebuild/cli/cli.go | 1 - pkg/runtime/runners.go | 2 ++ pkg/tasks/runner.go | 3 +++ pkg/util/profiles.go | 3 +++ 11 files changed, 62 insertions(+), 7 deletions(-) create mode 100644 pkg/builder/docs.go diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 56087d776f..29b39f4644 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -2,6 +2,13 @@ // Copyright (C) 2021-2023 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package aa parses, formats, and manipulates AppArmor policy: profiles, +// rules, includes, variables, and abstractions. It is the core data model +// shared by the prebuild pipeline and the command-line tools. +// +// Each rule and profile element implements [fmt.Stringer]; serialisation +// is delegated to per-kind Go templates under templates/ that are loaded +// at build time via go:embed and rendered by [renderTemplate]. package aa import ( diff --git a/pkg/builder/docs.go b/pkg/builder/docs.go new file mode 100644 index 0000000000..2c41f00dcc --- /dev/null +++ b/pkg/builder/docs.go @@ -0,0 +1,28 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2026 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +// Package builder transforms profile content during the prebuild pipeline. +// +// A builder implements the [Builder] interface, whose [Builder.Apply] method +// receives an [Option] describing the profile being processed and the current +// profile content as a string, and returns the transformed content. Builders +// are stateless and may be invoked concurrently across profiles. +// +// Builders are composed into a pipeline via [Builders], created with +// [NewRunner]. The pipeline exposes a fluent [Builders.Add] for registration +// and [Builders.Run] to apply every registered builder, in order, to a +// profile: +// +// r := builder.NewRunner(cfg). +// Add(builder.NewABI3()). +// Add(builder.NewComplain()). +// Add(builder.NewUserspace()) +// +// out, err := r.Run(file, content) +// +// Order matters: each builder sees the output of the previous one, so a +// builder that rewrites attachments must run before one that depends on the +// resolved form, and mode-changing builders (complain, enforce) should run +// after content-shaping ones. +package builder diff --git a/pkg/configure/core.go b/pkg/configure/core.go index 2d48ce6e80..b5f9a6fe4e 100644 --- a/pkg/configure/core.go +++ b/pkg/configure/core.go @@ -2,6 +2,9 @@ // Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package configure provides prebuild tasks that prepare the apparmor.d +// build tree: synchronising directories, ignoring profiles, merging groups, +// applying distribution-specific flags, and resolving systemd defaults. package configure import ( diff --git a/pkg/directive/core.go b/pkg/directive/core.go index ada3fb5593..2d74109dc4 100644 --- a/pkg/directive/core.go +++ b/pkg/directive/core.go @@ -2,6 +2,8 @@ // Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package directive parses and expands "#aa:" comments embedded in profiles +// (dbus, exec, only, exclude, ...) into the corresponding AppArmor rules. package directive import ( diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index 642dc8273c..f655f42139 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go @@ -2,6 +2,8 @@ // Copyright (C) 2023-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package logging provides coloured, prefixed output helpers for the +// interactive command-line tools (success, warning, error, ...). package logging import ( diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 6317fb1e31..8a6e0b047f 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -2,6 +2,9 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package logs parses AppArmor denial events from auditd, the systemd +// journal, dmesg, and plain kernel log files (/var/log/kern.log, +// /var/log/messages), and exposes a unified stream consumable by aa-log. package logs import ( diff --git a/pkg/paths/doc.go b/pkg/paths/doc.go index d18ff4c1c0..e89b739754 100644 --- a/pkg/paths/doc.go +++ b/pkg/paths/doc.go @@ -3,10 +3,13 @@ // Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -// Paths is a library that provides a set of utilities to work with file paths in a platform-independent way. -// It includes functions for creating temporary directories and files, handling null paths, and more. -// It is designed to be used in Go applications that require file system operations without worrying about -// platform-specific details. -// Based on go-paths-helper (GPL2 version) with minor modifications and improvements. -// See https://github.com/arduino/go-paths-helper for more details and documentation. +// Package paths provides a set of utilities to work with file paths in a +// platform-independent way. It includes functions for creating temporary +// directories and files, handling null paths, and more. It is designed to be +// used in Go applications that require file system operations without worrying +// about platform-specific details. +// +// Based on go-paths-helper (GPL2 version) with minor modifications and +// improvements. See https://github.com/arduino/go-paths-helper for more +// details and documentation. package paths diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index f745153a0a..43410874ea 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -4,7 +4,6 @@ // Package cli provides the command line interface for prebuilding apparmor.d profiles. // It is separated from the main package as it is also used by downstream projects. - package cli import ( diff --git a/pkg/runtime/runners.go b/pkg/runtime/runners.go index a68704b18b..65330a875f 100644 --- a/pkg/runtime/runners.go +++ b/pkg/runtime/runners.go @@ -2,6 +2,8 @@ // Copyright (C) 2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package runtime wires the configure, builder, and directive runners into +// a single pipeline executed by prebuild and aa-install. package runtime import ( diff --git a/pkg/tasks/runner.go b/pkg/tasks/runner.go index f980f3c59a..f5e1deb078 100644 --- a/pkg/tasks/runner.go +++ b/pkg/tasks/runner.go @@ -2,6 +2,9 @@ // Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package tasks defines the generic Task and Runner abstractions reused by +// the configure, builder, and directive pipelines, and exposes the +// distribution detection used to drive distribution-specific behaviour. package tasks import ( diff --git a/pkg/util/profiles.go b/pkg/util/profiles.go index 39fe75a5ae..0069bb5cdd 100644 --- a/pkg/util/profiles.go +++ b/pkg/util/profiles.go @@ -2,6 +2,9 @@ // Copyright (C) 2023-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package util gathers small, dependency-free helpers shared across the +// codebase: profile flag manipulation, and AppArmor userspace utilities +// such as profile reload. package util import ( From 39dcbb38cbe4e0bac0e715c435ec5fb5a503b5e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 00:04:08 +0200 Subject: [PATCH 1696/1736] chore: update golangci-lint and gitignore. --- .gitignore | 1 + .golangci.yaml | 19 +++++++++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index d7ec4098f4..276eeaa59c 100644 --- a/.gitignore +++ b/.gitignore @@ -25,6 +25,7 @@ debian/*.debhelper # Debian build packages debian/apparmor.d.*/ +debian/apparmor.d-*/ debian/apparmor.d.displace debian/apparmor.d.substvars debian/apparmor.d/ diff --git a/.golangci.yaml b/.golangci.yaml index dc0ca11044..4a43f08035 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -4,13 +4,24 @@ version: "2" linters: settings: + errcheck: + exclude-functions: + - (*os.File).Close + - (*os.File).WriteString + - (*os.Process).Kill + - (*github.com/roddhjav/apparmor.d/pkg/paths.Process).Kill + - (*bufio.Writer).Flush + - (*bufio.Writer).WriteString + - (*github.com/roddhjav/apparmor.d/pkg/paths.Path).Chmod + - (*github.com/roddhjav/apparmor.d/pkg/paths.Path).Remove + - (*github.com/roddhjav/apparmor.d/pkg/paths.Path).RemoveAll + - (*github.com/roddhjav/apparmor.d/cmd/aa-flatpak.FileWatcher).Close + - os.Remove + - path/filepath.WalkDir staticcheck: checks: - all - - -SA1019 - - -ST1000 exclusions: paths: - - pkg/paths + - internal/ - tests/cmd/ - From 44e51b7169c94216f937186473b87761cdfd306a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 00:44:33 +0200 Subject: [PATCH 1697/1736] feat(aa): add ReloadProfiles and ReloadAppArmor. --- pkg/util/apparmor.go | 52 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 pkg/util/apparmor.go diff --git a/pkg/util/apparmor.go b/pkg/util/apparmor.go new file mode 100644 index 0000000000..0bc19bbe2a --- /dev/null +++ b/pkg/util/apparmor.go @@ -0,0 +1,52 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package util + +import ( + "fmt" + "os" + "os/exec" + + "github.com/roddhjav/apparmor.d/pkg/paths" +) + +func cmd(command string, args ...string) error { + cmd := exec.Command(command, args...) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Run(); err != nil { + return fmt.Errorf("%s failed: %w", command, err) + } + return nil +} + +func ReloadProfiles(files paths.PathList) error { + args := []string{"--replace"} + for _, file := range files { + args = append(args, file.String()) + } + return cmd("apparmor_parser", args...) +} + +func ReloadAppArmor() error { + _ = cmd("apparmor_parser", "--purge-cache") + + isActive := cmd("systemctl", "is-active", "--quiet", "apparmor.service") == nil + var err error + if isActive { + err = cmd("systemctl", "reload", "apparmor.service") + } else { + err = cmd("systemctl", "start", "apparmor.service") + } + + if err != nil { + err2 := cmd("journalctl", "--no-pager", "--since=-5m", "--unit", "apparmor.service") + if err2 != nil { + return err2 + } + return fmt.Errorf("failed to reload apparmor service: %w", err) + } + return nil +} From 150a073b2c74864b3e76b4efb03fafa9f3464a82 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 00:47:33 +0200 Subject: [PATCH 1698/1736] feat(aa): parser: use Scan in Parse. --- pkg/aa/parse.go | 46 +++++++++++--------------------------------- pkg/aa/parse_test.go | 8 ++++++-- 2 files changed, 17 insertions(+), 37 deletions(-) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 1786ea41c1..45eaf55b91 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -1036,51 +1036,27 @@ func (f *AppArmorProfileFile) parsePreamble(preamble string) error { // using antlr / participle. It is only used for experimental feature in the // apparmor.d project. Technically, it is more a scanner than a parser. // -// Very basic: -// - Only supports parsing of preamble and profile headers. -// - Stop at the first profile header. -// - Does not support multiline coma rules. -// - Does not support multiple profiles by file. -// // Current use case: // - Parse include and tunables // - Parse variable in profile preamble and in tunable files // - Parse (sub) profiles header to edit flags func (f *AppArmorProfileFile) Parse(input string) (int, error) { - var raw strings.Builder - rawHeader := "" - nb := 0 + if err := f.Scan(input); err != nil { + return 0, err + } -done: + // nb is the line index of the first profile or hat header. Callers + // rely on it to split the input into preamble (lines[:nb]) and + // body (lines[nb:]). for i, line := range strings.Split(input, "\n") { tmp := strings.TrimLeft(line, "\t ") - switch { - case tmp == "": - continue - case strings.HasPrefix(tmp, PROFILE.Tok()): - rawHeader = strings.TrimRight(tmp, "{") - nb = i - break done - case strings.HasPrefix(tmp, HAT.String()), strings.HasPrefix(tmp, HAT.Tok()): - nb = i - break done - default: - raw.WriteString(tmp + "\n") - } - } - - if err := f.parsePreamble(raw.String()); err != nil { - return nb, err - } - if rawHeader != "" { - header, err := newHeader(parseRule(rawHeader)) - if err != nil { - return nb, err + if strings.HasPrefix(tmp, PROFILE.Tok()) || + strings.HasPrefix(tmp, HAT.String()) || + strings.HasPrefix(tmp, HAT.Tok()) { + return i, nil } - profile := &Profile{Header: header} - f.Profiles = append(f.Profiles, profile) } - return nb, nil + return 0, nil } // ParseRules parses apparmor profile rules by paragraphs diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 8c05f4ab1b..02add7637d 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -179,13 +179,17 @@ func Test_newRules(t *testing.T) { func Test_AppArmorProfileFile_Parse(t *testing.T) { for _, tt := range testBlocks { t.Run(tt.name, func(t *testing.T) { + expected := tt.apparmorAll + if expected == nil { + expected = tt.apparmor + } got := &AppArmorProfileFile{} nb, err := got.Parse(tt.raw) if (err != nil) != tt.wParseErr { t.Errorf("AppArmorProfileFile.Parse() error = %v, wantErr %v", err, tt.wParseErr) } - if !reflect.DeepEqual(got, tt.apparmor) { - t.Errorf("AppArmorProfileFile.Parse() = |%v|, want |%v|", got, tt.apparmor) + if !reflect.DeepEqual(got, expected) { + t.Errorf("AppArmorProfileFile.Parse() = |%v|, want |%v|", got, expected) } raw := strings.Join(strings.Split(tt.raw, "\n")[nb:], "\n") gotRules, _, err := ParseRules(raw) From 1675b2fada8ce45d0eec98432fe9d38253ddcd89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 00:48:03 +0200 Subject: [PATCH 1699/1736] feat(aa): parser: ensure Scan can parse if conditions. --- pkg/aa/parse.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 45eaf55b91..dc9dc3950a 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -1157,6 +1157,22 @@ func (f *AppArmorProfileFile) Scan(input string) (retErr error) { hat.Rules = rules f.Hats = append(f.Hats, hat) + case IF, ELSE: + condition, err := newCondition(parseRule(block.raw)) + if err != nil { + return err + } + rules, err := parseBlock(block.next) + if err != nil { + return err + } + if block.kind == IF { + condition.IfRules = rules + } else { + condition.ElseRules = rules + } + f.Conditions = append(f.Conditions, condition) + default: return fmt.Errorf("illegal %s block in profile file", block.kind) } From e3c915e304b8080e6d04981168d043e0e0e0004e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 00:52:21 +0200 Subject: [PATCH 1700/1736] chore(aa): minore linter improvement. --- pkg/paths/process_test.go | 4 +-- pkg/paths/readdir_test.go | 58 +++++++++++++++++++-------------------- pkg/tasks/os.go | 6 ++-- 3 files changed, 33 insertions(+), 35 deletions(-) diff --git a/pkg/paths/process_test.go b/pkg/paths/process_test.go index 813e5d9b95..932dda84b1 100644 --- a/pkg/paths/process_test.go +++ b/pkg/paths/process_test.go @@ -34,7 +34,7 @@ func TestProcess_RunWithinContext(t *testing.T) { if err == nil { t.Fatal("expected error") } - if elapsed := time.Since(start); !(elapsed < 500*time.Millisecond) { + if elapsed := time.Since(start); elapsed >= 500*time.Millisecond { t.Errorf("%v not less than %v", elapsed, 500*time.Millisecond) } cancel() @@ -58,7 +58,7 @@ func TestProcess_KillProcessGroupOnLinux(t *testing.T) { t.Fatalf("got %v, want signal: killed", err) } // Assert that the process was killed within the timeout - if elapsed := time.Since(start); !(elapsed < 2*time.Second) { + if elapsed := time.Since(start); elapsed >= 2*time.Second { t.Errorf("%v not less than %v", elapsed, 2*time.Second) } } diff --git a/pkg/paths/readdir_test.go b/pkg/paths/readdir_test.go index 16276cbbc0..ee467d1331 100644 --- a/pkg/paths/readdir_test.go +++ b/pkg/paths/readdir_test.go @@ -9,7 +9,6 @@ import ( "fmt" "io/fs" "os" - "runtime" "testing" "time" ) @@ -425,36 +424,35 @@ func TestPath_ReadDirRecursiveLoopDetection(t *testing.T) { }) } - if runtime.GOOS != "windows" { - t.Run("regular_4_with_permission_error", func(t *testing.T) { - dir1 := loopsPath.Join("regular_4_with_permission_error", "dir1") + t.Run("regular_4_with_permission_error", func(t *testing.T) { + dir1 := loopsPath.Join("regular_4_with_permission_error", "dir1") - l, err := unbuondedReaddir("regular_4_with_permission_error") - if err != nil { - t.Fatal(err) - } - if len(l) == 0 { - t.Error("expected non-empty list") - } - - dir1Stat, err := dir1.Stat() - if err != nil { - t.Fatal(err) - } - if err := dir1.Chmod(fs.FileMode(0)); err != nil { - t.Fatal(err) - } - t.Cleanup(func() { - dir1.Chmod(dir1Stat.Mode()) - }) + l, err := unbuondedReaddir("regular_4_with_permission_error") + if err != nil { + t.Fatal(err) + } + if len(l) == 0 { + t.Error("expected non-empty list") + } - l, err = unbuondedReaddir("regular_4_with_permission_error") - if err == nil { - t.Fatal("expected error") - } - if l != nil { - t.Errorf("expected nil, got %v", l) - } + dir1Stat, err := dir1.Stat() + if err != nil { + t.Fatal(err) + } + if err := dir1.Chmod(fs.FileMode(0)); err != nil { + t.Fatal(err) + } + t.Cleanup(func() { + dir1.Chmod(dir1Stat.Mode()) }) - } + + l, err = unbuondedReaddir("regular_4_with_permission_error") + if err == nil { + t.Fatal("expected error") + } + if l != nil { + t.Errorf("expected nil, got %v", l) + } + }) + } diff --git a/pkg/tasks/os.go b/pkg/tasks/os.go index 65885cea6d..1cf2238992 100644 --- a/pkg/tasks/os.go +++ b/pkg/tasks/os.go @@ -36,7 +36,7 @@ var ( "opensuse": {"suse", "opensuse-tumbleweed"}, "whonix": {}, } - famillyDists = map[string][]string{ + familyDists = map[string][]string{ "apt": {"debian", "ubuntu", "whonix"}, "pacman": {"arch"}, "zypper": {"opensuse"}, @@ -90,9 +90,9 @@ func getDistribution() string { } func getFamily() string { - for familly, dist := range famillyDists { + for family, dist := range familyDists { if slices.Contains(dist, Distribution) { - return familly + return family } } return "" From 5082ce538b367713f8f1bda560faeced392a2601 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 00:59:11 +0200 Subject: [PATCH 1701/1736] chore: update minimum go version to 1.24. --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 3bea9f5484..aea7e86612 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ module github.com/roddhjav/apparmor.d -go 1.23.0 +go 1.24.0 From 831646b77674960b101b3ef4aaa9ef9fff830fb8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 01:03:56 +0200 Subject: [PATCH 1702/1736] chore(aa): add missing package comment. --- pkg/prebuild/directories.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 9ecbd87013..d6cca0d3e2 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -2,6 +2,9 @@ // Copyright (C) 2021-2026 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only +// Package prebuild defines the directory layout, manifest readers, and +// shared state used by the prebuild pipeline that turns the source profiles +// into a distribution-ready tree. package prebuild import "github.com/roddhjav/apparmor.d/pkg/paths" From f5c8d5813a348938b3b612ae4c9c7036be654fc1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 21:35:23 +0200 Subject: [PATCH 1703/1736] feat(profile): minor profile improvements. --- apparmor.d/abstractions/common/chromium | 2 -- apparmor.d/abstractions/locale | 1 + apparmor.d/abstractions/sys/dmi | 1 + apparmor.d/abstractions/sys/dmi-full | 1 - apparmor.d/groups/browsers/firefox | 5 +++-- apparmor.d/groups/browsers/firefox-crashreporter | 4 ++-- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +- apparmor.d/groups/freedesktop/xdg-icon-resource | 2 ++ apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/systemd/systemd-networkd-wait-online | 2 ++ apparmor.d/groups/ubuntu/update-notifier-crash | 1 + apparmor.d/groups/usb/lsusb | 2 ++ apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-s-z/solaar | 1 + apparmor.d/profiles-s-z/terminator | 2 +- pkg/aa/parse_test.go | 1 + 16 files changed, 20 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 5bfb1a18a4..b925baef19 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -28,8 +28,6 @@ # drops CAP_SYS_ADMIN we are ok. capability sys_admin, - # Needed for sanely dropping from root and chrooting - capability sys_admin, capability sys_chroot, capability sys_ptrace, diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale index 796b479aec..c275820790 100644 --- a/apparmor.d/abstractions/locale +++ b/apparmor.d/abstractions/locale @@ -19,6 +19,7 @@ @{etc_rw}/localtime r, /usr/share/**/locale/** r, + /usr/share/coreutils/locales/** r, /usr/share/locale-bundle/** r, /usr/share/locale-langpack/** r, /usr/share/locale/ r, diff --git a/apparmor.d/abstractions/sys/dmi b/apparmor.d/abstractions/sys/dmi index ccb344ac3a..80d47cbce7 100644 --- a/apparmor.d/abstractions/sys/dmi +++ b/apparmor.d/abstractions/sys/dmi @@ -16,6 +16,7 @@ @{sys}/devices/virtual/dmi/id/board_vendor r, # Motherboard manufacturer @{sys}/devices/virtual/dmi/id/product_family r, # Product family name @{sys}/devices/virtual/dmi/id/product_name r, # System product name + @{sys}/devices/virtual/dmi/id/product_version r, # Product version @{sys}/devices/virtual/dmi/id/sys_vendor r, # System manufacturer include if exists diff --git a/apparmor.d/abstractions/sys/dmi-full b/apparmor.d/abstractions/sys/dmi-full index 184f1140de..d89aef39cf 100644 --- a/apparmor.d/abstractions/sys/dmi-full +++ b/apparmor.d/abstractions/sys/dmi-full @@ -27,7 +27,6 @@ @{sys}/devices/virtual/dmi/id/product_serial r, # Product serial number @{sys}/devices/virtual/dmi/id/product_sku r, # Product SKU identifier @{sys}/devices/virtual/dmi/id/product_uuid r, # Product UUID - @{sys}/devices/virtual/dmi/id/product_version r, # Product version include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 9a245b21bd..80a7f5de58 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -86,10 +86,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.xfsm-ICE-@{rand6} rw, owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) owner @{tmp}/@{uuid}.zip{,.tmp} rw, + owner @{tmp}/crashreporter@{int}-request@{int}.json r, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, - owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, - owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, + owner @{tmp}/MozillaBackgroundTask-*/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-*/{**,} rw, owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index a6306752f1..9c53fb8a14 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -47,7 +47,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/firefox/*.*/prefs.js r, owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, - owner @{config_dirs}/firefox/Crash?Reports/{,**} rw, + owner @{config_dirs}/firefox/Crash?Reports/{,**} rwk, owner @{config_dirs}/firefox/Pending?Pings/@{uuid}.json w, owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, @@ -56,7 +56,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, owner @{tmp}/@{hex}.{dmp,extra} rw, - owner @{tmp}/crashreporter@{int}-request@{int}.json w, + owner @{tmp}/crashreporter@{int}-request@{int}.json rw, owner @{tmp}/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 59a12bba3b..67e367fedc 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -23,7 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { unix (send receive) type=seqpacket peer=(label=fapp), unix (send receive) type=seqpacket peer=(label=fbwrap), - signal receive set=int peer=flatpak-portal, + signal receive peer=flatpak-portal, # By design xdg-dbus-proxy proxies and filters dbus communication from flatpak # apps to the system. Thus, it can manage the full system and session buses. diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 07b05dd6fd..7c6e5a95f2 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -22,6 +22,8 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { @{bin}/gtk{,4}-update-icon-cache Px, @{bin}/xprop Px, + /usr/local/share/icons/** w, + profile bus flags=(complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 0867e50df1..7dce149235 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -111,6 +111,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, + owner @{user_share_dirs}/flatpak/overrides/ rw, owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl, diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index d414a1a7c0..c3df19eb8e 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -16,6 +16,8 @@ profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { network netlink raw, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{run}/systemd/netif/links/@{int} r, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index 4926c0b1ca..eb00eeac9a 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -18,6 +18,7 @@ profile update-notifier-crash @{exec_path} { @{bin}/systemctl Cx -> systemctl, @{bin}/which{,.debianutils} rix, @{sh_path} mr, + @{lib}/update-notifier/system-crash-notification PUx, # TODO: Px /usr/share/apport/apport-checkreports Px, owner @{HOME}/ r, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index ea24663287..c30453a5fc 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -22,6 +22,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + / r, + @{sys}/devices/**/usb@{int}/** r, @{sys}/devices/**/usb@{int}/{,**/}bAlternateSetting r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index d112105702..442f00ab9f 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/profiles-s-z/solaar b/apparmor.d/profiles-s-z/solaar index 4a11528f9c..bfb42b9f6f 100644 --- a/apparmor.d/profiles-s-z/solaar +++ b/apparmor.d/profiles-s-z/solaar @@ -25,6 +25,7 @@ profile solaar @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sbin}/ldconfig ix, + @{bin}/git ix, owner @{user_config_dirs}/solaar/{,**} rw, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index bb54b5008e..948a0f8e26 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -25,7 +25,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { signal send set=hup peer=unconfined, - #aa:dbus own bus=session name=net.tenshu.{T,t}erminator@{hex} + #aa:dbus own bus=session name=net.tenshu.Terminator2 dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 02add7637d..1a43a8e5b4 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -11,6 +11,7 @@ import ( "slices" "strings" "testing" + "github.com/roddhjav/apparmor.d/pkg/paths" ) From 84fd836bfe303ee71acb9e13d6222ce8799a7533 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 21:37:48 +0200 Subject: [PATCH 1704/1736] feat(profile): update some systemd-service profiles. --- .../cloud-init-hotplugd.service | 4 +++ .../systemd-service/debug-shell.service | 8 +++++- .../groups/systemd-service/dmesg.service | 13 +++++++--- .../systemd-service/grub-common.service | 25 ++++++++++++++++--- .../groups/systemd-service/ldconfig.service | 6 +++++ .../groups/systemd-service/man-db.service | 2 ++ .../systemd-service/secureboot-db.service | 19 ++++++++++---- .../groups/systemd-service/shadow.service | 10 ++++++-- .../snapd.system-shutdown.service | 4 +++ .../system-update-cleanup.service | 6 ++++- .../systemd-service/usb_modeswitch.service | 2 ++ 11 files changed, 83 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service index 1b585c0cc1..62af762896 100644 --- a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service +++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service @@ -2,9 +2,13 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# systemd service: `cloud-init-hotplugd.service` +# +# ```sh # /bin/bash -c 'read args <&3; echo "args=$args"; \ # exec /usr/bin/cloud-init devel hotplug-hook $args; \ # exit 0' +# ``` abi , diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service index 9f8e235cfe..20d2bbd20d 100644 --- a/apparmor.d/groups/systemd-service/debug-shell.service +++ b/apparmor.d/groups/systemd-service/debug-shell.service @@ -2,7 +2,13 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# ExecStart=/usr/bin/bash +# systemd service: `debug-shell.service` +# +# ```sh +# /usr/bin/bash +# ``` +# +# On purpose, this profile allow everything. abi , diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service index 0a46f6ed92..f4b2c0fc7d 100644 --- a/apparmor.d/groups/systemd-service/dmesg.service +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -2,10 +2,15 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg -# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname -# ExecStartPost=/bin/chgrp adm /var/log/dmesg -# ExecStartPost=/bin/chmod 0640 /var/log/dmesg +# systemd service: `dmesg.service` +# +# ```sh +# /usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg +# /bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname +# /bin/chgrp adm /var/log/dmesg +# /bin/chmod 0640 /var/log/dmesg +# ``` +# abi , diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index fc4de5edc5..eaa87f5321 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -2,9 +2,13 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' -# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail -# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' +# systemd service: `grub-common.service` +# +# ```sh +# /bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' +# grub-editenv /boot/grub/grubenv unset recordfail +# /bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' +# ``` abi , @@ -17,11 +21,26 @@ profile grub-common.service { @{bin}/{,e}grep ix, @{bin}/grub-editenv rix, @{bin}/mkdir ix, + @{bin}/plymouth Px, @{bin}/rm ix, + @{bin}/systemctl Cx -> systemctl, + + /etc/init.d/grub-common r, @{efi}/grub/ w, @{efi}/grub/grubenv rw, + profile systemctl { + include + include + + capability net_admin, + + ptrace read peer=@{p_systemd}, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service index f7d193e9ec..5781dcfa10 100644 --- a/apparmor.d/groups/systemd-service/ldconfig.service +++ b/apparmor.d/groups/systemd-service/ldconfig.service @@ -2,7 +2,13 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# systemd service: `ldconfig.service` +# +# ```sh # /sbin/ldconfig -X +# ``` +# +# FIXME: configure the systemd unit file to use the `ldconfig` profile. abi , diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service index c3bfa7c32f..cfd7433335 100644 --- a/apparmor.d/groups/systemd-service/man-db.service +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -14,6 +14,8 @@ profile man-db.service flags=(attach_disconnected) { include include + capability dac_read_search, + @{bin}/find ix, @{bin}/install ix, @{bin}/mandb r, diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service index a951747be2..467a9a2a15 100644 --- a/apparmor.d/groups/systemd-service/secureboot-db.service +++ b/apparmor.d/groups/systemd-service/secureboot-db.service @@ -2,10 +2,14 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f -# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose +# systemd service: `secureboot-db.service` +# +# ```sh +# /usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-@{uuid} +# /usr/bin/chattr -i /sys/firmware/efi/efivars/db-@{uuid} +# /usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-@{uuid} +# /usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose +# ``` abi , @@ -14,12 +18,17 @@ include profile secureboot-db.service flags=(complain) { include + capability linux_immutable, + @{bin}/chattr ix, @{bin}/sbkeysync PUx, - @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, + /usr/share/secureboot/updates/dbx/{,**} r, + + @{sys}/firmware@{efi}/efivars/PK-@{uuid} r, @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, include if exists } diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service index 8edb05f2cc..12abfaf7c4 100644 --- a/apparmor.d/groups/systemd-service/shadow.service +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -2,6 +2,12 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# systemd service: `shadow.service` +# +# ```sh +# /bin/sh -c '/usr/bin/pwck -qr || r=1; /usr/bin/grpck -r && exit $r' +# ``` + abi , include @@ -12,8 +18,8 @@ profile shadow.service flags=(attach_disconnected) { include @{sh_path} rix, - @{sbin}/grpck Px -> &grpck, - @{sbin}/pwck Px -> &pwck, + @{sbin}/grpck rPx -> shadow.service//&grpck, + @{sbin}/pwck rPx -> shadow.service//&pwck, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service index ce819a7916..cea4d9218d 100644 --- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -2,9 +2,13 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# systemd service: `snapd.system-shutdown.service` +# +# ```sh # /bin/mount /run -o remount,exec # /bin/mkdir -p /run/initramfs # /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown +# ``` abi , diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service index 4166cb76c2..0bce8c9336 100644 --- a/apparmor.d/groups/systemd-service/system-update-cleanup.service +++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service @@ -2,7 +2,11 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# ExecStart=rm -fv /system-update /etc/system-update +# systemd service: `system-update-cleanup.service` +# +# ```sh +# rm -fv /system-update /etc/system-update +# ``` abi , diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service index 00a62c933d..728f448882 100644 --- a/apparmor.d/groups/systemd-service/usb_modeswitch.service +++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service @@ -2,6 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# systemd service: `usb_modeswitch.service` + abi , include From 5667cd267dd46a0ae2e1b60b146e046c3c8cd24b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 23:00:54 +0200 Subject: [PATCH 1705/1736] feat(directive): dbus talk: allow send on direct peer_name. --- pkg/directive/dbus.go | 47 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index 6050a7233f..fb080562d6 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -89,6 +89,7 @@ func (d Dbus) SanityCheck(opt *Option) (string, error) { if _, present := opt.ArgMap["path"]; !present { opt.ArgMap["path"] = "/" + strings.ReplaceAll(opt.ArgMap["name"], ".", "/") + "{,/**}" } + opt.ArgMap["name-original"] = opt.ArgMap["name"] opt.ArgMap["name"] += "{,.*}" return action, nil } @@ -183,15 +184,35 @@ func (d Dbus) Talk(rules map[string]string) aa.Rules { // Interfaces for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: iface, - PeerName: peerName, PeerLabel: rules["label"], - }) + res = append(res, + // Interface: send and receive anything to the interface on the specific peer label + &aa.Comment{ + Base: aa.Base{ + Comment: " " + rules["name-original"] + ": send and receive anything to the interface on the specific peer label", + IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: peerName, PeerLabel: rules["label"], + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"` + rules["name"] + `"`, + }, + ) } res = append(res, - // DBus.Properties + // DBus.Properties: read and send properties + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Properties: read and send properties", + IsLineRule: true, + }, + }, &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", @@ -199,7 +220,13 @@ func (d Dbus) Talk(rules map[string]string) aa.Rules { PeerName: peerName, PeerLabel: rules["label"], }, - // DBus.Introspectable + // DBus.Introspectable: allow service introspection + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Introspectable: allow service introspection", + IsLineRule: true, + }, + }, &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", @@ -208,6 +235,12 @@ func (d Dbus) Talk(rules map[string]string) aa.Rules { }, // DBus.ObjectManager: allow clients to enumerate sources + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.ObjectManager: allow clients to enumerate sources", + IsLineRule: true, + }, + }, &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", From 1ba4a061d53a3ffe86f41bab69085b6a5e36da5d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 23:02:00 +0200 Subject: [PATCH 1706/1736] feat(directive): dbus talk: show the directive after resolution. --- pkg/directive/dbus.go | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index fb080562d6..520af919bb 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -56,13 +56,25 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { r = d.See(opt.ArgMap) } + bus := opt.ArgMap["bus"] + if strings.Contains(profile, "include ") { + for i, rule := range r { + inc, ok := rule.(*aa.Include) + if !ok || !inc.IsMagic || inc.Path != "abstractions/bus/"+bus+"/own" { + continue + } + r = append(r[:i], r[i+1:]...) + break + } + } + + header := strings.ReplaceAll(opt.Raw, Keyword, "#aa/") + "\n" aa.IndentationLevel = strings.Count( strings.SplitN(opt.Raw, Keyword, 1)[0], aa.Indentation, ) generatedDbus := r.String() - lenDbus := len(generatedDbus) - generatedDbus = generatedDbus[:lenDbus-1] - profile = strings.ReplaceAll(profile, opt.Raw, generatedDbus) + generatedDbus = strings.ReplaceAll(generatedDbus, "\n\n", "\n") + profile = strings.ReplaceAll(profile, opt.Raw, header+generatedDbus) return profile, nil } From bf7cd4fbc3abe07afbff70654397b20b37eff78d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Apr 2026 23:17:23 +0200 Subject: [PATCH 1707/1736] feat(directive): dbus: update tests and comments to last changes. --- pkg/directive/dbus.go | 28 +++++- pkg/directive/dbus_test.go | 175 +++++++++++++++++++++---------------- 2 files changed, 124 insertions(+), 79 deletions(-) diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index 520af919bb..445fade689 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -150,6 +150,12 @@ func (d Dbus) Own(rules map[string]string) aa.Rules { res = append(res, // DBus.Properties: reply to properties request from anyone + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Properties: reply to properties request from anyone", + IsLineRule: true, + }, + }, &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", @@ -158,6 +164,12 @@ func (d Dbus) Own(rules map[string]string) aa.Rules { }, // DBus.Introspectable: allow clients to introspect the service + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Introspectable: allow clients to introspect the service", + IsLineRule: true, + }, + }, &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", @@ -166,6 +178,12 @@ func (d Dbus) Own(rules map[string]string) aa.Rules { }, // DBus.ObjectManager: allow clients to enumerate sources + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.ObjectManager: allow clients to enumerate sources", + IsLineRule: true, + }, + }, &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", @@ -186,6 +204,13 @@ func (d Dbus) Talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) peerName := `"{@{busname},` + rules["name"] + `,org.freedesktop.DBus}"` res := aa.Rules{ + // Unix: allow connection to the profile + &aa.Comment{ + Base: aa.Base{ + Comment: " Unix: allow connection to the profile", + IsLineRule: true, + }, + }, &aa.Unix{ Type: "stream", Address: "none", @@ -286,7 +311,6 @@ func (d Dbus) See(rules map[string]string) aa.Rules { PeerLabel: rules["label"], PeerAddr: "none", }, - nil, // DBus.Properties: read all properties from the interface &aa.Comment{ @@ -301,7 +325,6 @@ func (d Dbus) See(rules map[string]string) aa.Rules { Member: "{Get,GetAll}", PeerName: peerName, PeerLabel: rules["label"], }, - nil, // DBus.Properties: receive property changed events &aa.Comment{ @@ -316,7 +339,6 @@ func (d Dbus) See(rules map[string]string) aa.Rules { Member: "PropertiesChanged", PeerName: peerName, PeerLabel: rules["label"], }, - nil, // DBus.Introspectable: allow service introspection &aa.Comment{ diff --git a/pkg/directive/dbus_test.go b/pkg/directive/dbus_test.go index 627bed51f9..6f56a1b1b6 100644 --- a/pkg/directive/dbus_test.go +++ b/pkg/directive/dbus_test.go @@ -8,8 +8,9 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include - +const ( + dbusOwnSystemd1 = ` #aa/dbus own bus=system name=org.freedesktop.systemd1 + include dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} @@ -17,14 +18,17 @@ const dbusOwnSystemd1 = ` include dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} peer=(name="{@{busname},org.freedesktop.DBus}"), + # DBus.Properties: reply to properties request from anyone dbus (send receive) bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll,Set,PropertiesChanged} peer=(name="{@{busname},org.freedesktop.DBus}"), + # DBus.Introspectable: allow clients to introspect the service dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name="@{busname}"), + # DBus.ObjectManager: allow clients to enumerate sources dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects @@ -32,7 +36,96 @@ const dbusOwnSystemd1 = ` include dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.DBus}"),` + peer=(name="{@{busname},org.freedesktop.DBus}"), +` + + dbusOwnInterface = ` #aa/dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + include + dbus bind bus=session name=com.rastersoft.ding{,.*}, + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=org.gtk.Actions + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=org.gtk.Actions + peer=(name="{@{busname},org.freedesktop.DBus}"), + # DBus.Properties: reply to properties request from anyone + dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), + # DBus.Introspectable: allow clients to introspect the service + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="@{busname}"), + # DBus.ObjectManager: allow clients to enumerate sources + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"), +` + + dbusTalkAccounts = ` #aa/dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + # Unix: allow connection to the profile + unix type=stream peer=(label=accounts-daemon), + # org.freedesktop.Accounts: send and receive anything to the interface on the specific peer label + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.Accounts{,.*} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.Accounts{,.*} + peer=(name="org.freedesktop.Accounts{,.*}"), + # DBus.Properties: read and send properties + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), + # DBus.Introspectable: allow service introspection + dbus send bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), + # DBus.ObjectManager: allow clients to enumerate sources + dbus send bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), + dbus receive bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), +` + + dbusSeePowerProfiles = ` #aa/dbus see bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon + # Unix: allow connection to the profile + unix type=stream peer=(label=power-profiles-daemon), + # DBus.Properties: read all properties from the interface + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + # DBus.Properties: receive property changed events + dbus receive bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + # DBus.Introspectable: allow service introspection + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), +` +) func TestDbus_Apply(t *testing.T) { tests := []struct { @@ -73,37 +166,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include - - dbus bind bus=session name=com.rastersoft.ding{,.*}, - dbus receive bus=session path=/com/rastersoft/ding{,/**} - interface=com.rastersoft.ding{,.*} - peer=(name="@{busname}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=com.rastersoft.ding{,.*} - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} - interface=org.gtk.Actions - peer=(name="@{busname}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=org.gtk.Actions - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="@{busname}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.DBus}"),`, + want: dbusOwnInterface, }, { name: "talk", @@ -120,27 +183,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` unix type=stream peer=(label=accounts-daemon), - - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.Accounts{,.*} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*},org.freedesktop.DBus}", label=accounts-daemon),`, + want: dbusTalkAccounts, }, { name: "see", @@ -157,27 +200,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus see bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", }, profile: " #aa:dbus see bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", - want: ` # Unix: allow connection to the profile - unix type=stream peer=(label=power-profiles-daemon), - - # DBus.Properties: read all properties from the interface - - dbus send bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), - - # DBus.Properties: receive property changed events - dbus receive bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), - - # DBus.Introspectable: allow service introspection - dbus send bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),`, + want: dbusSeePowerProfiles, }, } for _, tt := range tests { From 271d08e94fb422c69b3cd4e86b61b6383694377e Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Thu, 30 Apr 2026 13:16:06 +0200 Subject: [PATCH 1708/1736] Update cups-notifier-dbus and ippfind flags profile cups-notifier-dbus flags=(attach_disconnected) { run/dbus/system_bus_socket r, # Failed name lookup - disconnected path profile cups-notifier-dbus flags=(attach_disconnected) { run/dbus/system_bus_socket r, # Failed name lookup - disconnected path /run/dbus/system_bus_socket is already covered by the `bus-system` abstraction. --- dists/flags/main.flags | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d0c3d73156..7a66c26272 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -66,7 +66,7 @@ cups-backend-snmp complain cups-backend-socket complain cups-backend-usb complain cups-browsed complain -cups-notifier-dbus complain +cups-notifier-dbus attach_disconnected,complain cups-notifier-mailto complain cups-notifier-rss complain cups-pk-helper-mechanism complain @@ -155,6 +155,7 @@ hyprpm complain ibus-engine-table complain ibus-memconf complain im-launch complain +ippfind attach_disconnected iwctl complain iwd complain kaccess complain From 2dd2959215a7e5647c52e9d10fb4ac06fc4b9734 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 1 May 2026 18:45:01 +0200 Subject: [PATCH 1709/1736] Remove attach_disconnected for cups-notifier-dbus and ippfind --- dists/flags/main.flags | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 7a66c26272..d0c3d73156 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -66,7 +66,7 @@ cups-backend-snmp complain cups-backend-socket complain cups-backend-usb complain cups-browsed complain -cups-notifier-dbus attach_disconnected,complain +cups-notifier-dbus complain cups-notifier-mailto complain cups-notifier-rss complain cups-pk-helper-mechanism complain @@ -155,7 +155,6 @@ hyprpm complain ibus-engine-table complain ibus-memconf complain im-launch complain -ippfind attach_disconnected iwctl complain iwd complain kaccess complain From e96dfe1caaed8780abcd21d489124d748caa913c Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 1 May 2026 18:46:20 +0200 Subject: [PATCH 1710/1736] Add attach_disconnected to cups-notifier-dbus profile --- apparmor.d/groups/cups/cups-notifier-dbus | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/cups/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus index fa31b726d7..4755c61ed0 100644 --- a/apparmor.d/groups/cups/cups-notifier-dbus +++ b/apparmor.d/groups/cups/cups-notifier-dbus @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cups/notifier/dbus -profile cups-notifier-dbus @{exec_path} { +profile cups-notifier-dbus @{exec_path} flags=(attach_disconnected) { include include include From f8de8d248ba607d48c8f3e798b19cd35f814d71c Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 1 May 2026 18:52:04 +0200 Subject: [PATCH 1711/1736] Add attach_disconnected to ippfind profile --- apparmor.d/groups/cups/ippfind | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index 1ef0866a54..1ad6e870ea 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ippfind -profile ippfind @{exec_path} { +profile ippfind @{exec_path} flags=(attach_disconnected) { include include include From 9c5ead6de39de20656c87020256e34dc2dcd2696 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 1 May 2026 22:07:17 +0200 Subject: [PATCH 1712/1736] feat(tunable): initial definition for some common condition. Note: it is not yet enabled. see #969 --- apparmor.d/tunables/multiarch.d/state | 95 +++++++++++++++++++++++++++ dists/ignore/main.ignore | 3 + 2 files changed, 98 insertions(+) create mode 100644 apparmor.d/tunables/multiarch.d/state diff --git a/apparmor.d/tunables/multiarch.d/state b/apparmor.d/tunables/multiarch.d/state new file mode 100644 index 0000000000..d4e3298ca6 --- /dev/null +++ b/apparmor.d/tunables/multiarch.d/state @@ -0,0 +1,95 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# System states +# +# Current system states. All of the variables depend on the running state and +# are thus expected to be configured by a program at runtime. +# +# All variables that depends on the running state should be uppercase. + + +# Apparmor version +# ---------------- + +# AppArmor ABI +@{ABI} = 5 + +# AppArmor version +@{VERSION} = 5 + + +# Security level +# -------------- + +# The targeted security level of the system. These are experimental and subject to change. +# Supported values are: +# - 0: default +# - 1: strict +# - 2: fsp +# - 3: extreme +# +# See https://apparmor.pujol.io/security/architecture/#security-levels +@{LEVEL} = 0 + +# Either or not role-based access control is enabled on the system. +# Supported values are: true, false +#${RBAC} = false + +# Either or not Full system policies is enabled on the system. +# If enabled, @{LEVEL} should be set to 2 or higher. +# Supported values are: true, false +#${FSP} = false + +# Either or not the system is running in test mode. +# Supported values are: true, false +# ${TEST} = false + + +# Distribution information +# ------------------------ + +# The OS family. Supported family values are: apt, pacman, zypper +# It is a preferred way to check for the distribution. +@{OS_FAMILY} = pacman + +# The OS ID. It is the value of the ID field in /etc/os-release. +@{OS_ID} = arch + +# The OS version. It is the value of the VERSION_ID field in /etc/os-release. +@{OS_VERSION_ID} = rolling + + +# Desktop +# ------- + +# The list of desktop environments installed on the system. +# Supported values are: gnome, kde, xfce, cosmic, none +@{DE} = gnome + +# The list of display managers installed on the system. +# Supported values are: gdm, sddm, lightdm, none +@{DM} = gdm + +# The display server in use. +# Supported values are: wayland, x11, none +@{DS} = wayland + + +# Sysctl +# ------ +# +# Provide variables for some of the sysctl settings. +# +# All variables that refer to a sysctl config should have the `sysctl_` prefix. +# +# !!! warning +# +# **It is experimental**, both variables and values may be automatically set +# set in the future. +# + +#${sysctl_kernel_unprivileged_userns_clone} = true + +# vim:syntax=apparmor diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 27a272325c..44fda8f0a1 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -5,6 +5,9 @@ # when built with 'just fsp' apparmor.d/groups/_full +# Experimental system states +apparmor.d/tunables/multiarch.d/state + # Provided by other packages man From 3ee8d02bdab0ce7deb08cdec08dbf2cc46e07b5a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 2 May 2026 15:56:44 +0200 Subject: [PATCH 1713/1736] fix(aa-log): accept named pipes and write errors to stderr. fix #1107 --- cmd/aa-log/main.go | 4 ++-- pkg/logs/loggers.go | 6 +++++- pkg/logs/loggers_test.go | 13 +++++++++++++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 12f24abb3d..289988a6d8 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -144,11 +144,11 @@ func main() { path, err := logs.SelectLogFile(path) if err != nil { - fmt.Println(err) + fmt.Fprintln(os.Stderr, err) os.Exit(1) } if err = aaLog(logger, path, profile, namespace, rules, raw, load); err != nil { - fmt.Println(err) + fmt.Fprintln(os.Stderr, err) os.Exit(1) } } diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 045121f522..180852339f 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -131,7 +131,11 @@ func validateLogFile(filename string) error { if err != nil { return err } - if !info.Mode().IsRegular() { + mode := info.Mode() + if mode&(os.ModeNamedPipe|os.ModeCharDevice) != 0 { + return nil + } + if !mode.IsRegular() { return fmt.Errorf("not a regular file: %s", filename) } if info.Size() == 0 { diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 5921734174..2940b0f901 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -7,6 +7,7 @@ package logs import ( "path/filepath" "reflect" + "syscall" "testing" ) @@ -71,6 +72,12 @@ func TestSelectLogFile(t *testing.T) { // return false // } + t.Setenv("TMPDIR", "/tmp/tests") + fifo := filepath.Join(t.TempDir(), "logs.fifo") + if err := syscall.Mkfifo(fifo, 0o600); err != nil { + t.Fatalf("mkfifo: %v", err) + } + tests := []struct { name string path string @@ -95,6 +102,12 @@ func TestSelectLogFile(t *testing.T) { // want: "/var/log/audit/audit.log", // wantErr: !canReadPath("/var/log/audit/audit.log.1"), // }, + { + name: "Named pipe (process substitution)", + path: fifo, + want: fifo, + wantErr: false, + }, { name: "File not found", path: "/nonexistent/file", From 8a2a9ac1211c834bcc4f9adcdbbe8633ead998bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 2 May 2026 15:58:40 +0200 Subject: [PATCH 1714/1736] fix(logs): update profile key handling to include namespace separation in ParseToProfiles --- pkg/logs/logs.go | 10 +++++---- pkg/logs/logs_test.go | 52 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 4 deletions(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 8a6e0b047f..7c7e0d8fb8 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -328,16 +328,18 @@ func (aaLogs AppArmorLogs) ParseToProfiles() map[string]*aa.Profile { } else { name = log["profile"] } + ns := getNameSpace(log["namespace"]) + key := profileKey(name, ns) - if _, ok := profiles[name]; !ok { + if _, ok := profiles[key]; !ok { profile := &aa.Profile{Header: aa.Header{ Name: name, - NameSpace: getNameSpace(log["namespace"]), + NameSpace: ns, }} profile.AddRule(log) - profiles[name] = profile + profiles[key] = profile } else { - profiles[name].AddRule(log) + profiles[key].AddRule(log) } } return profiles diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index a621898e64..1675fb598d 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -470,6 +470,58 @@ func TestAppArmorLogs_ParseToProfiles(t *testing.T) { }, }, }, + { + name: "namespace-separated", + aaLogs: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "podman", + "operation": "file_inherit", + "comm": "podman", + "family": "unix", + "sock_type": "stream", + "protocol": "0", + "requested_mask": "send receive", + "class": "net", + }, + { + "apparmor": "ALLOWED", + "namespace": "root//podman", + "profile": "podman", + "operation": "file_inherit", + "comm": "exe", + "family": "unix", + "sock_type": "dgram", + "protocol": "0", + "requested_mask": "send receive", + "class": "net", + }, + }, + want: map[string]*aa.Profile{ + "podman": { + Header: aa.Header{Name: "podman"}, + Rules: aa.Rules{ + &aa.Unix{ + Base: aa.Base{FileInherit: true}, + Access: []string{"send", "receive"}, + Type: "stream", + Protocol: "0", + }, + }, + }, + ":podman:podman": { + Header: aa.Header{Name: "podman", NameSpace: "podman"}, + Rules: aa.Rules{ + &aa.Unix{ + Base: aa.Base{FileInherit: true}, + Access: []string{"send", "receive"}, + Type: "dgram", + Protocol: "0", + }, + }, + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From 8c7031a4738735153de83a6c67601e8bdda09f9e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 13 May 2026 15:52:34 +0200 Subject: [PATCH 1715/1736] fix: add missing profileKey function. --- pkg/logs/logs.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 7c7e0d8fb8..dfc326bee9 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -318,6 +318,13 @@ func getNameSpace(rawNamespace string) string { return strings.TrimPrefix(rawNamespace, "root//") } +func profileKey(name, namespace string) string { + if namespace == "" { + return name + } + return ":" + namespace + ":" + name +} + // ParseToProfiles convert the log data into a new AppArmorProfiles func (aaLogs AppArmorLogs) ParseToProfiles() map[string]*aa.Profile { profiles := make(map[string]*aa.Profile, 0) From db8bcd5f336d24f2afbc06a28679d79b2a10a592 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 May 2026 23:53:06 +0200 Subject: [PATCH 1716/1736] build: update spec file. --- dists/apparmor.d.spec | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 4c2f9e0e7a..8d51e90b72 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -40,18 +40,18 @@ apparmor_parser --purge-cache %doc README.md %config /etc/apparmor.d/ /usr/bin/aa-log +/usr/bin/aa-mode %dir /usr/lib/systemd/system/*.service.d /usr/lib/systemd/system/*.service.d/apparmor.conf %dir /usr/lib/systemd/user/*.service.d /usr/lib/systemd/user/*.service.d/apparmor.conf -/usr/share/bash-completion/completions/aa-log - %dir /usr/share/zsh %dir /usr/share/zsh/site-functions -/usr/share/zsh/site-functions/_aa-log.zsh - -%doc %{_mandir}/man8/aa-log.8.gz +/usr/share/zsh/site-functions/_aa-*.zsh +/usr/share/bash-completion/completions/aa-* +%doc %{_mandir}/man1/aa-*.1.gz +%doc %{_mandir}/man8/aa-*.8.gz %changelog From c274aa9afe88b46b68a902768e5b21cb1dfe8ef0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 May 2026 23:55:43 +0200 Subject: [PATCH 1717/1736] chore: add doc for aa-mode. --- Justfile | 1 + share/bash-completion/completions/aa-mode | 24 +++++++ share/man/man1/aa-mode.1 | 73 +++++++++++++++++++++ share/man/man1/aa-mode.md | 79 +++++++++++++++++++++++ share/man/man8/aa-log.md | 2 +- share/zsh/site-functions/_aa-mode.zsh | 23 +++++++ 6 files changed, 201 insertions(+), 1 deletion(-) create mode 100644 share/bash-completion/completions/aa-mode create mode 100644 share/man/man1/aa-mode.1 create mode 100644 share/man/man1/aa-mode.md create mode 100644 share/zsh/site-functions/_aa-mode.zsh diff --git a/Justfile b/Justfile index 87e3281023..0b34db17cd 100644 --- a/Justfile +++ b/Justfile @@ -331,6 +331,7 @@ check: # Generate the man pages [group('docs')] man: + @pandoc -t man -s -o share/man/man1/aa-mode.1 share/man/man1/aa-mode.md @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md # Generate abstractions and tunable documentation from the source diff --git a/share/bash-completion/completions/aa-mode b/share/bash-completion/completions/aa-mode new file mode 100644 index 0000000000..c89dd5c5c5 --- /dev/null +++ b/share/bash-completion/completions/aa-mode @@ -0,0 +1,24 @@ +# aa-mode completion + +_aa-mode() { + COMPREPLY=() + local cur="${COMP_WORDS[COMP_CWORD]}" + local args=( + -e --enforce + -c --complain + -k --kill + -a --default-allow + -u --unconfined + -p --prompt + --no-reload + -h --help + ) + COMPREPLY+=($(compgen -W "${args[*]}" -- ${cur})) + COMPREPLY+=($(compgen -W "$(__aa_profiles)" -- ${cur})) +} + +__aa_profiles() { + find -L /etc/apparmor.d -maxdepth 1 -type f -printf '%P\n' | sort +} + +complete -F _aa-mode aa-mode diff --git a/share/man/man1/aa-mode.1 b/share/man/man1/aa-mode.1 new file mode 100644 index 0000000000..5ec024e55d --- /dev/null +++ b/share/man/man1/aa-mode.1 @@ -0,0 +1,73 @@ +.\" Automatically generated by Pandoc 3.1.11.1 +.\" +.TH "aa\-mode" "1" "April 2026" "" "" +.SH NAME +aa\-mode \- Switch AppArmor profiles mode. +.SH SYNOPSIS +\f[B]aa\-mode\f[R] [\f[I]options\&...\f[R]] +(\f[B]\-e\f[R]|\f[B]\-c\f[R]|\f[B]\-k\f[R]|\f[B]\-a\f[R]|\f[B]\-u\f[R]|\f[B]\-p\f[R]) +[\f[I]profiles\&...\f[R]] +.SH DESCRIPTION +Switch AppArmor profiles mode. +It modifies the profile flags and reloads the profiles with +\f[CR]apparmor_parser(8)\f[R]. +.PP +If a profile name is given without a path, it is looked up in +\f[CR]/etc/apparmor.d/\f[R]. +If a directory is given, all profiles in it are processed recursively. +.PP +Exactly one mode option must be given. +.SH OPTIONS +.TP +\f[I]profiles\f[R] +One or more profile paths or names to switch. +.TP +\f[CR]\-\-enforce\f[R], \f[CR]\-e\f[R] +Set the profile in \f[B]enforce\f[R] mode. +.TP +\f[CR]\-\-complain\f[R], \f[CR]\-c\f[R] +Set the profile in \f[B]complain\f[R] mode. +.TP +\f[CR]\-\-kill\f[R], \f[CR]\-k\f[R] +Set the profile in \f[B]kill\f[R] mode. +.TP +\f[CR]\-\-default\-allow\f[R], \f[CR]\-a\f[R] +Set the profile in \f[B]default_allow\f[R] mode. +.TP +\f[CR]\-\-unconfined\f[R], \f[CR]\-u\f[R] +Set the profile in \f[B]unconfined\f[R] mode. +.TP +\f[CR]\-\-prompt\f[R], \f[CR]\-p\f[R] +Set the profile in \f[B]prompt\f[R] mode. +.TP +\f[CR]\-\-no\-reload\f[R] +Do not reload the profile after modifying it. +.TP +\f[CR]\-\-help\f[R], \f[CR]\-h\f[R] +Print the program usage. +.SH USAGE +To switch a profile to complain mode: +.IP +.EX +aa\-mode \-c dnsmasq +.EE +.PP +To switch a profile to enforce mode: +.IP +.EX +aa\-mode \-\-enforce /etc/apparmor.d/dnsmasq +.EE +.PP +To switch all profiles in a directory to complain mode without +reloading: +.IP +.EX +aa\-mode \-\-complain \-\-no\-reload /etc/apparmor.d/ +.EE +.SH SEE ALSO +\f[CR]apparmor_parser(8)\f[R], \f[CR]apparmor(7)\f[R], +\f[CR]apparmor.d(5)\f[R],\f[CR]aa\-log(1)\f[R], +\f[CR]aa\-enforce(1)\f[R], \f[CR]aa\-complain(1)\f[R], and +https://apparmor.pujol.io. +.SH AUTHORS +aa\-mode was written by Alexandre Pujol (alexandre\[at]pujol.io). diff --git a/share/man/man1/aa-mode.md b/share/man/man1/aa-mode.md new file mode 100644 index 0000000000..10758b62a7 --- /dev/null +++ b/share/man/man1/aa-mode.md @@ -0,0 +1,79 @@ +% aa-mode(1) +% aa-mode was written by Alexandre Pujol (alexandre@pujol.io) +% April 2026 + +# NAME + +aa-mode - Switch AppArmor profiles mode. + +# SYNOPSIS + +**aa-mode** [*options...*] (**-e**|**-c**|**-k**|**-a**|**-u**|**-p**) [*profiles...*] + +# DESCRIPTION + +Switch AppArmor profiles mode. It modifies the profile flags and reloads the profiles with `apparmor_parser(8)`. + +If a profile name is given without a path, it is looked up in `/etc/apparmor.d/`. If a directory is given, all profiles in it are processed recursively. + +Exactly one mode option must be given. + +# OPTIONS + +*profiles* + +: One or more profile paths or names to switch. + +`--enforce`, `-e` + +: Set the profile in **enforce** mode. + +`--complain`, `-c` + +: Set the profile in **complain** mode. + +`--kill`, `-k` + +: Set the profile in **kill** mode. + +`--default-allow`, `-a` + +: Set the profile in **default_allow** mode. + +`--unconfined`, `-u` + +: Set the profile in **unconfined** mode. + +`--prompt`, `-p` + +: Set the profile in **prompt** mode. + +`--no-reload` + +: Do not reload the profile after modifying it. + +`--help`, `-h` + +: Print the program usage. + +# USAGE + +To switch a profile to complain mode: +```sh +aa-mode -c dnsmasq +``` + +To switch a profile to enforce mode: +```sh +aa-mode --enforce /etc/apparmor.d/dnsmasq +``` + +To switch all profiles in a directory to complain mode without reloading: +```sh +aa-mode --complain --no-reload /etc/apparmor.d/ +``` + +# SEE ALSO + +`apparmor_parser(8)`, `apparmor(7)`, `apparmor.d(5)`,`aa-log(1)`, `aa-enforce(1)`, `aa-complain(1)`, and +https://apparmor.pujol.io. diff --git a/share/man/man8/aa-log.md b/share/man/man8/aa-log.md index f4ce74be39..1df69eee98 100644 --- a/share/man/man8/aa-log.md +++ b/share/man/man8/aa-log.md @@ -8,7 +8,7 @@ aa-log - Review AppArmor generated messages in a colorful way. # SYNOPSIS -**aa-log** [*options…*] [*profile*] +**aa-log** [*options...*] [*profile*] # DESCRIPTION diff --git a/share/zsh/site-functions/_aa-mode.zsh b/share/zsh/site-functions/_aa-mode.zsh new file mode 100644 index 0000000000..3e42711524 --- /dev/null +++ b/share/zsh/site-functions/_aa-mode.zsh @@ -0,0 +1,23 @@ +#compdef aa-mode +#autoload + +_aa-mode() { + local IFS=$'\n' + _arguments : \ + {-e,--enforce}'[set the profile in enforce mode]' \ + {-c,--complain}'[set the profile in complain mode]' \ + {-k,--kill}'[set the profile in kill mode]' \ + {-a,--default-allow}'[set the profile in default_allow mode]' \ + {-u,--unconfined}'[set the profile in unconfined mode]' \ + {-p,--prompt}'[set the profile in prompt mode]' \ + '--no-reload[do not reload the profile after modifying it]' \ + {-h,--help}'[display help information]' + + _values -C 'profile names' ${$(__aa_profiles):-""} +} + +__aa_profiles() { + find -L /etc/apparmor.d -maxdepth 1 -type f -printf '%P\n' | sort +} + +_aa-mode From 285e3fef3970de2a9b88156e25d563c9ed6692fc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 May 2026 23:58:51 +0200 Subject: [PATCH 1718/1736] feat(abs): small abs improvement. --- .../abstractions/bus/session/org.gtk.vfs.MountOperation | 2 +- apparmor.d/abstractions/common/electron | 3 ++- apparmor.d/abstractions/flatpak/base | 4 ++++ apparmor.d/abstractions/gvfs-metadata | 1 + 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation index 54dfc837f1..40b4105ec5 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -6,7 +6,7 @@ dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} interface=org.gtk.vfs.MountOperation - member={AskPassword,AskQuestion} + member={AskPassword,AskQuestion,ShowProcesses} peer=(name=@{busname}, label=gvfsd-*), include if exists diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 174d19a00c..b671a199f0 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -40,6 +40,7 @@ @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @{lib}/electron@{int}/chrome_crashpad_handler Cx -> crashpad_handler, + @{lib}/electron@{int}/chrome-sandbox ix, @{lib}/electron@{int}/electron rix, @{lib_dirs}/{,**} r, @@ -65,7 +66,7 @@ owner @{user_config_dirs}/electron-flags.conf r, owner @{user_config_dirs}/electron@{u8}-flags.conf r, - owner @{tmp}/.@{domain}.*/{,**} rw, + owner @{tmp}/{,.}@{domain}.*/{,**} rw, @{att}@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/abstractions/flatpak/base b/apparmor.d/abstractions/flatpak/base index 0804c1da2e..6d3e443821 100644 --- a/apparmor.d/abstractions/flatpak/base +++ b/apparmor.d/abstractions/flatpak/base @@ -55,9 +55,13 @@ # In the sandbox, they are the same than ~/.var/app/@{appid}/{cache,config,data,cache/tmp} #aa:lint ignore=too-wide owner /var/ r, + owner /var/cache/ r, owner /var/cache/** rwlk, + owner /var/config/ r, owner /var/config/** rwlk, + owner /var/data/ r, owner /var/data/** rwlk, + owner /var/tmp/ r, owner /var/tmp/** rwlk, owner /home/ r, diff --git a/apparmor.d/abstractions/gvfs-metadata b/apparmor.d/abstractions/gvfs-metadata index 33666e6ccb..873536f824 100644 --- a/apparmor.d/abstractions/gvfs-metadata +++ b/apparmor.d/abstractions/gvfs-metadata @@ -13,6 +13,7 @@ owner @{user_share_dirs}/gvfs-metadata/home-@{hex8}.log r, owner @{user_share_dirs}/gvfs-metadata/uuid-@{uuid} r, + owner @{user_share_dirs}/gvfs-metadata/uuid-@{uuid}-@{hex8}.log r, include if exists From 0c6f34be67659b3d4e94d8ec495b69fc9b8d86e9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 00:05:52 +0200 Subject: [PATCH 1719/1736] feat(profile): small profile update. --- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 -- apparmor.d/groups/gnome/gcr-prompter | 2 +- apparmor.d/groups/gnome/gnome-software | 10 ++++------ apparmor.d/groups/pacman/pacman | 1 + .../groups/systemd-service/secureboot-db.service | 2 +- apparmor.d/groups/systemd-service/shadow.service | 2 ++ apparmor.d/groups/utils/login | 2 ++ apparmor.d/groups/virt/docker | 9 +++++++++ apparmor.d/profiles-a-f/claude | 7 ++++++- apparmor.d/profiles-a-f/dkms | 4 ++-- 10 files changed, 28 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 67e367fedc..5400a7946c 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -49,8 +49,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - include if exists } diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index 9e7af4178f..109cb2e5bb 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/gcr-prompter -profile gcr-prompter @{exec_path} { +profile gcr-prompter @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 7dce149235..bec183985e 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -62,7 +62,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, /usr/share/byobu/desktop/{,**} r, - /usr/share/flatpak/remotes.d/ r, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -90,9 +90,9 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) /var/lib/PackageKit/prepared-update r, /var/lib/swcatalog/** r, - /var/tmp/flatpak-cache-*/ rw, - /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, + /var/tmp/flatpak-cache-@{rand6}/ rw, + /var/tmp/flatpak-cache-@{rand6}/** rwkl, owner @{HOME}/.var/ rw, owner @{HOME}/.var/app/{,**} rw, @@ -116,8 +116,6 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl, - owner @{user_share_dirs}/gvfs-metadata/* r, - owner @{tmp}/#@{int} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, @@ -190,7 +188,7 @@ profile gnome-software @{exec_path} flags=(attach_disconnected,mediate_deleted) unix (send receive) type=seqpacket peer=(label=flatpak-system-helper), mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, - umount /var/tmp/flatpak-cache-*/*/, + umount /var/tmp/flatpak-cache-@{rand6}/*/, include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index b530a4ab96..bf70c1c39f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -246,6 +246,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{sbin}/ldconfig mrix, @{lib}/ r, + @{lib}/** rw, /usr/local/ r, /usr/local/lib/ r, diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service index 467a9a2a15..f17a30acaa 100644 --- a/apparmor.d/groups/systemd-service/secureboot-db.service +++ b/apparmor.d/groups/systemd-service/secureboot-db.service @@ -7,7 +7,7 @@ # ```sh # /usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-@{uuid} # /usr/bin/chattr -i /sys/firmware/efi/efivars/db-@{uuid} -# /usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-@{uuid} +# /usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-@{uuid} # /usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose # ``` diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service index 12abfaf7c4..f77ce67c7c 100644 --- a/apparmor.d/groups/systemd-service/shadow.service +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -21,6 +21,8 @@ profile shadow.service flags=(attach_disconnected) { @{sbin}/grpck rPx -> shadow.service//&grpck, @{sbin}/pwck rPx -> shadow.service//&pwck, + /etc/gshadow r, + /etc/login.defs r, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 1a94d89d64..4c0518f987 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -62,10 +62,12 @@ profile login @{exec_path} flags=(attach_disconnected) { @{att}@{run}/systemd/sessions/@{int}.ref w, + @{run}/cockpit/active.issue r, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, + @{run}/systemd/io.systemd.Login rw, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, diff --git a/apparmor.d/groups/virt/docker b/apparmor.d/groups/virt/docker index fc7a02c4ba..5c0a8d0991 100644 --- a/apparmor.d/groups/virt/docker +++ b/apparmor.d/groups/virt/docker @@ -10,17 +10,26 @@ include profile docker @{exec_path} flags=(attach_disconnected) { include include + include capability dac_read_search, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, + unix (bind listen) type=stream addr=@docker_cli_@{hex32}, + unix (accept send receive) type=stream addr=@docker_cli_@{hex32} peer=(label=docker-buildx), + @{exec_path} mr, @{lib}/docker/cli-plugins/docker-buildx Px, @{run}/docker.sock rw, + @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index 9c84a81f60..c081b2c805 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -157,8 +157,10 @@ profile claude @{exec_path} flags=(attach_disconnected) { signal receive peer=claude, priority=1 @{bin}/flatpak Px -> claude//flatpak, + priority=1 @{bin}/git Px -> claude//git, + priority=1 @{bin}/scp PUx -> claude//ssh, priority=1 @{bin}/ssh Px -> claude//ssh, - priority=1 @{ldd_path} rPx -> claude//ldd, + priority=1 @{ldd_path} Px -> claude//ldd, owner @{HOME}/.claude/{,**} r, owner @{HOME}/.claude/shell-snapshots/* rw, @@ -234,6 +236,9 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{user_projects_dirs}/** rw, + owner @{tmp}/claude{,-*}/ rw, + owner @{tmp}/claude{,-*}/** rwlk, + include if exists } diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 17e913a6d1..ccd2c5956f 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -76,10 +76,10 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/build/tools/** rix, @{lib}/os-release rix, - /var/lib/dkms/**/build/* rix, - /var/lib/dkms/vboxhost/*/build/** rw, + /var/lib/dkms/**/build/** rix, /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, + /var/lib/dkms/vboxhost/*/build/** rw, /var/lib/shim-signed/mok/** r, From 4e54c4b0c5e66532c315adf825fb400848d4d217 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 16:25:02 +0200 Subject: [PATCH 1720/1736] ci(gitlab): update ubuntu to 26.04 --- .gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8babe0cb54..c21d51baec 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -95,7 +95,7 @@ debian: ubuntu: stage: build - image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 + image: registry.gitlab.com/roddhjav/builders/ubuntu:26.04 variables: GOFLAGS: "-buildvcs=false" script: @@ -154,7 +154,7 @@ preprocess-debian: preprocess-ubuntu: stage: preprocess - image: ubuntu + image: ubuntu:26.04 dependencies: - ubuntu script: From 05ebb5cce8209c0d8d86b2aed024d9c0949a8cdd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 16:41:29 +0200 Subject: [PATCH 1721/1736] feat(aa): dbus directive: remove trailing newlines in see action. --- pkg/directive/dbus.go | 12 +++++++++++- pkg/directive/dbus_test.go | 10 ++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/pkg/directive/dbus.go b/pkg/directive/dbus.go index 445fade689..6652acf55a 100644 --- a/pkg/directive/dbus.go +++ b/pkg/directive/dbus.go @@ -73,7 +73,11 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { strings.SplitN(opt.Raw, Keyword, 1)[0], aa.Indentation, ) generatedDbus := r.String() - generatedDbus = strings.ReplaceAll(generatedDbus, "\n\n", "\n") + if action == "see" { + generatedDbus = generatedDbus[:len(generatedDbus)-1] // Remove trailing newlines + } else { + generatedDbus = strings.ReplaceAll(generatedDbus, "\n\n", "\n") + } profile = strings.ReplaceAll(profile, opt.Raw, header+generatedDbus) return profile, nil } @@ -297,6 +301,7 @@ func (d Dbus) Talk(rules map[string]string) aa.Rules { func (d Dbus) See(rules map[string]string) aa.Rules { peerName := `"{@{busname},` + rules["name"] + `}"` res := aa.Rules{ + nil, // Unix: allow connection to the profile &aa.Comment{ @@ -311,6 +316,7 @@ func (d Dbus) See(rules map[string]string) aa.Rules { PeerLabel: rules["label"], PeerAddr: "none", }, + nil, // DBus.Properties: read all properties from the interface &aa.Comment{ @@ -325,6 +331,7 @@ func (d Dbus) See(rules map[string]string) aa.Rules { Member: "{Get,GetAll}", PeerName: peerName, PeerLabel: rules["label"], }, + nil, // DBus.Properties: receive property changed events &aa.Comment{ @@ -333,12 +340,14 @@ func (d Dbus) See(rules map[string]string) aa.Rules { IsLineRule: true, }, }, + nil, &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", Member: "PropertiesChanged", PeerName: peerName, PeerLabel: rules["label"], }, + nil, // DBus.Introspectable: allow service introspection &aa.Comment{ @@ -347,6 +356,7 @@ func (d Dbus) See(rules map[string]string) aa.Rules { IsLineRule: true, }, }, + nil, &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", diff --git a/pkg/directive/dbus_test.go b/pkg/directive/dbus_test.go index 6f56a1b1b6..778b34d1f5 100644 --- a/pkg/directive/dbus_test.go +++ b/pkg/directive/dbus_test.go @@ -107,24 +107,30 @@ const ( ` dbusSeePowerProfiles = ` #aa/dbus see bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon + # Unix: allow connection to the profile unix type=stream peer=(label=power-profiles-daemon), + # DBus.Properties: read all properties from the interface + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + # DBus.Properties: receive property changed events + dbus receive bus=system path=/net/hadess/PowerProfiles{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + # DBus.Introspectable: allow service introspection + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), -` + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),` ) func TestDbus_Apply(t *testing.T) { From a540c686cd7c4b5dc53e215e20ff2d2e94c3cde3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 17:21:13 +0200 Subject: [PATCH 1722/1736] fix(debian): add hostname to the list of hidden profiles. This is temporary and will have to be improved as it is already in dists/overwride --- pkg/prebuild/files.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index d9879570b3..ceef034125 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -13,6 +13,7 @@ import ( // Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. var Hide = `# This file is generated by "just", all edit will be lost. +/etc/apparmor.d/hostname /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/usr.bin.swtpm /etc/apparmor.d/usr.bin.wsdd From 41eea1ab03ab31b2122411fddac0832a06a3b1e1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 17:48:03 +0200 Subject: [PATCH 1723/1736] feat(profile): minor profiles update --- apparmor.d/abstractions/app/flatpak | 12 +++--------- .../flatpak/baseapp/com.valvesoftware.Steam | 1 + apparmor.d/groups/flatpak/flatpak-system-helper | 2 ++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 7 ++++--- apparmor.d/groups/gnome/gnome-keyring-daemon | 7 ++++--- apparmor.d/groups/network/nmcli | 3 +++ apparmor.d/namespaces/glycin/bwrap | 3 +-- apparmor.d/namespaces/glycin/loaders | 2 +- apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders | 1 - apparmor.d/profiles-s-z/update-info-dir | 2 ++ 10 files changed, 21 insertions(+), 19 deletions(-) diff --git a/apparmor.d/abstractions/app/flatpak b/apparmor.d/abstractions/app/flatpak index e414994abd..3bf06198db 100644 --- a/apparmor.d/abstractions/app/flatpak +++ b/apparmor.d/abstractions/app/flatpak @@ -83,21 +83,15 @@ signal (send receive) peer=fapp//&fbwrap, signal (send receive) peer=fbwrap, - ptrace read peer=fapp, - ptrace read peer=fapp//&fbwrap, - ptrace read peer=fbwrap, - ptrace trace peer=fapp, - ptrace trace peer=fapp//&fbwrap, - ptrace trace peer=fbwrap, + ptrace (read trace) peer=fapp, + ptrace (read trace) peer=fapp//&fbwrap, + ptrace (read trace) peer=fbwrap, unix (bind listen) type=seqpacket addr=@*, unix type=dgram peer=(label=fbwrap), unix type=seqpacket peer=(label=fbwrap), unix type=stream peer=(label=fbwrap), - unix type=stream peer=(label=flatpak), - unix type=stream peer=(label=gnome-keyring-daemon), unix type=stream peer=(label=unconfined), - unix type=stream peer=(label=xdg-desktop-portal), # apply_extra /app/extra/** w, diff --git a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam index 4087921faf..bf9ad29d67 100644 --- a/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam +++ b/apparmor.d/abstractions/flatpak/baseapp/com.valvesoftware.Steam @@ -24,6 +24,7 @@ owner /dev/shm/ValveIPCSHM_@{uid} rw, @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + @{sys}/devices/virtual/dmi/id/board_name r, # Pressure Stall Information interface @{PROC}/pressure/cpu r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 280d858f74..5ec1e51a35 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -39,6 +39,8 @@ profile flatpak-system-helper @{exec_path} flags=(attach_disconnected,mediate_de unix type=seqpacket peer=(label=gnome-software), unix type=seqpacket peer=(label=gnome-software//fusermount), unix type=seqpacket peer=(label=unconfined), + unix type=seqpacket peer=(label=bazaar), + unix type=seqpacket peer=(label=bazaar//fusermount), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 319773534f..991d6cbd45 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -42,9 +42,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, - unix type=stream peer=(label=fapp), - unix type=stream peer=(label=fbwrap), - unix type=stream peer=(label=snap.*), + unix (send receive) type=stream peer=(label=fapp), + unix (send receive) type=stream peer=(label=fbwrap), + unix (send receive) type=stream peer=(label=flatpak.*), + unix (send receive) type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.freedesktop.portal interface+=org.freedesktop.impl.portal diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 4138dcea7d..9b42cc9311 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -21,9 +21,10 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { signal receive set=(term) peer=gdm, signal send set=(term) peer=ssh-agent, - unix type=stream peer=(label=snap.*), - unix type=stream peer=(label=fapp), - unix type=stream peer=(label=fbwrap), + unix (send receive) type=stream peer=(label=snap.*), + unix (send receive) type=stream peer=(label=fapp), + unix (send receive) type=stream peer=(label=fbwrap), + unix (send receive) type=stream peer=(label=flatpak.*), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.[sS]ecret{,s}{,.*} diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 849f38dc5e..8636abefd2 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -44,6 +44,9 @@ profile nmcli @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, + #aa:only test + /tmp/openvpn/** r, + include if exists } diff --git a/apparmor.d/namespaces/glycin/bwrap b/apparmor.d/namespaces/glycin/bwrap index b15ab34e56..fb74018add 100644 --- a/apparmor.d/namespaces/glycin/bwrap +++ b/apparmor.d/namespaces/glycin/bwrap @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025-2026 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Confine glycin-loaders sandboxed with bwrap. It also confines bwrap itself. @@ -49,7 +49,6 @@ profile :glycin:bwrap flags=(attach_disconnected) { deny owner /tmp/*/** w, deny /opt/*/** rw, deny @{sys}/devices/system/** r, - deny owner @{PROC}/@{pid}/mountinfo r, deny /dev/shm/** rw, deny /dev/dri/* rw, diff --git a/apparmor.d/namespaces/glycin/loaders b/apparmor.d/namespaces/glycin/loaders index f697e34eb1..1dbe0b447a 100644 --- a/apparmor.d/namespaces/glycin/loaders +++ b/apparmor.d/namespaces/glycin/loaders @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025-2026 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index eb308b150d..04c9a33f24 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gdk-pixbuf-query-loaders profile gdk-pixbuf-query-loaders @{exec_path} { include - include include capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index bbd5222a9a..62f693e895 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -11,6 +11,8 @@ profile update-info-dir @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, @{sh_path} r, From ad938956ea18fa32e13bb236694f7c61c5cb756f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 18:10:17 +0200 Subject: [PATCH 1724/1736] fix(linter): issue in too wide check. --- apparmor.d/groups/apt/debsums | 1 + apparmor.d/groups/code/code | 1 + apparmor.d/groups/code/code-shells | 3 +++ apparmor.d/groups/kde/dolphin | 1 + apparmor.d/groups/kde/kioworker | 2 ++ apparmor.d/groups/pacman/pacdiff | 1 + apparmor.d/groups/systemd/systemd-tmpfiles | 1 + apparmor.d/groups/systemd/systemd-user-runtime-dir | 1 + apparmor.d/groups/utils/sync | 1 + apparmor.d/groups/virt/dockerd | 1 + apparmor.d/groups/xfce/thunar | 1 + apparmor.d/profiles-a-f/borg | 6 +++--- apparmor.d/profiles-a-f/claude | 3 ++- apparmor.d/profiles-a-f/fd | 1 + apparmor.d/profiles-m-r/nemo | 1 + apparmor.d/profiles-m-r/rg | 3 ++- apparmor.d/profiles-m-r/rga | 1 + tests/check.sh | 5 ++++- 18 files changed, 28 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 8c00877705..a617cbc667 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -31,6 +31,7 @@ profile debsums @{exec_path} { / r, /root/ r, + #aa:lint ignore=too-wide # Scanning files @{bin}/{,*} r, /usr/{,**} r, diff --git a/apparmor.d/groups/code/code b/apparmor.d/groups/code/code index f008812386..2c0a7320a8 100644 --- a/apparmor.d/groups/code/code +++ b/apparmor.d/groups/code/code @@ -80,6 +80,7 @@ profile code @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib_dirs}/** mr, @{sh_path} r, + #aa:lint ignore=too-wide # Extensions priority=-10 /** Px -> code-extensions, diff --git a/apparmor.d/groups/code/code-shells b/apparmor.d/groups/code/code-shells index 245d612f6a..28c9ada6e9 100644 --- a/apparmor.d/groups/code/code-shells +++ b/apparmor.d/groups/code/code-shells @@ -59,6 +59,9 @@ profile code-shells flags=(attach_disconnected) { owner @{user_config_dirs}/git/*config r, owner @{user_config_dirs}/git/ignore r, + #aa:lint ignore=too-wide + owner @{tmp}/** rwlk, + /dev/ptmx rw, # file_inherit diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 033777186b..d7747984f0 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -61,6 +61,7 @@ profile dolphin @{exec_path} { /var/lib/samba/usershare/ r, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index c57f57223d..13cb76f38b 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -62,6 +62,7 @@ profile kioworker @{exec_path} { owner /var/cache/samba/gencache.tdb w, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -77,6 +78,7 @@ profile kioworker @{exec_path} { owner @{run}/user/@{uid}/{,**} rw, owner @{tmp}/{,**} rw, + #aa:lint ignore=too-wide # Silence non user's data deny @{efi}/{,**} r, deny /etc/{,**} w, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 72ab91872f..82f42a9bab 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -49,6 +49,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { include include + #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index e0c2332fb6..5903614b45 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -38,6 +38,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, /usr/share/user-tmpfiles.d/{,*.conf} r, + #aa:lint ignore=too-wide # Where the tmpfiles can be created, /{,*} rw, /dev/{,**} rw, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 7320cd4920..dc24850ba1 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -37,6 +37,7 @@ profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, + #aa:lint ignore=too-wide @{run}/user/@{uid}/{,**} rw, include if exists diff --git a/apparmor.d/groups/utils/sync b/apparmor.d/groups/utils/sync index f364859812..728be9574c 100644 --- a/apparmor.d/groups/utils/sync +++ b/apparmor.d/groups/utils/sync @@ -13,6 +13,7 @@ profile sync @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + #aa:lint ignore=too-wide # All paths where sync can be used to flush all write operations on a single file to disk /{,**} rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 2409f1218c..116daaa51e 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -82,6 +82,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{sbin}/nft rCx -> nft, @{sbin}/xtables-{nft,legacy}-multi rCx -> nft, + #aa:lint ignore=too-wide # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. /{,**} rwl, #aa:only apt diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index feb7207d47..0a4beff237 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -39,6 +39,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { /etc/timezone r, /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index d8a7e42272..90bc75fcbb 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -45,7 +45,7 @@ profile borg @{exec_path} { # Dirs that can be backed up / r, - /etc/{,**} r, + /etc/{,**} r, #aa:lint ignore=too-wide /home/{,**} r, @{MOUNTS}/{,**} r, /root/{,**} r, @@ -64,14 +64,14 @@ profile borg @{exec_path} { owner @{user_config_dirs}/borg/** rw, # If /tmp/ isn't accessible, then /var/tmp/ is used. - owner @{tmp}/* rw, + owner @{tmp}/* rw, #aa:lint ignore=too-wide owner @{tmp}/borg-cache-*/ rw, owner @{tmp}/borg-cache-*/* rw, owner @{tmp}/tmp*/ rw, owner @{tmp}/tmp*/file rw, owner @{tmp}/tmp*/idx rw, owner /var/lib/libuuid/clock.txt w, - owner /var/tmp/* rw, + owner /var/tmp/* rw, #aa:lint ignore=too-wide owner /var/tmp/tmp*/ rw, owner /var/tmp/tmp*/file rw, owner /var/tmp/tmp*/idx rw, diff --git a/apparmor.d/profiles-a-f/claude b/apparmor.d/profiles-a-f/claude index c081b2c805..4793a7c8da 100644 --- a/apparmor.d/profiles-a-f/claude +++ b/apparmor.d/profiles-a-f/claude @@ -62,6 +62,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { @{lib}/node_modules/npm/bin/npx-cli.js rix, /usr/share/nodejs/npm/bin/npm-cli.js rix, + #aa:lint ignore=too-wide # TODO: should transition to a dev/plugin profile, not the shell one priority=-1 /** Cx -> shell, @@ -174,7 +175,7 @@ profile claude @{exec_path} flags=(attach_disconnected) { owner @{user_projects_dirs}/** rwlk, /var/tmp/@{word8} rw, - owner @{tmp}/* rwlk, + owner @{tmp}/* rwlk, #aa:lint ignore=too-wide owner @{tmp}/claude-@{uid}/ rw, owner @{tmp}/claude-@{uid}/** rwlk, owner @{tmp}/claude-shell/ rw, diff --git a/apparmor.d/profiles-a-f/fd b/apparmor.d/profiles-a-f/fd index a8b1a92ed7..4a64f5a033 100644 --- a/apparmor.d/profiles-a-f/fd +++ b/apparmor.d/profiles-a-f/fd @@ -16,6 +16,7 @@ profile fd @{exec_path} { @{exec_path} mr, + #aa:lint ignore=too-wide ## Allow reading the entire filesystem to search for filenames /{,**} r, diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index c7c9160d72..f4d7a1c682 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -28,6 +28,7 @@ profile nemo @{exec_path} { /usr/share/nemo/** r, /usr/share/thumbnailers/{,*.thumbnailer} r, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, diff --git a/apparmor.d/profiles-m-r/rg b/apparmor.d/profiles-m-r/rg index c5047b8294..b1c2539c19 100644 --- a/apparmor.d/profiles-m-r/rg +++ b/apparmor.d/profiles-m-r/rg @@ -16,7 +16,8 @@ profile rg @{exec_path} { @{exec_path} mr, - ## Allow reading the entire filesystem to search for strings + #aa:lint ignore=too-wide + # Allow reading the entire filesystem to search for strings /{,**} r, include if exists diff --git a/apparmor.d/profiles-m-r/rga b/apparmor.d/profiles-m-r/rga index ecd3bdee45..2e3deee441 100644 --- a/apparmor.d/profiles-m-r/rga +++ b/apparmor.d/profiles-m-r/rga @@ -28,6 +28,7 @@ profile rga @{exec_path} { owner @{user_cache_dirs}/ripgrep-all/cache.sqlite3-shm rwk, owner @{user_cache_dirs}/ripgrep-all/cache.sqlite3-wal rwk, + #aa:lint ignore=too-wide ## Allow reading the entire filesystem to search for strings /{,**} r, diff --git a/tests/check.sh b/tests/check.sh index 4a44a61e43..2265cf91ee 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -264,8 +264,11 @@ _check_equivalent() { readonly TOOWIDE=('/' '/tmp/' '/var/tmp/' '@{tmp}/' '/etc/' '/dev/shm/' '@{run}/user/@{uid}/') _check_too_wide() { _is_enabled too-wide || return 0 + if [[ "$line" == *" file,"* ]]; then + _warn too-wide "$file:$line_number" "rule too wide: 'file,'" + fi for path in "${TOOWIDE[@]}"; do - for pattern in "$path/**" "$path/*" "$path/{,**}"; do + for pattern in "$path**" "$path*" "$path{,**}"; do if [[ "$line" == *" $pattern "* ]]; then _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" fi From 7d5155e5c812b834b074060bf6a5f68cfd36421f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 18:12:34 +0200 Subject: [PATCH 1725/1736] chore(aa): cosmetic. --- cmd/aa-mode/main.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/aa-mode/main.go b/cmd/aa-mode/main.go index e310f99669..b842ca808c 100644 --- a/cmd/aa-mode/main.go +++ b/cmd/aa-mode/main.go @@ -17,10 +17,10 @@ import ( const usage = `aa-mode [-h] (-e|-c|-k|-a|-u|-p) [profiles...] - Switch the given program to an AppArmor mode. + Switch the given program to an AppArmor mode. - If a profile name is given without a path, it is looked up in '/etc/apparmor.d/'. - If a directory is given, all profiles in it are processed recursively. + If a profile name is given without a path, it is looked up in '/etc/apparmor.d/'. + If a directory is given, all profiles in it are processed recursively. Options: -h, --help Show this help message and exit. From ac8b1d09294915986be5eae7bb1b81977cd98420 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 18:23:23 +0200 Subject: [PATCH 1726/1736] feat(abs): rewrite the game abstraction. It is now a common set of locations for any games on Linux. Runtimes independants. This is done as the rules actually needed by a game depends **a lot** of its runtime: sandboxed or not, flatpak based or not. Preparation work for #1110 --- apparmor.d/abstractions/common/game | 114 +--------------------------- 1 file changed, 1 insertion(+), 113 deletions(-) diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index fa38303c61..29890148f1 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -1,13 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: att # NEEDS-VARIABLE: user_games_dirs # NEEDS-VARIABLE: system_games_dirs # NEEDS-VARIABLE: XDG_GAMESSTUDIO_DIR -# Core set of resources for any games on Linux. Runtimes such as sandboxing, -# wine, proton, game launchers should use this abstraction. +# Common set of locations for any games on Linux. Runtimes independants. # # This abstraction uses the following tunables: # @@ -17,24 +15,6 @@ abi , - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - /var/ r, /var/lib/ r, @{system_games_dirs}/ r, @@ -42,10 +22,6 @@ @{system_games_dirs}/*/** mrix, @{system_games_dirs}/*/**cache* w, - /mnt/ r, - @{run}/media/ r, - owner @{HOME}/ r, - owner @{user_games_dirs}/ r, owner @{user_games_dirs}/*/ r, owner @{user_games_dirs}/*/** mrix, @@ -60,94 +36,6 @@ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - owner /dev/shm/mono.@{int} rw, - owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - - # The orcexec.* file is JIT compiled code for various GStreamer elements. - owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - - @{sys}/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/ r, - @{sys}/devices/**/power_supply/{AC,BAT@{int}}/ r, - @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{type,online} r, - @{sys}/devices/**/uevent r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor r, - - @{sys}/devices/virtual/dmi/id/bios_date r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/bios_version r, - @{sys}/devices/virtual/dmi/id/board_asset_tag r, - @{sys}/devices/virtual/dmi/id/board_name r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/board_version r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/dmi/id/chassis_vendor r, - @{sys}/devices/virtual/dmi/id/chassis_version r, - @{sys}/devices/virtual/dmi/id/product_family r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_sku r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - # Allow reading CPU cgroup limits - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/driver/nvidia/capabilities/mig/config r, - - # Allow to check check if BPF JIT is enabled - @{PROC}/sys/net/core/bpf_jit_enable r, - - # Allow to read the maximum number of file handles that can be allocated system-wide. - @{PROC}/sys/fs/file-max r, - - # Allow to read various device information - @{PROC}/devices r, - - # Allow to read system uptime - @{PROC}/uptime r, - - # Per man(5) proc, the kernel enforces that a thread may only modify its comm - # value or those in its thread group. - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - # Provide statistical information about our own processes/threads - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - # Allow reading cgroup membership information for process introspection - owner @{PROC}/@{pid}/cgroup r, - - # Allow reading command line arguments for process identification - owner @{PROC}/@{pid}/cmdline r, - - # Allow listing file descriptors for resource monitoring - owner @{PROC}/@{pid}/fd/ r, - - # Allow reading mount points for filesystem awareness - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - - # Allow reading page mapping information for memory profiling - owner @{PROC}/@{pid}/pagemap r, - - # Allow reading file descriptor info - owner @{PROC}/@{pid}/fdinfo/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - - /dev/tty rw, - - @{att}/dev/dri/renderD128 rw, - @{att}/dev/dri/renderD129 rw, - /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} rw, include if exists From 5cde406e1ddb6d631b83a0f201010feba6d67c59 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 18:30:42 +0200 Subject: [PATCH 1727/1736] feat(abs): add the pressure vessel abstraction. For games that are sandboxed in a similar way to Flatpak. It is used by steam and umu. Related to #1110 --- .../abstractions/common/pressure-vessel | 180 ++++++++++++++++++ apparmor.d/abstractions/common/steam-game | 2 +- dists/flags/main.flags | 1 + 3 files changed, 182 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/abstractions/common/pressure-vessel diff --git a/apparmor.d/abstractions/common/pressure-vessel b/apparmor.d/abstractions/common/pressure-vessel new file mode 100644 index 0000000000..607358305f --- /dev/null +++ b/apparmor.d/abstractions/common/pressure-vessel @@ -0,0 +1,180 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2026 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att +# NEEDS-VARIABLE: steam_share_dirs +# NEEDS-VARIABLE: runtime_dirs + +# Pressure vessel abstraction, for games that are sandboxed in a similar way to +# Flatpak. It is used by steam and umu. +# +# It is assumed that profile including this abstraction wants to confine a game +# running sandboxed with bwrap. +# +# As Pressure vessel is architecturally very close to Flatpak, it is possible to +# use flatpak only abstractions (`abstractions/flatpak/...`) here. + + abi , + + # Base abstractions + include + include + include + include + include + include + + # The app base platform, similar to our desktop abstraction, but with flatpak paths + include + + # Base app specific rules + include + + # Flatpak devices + include + include + include + + # Flatpack share (IPC, network) + include + include + + # Flatpack sockets + include + include + + # Dbus: all dbus interfaces a pressure vessel app can access + # While close to flatpak, pressure-vessel does not use dbux-proxy. + include + include + include + include + + # Common to all @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{int}/pv-adverb + @{sh_path} rix, + @{coreutils_path} ix, + @{bin}/getopt ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/steam-runtime-launcher-interface-@{int} ix, + @{bin}/steam-runtime-system-info ix, + @{bin}/steam-runtime-urlopen ix, + @{bin}/zenity ix, + @{python_path} rix, + @{run}/host/@{bin}/localedef ix, + @{run}/host/@{sbin}/ldconfig ix, + @{sbin}/ldconfig ix, + + @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{d}/** ix, + + @{att}@{steam_share_dirs}/compatibilitytools.d/ r, + @{att}@{steam_share_dirs}/compatibilitytools.d/*/ r, + @{att}@{steam_share_dirs}/compatibilitytools.d/*/** mrix, + @{steam_share_dirs}/compatibilitytools.d/ r, + @{steam_share_dirs}/compatibilitytools.d/*/ r, + @{steam_share_dirs}/compatibilitytools.d/*/** mrix, + @{steam_share_dirs}/compatibilitytools.d/*/**.msi k, + + @{runtime_dirs}/pressure-vessel/@{bin}/** ix, + @{runtime_dirs}/pressure-vessel/@{lib}/** mr, + + @{run}/host/@{lib}/**.dll m, + @{run}/host/@{lib}/**.so* m, + + /usr/share/zenity/{,**} r, + + @{run}/media/ r, + /mnt/ r, + owner / r, + owner @{lib}/ r, + owner /usr/local/lib/ r, + owner /usr/local/lib/**/ r, + owner @{HOME}/ r, + owner @{HOME}/.local/ r, + owner @{user_share_dirs}/ r, + + owner /var/cache/fontconfig/ rw, + owner /var/cache/fontconfig/** rwl, + owner /var/cache/ldconfig/aux-cache* rw, + owner /var/pressure-vessel/ldso/* rw, + + owner @{HOME}/.steam/steam.pid r, + owner @{HOME}/steam-@{int}.log rw, + + owner @{steam_share_dirs}/ r, + owner @{steam_share_dirs}/compatibilitytools.d/{,**/}__pycache__/ w, + owner @{steam_share_dirs}/compatibilitytools.d/{,**/}__pycache__/**.pyc.@{u64} w, + + owner @{runtime_dirs}/pressure-vessel/lib/@{multiarch}/steam-runtime-tools-0/libcap.so.2 mr, + owner @{runtime_dirs}/var/tmp-@{rand6}/.ref rw, + owner @{att}@{runtime_dirs}/var/tmp-@{rand6}/.ref rw, + + /tmp/ r, + owner /tmp/pressure-vessel-libs-@{rand6}/ rw, + owner /tmp/pressure-vessel-libs-@{rand6}/** rwlk, + owner /tmp/pressure-vessel-locales-@{rand6}/ rw, + owner /tmp/pressure-vessel-locales-@{rand6}/** rwlk, + + owner @{att}@{run}/user/@{uid}/bus rw, + owner @{att}@{run}/user/@{uid}/pulse/native rw, + + @{run}/host/usr/{,**} r, + owner @{run}/pressure-vessel/{,**} r, + + # The active clock source used by the kernel for timekeeping (e.g., tsc, hpet, acpi_pm) + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + + # The active CPU frequency scaling governor (e.g., performance, powersave, schedutil, ondemand) + @{sys}/devices/system/cpu/cpufreq/ r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor r, + + # Allow to check check if BPF JIT is enabled + @{PROC}/sys/net/core/bpf_jit_enable r, + + # Allow to read system uptime + @{PROC}/uptime r, + + # Allow to read the maximum number of file handles that can be allocated system-wide. + @{PROC}/sys/fs/file-max r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/nr_open r, + + # Allow reading cgroup membership information for process introspection + owner @{PROC}/@{pid}/cgroup r, + + # Allow reading command line arguments for process identification + owner @{PROC}/@{pid}/cmdline rk, + owner @{PROC}/@{pid}/comm rk, + + # Allow listing file descriptors + owner @{PROC}/@{pid}/fd/ r, + + # Allow reading file descriptor info + owner @{PROC}/@{pid}/fdinfo/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + + # Allow reading mount points for filesystem awareness. This is an information leak + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + # Allow reading page mapping information for memory profiling + owner @{PROC}/@{pid}/pagemap r, + + # Per man(5) proc, the kernel enforces that a thread may only modify its comm + # value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + # Provide statistical information about our own processes/threads + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + # Remain from `abstractions/flatpak/platform/org.freedesktop` not used outside flatpak. + deny /var/lib/flatpak/app/*/@{arch}/stable/@{hex64}/export/share/icons/{,**} r, + deny /var/lib/flatpak/exports/share/icons/{,**} r, + deny @{att}@{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index 851588220c..6ee0c21c94 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -7,7 +7,7 @@ abi , - include + include @{lib_dirs}/ r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d0c3d73156..169cc88790 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -373,6 +373,7 @@ udev-probe-bcache complain udisksctl complain udisksd complain ufw complain +umu-run complain update-catalog complain update-grub complain update-info-dir complain From bc264360646775e1f3ebc9eee3a0448bbedff7e1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 18:41:41 +0200 Subject: [PATCH 1728/1736] feat(profile): rewrite the umu game profile using pressure-vessel. See #1110 --- apparmor.d/abstractions/app/umu | 114 ++---------------- .../abstractions/common/pressure-vessel | 1 + apparmor.d/groups/umu/umu-bwrap | 12 +- apparmor.d/groups/umu/umu-game | 8 +- apparmor.d/groups/umu/umu-run | 28 +++-- 5 files changed, 36 insertions(+), 127 deletions(-) diff --git a/apparmor.d/abstractions/app/umu b/apparmor.d/abstractions/app/umu index b97053cfb8..5873e92d35 100644 --- a/apparmor.d/abstractions/app/umu +++ b/apparmor.d/abstractions/app/umu @@ -2,19 +2,14 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att +# NEEDS-VARIABLE: steam_share_dirs +# NEEDS-VARIABLE: runtime_dirs abi , - include - include + include include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, signal (send receive) peer=umu-bwrap, signal (send receive) peer=umu-bwrap//&umu-game, @@ -23,87 +18,19 @@ unix type=seqpacket peer=(label=umu-bwrap), unix type=stream peer=(label=umu-bwrap), - unix (bind listen) type=seqpacket addr=@@{hex}, - unix bind type=seqpacket addr=@@{hex}, - unix bind type=seqpacket, - network unix seqpacket, + unix type=stream peer=(label=umu-game), ptrace (read trace) peer=umu-bwrap, ptrace (read trace) peer=umu-bwrap//&umu-game, ptrace (read trace) peer=umu-game, - # DBus.Properties: receive property changed events - - dbus receive bus=system path=/org/freedesktop/systemd1/job/@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(label="@{p_systemd}"), - - dbus receive bus=system path=/org/freedesktop/systemd1/unit/* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(label="@{p_systemd}"), - - # Common to all @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{int}/pv-adverb - # Meaning umu, and steam - @{sh_path} rix, - @{coreutils_path} ix, - @{bin}/getopt ix, - @{bin}/gzip ix, - @{bin}/localedef ix, - @{bin}/steam-runtime-launcher-interface-@{int} ix, - @{bin}/steam-runtime-system-info ix, - @{bin}/steam-runtime-urlopen ix, - @{bin}/zenity ix, - @{python_path} rix, - @{run}/host/@{bin}/localedef ix, - @{run}/host/@{sbin}/ldconfig ix, - @{sbin}/ldconfig ix, - - @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{d}/** ix, - - @{att}@{steam_share_dirs}/compatibilitytools.d/ r, - @{att}@{steam_share_dirs}/compatibilitytools.d/*/ r, - @{att}@{steam_share_dirs}/compatibilitytools.d/*/** mrix, # TODO: -> &wine ?, with namespace - @{steam_share_dirs}/compatibilitytools.d/ r, - @{steam_share_dirs}/compatibilitytools.d/*/ r, - @{steam_share_dirs}/compatibilitytools.d/*/** mrix, # TODO: -> &wine ?, with namespace - @{steam_share_dirs}/compatibilitytools.d/*/**.msi k, - - @{runtime_dirs}/pressure-vessel/@{bin}/** ix, - @{runtime_dirs}/pressure-vessel/@{lib}/** mr, @{runtime_dirs}/umu-shim rix, - @{run}/host/@{lib}/**.dll m, - @{run}/host/@{lib}/**.so* m, - - /usr/share/zenity/{,**} r, - - owner @{lib}/ r, - owner /usr/local/lib/ r, - owner /usr/local/lib/**/ r, - - # owner /var/pressure-vessel/** rw, - owner /var/pressure-vessel/ldso/* rw, - owner /var/cache/ldconfig/aux-cache* rw, - - # This is the fontconfig cache of the sandboxed runtime, not the host - owner /var/cache/fontconfig/** rwl, - - owner @{HOME}/.steam/steam.pid r, - owner @{HOME}/steam-@{int}.log rw, - - owner @{att}@{run}/user/@{uid}/bus rw, - owner @{att}@{run}/user/@{uid}/pulse/native rw, - owner @{att}@{run}/user/@{uid}/wayland-@{int} rw, - - owner @{steam_share_dirs}/ r, - owner @{steam_share_dirs}/compatibilitytools.d/{,**/}__pycache__/ w, - owner @{steam_share_dirs}/compatibilitytools.d/{,**/}__pycache__/**.pyc.@{u64} w, - - owner @{runtime_dirs}/pressure-vessel/lib/@{multiarch}/steam-runtime-tools-0/libcap.so.2 mr, - owner @{runtime_dirs}/var/tmp-@{rand6}/.ref rw, - owner @{att}@{runtime_dirs}/var/tmp-@{rand6}/.ref rw, + @{wineprefix_dirs}/ r, + @{wineprefix_dirs}/** mrix, + @{user_config_dirs}/heroic/tools/proton/ r, + @{user_config_dirs}/heroic/tools/proton/*/ r, + @{user_config_dirs}/heroic/tools/proton/*/** mrix, # file_inherit @{user_share_dirs}/umu/steamrt3/VERSIONS.txt r, @@ -117,29 +44,8 @@ owner @{wineprefix_dirs}/ rw, owner @{wineprefix_dirs}/** rwk, - /tmp/ r, - owner @{tmp}/pressure-vessel-libs-@{rand6}/{,**} rwlk, - owner @{tmp}/pressure-vessel-locales-@{rand6}/{,**} rwlk, owner @{tmp}/umu_crashreports/{,**} rw, - @{run}/host/fonts-cache/{,**} r, - @{run}/host/fonts/{,**} r, - @{run}/host/local-fonts/{,**} r, - @{run}/host/share/{,**} r, - @{run}/host/share/icons/{,**} r, - @{run}/host/user-share/icons/{,**} r, - @{run}/host/usr/{,**} r, - owner @{run}/host/font-dirs.xml r, - owner @{run}/host/user-fonts-cache/@{hex32}-le{32,64}.cache-@{int} r, - owner @{run}/host/user-fonts/{,**} r, - owner @{run}/pressure-vessel/{,**} r, - - @{sys}/devices/**/net/*/carrier r, - - @{PROC}/@{pid}/net/* r, - @{PROC}/sys/net/ipv4/conf/default/forwarding r, - @{PROC}/sys/net/ipv4/ip_default_ttl r, - owner @{PROC}/@{pid}/uid_map r, include if exists diff --git a/apparmor.d/abstractions/common/pressure-vessel b/apparmor.d/abstractions/common/pressure-vessel index 607358305f..8b8d39472b 100644 --- a/apparmor.d/abstractions/common/pressure-vessel +++ b/apparmor.d/abstractions/common/pressure-vessel @@ -60,6 +60,7 @@ @{bin}/steam-runtime-launcher-interface-@{int} ix, @{bin}/steam-runtime-system-info ix, @{bin}/steam-runtime-urlopen ix, + @{bin}/xrandr ix, @{bin}/zenity ix, @{python_path} rix, @{run}/host/@{bin}/localedef ix, diff --git a/apparmor.d/groups/umu/umu-bwrap b/apparmor.d/groups/umu/umu-bwrap index 274934d83b..57555dd0f8 100644 --- a/apparmor.d/groups/umu/umu-bwrap +++ b/apparmor.d/groups/umu/umu-bwrap @@ -9,10 +9,8 @@ include @{share_dirs} = @{user_share_dirs}/umu @{cache_dirs} = @{user_cache_dirs}/umu @{runtime_dirs} = @{share_dirs}/steamrt3/ -@{wineprefix_dirs} = @{HOME}/Games/umu/@{int} - -@{steam_share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{steam_lib_dirs} = @{steam_share_dirs}/ubuntu@{int2}_{32,64} +@{wineprefix_dirs} = @{HOME}/Games/umu/*/ @{HOME}/Games/Heroic/*/ @{HOME}/Games/steam/*/ +@{appid} = X @{exec_path} = @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap profile umu-bwrap flags=(attach_disconnected,mediate_deleted) { @@ -25,12 +23,6 @@ profile umu-bwrap flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, - @{sh_path} rix, - @{bin}/sed ix, - @{bin}/tail ix, - @{bin}/true ix, - @{bin}/uname ix, - @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{d}/pv-adverb Px -> umu-bwrap//&umu-game, /bindfile@{rand6} rw, diff --git a/apparmor.d/groups/umu/umu-game b/apparmor.d/groups/umu/umu-game index b7291ecc4a..8e24d9b6f6 100644 --- a/apparmor.d/groups/umu/umu-game +++ b/apparmor.d/groups/umu/umu-game @@ -9,10 +9,8 @@ include @{share_dirs} = @{user_share_dirs}/umu @{cache_dirs} = @{user_cache_dirs}/umu @{runtime_dirs} = @{share_dirs}/steamrt3/ -@{wineprefix_dirs} = @{HOME}/Games/umu/@{int} - -@{steam_share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{steam_lib_dirs} = @{steam_share_dirs}/ubuntu@{int2}_{32,64} +@{wineprefix_dirs} = @{HOME}/Games/umu/*/ @{HOME}/Games/Heroic/*/ @{HOME}/Games/steam/*/ +@{appid} = X @{exec_path} = @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-@{int}/pv-adverb profile umu-game flags=(attach_disconnected,mediate_deleted) { @@ -21,8 +19,6 @@ profile umu-game flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, - owner @{att}/dev/pts/@{int} rw, # file_inherit - include if exists } diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run index 7b2235bdbf..10e11fe23e 100644 --- a/apparmor.d/groups/umu/umu-run +++ b/apparmor.d/groups/umu/umu-run @@ -2,6 +2,19 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Security objectives of the steam profiles: +# - Ensure no user data is accessed by either umu or umu games +# - Limit what steam/games can access to the host +# +# Overall architecture of the steam profiles: +# umu-run +# ├── umu-runtime # Pressure-vessel, steam runtime, create the game sandbox +# │ └── steam-bwrap # Native games +# │ └── steam-game # Proton games (sandboxed) +# ├── umu-run//bwrap +# ├── umu-run//ldd +# └── umu-run//ldconfig + abi , include @@ -9,10 +22,7 @@ include @{share_dirs} = @{user_share_dirs}/umu @{cache_dirs} = @{user_cache_dirs}/umu @{runtime_dirs} = @{share_dirs}/steamrt3/ -@{wineprefix_dirs} = @{HOME}/Games/umu/*/ - -@{steam_share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{steam_lib_dirs} = @{steam_share_dirs}/ubuntu@{int2}_{32,64} +@{wineprefix_dirs} = @{HOME}/Games/umu/*/ @{HOME}/Games/Heroic/*/ @{HOME}/Games/steam/*/ @{exec_path} = @{bin}/umu-run profile umu-run @{exec_path} flags=(attach_disconnected) { @@ -47,9 +57,9 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { @{bin}/gcc rix, @{lib}/gcc/**/collect2 rix, - @{sbin}/ldconfig rCx -> &umu-run//ldconfig, - @{bin}/bwrap Cx -> bwrap, - @{ldd_path} Cx -> &umu-run//ldd, + @{bin}/bwrap Cx -> bwrap, + @{ldd_path} Cx -> &umu-run//ldd, + @{sbin}/ldconfig Cx -> &umu-run//ldconfig, @{runtime_dirs}/umu ix, @{runtime_dirs}/run ix, @@ -72,6 +82,8 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { owner @{steam_lib_dirs}/{,*} rw, owner @{steam_share_dirs}/compatibilitytools.d/{,**} rwm, + owner @{user_config_dirs}/heroic/tools/proton/** r, + owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{share_dirs}/**, @@ -80,6 +92,8 @@ profile umu-run @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/ r, + @{PROC}/ r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, From fe16daf7514196199a30df3b27fa03f98ae39313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 19:00:04 +0200 Subject: [PATCH 1729/1736] feat(profile): update dracut-install. Up to now, it was mostly targetting Ubuntu. see #1104 --- apparmor.d/profiles-a-f/dracut-install | 33 ++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 11a1c62efa..7cf07e445e 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -10,26 +10,55 @@ include profile dracut-install @{exec_path} { include include + include + + capability syslog, @{exec_path} mr, @{bin}/cp rix, + /usr/share/btrfsprogs/dracut* r, + /usr/share/kbd/{,**} r, + + /etc/ r, + /etc/depmod.d/{,**} r, + /etc/hostname r, + /etc/hosts r, /etc/machine-id r, + /etc/modules-load.d/{,**} r, + /etc/sysctl.d/{,**} r, + /etc/systemd/journald.conf.d/{,**} r, + /etc/systemd/system.conf.d/{,**} r, + /etc/udev/rules.d/{,**} r, + /etc/udev/udev.conf.d/{,**} r, + /etc/vconsole.conf r, + /etc/modprobe.d/{,**} r, + @{lib}/modprobe.d/{,**} r, + @{run}/modprobe.d/{,**} r, + + # Can copy any program to the initframs + @{bin}/* r, + @{lib}/ r, + @{sbin}/* r, + /{usr/,}{local/,}{s,}bin/ r, + /{usr/,}{local/,}lib{,32,64}/ r, / r, + /var/tmp/dracut.@{rand6}@{c}/{,**} rwl, + /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} rw, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* rw, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, - @{sys}/devices/platform/{,**/} r, - @{sys}/devices/platform/**/modalias r, + @{sys}/devices/{,**} r, @{sys}/module/compression r, @{PROC}/cmdline r, + @{PROC}/modules r, include if exists } From 68544711efae0cd76b2b13698ec3f075d02946e9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 19:12:26 +0200 Subject: [PATCH 1730/1736] feat(profile): improve kde profiles. fix #1104 --- apparmor.d/abstractions/common/xdg | 1 + apparmor.d/abstractions/fontconfig-cache | 1 + apparmor.d/groups/kde/dolphin | 10 +++++++++- apparmor.d/groups/kde/kioworker | 1 + apparmor.d/groups/kde/konsole | 5 ++++- apparmor.d/groups/kde/kwin_x11 | 1 + apparmor.d/profiles-g-l/git | 13 +++++++++---- 7 files changed, 26 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/xdg b/apparmor.d/abstractions/common/xdg index 9817ed7cf6..e58836862f 100644 --- a/apparmor.d/abstractions/common/xdg +++ b/apparmor.d/abstractions/common/xdg @@ -9,6 +9,7 @@ include include + include #aa:only apparmor>=4.1 priority=-1 @{sh_path} mrix, diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache index 2b6729f97b..2bf6f9947b 100644 --- a/apparmor.d/abstractions/fontconfig-cache +++ b/apparmor.d/abstractions/fontconfig-cache @@ -34,6 +34,7 @@ /var/cache/fontconfig/ r, /var/cache/fontconfig/CACHEDIR.TAG r, + /var/cache/fontconfig/@{hex32}-@{arch}.cache-@{d} r, /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index d7747984f0..38a2863034 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -35,7 +35,7 @@ profile dolphin @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* mr, - @{bin}/ldd rix, + priority=1 @{ldd_path} rix, @{bin}/lsb_release rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, @@ -130,12 +130,20 @@ profile dolphin @{exec_path} { @{sys}/class/*/ r, @{sys}/devices/**/uevent r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.dolphin-@{int}.scope/cgroup.controllers r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.dolphin-@{int}.scope/cgroup.subtree_control w, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.dolphin-@{int}.scope/main.scope/ w, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.dolphin-@{int}.scope/main.scope/cgroup.procs w, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.dolphin-@{int}.scope/tab(@{int}).scope/ w, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.dolphin-@{int}.scope/tab(@{int}).scope/cgroup.procs w, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/children r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 13cb76f38b..940d8ccbad 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -57,6 +57,7 @@ profile kioworker @{exec_path} { /usr/share/wallpapers/{,**} r, /etc/fstab r, + /etc/sysconfig/proxy r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 09d96b18a3..cd4c7f44b2 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -24,13 +24,15 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.kde.konsole-@{int} @{exec_path} mr, - @{bin}/@{shells} rUx, @{browsers_path} rPx, @{lib}/libheif/ r, @{lib}/libheif/** mr, @{lib}/{,@{multiarch}/}utempter/utempter rPx, + # The shell is not confined on purpose. + @{bin}/@{shells} rUx, + # Some CLI program can be launched directly from KDE @{bin}/btop rPUx, @{bin}/htop rPx, @@ -80,6 +82,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, + @{PROC}/@{pid}/task/@{tid}/children r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/status r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 68be87c689..3c58a7ecb3 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -34,6 +34,7 @@ profile kwin_x11 @{exec_path} { @{sh_path} rix, @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, + @{bin}/ r, #aa:exec drkonqi diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 570fc207b8..6423db11a3 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -35,10 +35,14 @@ profile git @{exec_path} flags=(attach_disconnected) { @{lib}/code/extensions/git/dist/git-editor.sh Px, /usr/share/aurpublish/*.hook Px, - @{bin}/gpg{,2} Cx -> &gpg, - @{bin}/ssh Cx -> &ssh, @{editor_path} Cx -> editor, + # TODO: revisit the stacking. Profile with nnp flag that use git should + # not use this git profile but a more specific one. + @{bin}/gpg{,2} Cx -> &gpg, + @{bin}/ssh rCx -> &ssh, + @{bin}/ssh.hmac r, + /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, @@ -61,8 +65,9 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.ansible/tmp{,**} rwlk, - # GPG - owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + # GPG / SSH + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/** rwl -> @{HOME}/@{XDG_SSH_DIR}/**, owner @{run}/user/@{uid}/keyring/ssh rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, From 590cd9b640e7125328030ee8aad9127644e749f0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 19:27:41 +0200 Subject: [PATCH 1731/1736] feat(profile): improve hyprland profiles. fix #1103 --- apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland | 2 ++ apparmor.d/groups/hyprland/hyprland | 3 +++ apparmor.d/groups/hyprland/hyprpm | 2 ++ apparmor.d/groups/kde/sddm | 1 + apparmor.d/profiles-s-z/waybar | 2 ++ 5 files changed, 10 insertions(+) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland index 5434a43012..82470cb372 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland @@ -24,6 +24,8 @@ profile xdg-desktop-portal-hyprland @{exec_path} { @{bin}/sleep rix, @{bin}/slurp rix, + owner @{user_config_dirs}/hypr/xdph.conf r, + owner /tmp/hypr/ rw, owner /tmp/hypr/\#@{int} rwkl, owner /tmp/hypr/hyprland-share-picker.conf* rwkl, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 1d6c4697cc..f0cc85069f 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -33,6 +33,8 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { /etc/os-release r, + /var/cache/hyprpm/juan/split-monitor-workspaces/split-monitor-workspaces.so mr, + owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, @@ -52,6 +54,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 149128b1e9..cad7d918da 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -27,6 +27,8 @@ profile hyprpm @{exec_path} { /usr/share/git-core/** r, /usr/share/pkgconfig/** r, + /var/cache/hyprpm/{,**} r, + owner @{HOME}/.gitconfig r, owner @{user_share_dirs}/hyprpm/{,**} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 297c724caa..d30a013f9a 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -106,6 +106,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/startplasma-x11 rPx, @{bin}/sway rPUx, @{bin}/systemctl rCx -> systemctl, + @{bin}/uwsm rPUx, @{bin}/xauth rCx -> xauth, @{bin}/Xorg rPx, @{bin}/xrandr rPx, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index d246ed3454..52b9b60fe2 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -12,6 +12,7 @@ profile waybar @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -24,6 +25,7 @@ profile waybar @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /etc/machine-id r, + /etc/timezone r, owner @{user_config_dirs}/waybar/{,**} r, From 6fc5682a9496c909f6ee443ffca2f1cf50bd0b41 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 19:27:54 +0200 Subject: [PATCH 1732/1736] fix(profile): systemd-shutdown see #1109 --- apparmor.d/groups/systemd/systemd-shutdown | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index e37586c96a..60a87500cb 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -21,6 +21,8 @@ profile systemd-shutdown @{exec_path} flags=(attach_disconnected) { mount options=(rw make-rprivate) /, + umount, + ptrace read, signal (send) set=(stop, cont, term, kill), @@ -28,6 +30,8 @@ profile systemd-shutdown @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/initramfs/{,**} r, + @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @@ -36,6 +40,8 @@ profile systemd-shutdown @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/kernel/core_pattern w, owner @{PROC}/sys/kernel/printk rw, From 3e4c8730d4efcda1ea6d49adfb2fd9a43d10993c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 19:49:12 +0200 Subject: [PATCH 1733/1736] feat(tunable): add global steam paths. --- apparmor.d/tunables/multiarch.d/programs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 0feaa00720..dd5db56841 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -114,4 +114,8 @@ # Archives @{archive_names} = 7z 7zz ar bunzip2 bzip2 cpio gunzip gzip lzip rar tar unrar unrar-nonfree unzip xz zip zstd +# Steam +@{steam_share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{steam_lib_dirs} = @{steam_share_dirs}/ubuntu@{int2}_{32,64} + # vim:syntax=apparmor From 1821e2316eccc42900e00c5b442f826197f2911c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 19:50:29 +0200 Subject: [PATCH 1734/1736] fix: keep compatibility with aa 4.0 It will be droped soon. --- apparmor.d/groups/kde/dolphin | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 38a2863034..bb849176eb 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -35,7 +35,9 @@ profile dolphin @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* mr, + #aa:only apparmor>=4.1 priority=1 @{ldd_path} rix, + @{bin}/lsb_release rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, From a55eb45fbb5c11370d8ded3cb85e42c53388391b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 May 2026 22:39:29 +0200 Subject: [PATCH 1735/1736] build: default opensure to aa5. --- cmd/prebuild/main.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index b5a60d09f5..205677b9b8 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -26,6 +26,10 @@ func configInit() *tasks.TaskConfig { // Matrix of ABI/Apparmor version to integrate with switch tasks.Distribution { + case "opensuse": + c.ABI = 5 + c.Version = 5.0 + case "arch": case "ubuntu": From bff209ff2f5d942b9520cbefe68cb7a447c651cc Mon Sep 17 00:00:00 2001 From: JND94 Date: Sat, 16 May 2026 08:18:14 +0200 Subject: [PATCH 1736/1736] steamrt adjust --- apparmor.d/abstractions/app/umu | 6 +++--- apparmor.d/groups/umu/umu-bwrap | 2 +- apparmor.d/groups/umu/umu-game | 2 +- apparmor.d/groups/umu/umu-run | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/app/umu b/apparmor.d/abstractions/app/umu index 5873e92d35..cf04564b55 100644 --- a/apparmor.d/abstractions/app/umu +++ b/apparmor.d/abstractions/app/umu @@ -33,9 +33,9 @@ @{user_config_dirs}/heroic/tools/proton/*/** mrix, # file_inherit - @{user_share_dirs}/umu/steamrt3/VERSIONS.txt r, - @{user_share_dirs}/umu/steamrt3/var/tmp-@{rand6}/usr/.ref rw, - @{att}@{user_share_dirs}/umu/steamrt3/var/tmp-@{rand6}/usr/.ref rw, + @{user_share_dirs}/umu/steamrt@{int}/VERSIONS.txt r, + @{user_share_dirs}/umu/steamrt@{int}/var/tmp-@{rand6}/usr/.ref rw, + @{att}@{user_share_dirs}/umu/steamrt@{int}/var/tmp-@{rand6}/usr/.ref rw, owner @{user_cache_dirs}/umu-protonfixes/protonfixes_test.log w, diff --git a/apparmor.d/groups/umu/umu-bwrap b/apparmor.d/groups/umu/umu-bwrap index 57555dd0f8..ce59ccb1f1 100644 --- a/apparmor.d/groups/umu/umu-bwrap +++ b/apparmor.d/groups/umu/umu-bwrap @@ -8,7 +8,7 @@ include @{share_dirs} = @{user_share_dirs}/umu @{cache_dirs} = @{user_cache_dirs}/umu -@{runtime_dirs} = @{share_dirs}/steamrt3/ +@{runtime_dirs} = @{share_dirs}/steamrt@{int}/ @{wineprefix_dirs} = @{HOME}/Games/umu/*/ @{HOME}/Games/Heroic/*/ @{HOME}/Games/steam/*/ @{appid} = X diff --git a/apparmor.d/groups/umu/umu-game b/apparmor.d/groups/umu/umu-game index 8e24d9b6f6..f9b292f410 100644 --- a/apparmor.d/groups/umu/umu-game +++ b/apparmor.d/groups/umu/umu-game @@ -8,7 +8,7 @@ include @{share_dirs} = @{user_share_dirs}/umu @{cache_dirs} = @{user_cache_dirs}/umu -@{runtime_dirs} = @{share_dirs}/steamrt3/ +@{runtime_dirs} = @{share_dirs}/steamrt@{int}/ @{wineprefix_dirs} = @{HOME}/Games/umu/*/ @{HOME}/Games/Heroic/*/ @{HOME}/Games/steam/*/ @{appid} = X diff --git a/apparmor.d/groups/umu/umu-run b/apparmor.d/groups/umu/umu-run index 10e11fe23e..35b9ae9d62 100644 --- a/apparmor.d/groups/umu/umu-run +++ b/apparmor.d/groups/umu/umu-run @@ -21,7 +21,7 @@ include @{share_dirs} = @{user_share_dirs}/umu @{cache_dirs} = @{user_cache_dirs}/umu -@{runtime_dirs} = @{share_dirs}/steamrt3/ +@{runtime_dirs} = @{share_dirs}/steamrt@{int}/ @{wineprefix_dirs} = @{HOME}/Games/umu/*/ @{HOME}/Games/Heroic/*/ @{HOME}/Games/steam/*/ @{exec_path} = @{bin}/umu-run